Please use this identifier to cite or link to this item: http://localhost:8081/jspui/handle/123456789/19228
Full metadata record (DC field: value (language))

dc.contributor.author: Shukla, Sanjeev
dc.date.accessioned: 2026-02-25T23:06:21Z
dc.date.available: 2026-02-25T23:06:21Z
dc.date.issued: 2024-06
dc.identifier.uri: http://localhost:8081/jspui/handle/123456789/19228
dc.guide: Misra, Manoj (en_US)
dc.description.abstract (en_US):

In the interconnected world of cyberspace, where digital communication is ubiquitous, the prevalence of email-based cyber-attacks has become a significant concern. Email, a pervasive communication tool, has become a prime vector for cyber adversaries seeking unauthorized access, data breaches, and financial exploitation. Cybercriminals employ various tactics using different types of email attacks, such as spoofing, phishing, email bombing, and malware distribution, to exploit vulnerabilities and deceive unsuspecting users. As email continues to be a primary mode of digital communication, understanding the risks associated with these malicious activities is crucial for individuals and organizations alike. Our study of state-of-the-art solutions reveals that many are vulnerable, time-consuming, and have low detection accuracy. Thus, in our research, an attempt has been made to apply forensic analysis to investigate and identify email-based cyber-attacks quickly, with low detection time, high detection accuracy, minimum false positives, least overheads, and without affecting the system's normal operation. In the first chapter, we develop a mechanism based on memory forensics to detect inbound spoofed emails. To reduce the detection time, we propose an efficient method to reduce the size of the memory dump used for email header analysis. The traditional approach in memory forensics is to capture a live memory dump of the complete RAM, resulting in a large file to be stored, which further requires a significant amount of time for processing and extracting the email header [1]. Instead of capturing the complete memory dump, we capture only the browser's live running processes from memory and extract the email header for analysis. This reduces the size of the memory dump and makes detection fast. The solution thus proposed can be used by both individuals and organizations, but it is most suitable for individual users.

Second, we present the design of a spoofed email detection algorithm that works for both inbound and outbound email attacks. We propose a novel mechanism called URL extractor, which uses seven novel URL features to identify, among all live browser processes (with multiple tabs and web pages open for browsing), only the process associated with the email inbox, and captures only that process for analysis. The authentication header fields SPF, DKIM, DMARC, and ARC are examined closely to develop a detection algorithm for received emails. Similarly, novel header fields along with MX records are applied to detect spoofed replied emails. The MX record is fetched to verify the domain name by sending a forward nslookup query to DNS. This solution is most suitable for organizations and institutes, as it caters to both external and internal attack threats. Third, we further improve the design of the email header capturing mechanism and the spoofed email detection algorithm to reduce detection time and enhance detection accuracy. In this chapter, we propose two significant improvements. The first is a URL validation module that uses a novel technique of checking each captured URL against email URL features; this scheme is fast and significantly reduces total time. The second improves spoofed email detection by applying an ML model built using two novel email header fields along with four authentication header fields. An email alert mechanism for spoofed email attacks is also incorporated to give a threat profile and early warning to the IT admins and security team of the organization so that they can initiate further forensic investigation. Fourth, we design a machine learning-based, feature-rich, real-time, scalable, novel anti-phishing detection technique that extracts the HTTP headers (predominantly security headers) from web pages to classify them as legitimate or phishing.

A study was conducted to understand the critical features used in the past for anti-phishing, and we identified 16 novel HTTP header features. We also examined a list of popular phishing website creation tools and incorporated them into our dataset for testing, in order to build a robust detection model that identifies and predicts results correctly. Our approach brings immense benefits as it is independent of URL and web page content features, language-agnostic, free from visual similarity or image matching approaches, platform-neutral, devoid of any privacy violation, and independent of third-party dependencies that result in response delays and added cost. Furthermore, for each proposed algorithm, a performance analysis is conducted considering system resource utilization, processing overhead, and execution time to judge the performance of our methodology. Average values of CPU utilization, memory usage, and disk utilization were observed, along with the time taken during execution of the program. Also, a comparative analysis along the key parameters of system resources is conducted against current state-of-the-art solutions. Additionally, past work has been studied carefully to develop a critical benchmarked checklist that serves as the set of comparison points between our proposed work and current state-of-the-art techniques. Previous benchmark studies mainly focused on inbound attacks (received emails) and did not consider outbound attacks by an inside user (replied emails). In contrast, our proposed method focuses on both types of attacks. Though some studies saved detection results in log files, no alert mechanism was used in the past. The key benchmark points missed by previous research studies were related to language agnosticism, domain feature dependence, protection from privacy violation, and third-party tool dependence.
dc.language.iso: en (en_US)
dc.publisher: IIT Roorkee (en_US)
dc.title: FORENSIC ANALYSIS AND DETECTION OF EMAIL BASED CYBER ATTACKS (en_US)
dc.type: Thesis (en_US)
Appears in Collections: DOCTORAL THESES (CSE)

Files in This Item:
File: 16911005_SANJEEV SHUKLA.pdf
Size: 2.82 MB
Format: Adobe PDF

