Spear Phishing Email Detection with Multiple Reputation Features and Sample Enhancement

Spear phishing is a complex targeted attack which has rapidly increased in recent years. The traditional email features based on the sender's behavior portrait cannot accurately characterize the spear phishing email, and the detection is often hampered when the data set is small. In order to tackle these problems, in this paper, we present a new approach for detecting spear phishing attacks in the full help of the local and external reputation features. Our method extracts 8 local and 6 external reputation features derived from an analysis of spear phishing emails, combined with 4 forwarding features and 20 general features for more accurate detection. Synthetic Minority Oversampling Technique (SMOTE) algorithm and an improved KM-SMOTE are applied on enhancing samples.We evaluate features on a multi-source data set of over 41 thousand emails and achieve the recall of 86.89%, the accuracy of 88.33% in identifying spear phishing emails. With SMOTE, we improve the recall and precision to 91.80% and 93.55%, and the false positive rate is reduced by at least 22%. With KM-SMOTE, we achieve better maximum recall of 95.08%, precision of 93.55% and F1-score of 94.31%.