Embed Size (px)
Citation preview
Data Mining of E-Mails to Support Periodic & Continuous Assurance
Glen L. GrayCalifornia State University at Northridge
Roger DebrecenyUniversity of Hawai`i at Mānoa
5th Symposium on Information Systems Assurance5th Symposium on Information Systems Assurance
Toronto: October 2007
In this Presentation
Continuous monitoring of emails – why? Technologies
Social Network Analysis Text analysis
Challenges Opportunities
Continuous Monitoring of Emails – Why?
Increased focus on forensic approaches to auditing
Increased interest in continuous assurance and monitoring of business processes
Emails = Organization’s DNA Evidential matter on:
Employee & management fraud (overrides) Compliance (e.g., HIPAA) Loss of intellectual property Corporate policies
Enron Email Archive
Released by Federal Energy Regulatory Commission
500K emails 151 Enron employees Cleaned version at Carnegie Mellon
www.cs.cmu.edu/~enron/ Relational DB version at USC
www.isi.edu/~adibi/Enron/Enron_Dataset_Report.pdf
Email Mining Targets
EmailData Mining
Key WordQueries
DeceptionClues
Volume &Velocity
Social NetworkAnalysis
ContentAnalysis
LogAnalysis
Content Analysis
Key Word Queries
Yes, people do say self-incriminating things in their emails Fraud Corporate dysfunction
Overwhelming false positives Need “smart” compound queries Good continuous auditing (CA) candidate
Already scanning for spam, porn, etc.
Sender Deception -- Content
Deceptive emails include: Fewer first-person pronouns to dissociate
themselves from their own words Fewer exclusive words, such as but and
except, to indicate a less complex story More negative emotion words because of the
sender’s underlying feeling of guilt More action verbs to, again, indicate a less
complex story
Sender Deception -- Identification
Writeprint features Lexical -- characters & words
Function words Root words
Syntactic -- sentences Structural -- paragraphs Content-specific
Sender Deception -- Identification
Number of potential features unlimited Optimum number can vary by
context and language Developing user profiles and comparing new
emails to profiles would be challenging for real-time CA
Temporal/Log Analysis
Volume & Velocity
Volume = number of emails a person sends and/or receives over a period of time.
Velocity = how quickly the volume changes. Many external factors (e.g., vacations, seasonal
activities, etc.) impact these numbers Need “rolling histogram”
Volume & Velocity
Key issue -- determining the optimum time intervals to sample the data
Continuous monitoring cannot be continuous in terms of sampling in real time
Comparing hourly, daily, and even weekly volumes and velocities will result in many false positives
Optimum time internal could vary by job title
Social Network Analysis
Social Network Analysis
Social relationships as an undirected graph Importance of understanding relationships
within the flow of email exchanges
Social Network Analysis in Emails
Emails semi-structured data sender primary recipient(s) copied recipient(s) date subject line
Social groups and cliques CA = who doesn’t belong?
Thread Analysis – This?Time
S R
C
C
SR
C
C
R
C
C
S
S
R
C
C
Thread Analysis – Or this?Time
S
R
C
C
S
R
R
C
S
C
R
R
S
R
Integrating Content Analysis and Social Network Analysis
EmailData Mining
Key WordQueries
DeceptionClues
Volume &Velocity
Social NetworkAnalysis
ContentAnalysis
LogAnalysis
Challenges of Email Mining
Textual Inconsistent use of abbreviations Misspelled words Smileys etc. etc. Replies, replies, and more replies…
Inability to identify: Identities of email participants
[email protected] Roles and responsibilities
What Enron Emails Show?
People do say the darnest things What did he know and when did he know it? Verified numerous bodies of email data
mining research Content analysis Social network analysis
Tools
Content monitoring eSoft Corporation’s ThreatWall Symantec’s Mail Security 8x00 Series Vericept Corporation’s Vericept Content 360º Reconnex Corporation’s iGuard Appliance InBoxer, Inc. Anti-Risk Appliance
Social networks Microsoft SNARF Heer Vizter
Research Opportunities
Research Questions
Role of email monitoring in overall CA environment?
Join SNA with examination of textual patterns. Link SNA with control environment Frauds/control overrides footprint? What email cleaning is required for CA purposes? Privacy and policy issues? Lessons from existing commercial products?
