TLDR: This research introduces “authorship validation,” an AI-driven method to verify if an email was truly written by its claimed sender, combating internal phishing and Business Email Compromise. Using datasets from the Enron corpus, the study shows that a character-level convolutional neural network (Char-CNN) effectively learns individual writing styles, outperforming a Naive Bayes baseline. The findings suggest that integrating per-sender AI classifiers into email security systems is a practical and low-overhead way to detect impersonators.
Email-based attacks continue to be a significant threat in cybersecurity, with “phishing” being a common tactic where recipients are tricked into revealing sensitive information or downloading malware. A more targeted form, “spear phishing,” often focuses on individuals or small groups, usually within the same organization. A particularly damaging variant is “Business Email Compromise” (BEC), where attackers aim to steal money by impersonating executives or trusted employees.
A growing concern is “lateral spear phishing,” where an attacker gains access to an employee’s account and then uses it to send phishing emails to other colleagues within the same organization. These attacks are especially challenging to detect because many organizations, by default, trust internal emails and don’t subject them to the same rigorous security checks as external messages. This leaves them vulnerable to fraud, as employees might unknowingly fall for malicious instructions from what appears to be a legitimate internal source.
This research introduces and explores a crucial defense mechanism called authorship validation. Unlike traditional phishing detection, which looks for malicious content or suspicious links, authorship validation focuses on verifying whether a claimed sender actually wrote a given email. It’s a lightweight, real-time defense that models each sender’s unique writing style, complementing existing security measures.
The paper defines authorship validation as a binary classification task: determining if a document (email) was authored by a specific individual (the email account owner). This is a more practical and computationally simpler problem than general “authorship attribution,” which tries to identify an author from a large pool of potential candidates. By simplifying the problem, it becomes feasible to integrate such systems into commercial email security platforms for real-time decision-making.
To test this concept, the researchers built several new datasets based on the well-known Enron email corpus. They created “authentic” email sets from specific Enron senders. For “inauthentic” emails, they used a few methods: some were generated by a large language model (GPT-4) in a different style, others were taken from different top Enron senders, and a third set combined these with third-party BEC emails. This allowed for testing the classifiers against various types of impersonation attempts.
Two types of classifiers were evaluated for the authorship validation task. The first was a simple Naive Bayes model, serving as a baseline due to its interpretability and computational efficiency. The second was a more complex character-level convolutional neural network (Char-CNN). This neural network was chosen because similar models have shown success in authorship attribution for short texts by learning patterns from raw character sequences.
The experiments showed promising results. While the Naive Bayes classifier performed reasonably well, the Char-CNN model consistently achieved higher accuracy and F1 scores across various datasets. For instance, on one dataset, Char-CNN achieved an accuracy of 0.9662 and an F1 score of 0.9654, outperforming Naive Bayes. This suggests that Char-CNN’s ability to learn subtle stylistic and structural cues from character sequences makes it more effective at distinguishing authentic emails from impersonations.
The paper also discusses how these per-sender authorship classifiers could be practically integrated into existing commercial email security systems. The idea is to maintain an explicit “sender profile” for each employee, tracking their typical email behaviors (like send times, client used, and writing style). A unique neural network classifier, like Char-CNN, would be associated with each sender and trained on their past emails. When a new email is sent, this classifier provides an authorship validation signal, which can be combined with other security signals in a modular detection system.
The computational overhead for such a system appears to be low. Training a Char-CNN on a dataset of over a thousand emails took less than 11 minutes on a consumer-grade machine, and testing was even faster. This indicates that deploying per-sender neural network classifiers is practical for real-world commercial systems.
Also Read:
- Rethinking Phishing Detection: A New Approach to Benchmarking Email Threats
- Unmasking AI Text: A Framework That Learns Writing Styles
Future work includes creating larger and more diverse datasets, exploring more advanced classifier designs, implementing a detailed sender detection system, and studying the robustness of these classifiers against sophisticated adversarial attacks. This research highlights a significant step forward in protecting organizations from internal email-borne threats by leveraging AI to understand and validate individual writing styles. You can find the full research paper here: Per-sender neural network classifiers for email authorship validation.
