CATBERT: Context-Aware Tiny BERT for Detecting Social Engineering Emails
This addresses the challenge of phishing email detection for organizations, but it is incremental as it builds on existing BERT models with modifications.
The paper tackled the problem of detecting hand-crafted social engineering emails that lack malicious code or shared word choices with known attacks, by fine-tuning a pre-trained BERT model with adapters and context-aware features, achieving an 87% detection rate compared to baselines like DistilBERT at 83%.
Targeted phishing emails are on the rise and facilitate the theft of billions of dollars from organizations a year. While malicious signals from attached files or malicious URLs in emails can be detected by conventional malware signatures or machine learning technologies, it is challenging to identify hand-crafted social engineering emails which don't contain any malicious code and don't share word choices with known attacks. To tackle this problem, we fine-tune a pre-trained BERT model by replacing the half of Transformer blocks with simple adapters to efficiently learn sophisticated representations of the syntax and semantics of the natural language. Our Context-Aware network also learns the context representations between email's content and context features from email headers. Our CatBERT(Context-Aware Tiny Bert) achieves a 87% detection rate as compared to DistilBERT, LSTM, and logistic regression baselines which achieve 83%, 79%, and 54% detection rates at false positive rates of 1%, respectively. Our model is also faster than competing transformer approaches and is resilient to adversarial attacks which deliberately replace keywords with typos or synonyms.