Disciplined and Explainable ML for Email Security

February 16, 2021

The primary value that Abnormal brings to email security is an advanced, ML-based detection system that can extract and analyze thousands of signals, identify patterns, and adapt over time to detect important attacks–without relying exclusively on threat intel or signature approaches. A common pitfall with ML initiatives in general, though, is a focus on building more and more complex, advanced models and hoping they will magically solve a practical problem.

While Abnormal does spend a lot of time innovating on the model front, the team also has paid special attention to feature engineering—the creation of informative signals from raw data that encapsulate the real problem we are trying to solve. As such, Abnormal produces features and models pertaining to each key part of a message that we may process—ranging from payload analysis (e.g. does the attachment have Javascript?) to business context (e.g. does the body have RFQ language patterns?) to better detect attacks.

Furthermore, we believe it is critical to expose these system internals to our customers to open up “the black box” and give them a real understanding of why Abnormal’s detection system makes the decisions that it does. The rise of new methods in the field of ML explainability (see here and here), in conjunction with this highly intentional design of our system, enables Abnormal to effectively convey deep insights directly in our product.

In particular, we have now introduced an anomaly and behavioral analysis chart on the Details page for every attack, showcasing the different surface areas of messages that we model and the key attributes therein, along with their actual values. In addition to improving confidence in the sophistication and comprehensiveness of the Abnormal detection engine, this visualization has real utility in terms of giving customers insights on specific patterns and risk factors at a more granular level.

Given that ML is the core of the Abnormal approach, we look forward to not only innovating to improve our systems day by day but also to channel these improvements into our product for better customer engagement and understanding.

See what the Abnormal portal could do for you with a free product demo today.

Get AI Protection for Your Human Interactions

Protect your organization from socially-engineered email attacks that target human behavior.

Request a Demo

CISO Insights

Cyber Savvy: Protecting Vital Signs with Nicholas Schopperth, CISO at Dayton Children’s Hospital

Discover key insights from seasoned cybersecurity professional Nicholas Schopperth, CISO at Dayton Children’s Hospital.

Company & Culture Thought Leadership

Introducing SOC Unlocked: Tales from the Cybersecurity Frontline, an Abnormal Security Original Podcast

Discover 'SOC Unlocked,' Abnormal Security's new podcast featuring host Mick Leach and cybersecurity expert guests like Jeremy Ventura, Dave Kennedy, and Mick Douglas.

B 07 22 24 MKT624 Images for Paris Olympics Blog

Data & Trends

French Companies Face Olympic-Sized Cyber Threats

Threat actors are targeting French businesses ahead of the Paris 2024 Olympics. Learn how they're capitalizing on the event and how to protect your organization.

Account Takeover Threat Intel

Cross-Platform Account Takeover: 4 Real-World Scenarios

Cross-platform account takeover is an attack where one compromised account is used to access other accounts. Learn about four real-world examples: compromised email passwords, hijacked GitHub accounts, stolen AWS credentials, and leaked Slack logins.