Foiling attackers who try to lure email users into clicking on a malicious link is a cat-and-mouse game, as phishing tactics evolve to evade detection. But machine learning models designed to recognize phishing attempts can evolve, too, through automatic retraining and checks to maintain accuracy.
What’s new: Food giant Nestlé built a system that checks incoming emails and sends suspicious ones to the company’s security team. Microsoft’s Azure Machine Learning web platform supplies the tools and processing power.
Problem: Nestlé receives up to 20 million emails in 300,000 inboxes daily. An earlier commercial system flooded analysts with legitimate messages wrongly flagged as phishing attempts — too many to evaluate manually.
Solution: The company built an automated machine learning system that continually learns from phishing attempts, spots likely new ones, and forwards them to security analysts.
How it works: The system comprises three automated pipelines that run in the cloud. The first manages training, the second evaluates incoming messages, and the third passes the latest risky messages to security.
- The system stores incoming emails in a data lake. A transformer model fine-tuned for the task examines email subject headers to classify phishing attempts. Factors such as the sender’s domain are used to prioritize messages for human attention.
- It processes incoming messages hourly in batches that run in parallel and retrains the model weekly to learn from the latest attacks. It also retrains the model whenever the surrounding code is revised; say, if the software that parses subject headers implements a new tokenization scheme. It evaluates the new model's performance and, if the model performs well, deploys it.
- All models are versioned, registered, associated with the code base at the time, and saved to a database. Engineers can track the impact on performance of changes to the model, data, or code, making it easier to track down bugs, revert changes, and perform experiments.
Results: The system detects malicious emails more quickly and accurately than its commercial predecessor. It flags phishing attempts with 60 percent precision. Previously, most of those would have been missed, the team said.
Why it matters: Running several software pipelines continuously at high volume means a lot of moving parts in a critical application. Automating them and putting in place good tools and processes saves headaches and avoids security threats.
We’re thinking: With machine learning models hard at work fighting phishing, machine learning engineers have more time to go fishing.