Mar 15–18, 2020

High-precision detection of business email compromise

Lior Gavish (Barracuda)
4:15pm4:55pm Tuesday, March 17, 2020
Location: LL21 C

Who is this presentation for?

Data scientists or analysts




Business email compromise (BEC) and employee impersonation have become one of the most costly cybersecurity threats, causing over $12 billion in reported losses. Impersonation emails take several forms: some ask for a wire transfer to the attacker’s account. Others lead the recipient to a link that compromises their credentials. Email security systems aren’t effective in detecting these attacks because the attacks don’t contain a clearly malicious payload and are personalized.

Lior Gavish breaks down BEC-Guard, a detector used at Barracuda that prevents BEC attacks in real time using supervised learning. BEC-Guard has been in production since July 2017 and is part of the Barracuda Sentinel email security product. BEC-Guard detects attacks by relying on statistics about the historical email patterns accessed via cloud email provider APIs. The two main challenges when designing BEC-Guard were the need to label millions of emails to train its classifiers and to properly train the classifiers when employee impersonation emails is very rare, which can bias the classification. Barracuda’s key insight was to split the classification problem into two parts: one analyzing the email header and the second applying natural language processing to detect phrases associated with BEC or suspicious links in the email body. BEC-Guard uses cloud email providers’ public APIs to automatically learn the historical communication patterns of each organization and to quarantine emails in real time. Barracuda evaluated BEC-Guard on a commercial dataset containing more than 4,000 attacks, and it achieved a precision of 98.2% and a false positive rate of less than one in five million emails.

Prerequisite knowledge

  • A basic understanding of common ML models
  • Familiarity training ML models

What you'll learn

  • Learn strategies to successfully label and classify imbalanced datasets with >100M objects and to codify vast amounts of historical data for use in real-time classification
  • Understand an API-based analysis of historical and real-time communication data
Photo of Lior Gavish

Lior Gavish


Lior Gavish is a senior vice president of engineering at Barracuda, where he coleads the email security business. Lior developed AI solutions that were recognized by industry and academia, including a Distinguished Paper Award at USENIX Security 2019. Lior joined Barracuda through the acquisition of Sookasa, an Accel-backed startup where he was a cofounder and vice president of engineering. Previously, Lior led startup engineering teams building machine learning, web and mobile technologies. Lior holds a BSc and MSc in computer science from Tel-Aviv University and an MBA from Stanford University.

Leave a Comment or Question

Help us make this conference the best it can be for you. Have questions you'd like this speaker to address? Suggestions for issues that deserve extra attention? Feedback that you'd like to share with the speaker and other attendees?

Join the conversation here (requires login)

Contact us

For conference registration information and customer service

For more information on community discounts and trade opportunities with O’Reilly conferences

Become a sponsor

For information on exhibiting or sponsoring a conference

For media/analyst press inquires