Cross-dataset email classification

Abstract

Email is one of the most popular ways of communication. Nevertheless, it is also a potential tool to deceive and fill users with unwanted publicity, which reduces productivity. To alleviate such fact, a common solution has been building machine learning models based on the content of emails to automatically separate emails (spam vs ham). In this work, a study of a set of machine learning models and content-based features for the problem of cross-dataset email classification is presented. This problem consists in training and testing the models using different datasets; considering the fact that the datasets were collected under different independent setups. This has the purpose of simulating future variable or unpredictable conditions in the emails content distributions as could happen in a real setting, where models are trained using emails from a certain period of time, group of users or accounts, but tested with emails from other users or accounts. Experiments were conducted with the models and features using different datasets and two setups, same-dataset, and cross-dataset, to show the complexity of the later. The performance was evaluated using the Area Under the ROC Curve, a common metric in email classification. The results show interesting insights for the problem.

Keywords

Email classification data mining machine learning cross-dataset classification

1 Introduction

Electronic mail (shortened as email), is nowadays one of the most popular and efficient ways to communicate among persons and organizations; it is mainly due to its easy access, low cost, and speed. As an example, since 2014 an approximate of 200 million email accounts have been created every year, according to a survey published in a popular german online portal for statistics. Nevertheless, despite its advantages and popularity, this service has several problems to face; the main one lies in that not all emails that an user receives are important or reliable. To tackle this problem, email classification has been widely studied throughout the years to help automatically filter out emails that the users do not want to read or that are untruthful.

The most common task in email classification consists in separating the email in two classes, spam and ham. The first class refers to emails that users do not expect or want to receive and that do not have importance for them. The content of these emails is generally about commercial publicity, but it could also be more dangerous by trying to steal users’ financial identities (phishing email). The second class refers to those legit emails that users want to receive; some of them of high importance because could contain urgent or sensitive information. The present work deals with this type of email classification.

One of the most popular approaches among the existing techniques for email classification [7, 17] is to build machine learning models based on emails text content [8]. Following this line, along the years researchers have built models using different features such as words [19, 34], n-grams [23], character n-grams [19], stylistics [20] and deep learning features [18]. They have also implemented a variety of methods for feature selection [15, 32] and feature extraction [15]. Finally, several machine learning models have been proposed for the task [31, 33], such as Support Vector Machines (SVM) [9], Näive Bayes (NB) [22, 27], K-Nearest Neighbors (KNN) [11], Logistic Regression (LR) [5], PCA reconstruction [14], Decision Trees (DT) [29], Neural Networks [6] and classification ensembles [28].

Despite the great efforts conducted by academic and industrial researchers, the filtering of unwanted email is still an open problem because spammers and phishers are continuously changing their techniques to deceive automated filters, which results in an evolution of the content of the emails. The previous situation leads to the so called dataset shift problem [26]. This problem comes from the fact that models are trained using data collected during a certain period of time, and from certain groups of users or accounts. The population of users or accounts to collect emails could be selected based on practical or experimental decisions, such as geographic locations, topics of interest and/or email servers. When using such collected data to build machine learning based email filters, the models are biased to the specific content distribution of the data, and when applied in a real setting, they have problems to correctly detect emails. There are very few works that consider the dataset shift problem in email classification, such as in [4], where the authors propose a model based on Markov processes that could be updated with new emails; and [15], in which the authors used a set of features to train models with emails from the past, and test the models with emails from the future. Nevertheless, the vast majority of works in the literature uses the same dataset to train and test models (even if they use a diversity of datasets), reaching very high values in performance measures, but without reflecting the performance in more realistic environments.

In this work, a study of a variety of machine learning models and content-based features for the problem of email classification in a cross-dataset scenario was conducted. In this scenario, the models were trained using emails from a dataset and tested using emails from another dataset; considering the fact that the datasets were collected under different independent setups. This has the purpose of simulating future variable or unpredictable conditions in the emails content distributions as could happen in a real setting. Experiments were developed with five machine learning models encompassing four approaches, discriminative (SVM and LR), probabilistic (NB), instance-based (KNN) and decision trees (Random Forrest). Aditionally, four feature sets were used, divided in two approaches, superficial features (words, links and emoticons/emojis) and deep learning features (word2vec). Finally, five email datasets that are commonly used in the literature were used, TREC 2007, GenSpam, SpamAssassin, Enron, and Ling Spam. The main contribution is to gain understanding on the effect of different machine learning approaches and feature sets for the dataset shift problem in email classification. Final results present interesting insights.

There are three question for the present research; for cross-dataset email classification:

Which machine learning model or approach performs the best?

Which feature set is better to discriminate between spam and ham?

Is there an association between the amount of shared content among datasets and the classification performance?

The remainder of this paper is organized as follows: Section 2 presents a review of previous works on email classification. Section 3 describes the materials and methods used in this paper. Section 4 contains the experimental results. Finally, Section 5 concludes this paper and presents some insights for future work.

2 Related works

Since email was developed and thanks to its huge and growing popularity through the years, there have been many works around it and its problems. Specifically on email classification, there are some works that summarize methods and techniques used in the literature [2, 33]. For example, Blanzieri and Bryl [3] conducted a survey of learning-based techniques of email classification using nine different datasets to review the most common methods and features (non-content, language based, bag of words and image-based) used in spam filtering. Further studies have been carried by not only comparing models and using different datasets, but also parameters, architectures and even simulation tools and environments [8]. In [30], the authors reviewed popular email mining tasks, techniques and tools and identified five major categories named spam detection, email categorization, contact analysis, email network property and email visualization.

Regarding feature sets, several types have been explored, including words [19, 34], n-grams [23], character n-grams [19], stylistics [20] and deep learning features [18]. Additionally, feature selection (FS) and feature extraction (FE) have also been used. In [32], the authors implement a meta-heuristic model based on harmony search to select a set of features considering document frequency and discriminative power. For FE, extended versions of several techniques and models have been developed, for example, based on PCA (principal component analysis) there is PCAII [15] and PCADR (PCA document reconstruction) [14]; whilst using LDA (linear discriminant analysis) there are BDA (biased discriminant analysis), and ANMM (average neighborhood maximization) [13].

Although using solely content-based features has been more explored by researchers, other interesting options have been used in combination with content-based features for improving the classification, such as using online and offline features [12], behavioural email traffic features [21], a combination of content, image and salting features [1], and web-based approaches [16].

Finally, there have been a diversity of machine learning models that have been employed for the task [31, 33], such as SVM [22 , 27–29], KNN [11], LR [5], PCA reconstruction [14], Decision Trees [29], Neural Networks [6], compression models [4] and classification ensembles [28].

In most of these mentioned works, the experimentation has been done either by splitting a dataset in training and test parts, or by applying cross validation over it. In this sense, the same distribution of content is used for training and testing, which is something that normally does not occur in a real application, where the models have to be tested in more complex settings.

3 Materials and methods

3.1 Datasets description

For experimenting, in the present paper, five popular datasets that are common in the literature were used, SpamAssassin (SA) 1 , Enron (EN) 2 , TREC 2007 (TR) 3 , GenSpam (GS) 4 and Ling Spam (LS) 5 . These datasets are free and publicly available.

The SA dataset is originally split in five files, easy_ham, easy_ham_2, hard_ham, spam and spam_2. The first two files contain emails easy to differentiate from spam and without any spammish signatures. The third file contains ham emails closer to typical spam. Finally, the fourth and fifth files contain emails received from non-spam-trap sources. All the emails were merged in two files for ham and spam respectively. The GS dataset is originally split in 5 directories, train_GEN, train_SPAM, adapt_GEN, adapt_SPAM, test_GEN, and test_SPAM, which contain spam and ham (GEN) for each phase, training, validation, and testing, respectively. When conducting the same-dataset experiments (see Subsection 3.3), the original split of the data was used; when doing cross-dataset experiments, all the emails from the directories were merged in two files for ham and spam respectively. The Enron dataset is originally divided in six folders, each one containing spam and ham emails. All the emails were joined in two files for ham and spam respectively. The LS dataset originally contains different versions of the data, in this work the bare version was used, which is unprocessed or coded. This version is split in ten parts with ham and spam in each one. When conducting the same dataset experiments, the original split of the data was used; when doing cross-dataset experiments, the emails from the directories were merged in two files for ham and spam respectively. Finally, the full version of the TR dataset was the one used, where each email is labeled either as ham or spam.

Table 1 shows the distribution of emails for each class. In most of the dataset, there is a predominance of spam email (since it is easier to collect), except in SA where the proportions are reverted, and EN, where the dataset is almost balanced.

Table 1
Datasets content breakdown

Dataset Spam Ham Total % Spam % Ham

TR 50071 25217 75288 66.51 33.49

GS 30761 9186 39947 77.00 23.00

SA 1892 4144 6036 31.35 68.65

EN 17110 16544 33654 50.84 49.16

LS 481 2412 2893 16.63 83.37

Dataset	Spam	Ham	Total	% Spam	% Ham
TR	50071	25217	75288	66.51	33.49
GS	30761	9186	39947	77.00	23.00
SA	1892	4144	6036	31.35	68.65
EN	17110	16544	33654	50.84	49.16
LS	481	2412	2893	16.63	83.37

Table 2 contains some statistics for the three superficial features used for experimenting, words, links and emoticons/emojis (see Subsection 3.2). Columns two to four indicate the vocabulary size for each feature (the number of unique words, links and emoticons/emojis) per dataset. The fifth column represents the proportion of unique words per email (the size of the word vocabulary divided by the total number of emails). The larger this number, the more diversity of content is present in the dataset. Columns six to eight are the averages of each feature per email in the dataset. In this table, it can be observed that TR has the largest word and link vocabularies; that means that it has a more diverse content than the rest of the datasets. This is complemented by the fact that its emails are the largest on average, and they contain more emoticons than emails in other datasets. The GS dataset, despite being the second largest one, it has the shortest emails on average, producing a moderate word vocabulary. Emails in this dataset do not contain links and have the least emoticons. The contrary occurs with SA, that despite being a small dataset, its word, link and emoticon vocabularies are larger. Emails in this dataset contain the largest average number of links, as well as the second largest number of emoticons. The EN dataset is the third largest one, with a moderate word vocabulary, some links, and some emoticons on average per email. Finally, LS is the smallest dataset, but its emails are the second largest, producing a moderate word and link vocabularies. Also, its emails contain some links and some emoticons on average. In general, emails in the datasets contain few emoticons and very few links; with small vocabularies for these features, specially for emoticons/emojis, which is expected since the available set of symbols for this feature is limited. On the other hand, the number of words varies largely, with different sizes for the word vocabulary.

Table 2

Vocabulary sizes and statistics for superficial features

	Vocabulary				Average per email
Dataset	Words	Links	Emoticons	Voc Words/#Emails	Words	Links	Emoticons
TR	5231250	11193	102	69.48	264.53	0.51	8.00
GS	93427	0	113	2.34	52.03	0.00	0.13
SA	142461	6107	162	23.60	172.35	2.33	5.79
EN	158652	5739	158	4.71	117.59	0.33	1.19
LS	58950	1234	126	20.38	239.35	0.64	2.79

3.2 Data processing

Before using the datasets for building and testing machine learning models, several processing techniques to transform them and extract the features were applied. First the text from the body and subject line was taken, excluding tags such as re, fwd and fw; and for datasets in XML format, those tags referring to the beginning and end of an element. Secondly, regular expressions were used to extract the three superficial features used, words, links and emoticons/emojis. Words represent the majority of content in an email since they are used to express the purpose of the message. Links are sometimes present in spam email to redirect the user to pages with publicity or malicious content. Emoticons are sometimes used to capture the attention of the user with a friendly style. After extracting the superficial features, very short (length <3) and very long (length >35) words, and the English stopwords from the Python NLTK library were removed. Finally, for each superficial feature, each email was transformed to a document vector using the term-document-inverse-document-frequency (tf-idf) method. Tf-idf is defined by Eq. (1), where tf (t, d) is the frequency of feature t in document d and idf (t) is given by Eq. (2). In turn, df (d, t) is the number of emails that contain feature t; whilst n_d is the total number of emails in the training set. $tf - idf (t, d) = tf (t, d) \times idf (t)$ (1) $idf (t) = log \frac{1 + n_{d}}{1 + df (d, t)} + 1$ (2)

Additionally, a deep learning representation was used, by employing the Word2Vec (W2V) [24] technique to express each word as a vector. In this case, for each email its filtered words were taken and passed each one through the Google pre-trained model 6 , obtaining as output a word embedding of 300 dimensions. Afterwards, the average of all the word embeddings from an email was computed as its final document vector.

In both cases, of superficial and deep learning features, each email document vector was normalized to the unit using the Euclidean norm.

3.3 Model building and evaluation

Using the extracted superficial and deep learning features, different models based on five popular machine learning methods were built, trying to explore different approaches. The methods include two discriminative classifiers (SVM and LR), one probabilistic (NB), one instance-based (KNN), and one based on decision trees (RF).

Two types of experiments for building and testing the models were conducted, one where the same dataset is used for training and testing, and another where a dataset was used for building a model and the rest of the datasets as test sets.

In the same-dataset setup, a 10-fold cross-validation with the TR, SA, EN and LS datasets was performed. For the first three datasets, the cross-validation was randomly stratified, whilst for LS the original data split was used. With GS, the original data split of training, validation and test was utilized. During the 10-fold cross-validation, for every iteration, an independent vocabulary from the training part was extracted, composed of nine folds, compute the idf for each feature in it, and then used this vocabulary and idfs to vectorize both the training part and the remaining test fold. The vectorization is done either using tf-idf for the superficial features, or word embeddings with W2V, using the vocabulary extracted from the training part.

In the cross-dataset setup, as mentioned before, first, all the emails from each dataset were merged in two files, containing ham and spam. Secondly, the vocabulary from each training dataset was extracted. Finally, such vocabulary was used to transform all the test datasets, either using tf-idf for the superficial features, or word embeddings with W2V.

Additionally, the SVM, LR, KNN and RF classifiers have hyper-parameters that affect their behaviours. The performance of the individual models was optimized by conducting a 3-fold cross-validation for each training part and for each possible value of the hyper-parameter. The training part could be the one composed by nine folds, in the same-dataset setup; or a whole dataset in the cross-dataset setup. In the case of the GS dataset, in order to conduct the optimization, the original split of training and validation was used. Table 3 shows the hyper-parameter (HP) optimized for each method and the values considered for it. All this seeking to maximize the AUC metric.

Table 3
Hyper-parameter to optimize in each method

Classifier HP Description Values

SVM C Regularization parameter [0.1, 1, 10, 100]

LR C Regularization parameter [0.1, 1, 10, 100]

KNN K Number of neighbors [1, 2, 3, 5, 10]

RF n Number of trees in the forest [5, 10, 15, 20]

Classifier	HP	Description	Values
SVM	C	Regularization parameter	[0.1, 1, 10, 100]
LR	C	Regularization parameter	[0.1, 1, 10, 100]
KNN	K	Number of neighbors	[1, 2, 3, 5, 10]
RF	n	Number of trees in the forest	[5, 10, 15, 20]

The email classification problem naturally deals with unbalanced distributions of data, where a class is more predominant than the other (as shown in Table 1). In that case, metrics such accuracy are not recommended to evaluate the classification performance of a model, because it would tend to be biased towards the dominating class. In our case, the performance of the different models was evaluated using the area under the ROC (Receiver Operating Characteristic) curve, or AUC, which is a popular metric for email classification [4]. ROC is a probability curve that plots the true positive rate against the false positive rate at various thresholds. AUC assesses a degree of separability, by measuring the probability that a model will rank a randomly chosen positive instance higher than a randomly chosen negative one [10]. AUC takes values between 0 and 1; however, a random classifier would produce the diagonal of the ROC curve obtaining and AUC of 0.5, which represents the baseline performance.

The processing and classification methods were implemented in Python, using the libraries NLTK, numpy and Scikit-learn. The experiments were performed in a Linux workstation with a 2.1 GHz Xeon Silver processor and 128 GB of RAM. Datasets and code used for this work is publicly available. 7

4 Results

Tables 7 present the results of the experiments using the described features, words, links, emoticons/emojis, and W2V. The tables are split in blocks of 5×5, each block represents the AUC values for a specific classification model for the corresponding feature. Each row in the block indicates the dataset that was used for training and the columns the datasets used for testing. The AUC values in italics in the diagonal of a block correspond to the same-dataset results. The values in bold indicate the best values in a row. The last column in a table shows the average and standard deviation of all the values in a row, corresponding to a single training dataset over all the classification models. All the previous averages are computed without considering the values of the diagonal, meaning they represent the cross-dataset performance. The penultimate row in a table indicates the average and standard deviation of the values in a block’s diagonal, corresponding to the performance of a single classifier in the same-dataset setup (SD AVG). Similarly, the last row in a table shows the average and standard deviation of all the non-diagonal values in a block, corresponding to the performance of the classifier in the cross-dataset setup (CD AVG). The values in the lower right corner aggregate all the averages for the datasets, indicating the general performance for a specific feature.

Table 4
Results for all machine learning models using words

Test

SVM LR NB KNN RF

TR GS SA EN LS TR GS SA EN LS TR GS SA EN LS TR GS SA EN LS TR GS SA EN LS AVG

Train TR 0.98 0.60 0.73 0.58 0.64 0.98 0.60 0.73 0.57 0.63 0.97 0.58 0.77 0.58 0.78 0.97 0.58 0.69 0.62 0.57 0.95 0.67 0.77 0.67 0.73 0.65(0.07)

GS 0.69 0.93 0.80 0.72 0.93 0.70 0.93 0.79 0.71 0.93 0.67 0.91 0.75 0.65 0.97 0.61 0.75 0.61 0.59 0.79 0.66 0.90 0.79 0.71 0.90 0.75(0.11)

SA 0.61 0.70 0.95 0.66 0.86 0.66 0.74 0.95 0.70 0.90 0.60 0.66 0.83 0.59 0.60 0.74 0.74 0.92 0.70 0.86 0.67 0.71 0.92 0.67 0.78 0.72(0.10)

EN 0.66 0.80 0.63 0.98 0.76 0.65 0.80 0.62 0.98 0.77 0.74 0.80 0.65 0.98 0.88 0.68 0.72 0.68 0.96 0.74 0.60 0.79 0.66 0.98 0.82 0.72(0.08)

LS 0.65 0.70 0.79 0.74 0.97 0.63 0.70 0.78 0.72 0.96 0.52 0.57 0.56 0.54 0.70 0.59 0.62 0.56 0.68 0.96 0.65 0.63 0.73 0.67 0.93 0.65(0.08)

SD AVG 0.96(0.02) 0.96(0.02) 0.88(0.10) 0.91(0.08) 0.94(0.03) 0.93(0.05)

CD AVG 0.71(0.09) 0.72(0.09) 0.67(0.12) 0.67(0.08) 0.71(0.07) 0.70(0.09)

	Test
	SD AVG	0.96(0.02)	0.96(0.02)	0.88(0.10)	0.91(0.08)	0.94(0.03)	0.93(0.05)
	CD AVG	0.71(0.09)	0.72(0.09)	0.67(0.12)	0.67(0.08)	0.71(0.07)	0.70(0.09)

Table 5

Results for all machine learning models using links

	Test
		SVM					LR					NB					KNN					RF
		TR	GS	SA	EN	LS	TR	GS	SA	EN	LS	TR	GS	SA	EN	LS	TR	GS	SA	EN	LS	TR	GS	SA	EN	LS	AVG
Train	TR	0.70	-	0.52	0.50	0.50	0.70	-	0.52	0.50	0.50	0.69	-	0.50	0.50	0.50	0.70	-	0.52	0.50	0.50	0.70	-	0.52	0.50	0.50	0.50(0.01)
	GS	-	-	-	-	-	-	-	-	-	-	-	-	-	-	-	-	-	-	-	-	-	-	-	-	-	-
	SA	0.50	-	0.62	0.50	0.50	0.50	-	0.62	0.50	0.50	0.50	-	0.62	0.50	0.50	0.50	-	0.62	0.50	0.50	0.50	-	0.62	0.50	0.50	0.50(0.00)
	EN	0.50	-	0.54	0.58	0.50	0.50	-	0.54	0.58	0.50	0.50	-	0.50	0.51	0.50	0.50	-	0.53	0.52	0.50	0.50	-	0.53	0.58	0.50	0.50(0.01)
	LS	0.50	-	0.50	0.50	0.52	0.50	-	0.50	0.50	0.52	0.50	-	0.50	0.50	0.50	0.50	-	0.50	0.50	0.52	0.50	-	0.50	0.50	0.51	0.50(0.00)
		SD AVG	0.61(0.07)					0.61(0.07)					0.58(0.08)					0.59(0.08)					0.60(0.07)					0.60(0.07)
	CD AVG	0.51(0.01)					0.51(0.01)					0.50(0.00)					0.50(0.01)					0.50(0.01)					0.50(0.00)

Table 6

Results for all machine learning models using emoticons/emojis

	Test
		SVM					LR					NB					KNN					RF
		TR	GS	SA	EN	LS	TR	GS	SA	EN	LS	TR	GS	SA	EN	LS	TR	GS	SA	EN	LS	TR	GS	SA	EN	LS	AVG
Train	TR	0.66	0.50	0.59	0.59	0.55	0.66	0.50	0.59	0.59	0.56	0.64	0.50	0.59	0.58	0.54	0.65	0.51	0.55	0.59	0.54	0.67	0.51	0.57	0.61	0.56	0.56(0.04)
	GS	0.58	0.51	0.58	0.58	0.53	0.58	0.51	0.57	0.58	0.53	0.56	0.51	0.52	0.53	0.52	0.58	0.51	0.57	0.56	0.55	0.57	0.51	0.53	0.51	0.53	0.55(0.02)
	SA	0.56	0.50	0.64	0.51	0.57	0.55	0.50	0.64	0.51	0.55	0.57	0.50	0.66	0.51	0.54	0.57	0.50	0.65	0.50	0.54	0.56	0.50	0.66	0.51	0.55	0.53(0.03)
	EN	0.49	0.51	0.52	0.66	0.64	0.48	0.51	0.52	0.66	0.63	0.48	0.51	0.52	0.65	0.61	0.49	0.51	0.57	0.62	0.58	0.49	0.50	0.53	0.65	0.61	0.54(0.05)
	LS	0.50	0.50	0.57	0.50	0.59	0.50	0.50	0.56	0.50	0.58	0.50	0.50	0.57	0.51	0.58	0.50	0.50	0.56	0.51	0.61	0.50	0.50	0.56	0.49	0.59	0.52(0.03)
		SD AVG	0.61(0.06)					0.61(0.06)					0.61(0.06)					0.61(0.05)					0.62(0.06)					0.61(0.06)
	CD AVG	0.54(0.04)					0.54(0.04)					0.53(0.03)					0.54(0.03)					0.53(0.04)					0.54(0.03)

Table 7

Results for all machine learning models using W2V

	Test
		SVM					LR					NB					KNN					RF
		TR	GS	SA	EN	LS	TR	GS	SA	EN	LS	TR	GS	SA	EN	LS	TR	GS	SA	EN	LS	TR	GS	SA	EN	LS	AVG
Train	TR	0.95	0.58	0.71	0.70	0.85	0.95	0.58	0.73	0.69	0.85	0.50	0.50	0.50	0.50	0.50	0.96	0.55	0.64	0.67	0.72	0.95	0.56	0.69	0.65	0.77	0.65(0.11)
	GS	0.75	0.94	0.84	0.70	0.95	0.75	0.95	0.83	0.71	0.95	0.50	0.50	0.50	0.50	0.50	0.72	0.93	0.83	0.69	0.93	0.66	0.88	0.74	0.67	0.90	0.73(0.15)
	SA	0.76	0.80	0.93	0.67	0.89	0.76	0.80	0.93	0.67	0.89	0.50	0.50	0.50	0.50	0.50	0.72	0.75	0.92	0.61	0.85	0.63	0.72	0.91	0.63	0.81	0.70(0.13)
	EN	0.71	0.75	0.65	0.96	0.77	0.71	0.75	0.65	0.96	0.79	0.54	0.54	0.54	0.85	0.70	0.73	0.79	0.72	0.97	0.69	0.67	0.69	0.61	0.95	0.77	0.69(0.08)
	LS	0.71	0.74	0.71	0.77	0.99	0.71	0.71	0.71	0.76	0.99	0.50	0.50	0.50	0.50	0.94	0.68	0.69	0.66	0.67	0.98	0.65	0.67	0.69	0.68	0.96	0.66(0.09)
		SD AVG	0.95(0.02)					0.96(0.02)					0.66(0.20)					0.95(0.02)					0.93(0.03)					0.89(0.06)
	CD AVG	0.75(0.08)					0.75(0.08)					0.52(0.04)					0.72(0.08)					0.72(0.08)					0.69(0.11)

In Table 4 is shown that for the same-dataset experiments, when using words, most of the classifiers show a good performance. There are few exceptions, such as when classifying the LS dataset with NB, or the GS dataset with KNN and NB. On the other hand, in the same-dataset experiments, the datasets that produce the highest AUC values are TR and EN with all the classifiers, meaning they are easier to classify with word features. In this setup, discriminative classifiers SVM and LR present the best average performance over all the datasets. For the cross-dataset experiments, when using words, training models with some datasets yield better results when testing with the other datasets. Specifically, using the GS dataset for training produces the best average performance. Furthermore, training with GS or SA and testing with LS produces high AUC values with some classifiers. LS is the smallest dataset, thus its word features must be well represented inside the distributions of GS and SA. The second best performance is obtained using either the SA or the EN datasets for training; and the lowest values are obtained when training either with the TR or LS datasets. Despite the large vocabulary present in TR, its word features are very specific of such dataset; whilst the small vocabulary from LS does not represent well the distributions of other datasets. Regarding the classification model, SVM, LR, and RF present similar average performances.

In Table 5, it is observed that in general, when using links, the models perform poorly. The ‘-’ symbol indicates that the GS dataset does not contain links. In the same-dataset setup, the datasets that produce better results are TR and SA. The SA dataset contains the most links per email, but the ones in the TR dataset only have a few, which would mean that such few links include valuable information. Similarly than with words, when using links, discriminative classifiers SVM and LR present the best average performance over all the datasets. The general average of using links in the same-dataset setup is much lower than when using words. In the cross-dataset results, for most of the cases, the performance is similar to a random classifier. The exceptions are when training with the TR or EN datasets and testing with the SA dataset. This indicates that such datasets share some link information. Regarding the classification model, SVM and LR present the best average performances.

Table 6 shows that in general when using emoticons/emojis the models perform poorly. In the same-dataset setup, the datasets that produce better results are TR, SA, and EN. The two first are the ones with more emoticons/emojis in their emails, indicating a higher chance of such features being discriminative between classes. For the same-dataset setup, RF presents the best average performance among all the classifiers. The general average AUC of using emoticons/emojis is much lower than when using words but similar to the use of links. In the cross-dataset experiments, the performance varies depending on the datasets used for training and testing. Some of the best results are obtained when training with EN and testing with LS in all the classifiers. When the datasets are switched, the performance drops. This would mean that the emoticons/emojis from the LS are well represented in the distribution of EN dataset, but not the other way around. On average, using TR as the training dataset produces the best AUC value. Since emails in this dataset contain the most emoticons, there is a higher chance that the distributions of emoticons/emojis from other datasets are captured inside the distribution of TR. The lowest performance comes when using LS for training since it is the smallest dataset, likely to have a poor distribution of emoticons/emojis between its classes. The best classification models in the cross-dataset setup are SVM, LR, and KNN, whose performances are a little higher than those shown by a random classifier.

In Table 7, the results of the experiments with W2V features are presented. The results are good and similar to the ones of using words, but with some differences. The most notorious is that the NB classifier performs poorly in almost all cases. In the same-dataset setup, the LS dataset obtains the highest AUC values with all the classifiers, meaning it is easy to classify with W2V features. In this setup, LR produces the best average performance among all the classifiers. In the cross-dataset setup, training with datasets TR, GS, SA and EN, and testing with the LS dataset produces the best results. In some cases, such as training with GS, this combination yields values only 4% below to the same-dataset experiment with LS. Values with other combinations of datasets vary largely. The best average values are obtained when using the GS dataset for training, and the lowest when using the TR dataset. Similarly than with words, the W2V features from TR are very specific of such dataset. Regarding the classification model, SVM and LR and RF present the best averages performance.

Table 8 shows the aggregated average performance per test dataset along with the different features in the cross-dataset setup. In this table, it is observed that LS is the easiest dataset to classify when training with any other dataset. The hardest datasets to classify are TR and EN. LS is the smallest dataset, and most of its features are well captured by the feature distributions of other datasets. The contrary occurs with TR, which is the largest dataset and it is more likely that part of its content is not present in other datasets.

Table 8

Average performance per testing dataset per feature

	TR	GS	SA	EN	LS
Words	0.65(0.05)	0.70(0.08)	0.69(0.08)	0.65(0.06)	0.79(0.11)
Links	0.50(0.00)	-	0.51(0.01)	0.50(0.00)	0.50(0.00)
Emoticons	0.53(0.04)	0.50(0.00)	0.56(0.02)	0.54(0.04)	0.56(0.03)
W2V	0.67(0.09)	0.66(0.11)	0.67(0.10)	0.65(0.08)	0.78(0.14)
AVG	0.59(0.05)	0.62(0.06)	0.61(0.05)	0.59(0.05)	0.66(0.07)

Tables 9 and 10 show aggregated averages of the cross-dataset performance for each model and for each feature, respectively. Here, it can be observed that in general, discriminative classifiers SVM and LR perform the best on average, but RF performs closely. Regarding features, words produce the best results on average, but W2V features are just behind.

Table 9

Summary of classification results per model

	SVM	LR	NB	KNN	RF
AUC	0.63(0.06)	0.63(0.06)	0.55(0.05)	0.61(0.05)	0.62(0.05)

Table 10

Summary of classification results per feature

	Words	Links	Emoticons	W2V
AUC	0.70(0.09)	0.50(0.00)	0.54(0.03)	0.69(0.11)

As a complement of Table 9, in Table 11 the average training and test times per model and per feature is presented. The slowest model on average is RF, specially with words. The fastest one is NB, with any feature. Thus, even if RF has a similar general performance than SVM and LR, the later models are on average faster to train and test. Regarding features, words are the slowest for training and testing, whilst links and emoticons/emojis are the fastest. W2V features also have fast training and test times, since in that case there are only 300 features to represent a document. These features could be preferred over words because of the similar performance, but faster times.

Table 11

Averages of training and testing times in minutes

	Training				Testing
	Words	Links	Emoticons	W2V	Words	Links	Emoticons	W2V	AVG
SVM	1.22	0.08	0.08	0.52	0.45	0.03	0.06	0.32	0.35
LR	0.93	0.02	0.01	0.13	0.59	0.01	0.01	0.06	0.22
NB	0.00	0.00	0.00	0.00	0.51	0.01	0.01	0.01	0.07
KNN	1.59	0.42	0.47	0.53	1.04	0.25	0.27	0.27	0.61
RF	9.71	0.06	0.03	0.15	5.34	0.03	0.02	0.09	1.93
AVG	2.69	0.11	0.12	0.27	1.58	0.07	0.07	0.15

To test if there is an association between the amount of shared content and the classification performance, first, the degree of similarity between the feature distributions of two datasets using the Jaccard index was calculated. This index is defined by Eq. (3), where A is the feature vocabulary of one dataset and B the feature vocabulary of another. Jaccard index takes values from 0 to 1, being 0 if the datasets do not share any feature, and 1 if they share all the features. Table 12 contains the Jaccard indices for each pair of datasets using words and emoticons/emojis. It is important to mention that links were not consider since for such feature most of the classification results are similar, no matter the datasets used for training and testing. $J (A, B) = \frac{| A \cap B |}{| A \cup B |}$ (3)

Table 12

Jaccard indices for words and emoticons/emojis

	Words					Emoticons
	TR	GS	SA	EN	LS	TR	GS	SA	EN	LS
TR	1.000	0.080	0.009	0.010	0.005	1.000	0.335	0.529	0.481	0.414
GS	-	1.000	0.101	0.128	0.131	-	1.000	0.348	0.376	0.320
SA	-	-	1.000	0.107	0.094	-	-	1.000	0.435	0.477
EN	-	-	-	1.000	0.121	-	-	-	1.000	0.487
LS	-	-	-	-	1.000	-	-	-	-	1.000

Afterwards, the Pearson correlation coefficient of the Jaccard indices of a training dataset and its test datasets, and the classification results of using that training dataset and those test datasets was calculated. The correlation was computed per feature. For that, the same Jaccard indices for each classifier were repeated and concatenated the results of the different classifiers in a single array. In Table 13, the correlations for each dataset used for training are shown. From that table, it is observed that effectively there is, in general, a correlation between the amount of shared content of a training dataset with the test datasets, and the classification performance. That could mean that the more features two datasets share, the higher the expected classification results in a cross-dataset experiment. The correlation is stronger with emoticons/emojis for datasets TR and SA, which are the ones that contain more emoticons/emojis in their emails. The negative correlation seen in the GS dataset could be due to the very few emoticons/emojis this dataset contains. On the other hand, the low correlation presented in words is due to GS producing better results when classifying a dataset with a lower Jaccard index (SA dataset) than another with a higher index (EN), but considering that SA is a much smaller dataset and it is easier to classify.

Table 13

Correlation between Jaccard indices and classification results when using a specific dataset for training

	Words	Emoticons
TR	0.880	0.903
GS	0.511	-0.608
SA	0.735	0.962
EN	0.857	0.739
LS	0.784	0.809

5 Conclusions

In this work, an analysis of different machine learning models and content-based features for email classification in a cross-dataset setting has been presented. Emails were classified in two classes, spam and ham. Models and features were tested with a set of five different datasets conducting both, same-dataset and cross-dataset experiments, this in order to analyze the complexity of the later. In the cross-dataset scenario, models were trained using emails from a dataset and test the models using emails from another dataset; considering the fact that the datasets were collected under different independent setups. This has the purpose of simulating future variable or unpredictable conditions in the emails content distributions as could happen in a real setting. From the results obtained with the experiments with cross-dataset classification, the following can be concluded:

Cross-dataset experiments produce lower results than the same-dataset experiments, with differences of more than 20%, indicating that the former problem is more complex to solve.

Discriminative classifiers SVM and LR tend to perform better on average than other machine learning approaches, no matter the features used for building the models.

Random Forrest shows a good performance in different experiments, but it tends to require more time for training and testing.

Words and W2V as features tend to produce the highest values in classification, averaging over all the classification methods. Nevertheless, W2V uses a shorter representation for emails, and has lower training and testing times.

Links are moderately present in emails in the datasets, and they do not represent a good feature to discriminate among classes. Most of the models using this feature reach a performance comparable to a random classifier.

Emoticons/emojis carry some discriminative information to separate the email classes. Nevertheless, given the very low presence of this feature in emails of the datasets, models using them have limited performance.

Small datasets, such as LS and SA, are relatively easy to classify when training a model with a bigger dataset since the feature distribution of the bigger dataset should capture the content of the small dataset.

With words and emoticons/emojis as features, there is a general correlation between the amount of shared content between two datasets and the expected classification performance when using such datasets for training and testing.

Directions for further research include the use of other features, such as projections over discriminative spaces (e.g. Linear Discriminant Analysis or Biased Discriminant Analysis), and other types of deep learning features (such as Doc2Vec or Thought Vectors); and the use of feature selection methods, to choose features with more discriminative power between classes.

Footnotes

Available at:

Code is available at https://bit.ly/2loKQsQ, and datasets at [].

References

Bergholz

, De Beer

, Glahn

, Moens

M.-F.

, Paaß

and Strobel

, New filtering approaches for phishing email, Journal of Computer Security18(1) (2010), 7–35.

Bhowmick

and Hazarika

S.M.

, E-mail spam filtering: A review of techniques and trends, In Advances in Electronics Communication and Computing, pp. 583–590. Springer, (2018).

Blanzieri

and Bryl

, A survey of learning-based techniques of email spam filtering, Artificial Intelligence Review29(1) (2008), 63–92.

Bratko

, Cormack

G.V.

, Filipič

, Lynam

T.R.

and Zupan

, Spam filtering using statistical data compression models, Journal of Machine Learning Research7(Dec) (2006), 2673–2698.

Chang

M.-w.

, Yih

W.-t.

and Meek

, Partitioned logistic regression for spam filtering, In Proceedings of the 14th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, pp. 97–105. ACM, (2008).

Clark

, Koprinska

and Poon

, A neural network based approach to automated e-mail classification, In Proceedings IEEE/WIC International Conference on Web Intelligence (WI 2003), pp. 702–705. IEEE, (2003).

Cormack

G.V.

, et al., Email spam filtering: A systematic review, Foundations and TrendsR in Information Retrieval1(4) (2008), 335–455.

Dada

E.G.

, Bassi

J.S.

, Chiroma

, Adetunmbi

A.O.

, Ajibuwa

O.E.

, et al., Machine learning for email spam filtering: review, Approaches and Open Research Problems, Heliyon, 5 (6) e01802 (2019).

Drucker

, Wu

and Vapnik

V.N.

, Support vector machines for spam categorization, IEEE Transactions on Neural Networks10(5) (1999), 1048–1054.

10.

Fawcett

, An introduction to roc analysis, Pattern Recognition Letters27(8) (2006), 861–874.

11.

Firte

, Lemnaru

and Potolea

, Spam detection filter using knn algorithm and resampling, In Proceedings of the 2010 IEEE 6th International Conference on Intelligent Computer Communication and Processing, pp. 27–33. IEEE, (2010).

12.

Gansterer

W.N.

and Pölz

, E-mail classification for phishing defense, In European Conference on Information Retrieval, pp. 449–460. Springer, (2009).

13.

Gomez

J.C.

and Moens

M.-F.

, Using biased discriminant analysis for email filtering, In International Conference on Knowledge-Based and Intelligent Information and Engineering Systems, pp. 566–575. Springer, (2010).

14.

Gomez

J.C.

and Moens

M.-F.

, Pca document reconstruction for email classification, Computational Statistics & Data Analysis56(3) (2012), 741–751.

15.

Gomez

J.C.

, Boiy

and Moens

M.-F.

, Highly discriminative statistical features for email classification, Knowledge and Information Systems31(1) (2012), 23–53.

16.

Grbovic

, Halawi

, Karnin

and Maarek

, Howmany folders do you really need?: Classifying email into a handful of categories, In Proceedings of the 23rd ACMInternational Conference on Conference on Information and Knowledge Management, pp. 869–878. ACM, (2014).

17.

Guzella

T.S.

and Caminhas

W.M.

, A review of machine learning approaches to spam filtering, Expert Systems with Applications36(7) (2009), 10206–10222.

18.

Jain

, Sharma

and Agarwal

, Optimizing semantic lstm for spam detection, International Journal of Information Technology11(2) (2019), 239–250.

19.

Kanaris

, Kanaris

, Houvardas

and Stamatatos

, Words versus character n-grams for anti-spam filtering, International Journal on Artificial Intelligence Tools16(06) (2007), 1047–1067.

20.

Kumar

R.K.

, Poonkuzhali

and Sudhakar

, Comparative study on email spam classifier using data mining techniques, In Proceedings of the International MultiConference of Engineers and Computer Scientists1 (2012), pp. 14–16.

21.

Martin

, Nelson

, Sewani

, Chen

and Joseph

A.D.

, Analyzing behavioral features for email classification, In CEAS, (2005).

22.

Metsis

, Androutsopoulos

and Paliouras

, Spam filtering with naive bayes-which naive bayes? In CEAS, 17 pp. 28–69. Mountain View, CA, (2006).

23.

Meyer

T.A.

and Whateley

, Spambayes: Effective open-source, bayesian based, email classification system, In CEAS. Citeseer, (2004).

24.

Mikolov

, Sutskever

, Chen

, Corrado

G.S.

and Dean

, Distributed representations of words and phrases and their compositionality, In Advances in Neural Information Processing Systems (2013), pp. 3111–3119,

25.

Morales

, Gomez

J.C.

and Van Amerongen

, Email datasets for cross dataset experiments, (2019). URL https://doi.org/10.7910/DVN/V7IFSM.

26.

Quionero-Candela

, Sugiyama

, Schwaighofer

and Lawrence

N.D.

, Dataset shift in machine learning, The MIT Press, (2009).

27.

Sahami

, Dumais

, Heckerman

and Horvitz

, A bayesian approach to filtering junk e-mail, In Learning for Text Categorization: Papers from the 1998 workshop, 62 pp. 98–105. Madison, Wisconsin, (1998).

28.

Sakkis

, Androutsopoulos

, Paliouras

, Karkaletsis

, Spyropoulos

C.D.

and Stamatopoulos

, Stacking classifiers for anti-spam filtering of e-mail, arXiv preprint cs/0106040, (2001).

29.

Sharma

A.K.

, Prajapat

S.K.

and Aslam.

, A comparative study between naive bayes and neural network (mlp) classifier for spam email detection, In Ijca Proceedings On National Seminar On Recent Advances In Wireless Networks And Communications, Foundation of Computer Science (FCS), 2 (2014), pp. 12–16.

30.

Tang

, Pei

and Luk

W.-S.

, Email mining: tasks, common techniques, and tools, Knowledge and Information Systems41(1) (2014), 1–31.

31.

Tretyakov

, Machine learning techniques in spam filtering, In Data Mining Problem-oriented Seminar, MTAT, 3 pp. 60–79. Citeseer, (2004).

32.

Wang

, Liu

, Feng

and Zhu

, Novel feature selection method based on harmony search for email classification, Knowledge-Based Systems73 (2015), 311–323.

33.

Youn

and McLeod

, A comparative study for email classification, In Advances and Innovations in Systems, Computing Sciences and Software Engineering pp. 387–391. Springer, (2007).

34.

Zhang

, Zhu

and Yao

, An evaluation of statistical spam filtering techniques, ACM Transactions on Asian Language Information Processing (TALIP)3(4) (2004), 243–269.

Cross-dataset email classification

Abstract

Keywords

1 Introduction

2 Related works

3 Materials and methods

3.1 Datasets description

Table 1 Datasets content breakdown Dataset Spam Ham Total % Spam % Ham TR 50071 25217 75288 66.51 33.49 GS 30761 9186 39947 77.00 23.00 SA 1892 4144 6036 31.35 68.65 EN 17110 16544 33654 50.84 49.16 LS 481 2412 2893 16.63 83.37

Table 3 Hyper-parameter to optimize in each method Classifier HP Description Values SVM C Regularization parameter [0.1, 1, 10, 100] LR C Regularization parameter [0.1, 1, 10, 100] KNN K Number of neighbors [1, 2, 3, 5, 10] RF n Number of trees in the forest [5, 10, 15, 20]

Footnotes

References

Table 1
Datasets content breakdown

Dataset Spam Ham Total % Spam % Ham

TR 50071 25217 75288 66.51 33.49

GS 30761 9186 39947 77.00 23.00

SA 1892 4144 6036 31.35 68.65

EN 17110 16544 33654 50.84 49.16

LS 481 2412 2893 16.63 83.37

Table 3
Hyper-parameter to optimize in each method

Classifier HP Description Values

SVM C Regularization parameter [0.1, 1, 10, 100]

LR C Regularization parameter [0.1, 1, 10, 100]

KNN K Number of neighbors [1, 2, 3, 5, 10]

RF n Number of trees in the forest [5, 10, 15, 20]