Introduction
In the rapidly evolving landscape of cybersecurity, AI-powered email protection is becoming increasingly sophisticated. This tutorial will guide you through building a basic AI email fraud detection system using Python and machine learning concepts. You'll learn how to analyze email content, extract features, and build a model that can identify potential phishing attempts based on contextual analysis.
Prerequisites
- Python 3.7+ installed on your system
- Basic understanding of machine learning concepts
- Knowledge of Python libraries like pandas, scikit-learn, and nltk
- Access to a dataset of emails (we'll use a sample dataset for this tutorial)
Step-by-Step Instructions
1. Setting Up Your Environment
1.1 Install Required Libraries
First, we need to install the necessary Python libraries for our email analysis system.
pip install pandas scikit-learn nltk numpy matplotlib seaborn1.2 Import Libraries
Start by importing the required libraries in your Python script:
import pandas as pd
import numpy as np
from sklearn.model_selection import train_test_split
from sklearn.feature_extraction.text import TfidfVectorizer
from sklearn.ensemble import RandomForestClassifier
from sklearn.metrics import accuracy_score, classification_report
import nltk
from nltk.corpus import stopwords
from nltk.tokenize import word_tokenize
import re1.3 Download NLTK Data
We'll use NLTK for text processing, so download the required datasets:
nltk.download('punkt')
nltk.download('stopwords')2. Data Preparation and Feature Engineering
2.1 Create Sample Email Dataset
For this tutorial, we'll create a simple dataset of emails to demonstrate the concept. In a real-world scenario, you'd use a larger, more comprehensive dataset.
# Create sample dataset
emails_data = {
'email_content': [
'Congratulations! You have won $1000000. Click here to claim your prize now!',
'Hi John, can you please review the quarterly report attached? Thanks.',
'URGENT: Your account will be suspended. Verify your information immediately.',
'Meeting scheduled for tomorrow at 2 PM in conference room A.',
'You have been selected for a special offer. Act now before it expires!',
'Please find the updated project timeline attached for your review.',
'Security alert: Unauthorized access detected. Reset your password immediately.',
'Thank you for your presentation yesterday. The team looks forward to your follow-up.',
'Free iPhone giveaway! Click here now to enter!',
'Please confirm your attendance for the upcoming team building event.'
],
'is_phishing': [1, 0, 1, 0, 1, 0, 1, 0, 1, 0]
}
df = pd.DataFrame(emails_data)
print(df.head())2.2 Text Preprocessing
Before we can analyze emails, we need to clean and preprocess the text data:
def preprocess_text(text):
# Convert to lowercase
text = text.lower()
# Remove special characters and digits
text = re.sub(r'[^a-zA-Z\s]', '', text)
# Tokenize
tokens = word_tokenize(text)
# Remove stopwords
stop_words = set(stopwords.words('english'))
tokens = [token for token in tokens if token not in stop_words]
return ' '.join(tokens)
# Apply preprocessing to email content
df['processed_content'] = df['email_content'].apply(preprocess_text)
print(df[['email_content', 'processed_content']].head())3. Feature Extraction and Model Training
3.1 TF-IDF Vectorization
Transform the text data into numerical features using TF-IDF (Term Frequency-Inverse Document Frequency) vectorization:
# Initialize TF-IDF vectorizer
vectorizer = TfidfVectorizer(max_features=1000, ngram_range=(1, 2))
# Fit and transform the processed content
X = vectorizer.fit_transform(df['processed_content'])
Y = df['is_phishing']
print(f"Feature matrix shape: {X.shape}")3.2 Split Data for Training and Testing
Split the dataset into training and testing sets to evaluate our model's performance:
# Split the data
X_train, X_test, Y_train, Y_test = train_test_split(
X, Y, test_size=0.3, random_state=42, stratify=Y
)
print(f"Training set size: {X_train.shape[0]}")
print(f"Testing set size: {X_test.shape[0]}")3.3 Train the Classification Model
Train a Random Forest classifier to detect phishing emails based on our extracted features:
# Initialize and train the model
model = RandomForestClassifier(n_estimators=100, random_state=42)
model.fit(X_train, Y_train)
# Make predictions
y_pred = model.predict(X_test)
# Evaluate the model
accuracy = accuracy_score(Y_test, y_pred)
print(f"Model Accuracy: {accuracy:.2f}")
print("\nClassification Report:")
print(classification_report(Y_test, y_pred))4. Email Analysis Function
4.1 Create Prediction Function
Now we'll create a function that can analyze new emails and determine if they're likely to be phishing attempts:
def analyze_email(email_text):
# Preprocess the email
processed_email = preprocess_text(email_text)
# Transform using the same vectorizer
email_vector = vectorizer.transform([processed_email])
# Make prediction
prediction = model.predict(email_vector)[0]
probability = model.predict_proba(email_vector)[0]
return {
'is_phishing': bool(prediction),
'confidence': max(probability),
'details': f"{'Phishing' if prediction else 'Legitimate'} with {max(probability):.2f} confidence"
}4.2 Test the Analysis Function
Test our analysis function with sample emails:
# Test with new emails
test_emails = [
"Congratulations! You've won a million dollars! Click here now!",
"Hi team, please review the quarterly report attached.",
"URGENT: Your account will be suspended. Click here to verify now!"
]
for email in test_emails:
result = analyze_email(email)
print(f"Email: {email[:50]}...")
print(f"Result: {result['details']}")
print("-" * 50)5. Model Enhancement and Improvement
5.1 Feature Engineering
Enhance our model by adding more sophisticated features:
def extract_features(email_text):
features = {}
# Basic text features
features['length'] = len(email_text)
features['num_exclamation'] = email_text.count('!')
features['num_question'] = email_text.count('?')
features['num_caps'] = sum(1 for c in email_text if c.isupper())
# Common phishing keywords
phishing_keywords = ['urgent', 'immediate', 'verify', 'account', 'password', 'click here']
features['phishing_keywords'] = sum(1 for keyword in phishing_keywords if keyword in email_text.lower())
return features
# Apply feature extraction to our dataset
feature_df = df['email_content'].apply(extract_features).apply(pd.Series)
print(feature_df.head())5.2 Combine Text and Feature-Based Models
Combine both text-based and feature-based approaches for better detection:
# Combine TF-IDF features with engineered features
from scipy.sparse import hstack
# Get TF-IDF features
tfidf_features = vectorizer.fit_transform(df['processed_content'])
# Combine with engineered features
combined_features = hstack([tfidf_features, feature_df.values])
# Retrain model with combined features
X_train_combined, X_test_combined, Y_train, Y_test = train_test_split(
combined_features, Y, test_size=0.3, random_state=42, stratify=Y
)
# Train enhanced model
enhanced_model = RandomForestClassifier(n_estimators=100, random_state=42)
enhanced_model.fit(X_train_combined, Y_train)
# Test enhanced model
y_pred_enhanced = enhanced_model.predict(X_test_combined)
accuracy_enhanced = accuracy_score(Y_test, y_pred_enhanced)
print(f"Enhanced Model Accuracy: {accuracy_enhanced:.2f}")Summary
In this tutorial, you've learned how to build a foundational AI email fraud detection system. You've covered text preprocessing, feature extraction using TF-IDF, model training with Random Forest, and created a prediction function for new emails. The system demonstrates key concepts used in real-world AI security platforms like Ocean that analyze email context to detect fraud and impersonation attempts.
The approach shown here is simplified but demonstrates the core principles of how agentic email security platforms work. In production systems, you'd incorporate more sophisticated techniques like deep learning models, real-time threat intelligence feeds, and continuous learning from new data patterns.
