1. Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100089, China
2. School of Cyber Security, University of Chinese Academy of Sciences, Beijing 100089, China
3. Zhongguancun Laboratory, Beijing 100089, China
ZHAO Jianjun (b. 1990), male, PhD candidate, University of Chinese Academy of Sciences, E-mail: [email protected];
WANG Xutong (b. 1997), male, PhD candidate, University of Chinese Academy of Sciences, E-mail: [email protected];
CUI Xiang (b. 1978), male, professor, E-mail: [email protected];
LIU Qixu (b. 1984), male, professor, E-mail: [email protected]
ZHAO Jianjun, WANG Xutong, CUI Xiang, et al. Research on compromised email account detection based on login behavior analysis[J]. Journal of Xidian University, 2023, 50(4): 34-44. DOI: 10.19665/j.issn1001-2400.2023.04.004.
Compromised email account detection faces several challenges in system administration and attack forensics, such as insufficient threat intelligence, the large amount of data to be analyzed, and the difficulty of confirming directly with the account owners. To address these problems, this paper proposes a method for detecting compromised email accounts that uses only login logs as its data source and does not rely on any labeled samples. First, the paper summarizes the attack techniques used against email accounts and distills an email account compromise model. Second, based on this model, it characterizes, from the spatial and temporal points of view, the spatial similarity and temporal synchronization that an attacker exposes when intruding into email accounts. When spatial similarity is used to detect compromised accounts, a graph describes the spatial distance between accounts; accounts at a close spatial distance are grouped into the same community, and the likelihood of compromise is evaluated from the community size. When temporal synchronization is used, the paper proposes a way to describe abnormal login behavior and evaluates the likelihood of compromise by checking whether the abnormal behavior of multiple accounts is concentrated within the same period. Finally, a list of email accounts sorted by likelihood of compromise is output to give analysts a priority reference. Experimental results show that the proposed method detects about 98% of compromised email accounts while reducing the workload by about 70%, that its detection performance is better than that of comparable studies, and that it can discover unknown attackers and undisclosed malicious IP addresses.
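As an added illustration of the two signals the abstract describes (this is not the paper's code), the following Python ranks accounts from a constructed login log: accounts that share a login source IP are linked and grouped into communities (connected components here, standing in for the paper's distance graph and Louvain step), and abnormal logins from several accounts that fall into the same time window raise their scores. The log records, the shared-IP edge rule, the fixed 8-hour window and the additive scoring are all assumptions made for this example.

```python
from collections import defaultdict
from itertools import combinations

LOGINS = [  # constructed, not real data: (account, source_ip, hours since window start)
    ("alice", "10.0.0.1", 1), ("bob", "10.0.0.2", 2), ("dave", "10.0.0.4", 3),
    ("erin", "10.0.0.5", 4), ("carol", "10.0.0.3", 5), ("alice", "10.0.0.1", 30),
    ("bob", "10.0.0.2", 40),  # routine logins from each account's usual source
    ("alice", "198.51.100.7", 50), ("bob", "198.51.100.7", 51),  # one new source
    ("carol", "198.51.100.7", 52), ("dave", "198.51.100.7", 53),  # reaches 4 accounts
    ("erin", "203.0.113.9", 70),  # a lone new source: weak evidence on its own
]

def spatial_communities(logins):
    """Link accounts that share a login source IP and return the connected
    components (assumption: stands in for the paper's distance graph and Louvain)."""
    by_ip, parent = defaultdict(set), {}
    def find(x):  # union-find root; recursion is fine for small inputs
        parent.setdefault(x, x)
        return x if parent[x] == x else find(parent[x])
    for acct, ip, _ in logins:
        by_ip[ip].add(acct)
    for accts in by_ip.values():
        for a, b in combinations(sorted(accts), 2):
            parent[find(a)] = find(b)
    comms = defaultdict(set)
    for acct, _, _ in logins:
        comms[find(acct)].add(acct)
    return sorted(comms.values(), key=len, reverse=True)

def temporal_sync(logins, window=8):
    """A login is abnormal when the account has history and the IP is new to it;
    return, per fixed `window`-hour bucket, the accounts with an abnormal login."""
    seen, buckets = defaultdict(set), defaultdict(set)
    for acct, ip, hour in sorted(logins, key=lambda r: r[2]):
        if seen[acct] and ip not in seen[acct]:
            buckets[hour // window].add(acct)
        seen[acct].add(ip)
    return dict(buckets)

def rank_accounts(logins, window=8):
    """Score = community size + accounts sharing the abnormal window; high first."""
    score = defaultdict(int)
    for comm in spatial_communities(logins):
        for a in comm:
            score[a] += len(comm)
    for accts in temporal_sync(logins, window).values():
        for a in accts:
            score[a] += len(accts)
    return sorted(score.items(), key=lambda kv: (-kv[1], kv[0]))
```

With the constructed log, the four accounts reached from the shared new source form one community and one abnormal window, so they sort to the top, while the single unfamiliar login for `erin` scores low; fixed buckets can split a burst that straddles a boundary, which a sliding window would avoid.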
Keywords: compromised email detection; spatiotemporal analysis; cyber attack attribution