Journal of Xidian University ›› 2023, Vol. 50 ›› Issue (4): 34-44. doi: 10.19665/j.issn1001-2400.2023.04.004

• Cyberspace Security Column •

Detecting compromised email accounts via spatiotemporal login behavior analysis

ZHAO Jianjun 1,2; WANG Xutong 1,2; CUI Xiang 3; LIU Qixu 1,2

  1. Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100089, China
  2. School of Cyber Security, University of Chinese Academy of Sciences, Beijing 100089, China
  3. Zhongguancun Laboratory, Beijing 100089, China
  • Received: 2023-01-15  Online: 2023-08-20  Published: 2023-10-17
  • Corresponding author: LIU Qixu
  • Author biographies: ZHAO Jianjun (born 1990), male, PhD candidate, University of Chinese Academy of Sciences, e-mail: zhaojianjun@iie.ac.cn; WANG Xutong (born 1997), male, PhD candidate, University of Chinese Academy of Sciences, e-mail: wangxutong@iie.ac.cn; CUI Xiang (born 1978), male, professor, e-mail: cuix@mail.zgclab.edu.cn
  • Funding:
    Youth Innovation Promotion Association of the Chinese Academy of Sciences (2019163); National Natural Science Foundation of China (61902396); Strategic Priority Research Program of the Chinese Academy of Sciences (XDC02040100); Key Laboratory of Network Assessment Technology, Chinese Academy of Sciences, and Beijing Key Laboratory of Network Security and Protection Technology

Abstract:

Identifying compromised email accounts is difficult in both day-to-day security operations and attack attribution: the available threat intelligence is often insufficient, the volume of data to examine is large, and a compromise is hard to confirm directly with the account owner. To address these problems, this paper proposes a method for detecting compromised email accounts that uses login logs as its only data source and does not rely on any labeled samples. First, the attack techniques used against email accounts are summarized into an account-compromise model. Second, on the basis of that model, the spatial similarity and temporal synchronization that an attacker exposes when taking over accounts are characterized. For spatial similarity, a graph describes the spatial distance between accounts; accounts at a small spatial distance are grouped into the same community, and the likelihood of compromise is scored by community size. For temporal synchronization, a description of abnormal login behavior is proposed, and the likelihood of compromise is scored by whether the abnormal behavior of several accounts is concentrated in the same period. Finally, a list of accounts ranked by compromise likelihood is produced to give analysts a triage order. Experiments show that the method detects about 98% of compromised accounts while reducing analyst workload by about 70%, outperforms comparable work, and can surface previously unknown attackers and undisclosed malicious IP addresses.

Key words: compromised email detection, spatiotemporal analysis, cyber attack attribution
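The two signals the abstract describes can be run end to end on a small constructed login log. The following Python is an added illustration written for this page, not the authors' implementation: the paper does not specify its distance metric, community detection algorithm, abnormality description or scoring, so the choices below are assumptions standing in for them. Spatial distance is approximated by whether two accounts' abnormal logins come from the same /24, communities are the connected components of that sharing graph, an abnormal login is one from a /24 the account never used during a baseline period, temporal synchronization counts how many accounts have abnormal logins within one hour of each other, and the final rank multiplies the two scores. The log lines, account names, IP addresses and timestamps are all constructed.

```python
"""Rank mailboxes by spatiotemporal evidence of compromise (added example).

Assumed scheme, not the paper's: /24 sharing for spatial similarity,
connected components for communities, a one-hour window for temporal sync.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_network

# Constructed login log for the example: (account, source IP, ISO timestamp).
# Logins before BASELINE_END define each account's usual networks.
LOGIN_LOG = [
    ("alice", "192.0.2.10",    "2023-01-02T08:55:00"),
    ("alice", "192.0.2.11",    "2023-01-03T09:10:00"),
    ("bob",   "192.0.2.20",    "2023-01-02T09:01:00"),
    ("bob",   "192.0.2.20",    "2023-01-04T08:47:00"),
    ("carol", "198.51.100.5",  "2023-01-02T10:30:00"),
    ("carol", "198.51.100.5",  "2023-01-05T10:02:00"),
    ("dave",  "198.51.100.8",  "2023-01-03T07:58:00"),
    ("erin",  "192.0.2.33",    "2023-01-02T08:30:00"),
    ("frank", "198.51.100.12", "2023-01-02T11:15:00"),
    # Day 20: three accounts are entered from one unfamiliar /24 within 40 minutes.
    ("alice", "203.0.113.7",   "2023-01-20T03:12:00"),
    ("bob",   "203.0.113.7",   "2023-01-20T03:31:00"),
    ("carol", "203.0.113.9",   "2023-01-20T03:50:00"),
    # dave logs in once from a new network, alone and days later (e.g. travel).
    ("dave",  "10.9.8.7",      "2023-01-25T14:00:00"),
    ("erin",  "192.0.2.33",    "2023-01-20T08:40:00"),
    ("frank", "198.51.100.12", "2023-01-20T09:05:00"),
]
BASELINE_END = datetime.fromisoformat("2023-01-10T00:00:00")
WINDOW = timedelta(hours=1)  # assumed synchronization window


def prefix(ip: str) -> str:
    """Coarsen an IPv4 address to its /24, the unit of 'space' used here."""
    return str(ip_network(f"{ip}/24", strict=False))


def parse(log):
    return [(acct, ip, datetime.fromisoformat(ts)) for acct, ip, ts in log]


def anomalous_logins(events):
    """Post-baseline logins from a /24 the account never used in the baseline."""
    baseline = defaultdict(set)
    for acct, ip, ts in events:
        if ts < BASELINE_END:
            baseline[acct].add(prefix(ip))
    return [(acct, prefix(ip), ts) for acct, ip, ts in events
            if ts >= BASELINE_END and prefix(ip) not in baseline[acct]]


def spatial_communities(anoms):
    """Union-find over accounts whose abnormal logins share a /24.
    Returns account -> size of its community (larger = more suspicious)."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    by_prefix = defaultdict(set)
    for acct, pfx, _ in anoms:
        find(acct)                 # register the account as a node
        by_prefix[pfx].add(acct)
    for accts in by_prefix.values():
        accts = sorted(accts)
        for other in accts[1:]:    # same /24 => same community
            parent[find(other)] = find(accts[0])
    size = defaultdict(int)
    for acct in list(parent):
        size[find(acct)] += 1
    return {acct: size[find(acct)] for acct in list(parent)}


def temporal_sync(anoms):
    """Account -> largest number of distinct accounts (itself included) with an
    abnormal login inside +-WINDOW of one of its own abnormal logins."""
    score = {}
    for acct, _, ts in anoms:
        peers = {a for a, _, t in anoms if abs(t - ts) <= WINDOW}
        score[acct] = max(score.get(acct, 0), len(peers))
    return score


def rank_accounts(log):
    """Return (account, community_size, sync_count, score) sorted for triage."""
    events = parse(log)
    anoms = anomalous_logins(events)
    spatial, temporal = spatial_communities(anoms), temporal_sync(anoms)
    rows = []
    for acct in sorted({a for a, _, _ in events}):
        s, t = spatial.get(acct, 0), temporal.get(acct, 0)
        rows.append((acct, s, t, s * t))  # accounts with no abnormal login score 0
    rows.sort(key=lambda r: (-r[3], r[0]))
    return rows


if __name__ == "__main__":
    for acct, s, t, score in rank_accounts(LOGIN_LOG):
        print(f"{acct:6} community={s} sync={t} score={score}")
```

On this input the three accounts entered from 203.0.113.0/24 within 40 minutes rank first (community of 3, synchronization of 3), the lone travel login ranks below them with a score of 1, and accounts that never left their baseline networks score 0, which is the triage order the abstract's ranked list is meant to give an analyst. In a real deployment the baseline window, prefix granularity and synchronization window are tuning parameters, and a single shared prefix is a weak tie on its own: shared consumer NAT or corporate egress will link unrelated accounts, so the community signal is only meaningful in combination with the temporal one.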

CLC number:

  • TN915.08