Journal of Xidian University ›› 2023, Vol. 50 ›› Issue (4): 34-44.doi: 10.19665/j.issn1001-2400.2023.04.004

• Special Issue on Cyberspace Security • Previous Articles     Next Articles

Detecting compromised email accounts via spatiotemporal login behavior analysis

ZHAO Jianjun1,2(),WANG Xutong1,2(),CUI Xiang3(),LIU Qixu1,2()   

  1. 1. Institute of Information Engineering,Chinese Academy of Sciences,Beijing 100089,China
    2. School of Cyber Security,University of Chinese Academy of Sciences,Beijing 100089,China
    3. Zhongguancun Laboratory,Beijing 100089,China
  • Received:2023-01-15 Online:2023-08-20 Published:2023-10-17
  • Contact: Qixu LIU;;;


Compromised email accounts detection faces various challenges in the system administration and attack forensics,such as the lack of threat intelligence,a large amount of data to be analyzed,and the difficulty with direct confirmation with the email owners.To address the above problems,this paper proposes a compromised email accounts detection method using only login logs without relying on any labeled samples.First,this paper summarizes the attack features and proposes an email accounts compromise model.Second,based on the email accounts compromise model,this paper characterizes the spatial similarity and temporal synchronization when invading the email accounts.When using the spatial similarity to detect the compromised email accounts,this paper uses graphs to construct the spatial distances between accounts;and then,the accounts with a similar spatial distance are grouped into the same community,and the possibility of accounts compromising is evaluated according to the community size.When using the temporal synchronization to detect the compromised email accounts,this paper proposes a metric to describe the abnormal login behaviors and evaluates the possibility of compromise by checking if other accounts have similar abnormal behaviors in the same period.Finally,a sorted list of email accounts is outputted to provide priority reference for analysts according to the possibility of compromise.Experimental results show that the method proposed in this paper can detect about 98% of the compromised email accounts with 70% workload reduced,and the detection effect is better than that of the similar studies.Additionally,the detection method can discover the unknown attackers and the undisclosed malicious IP addresses.

Key words: compromised email detection, spatiotemporal analysis, cyber attack attribution

CLC Number: 

  • TN915.08