基于登录行为分析的失陷邮箱检测技术研究

doi:10.19665/j.issn1001-2400.2023.04.004

Abstract

Abstract:

Compromised email accounts detection faces various challenges in the system administration and attack forensics,such as the lack of threat intelligence,a large amount of data to be analyzed,and the difficulty with direct confirmation with the email owners.To address the above problems,this paper proposes a compromised email accounts detection method using only login logs without relying on any labeled samples.First,this paper summarizes the attack features and proposes an email accounts compromise model.Second,based on the email accounts compromise model,this paper characterizes the spatial similarity and temporal synchronization when invading the email accounts.When using the spatial similarity to detect the compromised email accounts,this paper uses graphs to construct the spatial distances between accounts;and then,the accounts with a similar spatial distance are grouped into the same community,and the possibility of accounts compromising is evaluated according to the community size.When using the temporal synchronization to detect the compromised email accounts,this paper proposes a metric to describe the abnormal login behaviors and evaluates the possibility of compromise by checking if other accounts have similar abnormal behaviors in the same period.Finally,a sorted list of email accounts is outputted to provide priority reference for analysts according to the possibility of compromise.Experimental results show that the method proposed in this paper can detect about 98% of the compromised email accounts with 70% workload reduced,and the detection effect is better than that of the similar studies.Additionally,the detection method can discover the unknown attackers and the undisclosed malicious IP addresses.

Key words: compromised email detection, spatiotemporal analysis, cyber attack attribution

CLC Number:

TN915.08

ZHAO Jianjun,WANG Xutong,CUI Xiang,LIU Qixu. Detecting compromised email accounts via spatiotemporal login behavior analysis[J].Journal of Xidian University, 2023, 50(4): 34-44.

Figures/Tables 8

References 20

[1]	MITRE. Enterprise Matrix (2023)[EB/OL].[2023-04-06]. https://attack.mitre.org/matrices/enterprise.
[2]	王平, 汪定, 黄欣沂. 口令安全研究进展[J]. 计算机研究与发展, 2016, 53(10):2173-2188.
	WANG Ping, WANG Ding, HUANG Xinyi. Advances in Password Security[J]. Journal of Computer Research and Development, 2016, 53(10):2173-2188.
[3]	DING X, LIU B, JIANG Z, et al. Spear Phishing Emails Detection Based on Machine Learning[C]// 2021 IEEE 24th International Conference on Computer Supported Cooperative Work in Design(CSCWD).Piscataway:IEEE, 2021:354-359.
[4]	STRINGHINI G, THONNARD O. That Ain’t You:Blocking Spearphishing Through Behavioral Modelling[C]// International Conference on Detection of Intrusions and Malware,and Vulnerability Assessment.Berlin:Springer, 2015:78-97.
[5]	GASCON H, ULLRICH S, STRITTERB, et al. Reading Betweenthe Lines:Content-Agnostic Detection of Spear-Phishing Emails[C]// International Symposium on Research in Attacks,Intrusions,and Defenses.Berlin:Springer, 2018:69-91.
[6]	WANG X J, ZHANG C X, ZHENG K F, et al. Detecting Spear-Phishing Emails Based on Authentication[C]// 2019 IEEE 4th International Conference on Computer and Communication Systems(ICCCS).Piscataway:IEEE, 2019:450-456.
[7]	HU X, LI B, ZHANG Y, et al. Detecting Compromised Email Accountsfrom the Perspective of Graph Topology[C]// Proceedings of the 11th International Conference on Future Internet Technologies. New York: ACM, 2016:76-82.
[8]	HO G, SHARMA A, JAVED M, et al. Detecting Credential Spearphishing in Enterprise Settings[C]// 26th USENIX Security Symposium (USENIX Security 17).Berkeley:USENIX, 2017:469-485.
[9]	杨加, 李笑难, 张扬, 等. 基于大数据分析的校园电子邮件异常行为检测技术研究[J]. 通信学报, 2018, 39(Z1):116-123.
	YANG Jia, LI Xiaonan, ZHANG Yang, et al. Abnormal Behavior Detection for Campus Email Systems Based on Big Data Analysis[J]. Journal on Communications, 2018, 39(Z1):116-123.
[10]	HO G, CIDON A, GAVISH L, et al. Detecting and Characterizing Lateral Phishing at Scale[C]// 28th USENIX Security Symposium (USENIX Security 19).Berkeley:USENIX, 2019:1273-1290.
[11]	VISWANATH B, BASHIR M A, CROVELLA M, et al. Towards Detecting Anomalous User Behavior in Online Social Networks[C]// 23rd USENIX security symposium (USENIX security 14).Berkeley:USENIX, 2014:223-238.
[12]	XIN R, WU Z, WANG H, et al. Profiling Online Social Behaviors for Compromised Account Detection[J]. IEEE Transactions on Information Forensics and Security, 2015, 11(1):176-187. doi: 10.1109/TIFS.2015.2482465
[13]	EGELE M, STRINGHINI G, KRUEGEL C, et al. Towards Detecting Compromised Accounts on Social Networks[J]. IEEE Transactions on Dependable and Secure Computing, 2015, 14(4):447-460. doi: 10.1109/TDSC.2015.2479616
[14]	STRINGHINI G, MOURLANNE P, JACOB G, et al. {EVILCOHORT}:Detecting Communities of Malicious Accounts on Online Services[C]//24th USENIX Security Symposium (USENIX Security 15).Berkeley:USENIX, 2015:563-578.
[15]	王丽娜, 柯剑鹏, 叶傲霜, 等. 基于多元特征的微博被劫持账户检测[J]. 武汉大学学报:理学版, 2020, 66(2):95-102.
	WANG Lina, KE Jianpeng, YE Aoshuang, et al. Compromised Accounts Detection in Weibo Based on Multiple Features[J]. Journal of Wuhan University (Nature Science Edition), 2020, 66(2):95-102.
[16]	住房和城乡建设部城市交通基础设施监测与治理实验室, 中国城市规划设计研究院, 百度地图. 2022年度中国主要城市通勤监测报告 (2022)[R/OL].[2022-07-29]. https://huiyan.baidu.com/reports/landing?id=123.
[17]	BLONDEL V D, GUILLAUME J L, LAMBIOTTE R, et al. Fast Unfolding of Communities in Large Networks[J]. Journal of Statistical Mechanics:Theory and Experiment, 2008, 2008(10):P10008. doi: 10.1088/1742-5468/2008/10/P10008
[18]	KHAN K, REHMAN S U, AZIZ K, et al. DBSCAN:Past,Present and Future[C]// The fifth International Conference on the Applications of Digital Information and Web Technologies(ICADIWT 2014).Piscataway:IEEE, 2014:232-238.
[19]	NUR A Y, TOZAL M E. Identifying Critical Autonomous Systems in the Internet[J]. The Journal of Supercomputing, 2018, 74(10):4965-4985. doi: 10.1007/s11227-018-2336-3
[20]	ALIENVAULT. Open Threat Exchange(2023)[EB/OL].[2023-04-06]. https://otx.alienvault.com/browse/global/pulses.

数据集	日志天数	邮箱账户数	IP地址数	/24子网数	登录次数
数据集	日志天数	邮箱账户数	IP地址数	/24子网数	Web	SMTP	POP3	IMAP	合计
1	113	323	15 371	2993	25 875	47 642	320 971	1 682 202	2 076 690
2	70	2 910	68 924	17 383	99 755	23 427	691 813	13 900 911	14 715 906
3	277	1 356	84 522	16 709	312 523	237 120	981 876	19 139 990	20 671 509
4	277	1 445	86 592	17 490	274 772	91 222	1 364 399	16 358 601	18 088 994
5	277	923	44 435	9018	149 160	196 680	4 813 528	7 417 580	12 576 948

数据集	恶意子网个数	恶意子网内实际IP地址情况	失陷邮箱总数	被登录邮箱数
1	2	子网A内有1个IP地址子网B内有9个IP地址	132	子网A登录129个邮箱子网B登录7个邮箱
2	6	所有子网内均有1个IP地址	6	所有子网均只登录1个邮箱
3	2	所有子网内均有1个IP地址	3	子网I登录2个邮箱子网J登录1个邮箱
4	2	所有子网内均有1个IP地址	2	所有子网均只登录1个邮箱
5	1	子网M内有1个IP地址	55	子网M登录55个邮箱

数据集	输出邮箱数	总社区个数	最大社区内邮箱个数	社区内失陷邮箱个数/社区内邮箱总数
数据集	输出邮箱数	总社区个数	最大社区内邮箱个数	TOP1社区内	TOP2社区内	TOP5社区内
1	141	9	77	74/77	93/109	103/133
2	439	75	166	4/166	4/182	4/213
3	259	16	116	0/116	2/212	2/237
4	216	22	142	0/142	0/167	0/189
5	105	13	64	36/64	36/73	36/88

数据集	输出邮箱数	异常周个数	最大异常周异常指数	异常周内失陷邮箱个数/异常周内邮箱总数
数据集	输出邮箱数	异常周个数	最大异常周异常指数	TOP1异常周内	TOP2异常周内	TOP5异常周内
1	114	39	11 331.88	7/9	9/14	13/23
2	1 068	44	617.67	1/117	2/183	3/381
3	479	126	3 353.35	0/33	0/43	0/73
4	465	132	420.39	0/11	0/20	0/34
5	279	117	720.34	1/3	1/8	2/26

数据集	10%			20%			30%
数据集	待分析数	文中	DAS	待分析数	文中	DAS	待分析数	文中	DAS
1	32	24	14	65	44	36	97	63	37
2	291	5	4	582	5	5	873	6	5
3	136	0	1	271	0	2	406	2	3
4	145	0	0	289	0	1	433	0	1
5	92	22	10	185	39	15	275	43	19

Detecting compromised email accounts via spatiotemporal login behavior analysis

RichHTML

PDF (PC)

Like

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 8

References 20

Related Articles 9

Metrics

Comments

Recommended 10

[1]	JIANG Qi,ZHAO Xiaomin,ZHAO Guichuan,WANG Jinhua,LI Xinghua. Adaptive score-level fusion for multi-modal biometric authentication [J]. Journal of Xidian University, 2023, 50(4): 11-21.
[2]	XU Zhicheng,LI Xiang,MAO Jian,LIU Jianwei,ZHOU Zhihong. Overview of Sybil attacks and defenses in the distributed architecture [J]. Journal of Xidian University, 2021, 48(1): 39-49.
[3]	XIE Yixi,JI Lixin. Blockchain-based bio-inspired distributed detection approach [J]. Journal of Xidian University, 2020, 47(5): 70-76.
[4]	LI Yan-ping;ZHANG Jian-zhong. A fair multi-party exchange protocol with the off-line trusted third party [J]. J4, 2004, 31(5): 811-814.
[5]	Lü Xi-xiang;YANG Bo;PEI Chang-xin;SU Xiao-long. A data mining based design for the detection engine of the intrusion detection system [J]. J4, 2004, 31(4): 574-580.
[6]	LIU Yi;WANG Yu-min. A micropayment protocol based on mobile agents [J]. J4, 2004, 31(4): 614-617.
[7]	Authors. title [J]. J4, 2001, 28(4): 413-417.
[8]	Authors. title [J]. J4, 2001, 28(2): 268-273.
[9]	Authors. title [J]. J4, 2001, 28(1): 31-35.