Detecting compromised email accounts via login behavior characterization

Authors: Jianjun Zhao, Can Yang, Di Wu, Yaqin Cao, Yuling Liu, Xiang Cui, Qixu Liu

Affiliations: Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100085, China; School of Cyber Security, University of Chinese Academy of Sciences, Beijing 100049, China; China Cybersecurity Review Technology and Certification Center, Beijing 100013, China; Zhongguancun Laboratory, Beijing 100089, China

Publication: Cybersecurity (网络空间安全科学与技术, English edition)

Year, volume, issue: 2024, Vol. 7, No. 1

Pages: 16-36

Subject classification: 0839 [Engineering - Cyberspace Security]; 08 [Engineering]

Funding: Supported by the Youth Innovation Promotion Association CAS (No. 2019163), the Strategic Priority Research Program of Chinese Academy of Sciences (No. XDC02040100), the Key Laboratory of Network Assessment Technology at Chinese Academy of Sciences, and Beijing Key Laboratory of Network Security and Protection Technology

Keywords: Compromised account detection; Mixture model; Login log analysis; Attribution and forensic

Abstract: The illegal use of compromised email accounts by adversaries can have severe consequences for enterprises and *** compromised email accounts is more challenging than in the social network field, where email accounts have only a few interaction events (sending and receiving). To address the issue of insufficient features, we propose a novel approach to detecting compromised accounts by combining time zone differences and alternate logins to identify abnormal *** on this approach, we propose a compromised email account detection framework that relies on widely available and less sensitive login logs and does not require *** framework characterizes login behaviors to identify logins that do not belong to the account owner and outputs a list of account-subnet pairs ranked by their likelihood of having abnormal login *** approach reduces the number of account-subnet pairs that need to be investigated and provides a reference for investigation *** evaluation demonstrates that our method can detect most email accounts that have been accessed by disclosed malicious IP addresses and outperforms similar ***, our framework has the capability to uncover undisclosed malicious IP addresses.
