Abstract

The illegal use of compromised email accounts by adversaries can have severe consequences for enterprises and society. Detecting compromised email accounts is more challenging than detecting compromised social network accounts, because an email account exposes only a few kinds of interaction events (sending and receiving). To address this shortage of features, we propose a novel approach to detecting compromised accounts that combines time zone differences and alternate logins to identify abnormal behavior. Based on this approach, we propose a compromised email account detection framework that relies on widely available and less sensitive login logs and does not require labels. Our framework characterizes login behaviors to identify logins that do not belong to the account owner and outputs a list of account-subnet pairs ranked by their likelihood of having an abnormal login relationship. This reduces the number of account-subnet pairs that need to be investigated and provides a reference for investigation priority. Our evaluation demonstrates that our method detects most email accounts that have been accessed from disclosed malicious IP addresses and outperforms similar research. Additionally, our framework is able to uncover undisclosed malicious IP addresses.

Details

1009240
Business indexing term
Title
Detecting compromised email accounts via login behavior characterization
Author
Zhao, Jianjun (1); Yang, Can (1); Wu, Di (2); Cao, Yaqin (1); Liu, Yuling (1); Cui, Xiang (3); Liu, Qixu (1)

1 Chinese Academy of Sciences, Institute of Information Engineering, Beijing, China (GRID:grid.9227.e) (ISNI:0000000119573309); University of Chinese Academy of Sciences, School of Cyber Security, Beijing, China (GRID:grid.410726.6) (ISNI:0000 0004 1797 8419)
2 China Cybersecurity Review Technology and Certification Center, Beijing, China (GRID:grid.410726.6)
3 Zhongguancun Laboratory, Beijing, China (GRID:grid.410726.6)
Publication title
Cybersecurity; Singapore
Volume
6
Issue
1
Pages
36
Publication year
2023
Publication date
Dec 2023
Publisher
Springer Nature B.V.
Place of publication
Singapore
Country of publication
Netherlands
Publication subject
e-ISSN
25233246
Source type
Scholarly Journal
Language of publication
English
Document type
Journal Article
Publication history
Online publication date
2023-09-04
Milestone dates
2023-06-12 (Registration); 2023-04-06 (Received); 2023-06-11 (Accepted)
First posting date
04 Sep 2023
ProQuest document ID
2890364581
Document URL
https://www.proquest.com/scholarly-journals/detecting-compromised-email-accounts-via-login/docview/2890364581/se-2?accountid=40258
Copyright
© The Author(s) 2023. This work is published under http://creativecommons.org/licenses/by/4.0/ (the “License”). Notwithstanding the ProQuest Terms and Conditions, you may use this content in accordance with the terms of the License.
Last updated
2024-08-26
Database
Publicly Available Content Database