基于半监督学习的邮件伪装攻击检测方法OA

[Objective]Masquerade attacks are a typical attack in email systems,where attackers illicitly obtain genuine us-er authentication credentials to access unauthorized services,causing significant damage.Due to the complexity of email usage scenarios and the irregular distribution of data,the limited labeled anomaly data makes the detec-tion of masquerade attacks in email systems challenging.[Methods]To solve the above issues,we propose a rule-based self-training Auto-Encoder anomaly detection framework.Initially,the framework analyzes and categorizes scenarios of the SMTP email protocol log data,introducing coarse-grained label correction rules.Subsequently,it employs an Auto-Encoder for iterative detection through self-training,with each detection result refined by rules.Lastly,the kernel density estimation method is utilized to find an appropriate threshold to reduce the false posi-tive rate.[Results]Utilizing data from 6736 real corporate email accounts over three months,the framework de-tected 7 anomalous accounts and 12 anomalous IP addresses.The proposed method detects more than 75%anom-alous accounts compared to those detected by the corporate Security Operations Center(SOC),meanwhile the number of false positive accounts is reduced by 81.3%.