Abstract
E-mail is a commonly used attack vector in APT attacks. This paper proposes an APT e-mail attack detection method based on multi-dimensional analysis. First, the mail header and body information are extracted and attached files are reconstructed. Next, the mail is analyzed along several dimensions: mail header, mail body, threat-intelligence detection, deep inspection of file content, abnormal mail behavior detection, and self-learning of the mail site. Finally, based on the analysis results, each mail is classified as ordinary mail or as mail with suspected APT attack characteristics. The proposed scheme starts with rule-based threat mail detection, then incorporates intelligence detection and deep inspection of file content, then analyzes abnormal mail behavior, and finally performs self-learning of the customer's business. It can effectively improve the detection accuracy of APT e-mail attacks and provides a sound detection scheme for APT e-mail attack detection.
Authors
GAO Ze-fang (高泽芳), HU Na (胡娜), WEN Cheng-jiang (文成江), WANG Dai-hui (王岱辉) (China Mobile Group Device Co., Ltd., Beijing 100053, China)
Source
Telecom Engineering Technics and Standardization (《电信工程技术与标准化》), 2020, No. 12, pp. 48-53 (6 pages)