APT email attack detection based on multi-dimensional analysis
Cite this article: Gao Zefang, Hu Na, Wen Chengjiang, Wang Daihui. APT email attack detection based on multi-dimensional analysis [J]. Telecom Engineering Technics and Standardization (电信工程技术与标准化), 2020(12).
Authors: Gao Zefang  Hu Na  Wen Chengjiang  Wang Daihui
Affiliation: China Mobile Group Device Co., Ltd. (all four authors)
Abstract: Email is a commonly used attack vector in APT (Advanced Persistent Threat) attacks. This paper proposes an APT email attack detection method based on multi-dimensional analysis. First, the mail header and body are extracted and attached files are restored; then the mail is analysed along several dimensions: the header, the body, threat-intelligence detection, deep inspection of file content, anomalous mail behaviour detection, and self-learning of the mail site; finally, based on the analysis results, each mail is classified as ordinary mail or mail with suspected APT attack characteristics. The proposed method combines traditional mail threat attack features with intelligence detection and deep attachment inspection, takes anomalous mail behaviour into account, and finally performs self-learning analysis tied to the customer's business, which effectively improves the detection accuracy of APT email attacks and offers a sound detection scheme for APT email attack detection.

Keywords: APT attack  email  web link  threat intelligence  deep inspection  anomalous behaviour
Received: 2020/11/6
Revised: 2020/11/10

APT email attack detection based on multi-dimensional analysis
Gao Zefang, Hu Na, Wen Chengjiang and Wang Daihui. APT email attack detection based on multi-dimensional analysis [J]. Telecom Engineering Technics and Standardization, 2020(12).
Authors: Gao Zefang  Hu Na  Wen Chengjiang  Wang Daihui
Affiliation: China Mobile Group Device Co., Ltd. (all four authors)
Abstract: Email is a commonly used attack vector in APT (Advanced Persistent Threat) attacks. This article proposes an APT email attack detection method based on multi-dimensional analysis. First, the mail header, the body and the file attachments are parsed and extracted. Then, multi-dimensional analysis is performed covering the mail header, the mail body, intelligence detection, deep inspection of file content, anomalous mail behaviour detection and self-learning of the mail site. Finally, based on the analysis results, the mail is classified as ordinary mail or mail with APT attack characteristics. The method proposed in this paper not only combines traditional email threat attack characteristics but also integrates intelligence detection and in-depth inspection of file content, considers email anomalous behaviour analysis, and finally combines the customer's business for self-learning analysis. It effectively improves the detection accuracy of APT email attacks and provides a good detection idea for APT email attack detection.
Keywords:APT attack  email  link  threat intelligence  deep inspection  anomalous behaviors
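The pipeline the abstract describes (extract header and body, restore attachments, score several independent dimensions, classify), as an added Python illustration that is not the paper's code. The threat-intel feed, the risky-extension list, the sample message and the two-dimension threshold are all assumptions; the behaviour and site self-learning dimensions need historical state and are left out.

```python
import re, email
from email import policy
from email.utils import parseaddr

# Constructed feed and extension list: assumptions standing in for the intel and deep-inspection inputs.
BAD_DOMAINS = {"secure-login.example", "update-portal.example"}
RISKY_EXT = (".exe", ".scr", ".js", ".vbs", ".hta")

# Constructed sample message, not taken from the paper.
SAMPLE = b"""From: "IT Support" <support@corp.example>
Reply-To: helpdesk@secure-login.example
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please renew at https://secure-login.example/reset before Friday.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="policy.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--b1--
"""

def header_domain(value) -> str:
    # Domain of the first address in a header value ('' when the header is absent).
    return parseaddr(str(value or ""))[1].rpartition("@")[2].lower()

def analyze(raw: bytes) -> dict:
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = {}
    # Header dimension: Reply-To routed to a domain other than the visible sender.
    frm, rto = header_domain(msg.get("From")), header_domain(msg.get("Reply-To"))
    if rto and rto != frm:
        hits["header_replyto_mismatch"] = rto
    # Body and intel dimensions: collect link hosts from every text part, match them against the feed.
    hosts = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            hosts += re.findall(r"https?://([\w.-]+)", part.get_content())
    if bad := [h for h in hosts if h.lower() in BAD_DOMAINS]:
        hits["intel_bad_link"] = bad
    # Attachment dimension: restore each file, check its extension and PE magic bytes.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXT) or (part.get_payload(decode=True) or b"").startswith(b"MZ"):
            hits["attachment_executable"] = name
    # Classify as suspected APT mail when two or more independent dimensions fire (threshold assumed).
    return {"hits": hits, "apt_suspect": len(hits) >= 2}
```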