面向异常行为的邮件访问控制网关的设计与实现  

作　　者：周林志[1,2] 陈晨 郑浩然 时轶 邢家鸣 林峰旭 ZHOU Linzhi;CHEN Chen;ZHENG Haoran;SHI Yi;XING Jiaming;LIN Fengxu(Network Information Center,Beihang University,Beijing 100191,China;School of Cyber Science and Technology,Beihang University,Beijing 100191,China;School of Software,Beihang University,Beijing 100191,China)

机构地区：[1]北京航空航天大学网络信息中心,北京100191 [2]北京航空航天大学网络空间安全学院,北京100191 [3]北京航空航天大学软件学院,北京100191

出　　处：《信息通信技术与政策》2024年第8期46-54,共9页Information and Communications Technology and Policy

摘　　要：高校邮件系统平均每月面临数万次的暴力破解认证攻击,攻击者会使用简单邮件传输协议(Simple Mail Transfer Protocal,SMTP)认证的方式对高校师生邮件账号进行暴力破解认证,尤其是分布式暴力破解和低频慢速暴力破解难以识别检测,是导致邮件服务器面临资源消耗及账户安全问题的巨大威胁。因此,有必要设计一种面向异常行为的邮件访问控制网关,通过分析邮件日志捕获异常攻击行为,动态阻断恶意互联网协议(Internet Protocal,IP)攻击。测试结果表明,该网关通过分析邮件日志、抽取安全事件、捕获异常行为特征,构建了特征规则;基于漏桶算法捕获低频、分布式暴力破解的恶意IP,联动防火墙实现了对恶意IP的动态封禁及解除;设计、实现访问控制网关并应用于校园网,成功阻断了62%的攻击流量。On average,university email systems face tens of thousands of brute force authentication attacks every month.Attackers will use the SMTP protocol authentication method to perform brute force authentication on email accounts of university teachers and students.Especially,it is difficult to identify and detect distributed brute force attacks and low-frequency slow brute force attacks,which is a huge threat to the resource consumption and account security of the mail server.Therefore,it is necessary to design a mail access control gateway for abnormal behavior,which can dynamically block malicious IP addresses by analyzing mail logs to capture abnormal attacks.The test results indicate that the gateway has constructed feature rules by analyzing email logs,extracting security events,and capturing abnormal behavior characteristics;based on the leaky bucket algorithm,low-frequency and distributed brute force attacking malicious IPs are captured,and dynamic blocking and lifting of malicious IPs are achieved through linkage with firewalls;designed and implemented an access control gateway and applied it to the campus network,successfully blocking 62%of attack traffic.

关 键 词：邮件网关 访问控制系统 日志分析 异常检测 

分 类 号：G434[文化科学—教育学] TP393.18[文化科学—教育技术学]