CN110519150B - Mail detection method, device, equipment, system and computer readable storage medium - Google Patents


Info

Publication number: CN110519150B
Authority: CN (China)
Prior art keywords: mail, mails, abnormal, behavior, information
Legal status: Active
Application number: CN201810497358.8A
Other languages: Chinese (zh)
Other versions: CN110519150A (en)
Inventors: 陈瑞钦, 郭开
Current Assignee: Sangfor Technologies Co Ltd
Original Assignee: Sangfor Technologies Co Ltd

Events:
Application filed by Sangfor Technologies Co Ltd
Priority to CN201810497358.8A
Publication of CN110519150A
Application granted
Publication of CN110519150B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L51/00 User-to-user messaging in packet-switching networks, transmitted according to store-and-forward or real-time protocols, e.g. e-mail
    • H04L51/21 Monitoring or handling of messages
    • H04L51/23 Reliability checks, e.g. acknowledgments or fault reporting
    • H04L51/42 Mailbox-related aspects, e.g. synchronisation of mailboxes
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1433 Vulnerability analysis

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

The invention discloses a mail detection method comprising the following steps: identifying the mail type of each mail, where the mail types comprise a safe mail type, a dangerous mail type and a potentially dangerous mail type; acquiring behavior data of target mails according to the mail type of each mail; and analyzing and detecting the behavior data with a preset behavior analysis model to identify abnormal mails among the target mails. Thus, once the type of a mail has been identified, the mail is subjected to behavior analysis through the preset analysis model, so that abnormal mails can be identified from their behavior data; identifying abnormal mails from multiple angles detects more potential security vulnerabilities and further improves mail security. The invention also discloses a mail detection device, equipment, a system and a computer readable storage medium that achieve the same technical effect.

Description

Mail detection method, device, equipment, system and computer readable storage medium
Technical Field
The present invention relates to the field of mail security detection technologies, and in particular, to a method, an apparatus, a device, a system, and a computer-readable storage medium for mail detection.
Background
At present, daily business activity involves a large volume of mail traffic, and mail is an important medium for people to communicate. On the other hand, mail is also an important vehicle for spreading viruses and phishing content: the mail protocols have certain security weaknesses, and because mail is used so frequently it is an easy target for hackers to turn into an attack carrier. There are currently a large number of phishing, fraud, virus and advertising mails on the network. According to statistics, more than half of ransomware is delivered through mail, phishing and fraud mails readily cause economic losses for enterprises and users, and mail security is a serious problem at present.
Therefore, how to detect the mails and improve the safety of the mails is a problem to be solved by those skilled in the art.
Disclosure of Invention
The invention aims to provide a mail detection method, a mail detection device, equipment, a mail detection system and a computer readable storage medium, which are used for detecting mails and improving the safety of the mails.
In order to achieve the above purpose, the embodiment of the present invention provides the following technical solutions:
a mail detection method, comprising:
identifying a mail type of each mail; the mail types comprise a safe mail type, a dangerous mail type and a potentially dangerous mail type;
acquiring behavior data of a target mail according to the mail type of each mail;
and analyzing and detecting the behavior data by using a preset behavior analysis model, and identifying abnormal mails in the target mails.
Analyzing and detecting the behavior data with a preset behavior analysis model to identify abnormal mails among the target mails includes:
identifying account brute-force (password-guessing) behavior according to the login records of the target mails, and determining the mails corresponding to that behavior among the target mails as abnormal mails; and/or
identifying mass-mailing behavior according to the sending records of the target mails, and determining the mails corresponding to that behavior among the target mails as abnormal mails.
After the mail type of each mail is identified, the method further comprises:
determining the mails to be scanned, namely those of the potentially dangerous mail type;
and sending the detection object information corresponding to the mails to be scanned to a cloud scanning (detection-and-removal) system, so that abnormal mails among the mails to be scanned are identified by the cloud scanning system.
Sending the detection object information corresponding to the mails to be scanned to the cloud scanning system, so that abnormal mails among them are identified by the cloud scanning system, includes:
sending at least one of the account information, URL information, attachment information and text information corresponding to the mails to be scanned to the cloud scanning system, so that abnormal mails among the mails to be scanned are identified by the cloud scanning system.
The cloud scanning system identifies abnormal mails among the mails to be scanned by:
identifying whether the source address and/or the destination address in the account information is forged, to obtain an account information identification result; and/or identifying whether the URL information contains malicious URL content, to obtain a URL identification result; and/or identifying whether the attachment information contains an attachment of a malicious type, to obtain an attachment identification result; and/or identifying whether the text information contains malicious text content, to obtain a text identification result;
and identifying abnormal mails according to at least one of the account information identification result, the URL identification result, the attachment identification result and the text identification result.
A mail detection device comprising:
a mail type identification module for identifying the mail type of each mail, the mail types comprising a safe mail type, a dangerous mail type and a potentially dangerous mail type;
a behavior data acquisition module for acquiring the behavior data of the target mails according to the mail type of each mail;
and an abnormal mail identification module for analyzing and detecting the behavior data with a preset behavior analysis model and identifying abnormal mails among the target mails.
The abnormal mail identification module comprises a first identification unit and/or a second identification unit;
the first identification unit identifies account brute-force behavior according to the login records of the target mails and determines the mails corresponding to that behavior among the target mails as abnormal mails;
and the second identification unit identifies mass-mailing behavior according to the sending records of the target mails and determines the mails corresponding to that behavior among the target mails as abnormal mails.
The device further comprises:
a module for determining the mails to be scanned, namely those of the potentially dangerous mail type;
and a detection object sending module for sending the detection object information corresponding to the mails to be scanned to a cloud scanning system, so that abnormal mails among the mails to be scanned are identified by the cloud scanning system.
The detection object sending module is specifically configured to send at least one of the account information, URL information, attachment information and text information corresponding to the mails to be scanned to the cloud scanning system, so that the cloud scanning system identifies abnormal mails among them.
A computer-readable storage medium, having stored thereon a computer program which, when being executed by a processor, carries out the steps of the mail detection method as described above.
A mail detection apparatus, comprising:
a memory for storing a computer program; a processor for implementing the steps of the mail detection method as described above when executing the computer program.
A mail detection system comprises a target host and a cloud scanning server; the target host comprises the mail detection equipment described above;
and the cloud scanning server identifies abnormal mails among the mails to be scanned, i.e. the mails of the potentially dangerous mail type sent to it by the target host.
The cloud scanning server is specifically configured to:
identify whether the source address and/or the destination address in the account information is forged, to obtain an account information identification result; and/or identify whether the URL information contains malicious URL content, to obtain a URL identification result; and/or identify whether the attachment information contains an attachment of a malicious type, to obtain an attachment identification result; and/or identify whether the text information contains malicious text content, to obtain a text identification result; and identify abnormal mails according to at least one of the account information identification result, the URL identification result, the attachment identification result and the text identification result.
In summary, the mail detection method provided by the embodiment of the invention comprises: identifying the mail type of each mail, the mail types comprising a safe mail type, a dangerous mail type and a potentially dangerous mail type; acquiring behavior data of the target mails according to the mail type of each mail; and analyzing and detecting the behavior data with a preset behavior analysis model to identify abnormal mails among the target mails. Thus, once the type of a mail has been identified, the mail is subjected to behavior analysis through the preset analysis model, so that abnormal mails can be identified from their behavior data; identifying abnormal mails from multiple angles detects more potential security vulnerabilities and further improves mail security. The invention also discloses a mail detection device, equipment, a system and a computer readable storage medium that achieve the same technical effect.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
FIG. 1 is a schematic flow chart of a mail detection method according to an embodiment of the present invention;
FIG. 2 is a schematic diagram illustrating the division of a mail into detection objects, as disclosed in an embodiment of the present invention;
FIG. 3 is a schematic flow chart of another mail detection method disclosed in an embodiment of the present invention;
FIG. 4 is a schematic view of a cloud scanning system according to an embodiment of the present invention;
FIG. 5 is a schematic structural diagram of a mail detection apparatus according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be obtained by a person skilled in the art without inventive step based on the embodiments of the present invention, are within the scope of protection of the present invention.
The embodiment of the invention discloses a mail detection method, a mail detection device, equipment, a mail detection system and a computer readable storage medium, which are used for detecting mails and improving the safety of the mails.
Referring to fig. 1, an email detection method provided in an embodiment of the present invention includes:
S101, identifying the mail type of each mail; the mail types comprise a safe mail type, a dangerous mail type and a potentially dangerous mail type.
Specifically, identifying the mail type of each mail in this embodiment means checking each mail with methods such as rules, a black and white list library and a built-in anti-virus engine. Identifying the mail type assigns each mail a definite type that clearly classifies it: the safe mail type is a safe mail that matches a white list rule; the dangerous mail type is an abnormal mail that matches a black list rule; and the potentially dangerous mail type comprises a suspicious mail type and an unknown mail type, where a suspicious mail is one that may carry a potential security risk without belonging to the dangerous mail type, and an unknown mail is one whose type is none of the above.
Such detection methods can quickly identify the general type of each mail, but they are limited by the manually written rule content and by how often the black and white list library and the built-in anti-virus signature library are updated, so they cannot detect and respond to newly emerging threats; in particular, their detection capability for spear-phishing mails and for newly emerging virus mails is clearly poor. Therefore, in the present application, abnormal mails are additionally identified from mail behavior data through S102-S103.
It should be noted that, before the mail type is identified, the basic information of each mail needs to be acquired: every field of each mail is extracted, and the audited fields are classified into 4 groups: connection information, protocol command information, mail header information, and mail body and attachments.
The audited fields mainly comprise:
1) connection information: the source IP, destination IP, protocol type, software version, port number and the like of the mail;
2) protocol command information: the request and response of the account login command, the request and response of the sender command, the request and response of the mail operation commands, and the like;
3) mail header information: the sending date, subject, recipients and sender, body type of the mail, and the like;
4) mail body and attachments: the extracted body content of the mail, with each attachment stored separately.
Further, for detection purposes the scheme divides the mail into 5 detection objects, as shown in FIG. 2: the mail account, URL information, mail attachments, mail text content, and mail sending and receiving behavior. The audited fields correspond to the detection objects as follows:
1) mail account: the source IP and destination IP, the sender/recipient and mail login account information carried in the SMTP, POP3 and IMAP protocol connection information, and the sender/recipient fields of the mail header, and the like;
2) URL information: URLs extracted from the mail body, or potential URLs extracted from the mail body;
3) mail attachments: the mail attachments;
4) mail text content: the text content of the mail;
5) mail sending and receiving behavior: the source IP and destination IP in the connection information, the various operations in the command information (for example rejected sending, deletion and moving of mails), and the subject, sender and recipient information of the mail header, and the like.
By dividing the mail into detection objects, the scheme markedly improves the scalability and maintainability of the detection device: detection capability is developed for each detection object on its own and responds quickly to detection results, and because each capability relies on a specific detection object the detection framework is highly flexible.
Furthermore, once each detection object has been obtained, the mail can be checked with rule-based methods, the black and white list library, the built-in anti-virus engine and the like. This step is similar to a traditional mail security detection device: it filters mails rapidly, catches the problems a traditional mail security device can detect, and eliminates most normal mails, which improves the efficiency of the subsequent detection.
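As an added illustration of S101 and the detection-object division above (example code written for this page, not from the patent or from Sangfor): it parses a constructed message with Python's standard email library, splits it into the five detection objects, and assigns the first-layer type from hypothetical white/black lists and attachment rules.

```python
import re
from dataclasses import dataclass
from email import message_from_bytes, policy

# Constructed sample input (not from the patent): one raw message together with
# the connection details a mail gateway records alongside it.
RAW_MAIL = b"""From: "Accounts" <billing@example-invoices.test>
To: alice@corp.example
Subject: Invoice overdue - action required
Date: Mon, 21 May 2018 09:15:00 +0000
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Your invoice is overdue. Review it at http://pay.example-invoices.test/login
or paste www.example-invoices.test/inv into your browser.
--b1
Content-Type: application/octet-stream; name="invoice.exe"
Content-Disposition: attachment; filename="invoice.exe"

not really a program, just constructed sample bytes
--b1--
"""
CONNECTION = {"src_ip": "198.51.100.7", "dst_ip": "192.0.2.25",
              "protocol": "SMTP", "port": 25, "login_account": None}

# Hypothetical first-layer lists and rules; the patent names the mechanisms
# (rules, black/white list library) but not their contents.
WHITELIST_DOMAINS = {"corp.example", "partner.example"}
BLACKLIST_DOMAINS = {"known-bad.test"}
RISKY_ATTACHMENT_EXTS = (".exe", ".scr", ".js", ".vbs")

URL_RE = re.compile(r'https?://[^\s<>"]+')                       # explicit URLs
POTENTIAL_URL_RE = re.compile(r'\bwww\.[\w.-]+(?:/[^\s<>"]*)?')  # scheme-less "potential" URLs


@dataclass
class DetectionObjects:
    account: dict       # 1) mail account
    urls: list          # 2) URL information
    attachments: list   # 3) mail attachments
    text: str           # 4) mail text content
    behavior: dict      # 5) sending/receiving behavior
    mail_type: str = "unknown"   # safe | dangerous | suspicious | unknown


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].strip("> ").lower()


def _url_host(url: str) -> str:
    return re.sub(r"^https?://", "", url).split("/")[0].lower()


def classify_first_layer(objs: DetectionObjects) -> str:
    """S101 typing: white list -> safe, black list -> dangerous, rule hit -> suspicious,
    otherwise unknown (suspicious and unknown together form 'potentially dangerous')."""
    sender_domain = _domain(objs.account["sender"])
    url_hosts = {_url_host(u) for u in objs.urls}
    if sender_domain in BLACKLIST_DOMAINS or url_hosts & BLACKLIST_DOMAINS:
        return "dangerous"
    if sender_domain in WHITELIST_DOMAINS:
        return "safe"
    risky_attachment = any((a["filename"] or "").lower().endswith(RISKY_ATTACHMENT_EXTS)
                           for a in objs.attachments)
    if risky_attachment or objs.urls:
        return "suspicious"
    return "unknown"


def split_detection_objects(raw: bytes, conn: dict) -> DetectionObjects:
    """Audit the message fields and divide them into the five detection objects."""
    msg = message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    attachments = [{"filename": part.get_filename(),
                    "content_type": part.get_content_type(),
                    "size": len(part.get_payload(decode=True) or b"")}
                   for part in msg.iter_attachments()]
    urls = URL_RE.findall(text) + POTENTIAL_URL_RE.findall(text)
    sender = str(msg.get("From", ""))
    recipients = [str(r) for r in msg.get_all("To", [])]
    account = {"src_ip": conn["src_ip"], "dst_ip": conn["dst_ip"],
               "login_account": conn["login_account"],
               "sender": sender, "recipients": recipients}
    behavior = {"src_ip": conn["src_ip"], "dst_ip": conn["dst_ip"],
                "protocol": conn["protocol"], "port": conn["port"],
                "date": str(msg.get("Date")), "subject": str(msg.get("Subject")),
                "sender": sender, "recipients": recipients}
    objs = DetectionObjects(account, urls, attachments, text, behavior)
    objs.mail_type = classify_first_layer(objs)
    return objs


if __name__ == "__main__":
    result = split_detection_objects(RAW_MAIL, CONNECTION)
    print(result.mail_type, result.urls, [a["filename"] for a in result.attachments])
```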
S102, acquiring behavior data of the target mails according to the mail type of each mail.
Specifically, S102 to S103 of this solution may be executed at a set time interval; for example, if the interval is set to 3 days, the behavior data of those three days is obtained once three days have elapsed. When acquiring behavior data it must be decided which part of the mail behavior data to acquire, so in this embodiment the target mails are selected according to the mail type of each mail, and the manner of selection is not specifically limited here. For example, when detecting account brute-force behavior, if a high number of login failures is the only determination criterion, then white-list mails can be understood as safe and black-list mails have already been identified as abnormal, that is, neither type carries a potential security risk; in that case the identification of brute-force behavior can be configured to acquire the behavior data of potentially dangerous mails only, i.e. only mails of the potentially dangerous mail type are checked for abnormal mails. If, however, the login failure rate is taken as the criterion, then the mails of the safe mail type and the dangerous mail type must also be acquired.
S103, analyzing and detecting the behavior data with a preset behavior analysis model, and identifying abnormal mails among the target mails.
Specifically, the analysis model in this scheme is constructed from the behavior data generated by users using their mailboxes under normal conditions, that is, the multidimensional behavior analysis data in the model is the baseline behavior of a user, for example the login times of the mailbox, the frequency of sending/receiving mails, the usual login addresses of the mailbox, and the like. Comparing the behavior data of the target mails against the behavior data in the analysis model identifies the abnormal mails among the target mails from their behavior. Compared with the mail type identification in S101, identifying mails through behavior data recognizes abnormal mails from additional angles and so increases mail security.
Based on the above embodiment of the mail detection method, in this embodiment analyzing and detecting the behavior data with a preset behavior analysis model to identify abnormal mails among the target mails specifically includes:
identifying account brute-force behavior according to the login records of the target mails, and determining the mails corresponding to that behavior among the target mails as abnormal mails; and/or
identifying mass-mailing behavior according to the sending records of the target mails, and determining the mails corresponding to that behavior among the target mails as abnormal mails.
It should be noted that the analysis model may detect various abnormal behaviors, such as account brute-force behavior, mass-mailing behavior, abnormal login times, abnormal login locations and the like; this embodiment takes the detection of account brute-force and mass-mailing behavior as its example. Specifically, when identifying account brute-force behavior from the login records of the target mails, the number of failed logins, the number of successful logins, the attempted password information and similar data of the mail account under examination over a past period are obtained and analyzed with the analysis model; if the account has been logged into with a large amount of weak-password information and the failure ratio is high, this is identified as account brute-force behavior, and all mails belonging to that behavior are determined to be abnormal mails.
Furthermore, when identifying mass-mailing behavior from the sending records of the target mails, abnormal behaviors such as mass mailing from a single account or from several accounts are identified mainly by statistically analyzing each account's sending records over a past period, including successful sends, failure records, mail subjects and similar information. It is to be understood that the abnormal behavior may be defined as the number of mails sent with the same subject exceeding a predetermined threshold, as the failure rate of sending the same subject exceeding a predetermined threshold, or as only the failure rate of sending mails with the same subject exceeding a predetermined threshold.
Compared with identifying abnormal mails one mail at a time, the method of this embodiment models the abnormal behavior of a user/host over a past period and can accurately discover behaviors such as mass-sending spam and account brute-forcing, which further increases mail security.
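The behavior-analysis layer described here, together with the S102 target-mail selection, as an added example (not code from the patent or its assignee): over constructed login and send records it flags account brute-forcing by failure count or failure ratio, flags mass mailing by same-subject volume and failure rate, and marks the target mails belonging to those behaviors as abnormal. The thresholds and the three-day window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not from the patent): three days of audited
# login and send commands for two mailbox accounts, collected as in S102.
NOW = datetime(2018, 5, 21, 0, 0)
WINDOW = timedelta(days=3)

LOGIN_RECORDS = [  # (timestamp, account, login succeeded?)
    *[(NOW - timedelta(hours=1, minutes=m), "bob@corp.example", False) for m in range(40)],
    (NOW - timedelta(minutes=10), "bob@corp.example", True),
    (NOW - timedelta(days=1), "alice@corp.example", True),
    (NOW - timedelta(days=2), "alice@corp.example", False),
    (NOW - timedelta(days=2, hours=1), "alice@corp.example", True),
    (NOW - timedelta(days=10), "alice@corp.example", False),  # outside the window
]
SEND_RECORDS = [  # (timestamp, account, subject, delivery succeeded?)
    *[(NOW - timedelta(minutes=m), "bob@corp.example", "Urgent: verify your account", m % 3 != 0)
      for m in range(30)],
    (NOW - timedelta(hours=5), "alice@corp.example", "Q2 report", True),
    (NOW - timedelta(hours=6), "alice@corp.example", "Lunch?", True),
]
MAILS = [  # constructed, with the first-layer (S101) type already assigned
    {"id": 1, "account": "bob@corp.example", "subject": "Urgent: verify your account", "type": "unknown"},
    {"id": 2, "account": "alice@corp.example", "subject": "Q2 report", "type": "safe"},
    {"id": 3, "account": "alice@corp.example", "subject": "Lunch?", "type": "suspicious"},
]

# Hypothetical thresholds; the patent leaves the values to the deployment.
MIN_FAILED_LOGINS = 20            # absolute-count criterion
MAX_LOGIN_FAILURE_RATIO = 0.5     # failure-ratio criterion
MIN_SAMPLES_FOR_RATIO = 5         # do not compute ratios on a handful of events
SAME_SUBJECT_THRESHOLD = 20
SEND_FAILURE_RATE_THRESHOLD = 0.3


def in_window(ts, now=NOW, window=WINDOW):
    return now - window <= ts <= now


def select_target_mails(mails, criterion):
    """S102: with an absolute failure count, safe and dangerous mails carry no
    extra risk and only potentially dangerous mails are acquired; with a
    failure ratio every type is needed so the denominator is complete."""
    if criterion == "count":
        return [m for m in mails if m["type"] in ("suspicious", "unknown")]
    return list(mails)


def account_bruteforce(logins, criterion="ratio"):
    """Return {account: (failures, attempts)} for accounts showing brute-force behavior."""
    stats = defaultdict(lambda: [0, 0])  # account -> [failures, attempts]
    for ts, account, ok in logins:
        if not in_window(ts):
            continue
        stats[account][1] += 1
        if not ok:
            stats[account][0] += 1
    flagged = {}
    for account, (fails, attempts) in stats.items():
        if criterion == "count":
            hit = fails >= MIN_FAILED_LOGINS
        else:
            hit = attempts >= MIN_SAMPLES_FOR_RATIO and fails / attempts > MAX_LOGIN_FAILURE_RATIO
        if hit:
            flagged[account] = (fails, attempts)
    return flagged


def mass_mailing(sends):
    """Return {(account, subject): reasons} when the same subject is sent more than
    SAME_SUBJECT_THRESHOLD times and/or its delivery failure rate exceeds the threshold."""
    stats = defaultdict(lambda: [0, 0])  # (account, subject) -> [sent, failed]
    for ts, account, subject, ok in sends:
        if not in_window(ts):
            continue
        stats[(account, subject)][0] += 1
        if not ok:
            stats[(account, subject)][1] += 1
    flagged = {}
    for key, (sent, failed) in stats.items():
        reasons = []
        if sent > SAME_SUBJECT_THRESHOLD:
            reasons.append("same-subject volume")
        if sent >= MIN_SAMPLES_FOR_RATIO and failed / sent > SEND_FAILURE_RATE_THRESHOLD:
            reasons.append("same-subject failure rate")
        if reasons:
            flagged[key] = reasons
    return flagged


def identify_abnormal_mails(mails, logins, sends, criterion="ratio"):
    """S103: every target mail belonging to a flagged account or to a flagged
    (account, subject) mass-mailing is an abnormal mail."""
    targets = select_target_mails(mails, criterion)
    bad_accounts = account_bruteforce(logins, criterion)
    bad_subjects = mass_mailing(sends)
    return [m for m in targets
            if m["account"] in bad_accounts or (m["account"], m["subject"]) in bad_subjects]
```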
Referring to FIG. 3, another mail detection method provided in an embodiment of the present invention includes:
S201, identifying the mail type of each mail; the mail types comprise a safe mail type, a dangerous mail type and a potentially dangerous mail type;
S202, acquiring behavior data of the target mails according to the mail type of each mail;
S203, analyzing and detecting the behavior data with a preset behavior analysis model, and identifying abnormal mails among the target mails;
it should be noted that S201 to S203 in this embodiment are the same as S101 to S103 described in the above method embodiment; refer to that embodiment for the details, which are not repeated here.
S204, determining the mails to be scanned, namely those of the potentially dangerous mail type;
S205, sending the detection object information corresponding to the mails to be scanned to a cloud scanning system, so that abnormal mails among the mails to be scanned are identified by the cloud scanning system.
Specifically, because mail identified only locally suffers from the security vulnerability of identification rules that are not kept up to date, this embodiment uses cloud scanning technology: the mails of the potentially dangerous mail type are uploaded to the cloud and scanned there using the strong computing capability of the cloud server and its newest and most comprehensive detection criteria, so that as many abnormal mails as possible are identified.
It should be noted that S204-S205 and S202-S203 are two parallel detection manners: S202-S203 identify abnormal mails from the user's behavior data, and S204-S205 identify abnormal mails by cloud scanning. They may of course be performed simultaneously; that is, in this embodiment, with the mail type identification of S201 as the first layer of detection, S202-S203 serve as the second layer, identifying abnormal mails from behavior data, and S204-S205 serve as the third layer, identifying abnormal mails by cloud scanning, and these three layers of detection and filtering improve the detection capability to the greatest extent.
In this embodiment, sending the detection object information corresponding to the mail to be checked and killed to a cloud checking and killing system specifically includes: at least one of account information, URL information, attachment information and text information corresponding to the mail to be checked and killed is sent to the cloud checking and killing system;
the cloud searching and killing system identifies abnormal mails in the mails to be searched and killed, and comprises the following steps:
identifying whether a source address and/or a destination address in the account information is a fake address or not to obtain an account information identification result; and/or identifying whether the URL information has malicious URL content to obtain a URL identification result; and/or identifying whether the attachment information has the attachment with the malicious type or not to obtain an attachment identification result; and/or identifying whether malicious text content exists in the text information to obtain a text identification result;
and identifying an abnormal mail according to at least one of the account information identification result, the URL identification result, the attachment identification result and the text identification result.
Specifically, before detecting the mail, 5 types of detection objects, which are respectively a mail account, URL information, a mail attachment, mail text content, and a mail sending and receiving behavior, have been determined, where the mail sending and receiving behavior is behavior data in S102-S103/S202-S203, and in addition, 4 types of detection objects are detection object information corresponding to the mail to be checked and killed, which needs to be cloud-checked and killed in this embodiment, of course, the 4 types of detection object information do not need to be cloud-checked and killed all over, and need to be determined according to information contained in the mail itself, for example: the mail attachment and the mail body content are not all contained in the mail.
Referring to fig. 4, which is a schematic diagram of cloud searching and killing provided in this embodiment, in the present embodiment, at least one of a mail account, a URL in a mail text, a mail attachment, and a mail text content may be identified and determined, and whether the mail is an abnormal mail is determined according to each final result. Specifically, the method comprises the following steps:
cloud searching and killing of the account number: the method mainly provides validity detection, judges whether a source IP and a target IP are legal or not, and identifies whether counterfeiting exists or not;
URL cloud searching and killing: the method mainly comprises the steps of analyzing and classifying URLs by acquiring URL content, wherein the specific categories comprise fishing, lasso, advertisements and the like;
cloud searching and killing of accessories: performing multi-engine searching and killing on the attachment, and outputting the category of the file;
text cloud searching and killing: and (4) aiming at the suspicious text, performing semantic and emotion analysis by using the model, and outputting the theme and malicious type of the text.
In summary, this embodiment mainly includes three detection modes. The first layer is traditional detection based on rules, black and white lists and built-in checking and killing, which identifies the type information of each mail. The second layer is behavior analysis detection, which analyzes the sending and receiving behavior of each account, extracts features, analyzes them with an algorithm and thereby further analyzes and confirms the detection result. The third layer is cloud searching and killing detection, which mainly uploads suspicious objects in the mails to the cloud for analysis and detection. The three-layer filtering detection method can be used for analysis and detection, the detection capability of each layer is independent, and the mail security detection capability can be obviously improved. Meanwhile, because the mail is divided according to detection objects, detection capabilities can be conveniently developed and extended for different detection objects, new detection capabilities can be released rapidly, and security events can be responded to rapidly; the method therefore has the advantages of strong detection capability, good expandability, easy maintenance and the like.
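The second, behaviour-analysis layer as an added example (not the patent's code): sliding-window detection of account blasting and mass mailing, plus login time and place anomalies, run over constructed login and sending records. Thresholds, record layouts and the sample records are assumptions, since the patent does not disclose its model's parameters.

```python
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

# Record layouts are assumptions; geo is a coarse login-location label.
LoginRecord = namedtuple("LoginRecord", "account time success geo")
SendRecord = namedtuple("SendRecord", "account time recipients")  # recipients of one mail

# Constructed thresholds: the patent does not disclose its model's parameters.
BLAST_FAILURES = 5                    # failed logins per account ...
BLAST_WINDOW = timedelta(minutes=10)  # ... inside this window = account blasting
MASS_RECIPIENTS = 50                  # recipients per account ...
MASS_WINDOW = timedelta(hours=1)      # ... inside this window = mass mailing
WORK_HOURS = range(7, 21)             # successful login outside = login time anomaly


def _window_hits(events, window, threshold):
    """Sliding window over (time, weight) pairs: True once the weight inside
    any span of `window` reaches `threshold`."""
    events = sorted(events)
    start, total = 0, 0
    for t, w in events:
        total += w
        while t - events[start][0] > window:
            total -= events[start][1]
            start += 1
        if total >= threshold:
            return True
    return False


def detect_account_blasting(logins):
    """Accounts hit by a burst of failed logins (password guessing)."""
    failed = defaultdict(list)
    for r in logins:
        if not r.success:
            failed[r.account].append((r.time, 1))
    return {a for a, ev in failed.items() if _window_hits(ev, BLAST_WINDOW, BLAST_FAILURES)}


def detect_mass_mailing(sends):
    """Accounts that address too many recipients within MASS_WINDOW."""
    per_acct = defaultdict(list)
    for r in sends:
        per_acct[r.account].append((r.time, r.recipients))
    return {a for a, ev in per_acct.items() if _window_hits(ev, MASS_WINDOW, MASS_RECIPIENTS)}


def detect_login_anomalies(logins, known_geo):
    """Successful logins at unusual hours, or from a location never seen for the account."""
    time_anom, place_anom = set(), set()
    for r in logins:
        if not r.success:
            continue
        if r.time.hour not in WORK_HOURS:
            time_anom.add(r.account)
        if r.geo not in known_geo.get(r.account, set()):
            place_anom.add(r.account)
    return time_anom, place_anom


def abnormal_accounts(logins, sends, known_geo):
    """account -> set of findings; mail of these accounts is what this layer reports as abnormal."""
    found = {"account_blasting": detect_account_blasting(logins),
             "mass_mailing": detect_mass_mailing(sends)}
    found["login_time"], found["login_place"] = detect_login_anomalies(logins, known_geo)
    findings = defaultdict(set)
    for label, accounts in found.items():
        for a in accounts:
            findings[a].add(label)
    return dict(findings)


def sample_records():
    """Constructed records (not from the patent); source IPs omitted for brevity."""
    t0 = datetime(2018, 5, 22, 9, 0)
    logins = [LoginRecord("alice", t0 + timedelta(minutes=i), False, "CN-SZ") for i in range(6)]
    logins += [LoginRecord("bob", t0 + timedelta(hours=15), True, "US-NY"),   # 00:00, new place
               LoginRecord("dave", t0 + timedelta(hours=1), True, "CN-SZ")]   # ordinary login
    sends = [SendRecord("carol", t0 + timedelta(minutes=10 * i), 20) for i in range(3)]  # 60 in 20 min
    sends.append(SendRecord("dave", t0 + timedelta(hours=2), 3))
    known_geo = {"alice": {"CN-SZ"}, "bob": {"CN-SZ"}, "dave": {"CN-SZ"}}
    return logins, sends, known_geo
```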
The mail detection apparatus provided by the embodiment of the present invention is introduced below; the mail detection apparatus described below and the mail detection method described above may be referred to each other.
Referring to fig. 5, a mail detection apparatus provided in an embodiment of the present invention includes:
a mail type identification module 100, configured to identify the mail type of each mail, where the mail types comprise a safe mail type, a dangerous mail type and a potentially dangerous mail type;
a behavior data obtaining module 200, configured to obtain behavior data of a target mail according to the mail type of each mail;
an abnormal mail identification module 300, configured to analyze and detect the behavior data by using a preset behavior analysis model and identify abnormal mails in the target mails.
The abnormal mail identification module comprises a first identification unit and/or a second identification unit;
the first identification unit is used for identifying an account blasting behavior according to the login record of the target mail and determining a mail corresponding to the account blasting behavior in the target mail as an abnormal mail;
the second identification unit is used for identifying group sending mail behaviors according to the mail sending records of the target mails and determining the mails corresponding to the group sending mail behaviors in the target mails as abnormal mails.
The apparatus further includes:
a module for determining the mail to be checked and killed, configured to determine the mail to be checked and killed corresponding to the potentially dangerous mail type;
and the detection object sending module is used for sending the detection object information corresponding to the mails to be checked and killed to a cloud checking and killing system so as to identify abnormal mails in the mails to be checked and killed through the cloud checking and killing system.
The detection object sending module is specifically configured to send at least one of account information, URL information, attachment information, and text information corresponding to the mail to be checked and killed to the cloud checking and killing system, so that the cloud checking and killing system identifies an abnormal mail in the mail to be checked and killed.
The present embodiment also provides a computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, implements the steps of the above-mentioned mail detection method.
The storage medium may include various media capable of storing program code, such as a USB disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk.
The present embodiment further provides a mail detection apparatus, including: a memory for storing a computer program; and the processor is used for realizing the steps of the mail detection method when executing the computer program.
The embodiment also provides a mail detection system, which comprises a target host and a cloud searching and killing server; the target host comprises the mail detection equipment;
and the cloud searching and killing server is used for identifying abnormal mails in the mails to be searched and killed, which are sent by the target host and correspond to the types of the potentially dangerous mails.
The cloud searching and killing server is specifically used for: identifying whether a source address and/or a destination address in the account information is a fake address or not to obtain an account information identification result; and/or identifying whether the URL information has malicious URL content to obtain a URL identification result; and/or identifying whether the attachment information has the attachment with the malicious type or not to obtain an attachment identification result; and/or identifying whether malicious text content exists in the text information to obtain a text identification result; and identifying an abnormal mail according to at least one of the account information identification result, the URL identification result, the attachment identification result and the text identification result.
In the present specification, the embodiments are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (11)

1. A method for mail detection, comprising:
identifying the mail type of each mail according to the detection object of each mail; the mail types comprise a safe mail type, a dangerous mail type and a potentially dangerous mail type; the detection object includes: mail account information, URL information, mail attachment information, mail text information and mail sending and receiving behavior;
acquiring behavior data of a target mail according to the mail type of each mail;
analyzing and detecting the behavior data by using a preset behavior analysis model, and identifying abnormal mails in the target mails; wherein the behavior analysis model is configured to detect abnormal behavior, the abnormal behavior comprising: account blasting behavior, mass mail sending behavior, login time abnormal behavior and login place abnormal behavior;
determining a mail to be checked and killed corresponding to the type of the potentially dangerous mail; the potentially dangerous mail types comprise suspicious mail types and unknown mail types;
and sending the detection object information corresponding to the mails to be checked and killed to a cloud checking and killing system so as to identify abnormal mails in the mails to be checked and killed through the cloud checking and killing system.
2. The mail detection method of claim 1, wherein the analyzing and detecting the behavior data by using a preset behavior analysis model to identify the abnormal mail in the target mail comprises:
identifying account blasting behaviors according to the login records of the target mails, and determining the mails corresponding to the account blasting behaviors in the target mails as abnormal mails; and/or,
and identifying a group mail sending behavior according to the mail sending record of the target mail, and determining the mail corresponding to the group mail sending behavior in the target mail as an abnormal mail.
3. The mail detection method according to claim 1, wherein the sending of the detection object information corresponding to the mail to be checked and killed to a cloud checking and killing system to identify an abnormal mail in the mail to be checked and killed by the cloud checking and killing system comprises:
and at least one of account information, URL information, attachment information and text information corresponding to the mails to be checked and killed is sent to the cloud checking and killing system, so that abnormal mails in the mails to be checked and killed are identified through the cloud checking and killing system.
4. The mail detection method according to claim 3, wherein the cloud searching and killing system identifies abnormal mails in the mails to be searched and killed, and comprises the following steps:
identifying whether a source address and/or a destination address in the account information is a forged address or not to obtain an account information identification result; and/or identifying whether the URL information has malicious URL content to obtain a URL identification result; and/or identifying whether the attachment information contains attachments of malicious types or not to obtain an attachment identification result; and/or identifying whether malicious text content exists in the text information to obtain a text identification result;
and identifying an abnormal mail according to at least one of the account information identification result, the URL identification result, the attachment identification result and the text identification result.
5. A mail detection device, comprising:
the mail type identification module is used for identifying the mail type of each mail according to the detection object of each mail; the mail types comprise a safe mail type, a dangerous mail type and a potentially dangerous mail type; the detection object includes: mail account information, URL information, mail attachment information, mail text information and mail sending and receiving behavior;
the behavior data acquisition module is used for acquiring the behavior data of the target mail according to the mail type of each mail;
the abnormal mail identification module is used for analyzing and detecting the behavior data by utilizing a preset behavior analysis model and identifying abnormal mails in the target mails; wherein the behavior analysis model is configured to detect abnormal behavior, the abnormal behavior comprising: account blasting behavior, mass mail sending behavior, login time abnormal behavior and login place abnormal behavior;
the mail to be checked and killed determining module is used for determining the mail to be checked and killed corresponding to the type of the potentially dangerous mail; the potentially dangerous mail types comprise suspicious mail types and unknown mail types;
and the detection object sending module is used for sending the detection object information corresponding to the mails to be checked and killed to a cloud checking and killing system so as to identify abnormal mails in the mails to be checked and killed through the cloud checking and killing system.
6. Mail detection apparatus according to claim 5, characterized in that the abnormal mail identification module comprises a first identification unit and/or a second identification unit;
the first identification unit is used for identifying an account blasting behavior according to the login record of the target mail and determining a mail corresponding to the account blasting behavior in the target mail as an abnormal mail;
and the second identification unit is used for identifying a group sending mail behavior according to the mail sending record of the target mail and determining the mail corresponding to the group sending mail behavior in the target mail as an abnormal mail.
7. The mail detection device according to claim 5, wherein the detection object sending module is specifically configured to send at least one of account information, URL information, attachment information, and text information corresponding to the mail to be checked and killed to the cloud checking and killing system, so as to identify an abnormal mail in the mail to be checked and killed through the cloud checking and killing system.
8. A computer-readable storage medium, characterized in that a computer program is stored on the computer-readable storage medium, which computer program, when being executed by a processor, carries out the steps of the mail detection method according to any one of claims 1 to 4.
9. A mail detection apparatus, comprising:
a memory for storing a computer program;
a processor for implementing the steps of the mail detection method according to any one of claims 1 to 4 when executing the computer program.
10. A mail detection system, characterized by comprising a target host and a cloud searching and killing server; the target host comprises the mail detection apparatus of claim 9;
and the cloud searching and killing server is used for identifying abnormal mails in the mails to be searched and killed, which are sent by the target host and correspond to the types of the potentially dangerous mails.
11. The mail detection system of claim 10, wherein the cloud searching and killing server is specifically configured to:
identifying whether a source address and/or a destination address in the account information is a forged address or not to obtain an account information identification result; and/or identifying whether the URL information has malicious URL content to obtain a URL identification result; and/or identifying whether the attachment information has the attachment with the malicious type or not to obtain an attachment identification result; and/or identifying whether malicious text content exists in the text information to obtain a text identification result; and identifying an abnormal mail according to at least one of the account information identification result, the URL identification result, the attachment identification result and the text identification result.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810497358.8A CN110519150B (en) 2018-05-22 2018-05-22 Mail detection method, device, equipment, system and computer readable storage medium

Publications (2)

Publication Number Publication Date
CN110519150A CN110519150A (en) 2019-11-29
CN110519150B true CN110519150B (en) 2022-09-30

Family

ID=68622363

Country Status (1)

Country Link
CN (1) CN110519150B (en)

Families Citing this family (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110995576B (en) * 2019-12-16 2022-04-29 深信服科技股份有限公司 Mail detection method, device, equipment and storage medium
CN111614543B (en) * 2020-04-10 2021-09-14 中国科学院信息工程研究所 URL-based spear phishing mail detection method and system
CN112039874B (en) * 2020-08-28 2023-03-24 绿盟科技集团股份有限公司 Malicious mail identification method and device
CN112163215A (en) * 2020-10-14 2021-01-01 杭州安恒信息技术股份有限公司 Weak password detection method and device and computer equipment
CN112511517B (en) * 2020-11-20 2023-11-07 深信服科技股份有限公司 Mail detection method, device, equipment and medium
CN113381983B (en) * 2021-05-19 2023-09-22 清华大学 Method and device for identifying fake e-mail
CN113282921A (en) * 2021-06-11 2021-08-20 深信服科技股份有限公司 File detection method, device, equipment and storage medium
CN113595994B (en) * 2021-07-12 2023-03-21 深信服科技股份有限公司 Abnormal mail detection method and device, electronic equipment and storage medium
CN114006721B (en) * 2021-09-14 2023-05-19 北京纽盾网安信息技术有限公司 E-mail risk detection method and system
CN117061198B (en) * 2023-08-30 2024-02-02 广东励通信息技术有限公司 Network security early warning system and method based on big data

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101001244A (en) * 2006-01-13 2007-07-18 腾讯科技(深圳)有限公司 Method and system for removing misdicision of garbage E-mail
CN101540773A (en) * 2009-04-22 2009-09-23 成都市华为赛门铁克科技有限公司 Junk mail detection method and device thereof
CN102413076A (en) * 2011-12-22 2012-04-11 网易(杭州)网络有限公司 Spam mail judging system based on behavior analysis
CN105049334A (en) * 2015-08-04 2015-11-11 新浪网技术(中国)有限公司 E-mail filtering method and device
CN106027505A (en) * 2016-05-10 2016-10-12 国家电网公司 Anti-accident exercise inspecting and learning system
CN107196844A (en) * 2016-11-28 2017-09-22 北京神州泰岳信息安全技术有限公司 Exception mail recognition methods and device
CN107707462A (en) * 2017-10-31 2018-02-16 下代互联网重大应用技术(北京)工程研究中心有限公司 Spam emergency processing method based on cloud computing
CN107743087A (en) * 2016-10-27 2018-02-27 腾讯科技(深圳)有限公司 The detection method and system of a kind of e-mail attack
CN108011809A (en) * 2017-12-04 2018-05-08 北京明朝万达科技股份有限公司 Anti-data-leakage analysis method and system based on user behavior and document content
CN108694202A (en) * 2017-04-10 2018-10-23 上海交通大学 Configurable Spam Filtering System based on sorting algorithm and filter method

Family Cites Families (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7657935B2 (en) * 2001-08-16 2010-02-02 The Trustees Of Columbia University In The City Of New York System and methods for detecting malicious email transmission
US20050015626A1 (en) * 2003-07-15 2005-01-20 Chasin C. Scott System and method for identifying and filtering junk e-mail messages or spam based on URL content
AU2006235845A1 (en) * 2006-10-13 2008-05-01 Titus Inc Method of and system for message classification of web email
CN101188580B (en) * 2007-12-05 2010-12-15 中国联合网络通信集团有限公司 A real time spam filtering method and system
US8417715B1 (en) * 2007-12-19 2013-04-09 Tilmann Bruckhaus Platform independent plug-in methods and systems for data mining and analytics
CN102223316A (en) * 2011-06-15 2011-10-19 成都市华为赛门铁克科技有限公司 Method and device for processing electronic mail
US9710821B2 (en) * 2011-09-15 2017-07-18 Stephan HEATH Systems and methods for mobile and online payment systems for purchases related to mobile and online promotions or offers provided using impressions tracking and analysis, location information, 2D and 3D mapping, mobile mapping, social media, and user behavior and
CN103841094B (en) * 2012-11-27 2017-04-12 阿里巴巴集团控股有限公司 Method and device for judging mail types
CN104714970B (en) * 2013-12-16 2018-11-09 阿里巴巴集团控股有限公司 Method, transmitting terminal, receiving terminal and the system that Email is sorted out
CN105743876B (en) * 2015-08-28 2019-09-13 哈尔滨安天科技股份有限公司 A kind of method and system based on mail source data discovery targeted attacks

Also Published As

Publication number Publication date
CN110519150A (en) 2019-11-29

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant