CN111404939A - Mail threat detection method, device, equipment and storage medium - Google Patents

Info

Publication number: CN111404939A
Authority: CN (China)
Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN202010185057.9A
Other languages: Chinese (zh)
Other versions: CN111404939B (granted patent)
Inventors: 王亚文, 杨玉华
Current and original assignee: Sangfor Technologies Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis)

Classifications

    • H04L63/1441 Countermeasures against malicious traffic (under H04L63/14, network architectures or network communication protocols for detecting or protecting against malicious traffic; H04L63/00, network security)
    • H04L51/42 Mailbox-related aspects, e.g. synchronisation of mailboxes (under H04L51/00, user-to-user messaging in packet-switching networks, e.g. e-mail)

Abstract

The invention discloses a mail threat detection method comprising the following steps: acquiring mail information of a plurality of mails; extracting target information to be analyzed from the mail information; judging, according to the target information, whether the mail corresponding to the target information has abnormal information; and if so, judging the mail with the abnormal information to be a malicious mail. The invention also discloses a mail threat detection device, equipment and a computer-readable storage medium. Malicious mails are found among a plurality of mails by analyzing the target information, which improves the overall detection efficiency and effect.

Description

Mail threat detection method, device, equipment and storage medium
Technical Field
The invention relates to the technical field of network information security, in particular to a mail threat detection method, a device, equipment and a computer readable storage medium.
Background
With the rapid development of Internet technology, the information carried over the network is growing and diversifying, so how to protect this growing volume of network information has become a key topic of attention. Since e-mail is a mainstream network communication method, how to detect malicious mails is also receiving increasing attention. However, most existing malicious mail detection methods are limited to the detection of a single mail: not only is the detection method inflexible, but the mail sending situation across the whole network cannot be perceived, and further improving the detection effect generally consumes a large amount of computing resources.
The above is only for the purpose of assisting understanding of the technical aspects of the present invention, and does not represent an admission that the above is prior art.
Disclosure of Invention
The invention mainly aims to provide a mail threat detection method, device, equipment and computer-readable storage medium, and aims to solve the problems that existing malicious mail detection schemes are mostly limited to the detection of a single mail, that the detection mode is inflexible, and that the detection effect is therefore hard to improve further.
In order to achieve the above object, the present invention provides a mail threat detection method, including the steps of:
acquiring mail information of a plurality of mails;
extracting target information to be analyzed from the mail information;
judging whether the mail corresponding to the target information has abnormal information or not according to the target information;
and if so, judging the mail with the abnormal information to be a malicious mail.
Optionally, the step of extracting target information to be analyzed from the mail information includes:
determining information types corresponding to different mail information according to the mail information;
determining target information types corresponding to different attack types according to the information types;
and extracting the mail information corresponding to the target information type as target information to be analyzed.
Optionally, the step of determining whether the mail corresponding to the target information has abnormal information according to the target information includes:
determining an analysis mode corresponding to the target information;
analyzing the target information according to the determined analysis mode to obtain an analysis result;
and judging whether the mail corresponding to the target information has abnormal information according to the analysis result.
Optionally, the step of determining the analysis manner corresponding to the target information includes:
if the communication information is determined as the target information to be analyzed, determining that the analysis mode corresponding to the target information is sending behavior analysis;
the step of analyzing the target information according to the determined analysis mode to obtain an analysis result comprises the following steps:
according to the determined sending behavior analysis mode, carrying out feature analysis on first feature information contained in the communication information to obtain an initial analysis result;
when the initial analysis result is normal, carrying out sending rule analysis on second feature information contained in the communication information to obtain a sending rule analysis result;
and obtaining a first analysis result according to the initial analysis result and the sending rule analysis result.
Optionally, the step of determining the analysis manner corresponding to the target information includes:
if the content information is determined as target information to be analyzed, determining that an analysis mode corresponding to the target information is document analysis;
the step of analyzing the target information according to the determined analysis mode to obtain an analysis result comprises the following steps:
according to the determined document analysis mode, when the content information contains a text, performing text analysis on the text to obtain a text analysis result;
when the content information contains a link, carrying out URL analysis on the link to obtain a link analysis result;
when the content information contains a picture, sensitive feature analysis is carried out on the picture to obtain a picture analysis result;
and obtaining a second analysis result according to the text analysis result, the link analysis result and the picture analysis result.
Optionally, the step of determining the analysis manner corresponding to the target information includes:
if the attachment information is determined as target information to be analyzed, determining that an analysis mode corresponding to the target information is file analysis;
the step of analyzing the target information according to the determined analysis mode to obtain an analysis result comprises the following steps:
according to the determined file analysis mode, when the attachment corresponding to the attachment information is a document file, performing document analysis on the document file to obtain a document analysis result;
when the attachment corresponding to the attachment information is a non-document file, if the non-document file is an executable file or a macro/script file, performing file analysis on the executable file or the macro/script file to obtain a file analysis result;
and obtaining a third analysis result according to the document analysis result and the file analysis result.
Optionally, the step of determining whether the mail corresponding to the target information has abnormal information according to the analysis result includes:
judging whether an abnormal analysis result exists in the analysis result;
and if at least one analysis result in the analysis results is abnormal, judging that abnormal information exists in the corresponding mail.
Optionally, the step of determining whether the mail corresponding to the target information has abnormal information according to the analysis result includes:
judging whether an abnormal analysis result exists in the analysis result;
if at least one analysis result in the analysis results is abnormal, determining the abnormal degree of the abnormal analysis result;
and if the abnormal degree exceeds the corresponding preset degree, judging that the corresponding mail has abnormal information.
Optionally, after the step of determining whether the mail corresponding to the target information has abnormal information according to the target information, the method includes:
if not, judging whether characteristic information corresponding to the analyzed target information exists in a preset threat information library or not;
and when corresponding characteristic information exists in a preset threat information library, determining the mail corresponding to the target information as a malicious mail.
Optionally, after the step of determining the mail with abnormal information as a malicious mail, the method includes:
and determining category information of the corresponding malicious mails according to the abnormal information, and classifying the corresponding malicious mails according to the category information to obtain the malicious mails of different categories.
Optionally, after the step of classifying the corresponding malicious emails according to the category information to obtain the malicious emails of different categories, the method further includes:
acquiring characteristic information of different classes of malicious mails;
and adding the characteristic information to a corresponding category of information library in a preset threat information library so as to update the preset threat information library.
In addition, to achieve the above object, the present invention also provides a mail threat detection apparatus, including:
an acquisition module, configured to acquire mail information of a plurality of mails;
an extraction module, configured to extract target information to be analyzed from the mail information;
a judging module, configured to judge, according to the target information, whether the mail corresponding to the target information has abnormal information; and
a determination module, configured to judge the mail with the abnormal information to be a malicious mail when the mail corresponding to the target information has abnormal information.
In addition, in order to achieve the above object, the present invention further provides a mail threat detection apparatus, where the mail threat detection apparatus includes a memory, a processor, and a mail threat detection program stored in the memory and operable on the processor, and the processor implements the steps of the mail threat detection method described above when executing the mail threat detection program.
Further, to achieve the above object, the present invention also provides a computer-readable storage medium having stored thereon a mail threat detection program which, when executed by a processor, implements the steps of the mail threat detection method as described above.
In the embodiment of the invention, mail information of a plurality of mails is acquired, target information to be analyzed is extracted from the mail information, and whether the mail corresponding to the target information has abnormal information is judged according to the target information; when the corresponding mail has abnormal information, the mail with the abnormal information is judged to be a malicious mail. Because mail threat detection is carried out on many mails at once, the efficiency of malicious mail detection is improved, and because the extracted target information is analyzed in a targeted way, the detection effect is improved as well.
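The claimed pipeline, as an added worked example in Python that is not part of the patent or of Sangfor's code: a constructed batch of mail records is split into communication, content and attachment information, each type is analyzed in its own mode (sending behaviour analysis with a first-feature check followed by a sending-rule check, document analysis of text and links, file analysis of attachments), a mail is judged abnormal when some analysis result exceeds a preset degree, mails that pass are still checked against a preset threat information library, and the feature information of malicious mails is added back to the library. The mail records, rule logic, degrees and threshold are illustrative assumptions, not the patent's actual rules.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed batch of mail information (the "plurality of mails"); the 25
# bulk@ mails model one sender mass-mailing the network, visible only batch-wide.
MAILS = [
    {"id": 1, "sender": "it@corp-example.com", "reply_to": "it@corp-example.com",
     "text": "Quarterly report attached.", "links": [], "attachments": ["report.pdf"]},
    {"id": 2, "sender": "it@corp-example.com", "reply_to": "collect@mailbox-example.net",
     "text": "Your password expires today, verify your account now.",
     "links": ["http://198.51.100.7/login"], "attachments": []},
    {"id": 3, "sender": "news@corp-example.com", "reply_to": "news@corp-example.com",
     "text": "Invoice enclosed.", "links": [], "attachments": ["invoice.docm"]},
    {"id": 4, "sender": "billing@mailbox-example.net", "reply_to": "collect@mailbox-example.net",
     "text": "See attached statement.", "links": [], "attachments": ["statement.pdf"]},
] + [{"id": 10 + i, "sender": "bulk@corp-example.com", "reply_to": "bulk@corp-example.com",
      "text": "hello", "links": [], "attachments": []} for i in range(25)]

# Constructed preset threat information library, one information library per category.
THREAT_LIBRARY = {"phishing": {"collect@mailbox-example.net"}, "malware": set()}
LURE_WORDS = ("password", "verify", "account", "urgent")
EXEC_OR_MACRO = (".exe", ".scr", ".js", ".vbs", ".docm", ".xlsm")
DOCUMENT = (".pdf", ".docx", ".xlsx", ".txt")

def extract_target_info(mail):
    """Group the mail information into the information types to be analyzed."""
    return {
        "communication": {"sender": mail["sender"], "reply_to": mail["reply_to"]},
        "content": {"text": mail["text"], "links": mail["links"]},
        "attachment": {"files": mail["attachments"]},
    }

def sending_behavior_analysis(comm, ctx):
    """First feature: sender/reply-to domain mismatch. Second feature, checked
    only when the first is normal: this sender's volume across the whole batch."""
    sender_dom = comm["sender"].split("@")[-1]
    reply_dom = comm["reply_to"].split("@")[-1]
    initial = 0.8 if sender_dom != reply_dom else 0.0
    rule = 0.0
    if initial == 0.0 and ctx["sender_counts"][comm["sender"]] > 20:
        rule = 0.6
    return {"mode": "sending_behavior", "degree": max(initial, rule), "category": "phishing"}

def document_analysis(content, ctx):
    """Text analysis (lure words) plus URL analysis (raw IP host, plain http)."""
    text = content["text"].lower()
    text_deg = min(1.0, 0.3 * sum(w in text for w in LURE_WORDS))
    link_deg = 0.0
    for url in content["links"]:
        parsed = urlparse(url)
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", parsed.hostname or ""):
            link_deg = max(link_deg, 0.7)
        elif parsed.scheme == "http":
            link_deg = max(link_deg, 0.3)
    return {"mode": "document", "degree": max(text_deg, link_deg), "category": "phishing"}

def file_analysis(att, ctx):
    """Executables and macro/script files get file analysis; document files
    get a lighter document check (here: a disguised double extension)."""
    degree = 0.0
    for name in att["files"]:
        low = name.lower()
        if low.endswith(EXEC_OR_MACRO):
            degree = max(degree, 0.9)
        elif low.endswith(DOCUMENT) and low.count(".") > 1:
            degree = max(degree, 0.4)
    return {"mode": "file", "degree": degree, "category": "malware"}

ANALYSIS_MODE = {"communication": sending_behavior_analysis,
                 "content": document_analysis, "attachment": file_analysis}

def judge_mail(mail, ctx, library, threshold=0.5):
    """Return (is_malicious, category). Abnormal information exists when some
    analysis result exceeds the preset degree; a mail that passes is still
    looked up in the preset threat information library by its feature information."""
    results = [ANALYSIS_MODE[t](info, ctx) for t, info in extract_target_info(mail).items()]
    worst = max(results, key=lambda r: r["degree"])
    if worst["degree"] > threshold:
        return True, worst["category"]
    features = {mail["sender"], mail["reply_to"], *mail["attachments"]}
    for category, known in library.items():
        if features & known:
            return True, category
    return False, None

def detect_batch(mails, library, threshold=0.5):
    """Detect over many mails at once; returns {mail id: category} and adds
    each malicious mail's feature information to that category's library."""
    ctx = {"sender_counts": Counter(m["sender"] for m in mails)}
    malicious = {}
    for m in mails:
        bad, category = judge_mail(m, ctx, library, threshold)
        if bad:
            malicious[m["id"]] = category
            library.setdefault(category, set()).update({m["reply_to"], *m["attachments"]})
    return malicious
```

Mail 4 is flagged only through the library lookup, and the 25 bulk mails only through the batch-wide sending rule, which a single-mail detector cannot see.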
Drawings
FIG. 1 is a schematic diagram of a mail threat detection apparatus for a hardware operating environment according to an embodiment of the present invention;
FIG. 2 is a schematic flow chart diagram of a first embodiment of a mail threat detection method of the present invention;
FIG. 3 is a schematic flow chart diagram illustrating a mail threat detection method according to a second embodiment of the present invention;
FIG. 4 is a schematic flow chart diagram illustrating a mail threat detection method according to a third embodiment of the present invention;
FIG. 5 is a functional block diagram of an embodiment of the mail threat detection apparatus according to the present invention.
The implementation, functional features and advantages of the objects of the present invention will be further explained with reference to the accompanying drawings.
Detailed Description
It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
The main solution of the invention is: acquiring mail information of a plurality of mails; extracting target information to be analyzed from the mail information; judging, according to the target information, whether the mail corresponding to the target information has abnormal information; and if so, judging the mail with the abnormal information to be a malicious mail.
Because most current mail threat detection schemes are limited to the detection of a single mail, the sending situation of all mails in the network cannot be observed, the reference information available to the detection is limited, and the mail threat detection effect is hard to improve further. Therefore, the invention provides a mail threat detection method, device, equipment and computer-readable storage medium in which mail information of a plurality of mails is obtained, target information to be analyzed is extracted from the mail information, whether abnormal information exists in the mail corresponding to the target information is judged according to the target information, and when abnormal information exists in the corresponding mail, the mail with the abnormal information is judged to be a malicious mail. Detecting the plurality of mails simultaneously improves the efficiency of malicious mail detection, and analyzing the plurality of target information improves the detection effect.
Referring to fig. 1, fig. 1 is a schematic structural diagram of a mail threat detection apparatus in a hardware operating environment according to an embodiment of the present invention.
As shown in fig. 1, the mail threat detection apparatus may include: a communication bus 1002, a processor 1001 such as a CPU, a user interface 1003, a network interface 1004, and a memory 1005. The communication bus 1002 is used to enable connection and communication between these components. The user interface 1003 may include a display screen and an input unit such as a keyboard, and optionally may also include a standard wired interface and a wireless interface. The network interface 1004 may optionally include a standard wired interface and a wireless interface (e.g., a Wi-Fi interface). The memory 1005 may be a high-speed RAM memory or a non-volatile memory (e.g., a magnetic disk memory). The memory 1005 may alternatively be a storage device separate from the processor 1001.
Those skilled in the art will appreciate that the mail threat detection apparatus configuration shown in FIG. 1 does not constitute a limitation of the mail threat detection apparatus, and may include more or fewer components than shown, or some components in combination, or a different arrangement of components.
As shown in fig. 1, a memory 1005, which is a kind of computer storage medium, may include therein an operating system, a network communication module, a user interface module, and a mail threat detection program.
In the mail threat detection apparatus shown in fig. 1, the network interface 1004 is mainly used for connecting to a back-end server and performing data communication with it; the user interface 1003 is mainly used for connecting to a client (user side) and performing data communication with the client; and the processor 1001 may be configured to invoke the mail threat detection program stored in the memory 1005 and perform the following operations:
acquiring mail information of a plurality of mails;
extracting target information to be analyzed from the mail information;
judging whether the mail corresponding to the target information has abnormal information or not according to the target information;
and if so, judging the mail with the abnormal information to be a malicious mail.
Alternatively, the processor 1001 may call the mail threat detection program stored in the memory 1005, and further perform the following operations:
determining information types corresponding to different mail information according to the mail information;
determining target information types corresponding to different attack types according to the information types;
and extracting the mail information corresponding to the target information type as target information to be analyzed.
Alternatively, the processor 1001 may call the mail threat detection program stored in the memory 1005, and further perform the following operations:
determining an analysis mode corresponding to the target information;
analyzing the target information according to the determined analysis mode to obtain an analysis result;
and judging whether the mail corresponding to the target information has abnormal information according to the analysis result.
Alternatively, the processor 1001 calls the mail threat detection program stored in the memory 1005 and performs the following operations:
if the communication information is determined as the target information to be analyzed, determining that the analysis mode corresponding to the target information is sending behavior analysis;
the step of analyzing the target information according to the determined analysis mode to obtain an analysis result comprises the following steps:
according to the determined sending behavior analysis mode, carrying out feature analysis on first feature information contained in the communication information to obtain an initial analysis result;
when the initial analysis result is normal, carrying out sending rule analysis on second feature information contained in the communication information to obtain a sending rule analysis result;
and obtaining a first analysis result according to the initial analysis result and the sending rule analysis result.
Alternatively, the processor 1001 may call the mail threat detection program stored in the memory 1005, and further perform the following operations:
if the content information is determined as target information to be analyzed, determining that an analysis mode corresponding to the target information is document analysis;
the step of analyzing the target information according to the determined analysis mode to obtain an analysis result comprises the following steps:
according to the determined document analysis mode, when the content information contains a text, performing text analysis on the text to obtain a text analysis result;
when the content information contains a link, carrying out URL analysis on the link to obtain a link analysis result;
when the content information contains a picture, sensitive feature analysis is carried out on the picture to obtain a picture analysis result;
and obtaining a second analysis result according to the text analysis result, the link analysis result and the picture analysis result.
Alternatively, the processor 1001 may call the mail threat detection program stored in the memory 1005, and further perform the following operations:
if the attachment information is determined as target information to be analyzed, determining that an analysis mode corresponding to the target information is file analysis;
the step of analyzing the target information according to the determined analysis mode to obtain an analysis result comprises the following steps:
according to the determined file analysis mode, when the attachment corresponding to the attachment information is a document file, performing document analysis on the document file to obtain a document analysis result;
when the attachment corresponding to the attachment information is a non-document file, if the non-document file is an executable file or a macro/script file, performing file analysis on the executable file or the macro/script file to obtain a file analysis result;
and obtaining a third analysis result according to the document analysis result and the file analysis result.
Alternatively, the processor 1001 may call the mail threat detection program stored in the memory 1005, and further perform the following operations:
judging whether an abnormal analysis result exists in the analysis result;
and if at least one analysis result in the analysis results is abnormal, judging that abnormal information exists in the corresponding mail.
Alternatively, the processor 1001 may call the mail threat detection program stored in the memory 1005, and further perform the following operations:
judging whether an abnormal analysis result exists in the analysis result;
if at least one analysis result in the analysis results is abnormal, determining the abnormal degree of the abnormal analysis result;
and if the abnormal degree exceeds the corresponding preset degree, judging that the corresponding mail has abnormal information.
Optionally, after the step of determining whether the mail corresponding to the target information has abnormal information according to the target information, the processor 1001 may call a mail threat detection program stored in the memory 1005, and further perform the following operations:
if not, judging whether characteristic information corresponding to the analyzed target information exists in a preset threat information library or not;
and when corresponding characteristic information exists in a preset threat information library, determining the mail corresponding to the target information as a malicious mail.
Alternatively, after the step of determining the mail with abnormal information as a malicious mail, the processor 1001 may call the mail threat detection program stored in the memory 1005, and further perform the following operations:
and determining category information of the corresponding malicious mails according to the abnormal information, and classifying the corresponding malicious mails according to the category information to obtain the malicious mails of different categories.
Optionally, after the step of classifying the corresponding malicious mails according to the category information to obtain different categories of malicious mails, the processor 1001 may call the mail threat detection program stored in the memory 1005, and further perform the following operations:
acquiring characteristic information of different classes of malicious mails;
and adding the characteristic information to a corresponding category of information library in a preset threat information library so as to update the preset threat information library.
Referring to fig. 2, fig. 2 is a flowchart of a first embodiment of a mail threat detection method according to the present invention, in this embodiment, the mail threat detection method includes the following steps:
step S10: acquiring mail information of a plurality of mails;
Mail information of a plurality of mails is acquired from the network data stream by traffic auditing, where the data stream is the sequence of digitally encoded signals carrying information during data transmission. In this embodiment, the original mail protocol traffic (SMTP, IMAP, POP3) is given a preliminary audit by a bypass mirroring device, and only a log of the actual sending information (such as the text content and attachments) is kept, so as to reduce the storage space occupied by the log; this log stores the mail information of the plurality of mails. The bypass mirroring device is a device providing a port mirroring function: it allows an administrator to set a monitoring management port to observe the data of a monitored port, and allows the user to copy all traffic from a specific port to a mirror port. The mail information may include mail landing information, mail header information, mail subject information, mail body information, mail attachment information, mail sending and receiving time information, mail sender and recipient address information, and the like.
SMTP (Simple Mail Transfer Protocol) is a protocol established on the FTP file transfer service that provides reliable and efficient e-mail transfer; it is independent of any specific transmission subsystem and only needs a reliable, ordered data stream channel. It is mainly used for transferring mail information between systems and for providing notification of incoming mail; it can transmit mail across networks ('SMTP mail relay'), can transmit mail between processes on the same network, and can transmit mail between a given process and other networks through a relay or gateway.
POP3 (Post Office Protocol Version 3) is a member of the TCP/IP protocol family, defined by RFC 1939; it is mainly used to support remote management of e-mail on the server from a client, and is the first offline protocol standard for Internet e-mail. IMAP (Internet Message Access Protocol) is an application-layer protocol through which a mail client can obtain mail information from a mail server, download mail, and so on; its current authoritative definition is RFC 3501. Note that the main difference between the IMAP protocol and the POP3 protocol is that with IMAP the user can operate directly on the mail on the server through the client, without downloading all mails.
Step S20: extracting target information to be analyzed from the mail information;
After the mail information of a plurality of mails is acquired, and because the mail information may contain a large amount of content, corresponding processing operations need to be performed on the mail information to extract the target information to be analyzed. The processing operation may classify the acquired mail information according to features common to the mail information of every mail, and then extract the target information to be analyzed from each classified type of information. For example: every mail has corresponding sender and recipient addresses, a subject, a body and attachment content, so the acquired mail information can be divided into address information, subject information, body information and attachment information, and then the subject information, body information and attachment information can be chosen as the target information to be analyzed according to the specific application requirements. The processing operation may also determine the target information to be analyzed from the mail information according to the mail characteristics corresponding to different attack types. For example, common types of mail attack include ransomware attacks, phishing mails, vulnerability attacks and the like; a phishing mail usually obtains information such as the recipient's account and password by disguise, so special attention needs to be paid to the link information in the body and the sender and recipient address information of the mail, and the link information in the body and the sender and recipient address information can be used as the target information corresponding to phishing mails.
Therefore, in a specific embodiment, the information types corresponding to different mail information are determined according to the mail information, the target information types corresponding to different attack types are determined according to the information types, and then the mail information corresponding to the target information types is extracted as the target information to be analyzed. Since the mail information may include: after acquiring the mail information of a plurality of mails, firstly determining the information types corresponding to different mail information according to the mail information, such as text information, attachment information, communication mode information, communication time information, communication address information, subject information, historical sending information and the like, wherein the information types are as follows: the communication mode information, the communication time information, the communication address information and the historical posting information may be determined as communication information, and the body information, the attachment information and the subject information may be determined as content information. The step of determining the information types corresponding to different mail messages may be to classify the mail messages first, and determine the information types corresponding to different mail messages according to the classified mail messages. The classification of the mail information may be based on the same characteristics corresponding to a plurality of mails, or based on the data type of the obtained mail information, or based on application requirements (e.g., whether malicious links are included or not, whether the malicious links are included or not, or whether the Legend information is included or not, etc.). And then, determining target information types corresponding to different attack types according to the classified information types. 
According to the attack objects and their characteristics corresponding to different attack types, the attack information types corresponding to the different attack types are determined, and, among the classified information types, the information types that contain the attack information types are determined as the target information types corresponding to the different attack types. For example, among the classified information types, the information types containing link information and/or sender and receiver address information can be determined as the target information types corresponding to phishing mails. After the target information type is determined, the mail information corresponding to the target information type can be extracted directly from the acquired mail information as the target information to be analyzed.
Step S30: judging whether the mail corresponding to the target information has abnormal information or not according to the target information;
After the target information to be analyzed has been determined from the acquired mail information, each item of determined target information needs to be analyzed in order to determine whether abnormal information exists in the corresponding mail.
Step S40: judging the mail with the abnormal information as a malicious mail.
After the extracted target information has been analyzed and it has been judged whether the mail corresponding to the target information has abnormal information: if the judgment result is that the corresponding mail has abnormal information (the analysis result of at least one item of information contained in the target information is abnormal), the mail with the abnormal information is judged to be a malicious mail and mails without abnormal information are judged to be normal mails; if the judgment result is that no corresponding mail has abnormal information, there is no malicious mail among the currently acquired mails, that is, all of them are normal mails. In this way the malicious mails among the acquired mails can be found and protective measures can be taken against them, so that users are prevented from being deceived and information leakage and the like caused by network attacks are prevented.
In the embodiment, the mail information of the multiple mails is acquired, the target information to be analyzed is extracted from the mail information, the extracted target information is analyzed to judge whether the mail corresponding to the target information has abnormal information, and the mail with the abnormal information is judged to be a malicious mail.
Referring to fig. 3, fig. 3 is a flowchart of a mail threat detection method according to a second embodiment of the present invention, in this embodiment, the mail threat detection method includes the following steps:
step S11: acquiring mail information of a plurality of mails;
step S12: extracting target information to be analyzed from the mail information;
step S13: determining an analysis mode corresponding to the target information;
step S14: analyzing the target information according to the determined analysis mode to obtain an analysis result;
step S15: judging whether the mail corresponding to the target information has abnormal information or not according to the analysis result;
step S16: judging the mail with the abnormal information as a malicious mail.
In this embodiment, after the step of obtaining the mail information of a plurality of mails and extracting target information to be analyzed from the mail information, in order to determine whether the mail corresponding to the target information has abnormal information according to the target information, it is first necessary to determine analysis modes corresponding to different target information, analyze the corresponding target information according to the determined analysis modes to obtain corresponding analysis results, and then determine whether the mail corresponding to the target information has abnormal information according to the obtained analysis results. The target information may include at least one information type, such as at least one of communication information, content information, and attachment information.
In an embodiment, communication information is used as the target information to be analyzed, so the analysis mode corresponding to the communication information is determined to be sending behavior analysis; a first analysis result is obtained by performing sending behavior analysis on the target information, and whether abnormal information exists in the mail corresponding to the target information is judged according to the first analysis result. Certain specific fields are generated while a mail is being sent (for example, under the SMTP protocol, fields such as hello, hello_reply, date, message_id, x-mail, user, x-addressing_ip and receivers are generated during sending; the hello field is generally the host name of the sending host, date is the sending time of the mail, and x-mail is the user agent of the client that sent the mail). First feature information is therefore extracted from the communication information, and feature analysis is performed on the first feature information contained in the communication information to obtain an initial analysis result.
Specifically, it is judged whether the corresponding specific fields exist in the extracted first feature information; when a corresponding specific field does not exist, or exists but has an abnormal format, the initial analysis result is abnormal. If the extracted feature information has the corresponding specific fields and their formats are normal, the initial analysis result is normal. When the initial analysis result is normal, sending rule analysis is performed on second feature information contained in the communication information to obtain a sending rule analysis result. The second feature information may include features of the historical mail information of the current IP address or host, such as its time range, host name and mail subjects; whether the sending pattern of the current mail conforms to the sending pattern of the historical mails is judged according to the second feature information, and if it does not conform, the sending rule analysis result is judged to be abnormal. A first analysis result is then obtained from the initial analysis result and the sending rule analysis result: when either the initial analysis result or the sending rule analysis result is abnormal, the first analysis result is that the communication information is abnormal. If the first analysis result is that the communication information is abnormal, it is judged that the mail corresponding to the target information has abnormal information, and the mail corresponding to the target information is judged to be a malicious mail.
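The sending behavior analysis just described, written out as an added Python example (this is not code from the patent or from the applicant). The sample message and the sender history are constructed; the required header set, the format regexes and the choice to read the HELO host name and connecting IP from the Received header are assumptions made for the example. The initial analysis checks presence and format of the specific fields, the sending rule analysis compares HELO name, sending hour and client against the history recorded for the connecting IP, and the first analysis result is abnormal when either check is.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample message (not from the patent). The headers stand in for the
# "specific fields" the description lists: the HELO host name (taken from the
# Received header), Date, Message-ID and the client user agent (X-Mailer).
SAMPLE_RAW = """\
Received: from mail.example.net (mail.example.net [192.0.2.10]) by mx.local with ESMTP; Mon, 02 Mar 2020 09:15:00 +0000
Date: Mon, 02 Mar 2020 09:14:55 +0000
Message-ID: <abc123@mail.example.net>
X-Mailer: ExampleClient 1.0
From: alice@example.net
To: bob@example.org
Subject: Weekly report

Body text here.
"""

# Constructed history of what the sending IP has done before (the "second feature
# information"): HELO names used, the hour range it normally sends in, clients used.
HISTORY = {
    "192.0.2.10": {
        "helo_hosts": {"mail.example.net"},
        "hours": (7, 19),
        "mailers": {"ExampleClient 1.0"},
    },
}


def _valid_date(value):
    """Date header must parse as an RFC 5322 date."""
    try:
        parsedate_to_datetime(value)
        return True
    except (TypeError, ValueError):
        return False


# Field name -> format check. The regexes are assumptions for this example.
REQUIRED_FIELDS = {
    "Date": _valid_date,
    "Message-ID": lambda v: re.fullmatch(r"<[^<>@\s]+@[^<>@\s]+>", v.strip()) is not None,
    "X-Mailer": lambda v: bool(v.strip()),
}


def helo_host(msg):
    """HELO host name as recorded by the receiving MTA in the Received header."""
    m = re.match(r"from\s+(\S+)", msg.get("Received", ""))
    return m.group(1) if m else None


def sender_ip(msg):
    """Connecting IP as recorded in the Received header."""
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", msg.get("Received", ""))
    return m.group(1) if m else None


def feature_analysis(msg):
    """Initial analysis: every specific field must be present and well-formed."""
    if not helo_host(msg):
        return "abnormal"
    for name, check in REQUIRED_FIELDS.items():
        value = msg.get(name)
        if value is None or not check(value):
            return "abnormal"
    return "normal"


def sending_rule_analysis(msg, history=HISTORY):
    """Sending rule analysis: does this mail fit the sender's historical pattern?"""
    past = history.get(sender_ip(msg))
    if past is None:
        return "normal"  # no baseline for this IP, so the pattern check cannot fire (design choice)
    if helo_host(msg) not in past["helo_hosts"]:
        return "abnormal"
    hour = parsedate_to_datetime(msg["Date"]).hour
    low, high = past["hours"]
    if not low <= hour <= high:
        return "abnormal"
    if msg.get("X-Mailer") not in past["mailers"]:
        return "abnormal"
    return "normal"


def first_analysis_result(raw, history=HISTORY):
    """Combine the two analyses; either being abnormal makes the first result abnormal."""
    msg = message_from_string(raw)
    initial = feature_analysis(msg)
    rule = sending_rule_analysis(msg, history) if initial == "normal" else "not run"
    abnormal = initial == "abnormal" or rule == "abnormal"
    return {
        "initial": initial,
        "sending_rule": rule,
        "first_result": "communication information abnormal" if abnormal else "normal",
    }
```

Note that the sending rule analysis only runs when the initial analysis is normal, as the description specifies; a message with a missing Date header is therefore reported abnormal without any history lookup, while a message whose HELO name or sending hour does not match the history for its connecting IP is reported abnormal by the second stage.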
In another embodiment, the content information is determined as the target information to be analyzed, so the analysis mode corresponding to the content information is determined to be document analysis; a second analysis result is obtained by performing document analysis on the target information, and whether the mail corresponding to the target information has abnormal information is judged according to the second analysis result. The content information includes the mail body and the mail subject, and is usually text, links or pictures. In the document analysis of the content information, it is first judged whether the content information contains text; if it does, text analysis is performed on the text to obtain a text analysis result. The text analysis mainly consists of extracting keywords and judging whether the text contains sensitive keywords, which may include words with sensitive political tendencies, words with violent tendencies, pornographic or uncivil words, and special sensitive words set according to the actual situation. The sensitive keywords are stored in advance in a sensitive keyword library, and whether the text contains sensitive keywords is judged by matching the feature keywords extracted from the text against the sensitive keywords stored in the library. When a matching feature keyword exists in the sensitive keyword library, the text contains a sensitive keyword and is judged to be abnormal, that is, the text analysis result is text abnormal. Next, it is judged whether the content information contains a link; if so, url analysis is performed on the link to judge whether it is a malicious link and obtain a link analysis result.
The analysis process may be to detect whether each level of the link's domain name conforms to the domain name rules, and then to determine whether malicious behavior exists according to the access behavior produced by the link (for example, calling specific system functions, executing or loading specific code, allocating specific memory, storing files in specific locations, and so on). If the domain name of the link does not conform to the domain name rules, or the link exhibits malicious behavior, the link is judged to be a malicious link. If the link is a malicious link, the link is judged to be abnormal, that is, the link analysis result is link abnormal. Next, it is judged whether the content information contains a picture; if so, features are extracted from the picture to judge whether it contains sensitive features, giving a picture analysis result. If the picture contains sensitive features, the picture is judged to be abnormal, that is, the picture analysis result is picture abnormal. The sensitive features of a picture may include image features carrying pornographic information, image features carrying malicious links, image features carrying malicious code, and other image features that may constitute threats such as account theft and fraud. Finally, a second analysis result is obtained from the text analysis result, the link analysis result and the picture analysis result: as long as at least one of them is abnormal, the content information is judged to be abnormal, that is, the second analysis result is that the content information is abnormal.
Since the content information may only include any one of a text, a link, and an image, and may also include the text, the link, and the image at the same time, the step of determining whether the text includes a sensitive keyword, determining whether the content information includes a link, and determining whether the content information includes an image may be performed at the same time. And when the second analysis result is that the content information is abnormal, judging that the mail corresponding to the target information has abnormal information, and judging the mail corresponding to the target information as a malicious mail.
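The document analysis of content information (text, link and picture parts combined into the second analysis result), as an added Python example that is not the patent's or the applicant's code. The sensitive keyword library, the per-label domain name rule and the sample body text are all constructed for the example; the behavioural check of a link (observing what it does when accessed) needs a sandbox and is not modelled here, so the url analysis consists of the domain rule check plus a lookup of hosts already known to be malicious. Picture analysis is reduced to a content fingerprint compared against known-bad fingerprints, which is an assumption standing in for real feature extraction.

```python
import hashlib
import re
from urllib.parse import urlparse

# Constructed sensitive keyword library (the real library is site-specific).
SENSITIVE_KEYWORDS = frozenset({
    "your account has been locked",
    "verify your password",
    "wire transfer immediately",
})

# Constructed fingerprints of pictures already known to carry sensitive content.
BAD_IMAGE_FINGERPRINTS = frozenset()

URL_RE = re.compile(r"https?://[^\s<>\"']+")
# Assumed per-label domain name rule: 1-63 characters, letters, digits and
# hyphens only, not starting or ending with a hyphen.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def text_analysis(text, library=SENSITIVE_KEYWORDS):
    """Keyword matching against the sensitive keyword library."""
    lowered = text.lower()
    hits = sorted(k for k in library if k in lowered)
    return {"result": "abnormal" if hits else "normal", "hits": hits}


def domain_rule_ok(host):
    """Every level of the domain name must satisfy the label rule."""
    if not host or len(host) > 253:
        return False
    labels = host.rstrip(".").split(".")
    return len(labels) >= 2 and all(LABEL_RE.match(label) for label in labels)


def link_analysis(text, known_malicious=frozenset()):
    """url analysis: domain rule check plus lookup of already known malicious hosts."""
    links = []
    for url in URL_RE.findall(text):
        try:
            host = urlparse(url).hostname or ""
        except ValueError:  # malformed netloc (e.g. bad IPv6 literal)
            host = ""
        bad = not domain_rule_ok(host) or host in known_malicious
        links.append((url, "abnormal" if bad else "normal"))
    result = "abnormal" if any(r == "abnormal" for _, r in links) else "normal"
    return {"result": result, "links": links}


def image_fingerprint(data):
    """Simplified picture feature: a content hash (assumption for this example)."""
    return hashlib.sha256(data).hexdigest()


def picture_analysis(images, bad_fingerprints=BAD_IMAGE_FINGERPRINTS):
    """Picture analysis: abnormal if any picture matches a known sensitive fingerprint."""
    for data in images:
        if image_fingerprint(data) in bad_fingerprints:
            return "abnormal"
    return "normal"


def second_analysis_result(body, images=(), known_malicious=frozenset(),
                           bad_fingerprints=BAD_IMAGE_FINGERPRINTS):
    """Second analysis result: abnormal as soon as any of the three parts is abnormal."""
    parts = {
        "text": text_analysis(body)["result"],
        "link": link_analysis(body, known_malicious)["result"],
        "picture": picture_analysis(images, bad_fingerprints),
    }
    abnormal = any(v == "abnormal" for v in parts.values())
    return {"parts": parts,
            "second_result": "content information abnormal" if abnormal else "normal"}
```

The three checks are independent, which matches the description's remark that they can be performed at the same time; a body with no links or pictures simply yields "normal" for those parts.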
In another embodiment, the attachment information is used as the target information to be analyzed, the analysis mode corresponding to the target information is determined to be file analysis, a third analysis result is obtained by performing file analysis on the target information, and whether the mail corresponding to the target information has abnormal information is judged according to the third analysis result. Before file analysis is performed on the attachment information, it is judged whether the file carried by the attachment is an encrypted file; if so, decryption needs to be performed first. If not, it is judged directly whether the file carried by the attachment is a document file; if so, the corresponding document analysis is performed on the document file to obtain a document analysis result. This document analysis is the same as in the embodiment above: the document analysis result is obtained by analyzing the text, links and pictures contained in the document, the process being the same as the document analysis performed on the content information, so the details are not repeated here. If the file is not a document file, it is judged whether the file carried by the attachment is an executable file or a macro/script file, and if so, file analysis is performed on the executable file or macro/script file to obtain a file analysis result. File analysis of an executable file or macro/script file means analyzing whether the file carried by the attachment is an executable file disguised as a document or picture, or a document file carrying a malicious macro or script (referred to here as a macro/script file), such as a file containing malicious VBA (Visual Basic for Applications) code.
If the attachment contains an executable file disguised as a document, picture or the like, the executable file is judged to be abnormal; if a macro/script can be extracted from the attachment and the macro/script is malicious, the macro/script file is judged to be a malicious macro/script file. Likewise, when any one of the document file, the executable file and the macro/script file contained in the attachment is abnormal, it can be determined that the attachment information is abnormal, that is, the file analysis result is file abnormal. A third analysis result is obtained from the document analysis result and the file analysis result: if either of them is abnormal, the third analysis result is that the attachment information is abnormal. When the third analysis result is that the attachment information is abnormal, it is judged that the mail corresponding to the target information has abnormal information, and the mail corresponding to the target information is judged to be a malicious mail.
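The file analysis branch of the attachment check, as an added Python example (not the patent's or the applicant's code). It covers the three decisions the description makes before and during file analysis: whether the file is encrypted (checked here only for ZIP-based containers, via the per-entry encryption flag), whether an attachment named like a document or picture is really a Windows executable (the MZ header), and whether an OOXML document carries a VBA macro (a vbaProject.bin part). The document analysis of a document attachment's text, links and pictures is the same procedure the description gives for content information and is not repeated in this block; its result is passed in. The extension lists, the auto-execute markers scanned for in the raw macro part, and the helpers that build a minimal OOXML-like container and mark it as encrypted are constructed for the example.

```python
import io
import os
import zipfile

DOCUMENT_EXTS = {".doc", ".docx", ".docm", ".xls", ".xlsx", ".xlsm", ".pdf", ".rtf"}
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif"}
# Assumed markers of auto-executing VBA; a production system would parse the
# extracted macro rather than scan the raw part for these strings.
AUTOEXEC_MARKERS = (b"AutoOpen", b"Document_Open", b"Workbook_Open")


def is_pe(data):
    """Windows executables start with the 'MZ' DOS header regardless of file name."""
    return data[:2] == b"MZ"


def is_zip(data):
    return data[:4] == b"PK\x03\x04"


def is_encrypted(data):
    """Encrypted-file check for ZIP containers (OOXML documents, archives): bit 0 of
    the general-purpose flag marks an encrypted entry. Other formats are treated as
    not encrypted in this example."""
    if not is_zip(data):
        return False
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return any(info.flag_bits & 0x1 for info in zf.infolist())


def extract_macro(data):
    """Return the raw vbaProject.bin part of an OOXML file, or None if there is none."""
    if not is_zip(data):
        return None
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.lower().endswith("vbaproject.bin"):
                return zf.read(name)
    return None


def file_analysis(filename, data):
    """File analysis of one attachment: encrypted? disguised executable? malicious macro?"""
    ext = os.path.splitext(filename.lower())[1]
    if is_encrypted(data):
        return {"result": "needs decryption", "reason": "encrypted container"}
    if ext in DOCUMENT_EXTS | IMAGE_EXTS and is_pe(data):
        return {"result": "abnormal", "reason": f"executable disguised as {ext} file"}
    macro = extract_macro(data)
    if macro is not None:
        if any(marker in macro for marker in AUTOEXEC_MARKERS):
            return {"result": "abnormal", "reason": "document carries auto-executing VBA macro"}
        return {"result": "normal", "reason": "macro present, no auto-execute marker"}
    return {"result": "normal", "reason": "no executable or macro content found"}


def third_analysis_result(filename, data, document_result="normal"):
    """Third analysis result: abnormal if either the document analysis (passed in)
    or the file analysis is abnormal."""
    file_result = file_analysis(filename, data)
    if document_result == "abnormal" or file_result["result"] == "abnormal":
        third = "attachment information abnormal"
    elif file_result["result"] == "needs decryption":
        third = "needs decryption"
    else:
        third = "normal"
    return {"document": document_result, "file": file_result, "third_result": third}


def build_ooxml(with_macro, macro_body=b"AutoOpen"):
    """Constructed minimal OOXML-like container; real documents have many more parts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + macro_body)
    return buf.getvalue()


def mark_encrypted(zip_bytes):
    """Constructed helper: set the 'encrypted' flag bit on every central directory
    entry so the bytes look like a password-protected archive (payload untouched)."""
    data = bytearray(zip_bytes)
    pos = data.find(b"PK\x01\x02")
    while pos != -1:
        data[pos + 8] |= 0x01
        pos = data.find(b"PK\x01\x02", pos + 4)
    return bytes(data)
```

The checks are ordered as the description orders them: encryption is tested first, because neither the disguise check nor macro extraction can be trusted on a container whose entries cannot be read.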
It should be noted that two or all three of the communication information, the content information and the attachment information may also be combined as the target information to be analyzed. To improve the accuracy of malicious mail detection, the communication information, content information and attachment information are generally used together as the target information to be analyzed. In that case, sending behavior analysis is performed on the communication information to obtain a first analysis result, document analysis is performed on the content information to obtain a second analysis result, file analysis is performed on the attachment information to obtain a third analysis result, and whether the mail corresponding to the target information has abnormal information is judged according to the first, second and third analysis results. As long as at least one of the three is abnormal, it can be determined that the mail corresponding to the target information has abnormal information; that is, when the first analysis result is that the communication information is abnormal, the second analysis result is that the content information is abnormal, or the third analysis result is that the attachment information is abnormal, the mail corresponding to the target information is judged to have abnormal information. Therefore, in a specific embodiment, the step of judging whether the mail corresponding to the target information has abnormal information according to the analysis result includes: judging whether an abnormal analysis result exists among the analysis results; and if at least one of the analysis results is abnormal, judging that the corresponding mail has abnormal information.
That is, no matter how many types of information the target information contains, if the analysis result corresponding to at least one type of information is abnormal, the mail corresponding to the target information is judged to have abnormal information and is judged to be a malicious mail, so that missed detections are avoided.
In another embodiment, the step of judging whether the mail corresponding to the target information has abnormal information according to the analysis result includes: judging whether an abnormal analysis result exists among the analysis results; if at least one of the analysis results is abnormal, determining the abnormality degree of the abnormal analysis result; and if the abnormality degree exceeds the corresponding preset degree, judging that the corresponding mail has abnormal information. To further improve the detection effect and avoid erroneous judgments, when at least one of the analysis results is abnormal, the abnormality degree of that result is determined, and whether the mail corresponding to the target information has abnormal information is judged by comparing the abnormality degree with the corresponding preset degree. Here, the abnormal information corresponding to the different types of information contained in the target information is first classified, the abnormality type corresponding to each kind of abnormal information is determined, and the abnormality degree of the abnormal analysis result is determined according to the abnormality type. For example, when the second analysis result is detected to be abnormal: if the only abnormality in the content information is a failed SPF (Sender Policy Framework) check, it is determined to be a first type of abnormality; if the content information contains only simple invoice-type abnormal information, it is determined to be a second type of abnormality (junk mail); and if the content information contains ransom vocabulary and abnormal information such as a Bitcoin payment method appears, it is determined to be a third type of abnormality (ransom mail).
According to the determined abnormality types, the abnormality degrees of the three types are, from low to high: the first type, the second type and the third type. Here, the abnormality degree corresponding to the third type is used as the preset degree, and when the abnormality degree reaches that of the third type, the corresponding mail is judged to have abnormal information. Because the abnormality degrees corresponding to different information differ, the corresponding preset degrees also differ and need to be set according to the specific situation.
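The two decision rules from the preceding paragraphs side by side, as an added Python example (not code from the patent or the applicant): the rule that any abnormal analysis result marks the mail, and the rule that the highest abnormality degree among the abnormal results must reach a preset degree. The three abnormality types and their ordering follow the description; the vocabularies used to recognise the ransom and invoice cases, and the shape of the `finding` dictionary attached to an abnormal result, are assumptions for the example.

```python
from enum import IntEnum


class AnomalyType(IntEnum):
    """Abnormality degrees, ordered from low to high as in the description."""
    NONE = 0
    SPF_FAIL = 1   # first type: only the SPF check failed
    SPAM = 2       # second type: junk mail, e.g. a simple invoice mail
    RANSOM = 3     # third type: ransom mail


# Constructed vocabularies; the real lists are part of the keyword library.
RANSOM_WORDS = frozenset({"decrypt", "ransom", "bitcoin"})
SPAM_WORDS = frozenset({"invoice"})


def anomaly_degree(finding):
    """Map the abnormal information behind one analysis result to an abnormality type.
    `finding` is a dict with optional keys: spf_pass (bool), keywords (list of str),
    crypto_payment (bool). Higher types are tested first, so a mail that both fails
    SPF and carries ransom wording is rated as the ransom (third) type."""
    words = {w.lower() for w in finding.get("keywords", ())}
    if words & RANSOM_WORDS and finding.get("crypto_payment", False):
        return AnomalyType.RANSOM
    if words & SPAM_WORDS:
        return AnomalyType.SPAM
    if not finding.get("spf_pass", True):
        return AnomalyType.SPF_FAIL
    return AnomalyType.NONE


def judge_any_abnormal(analyses):
    """First variant: any abnormal analysis result marks the mail as having abnormal
    information. Each analysis is a dict with 'name', 'result' and optional 'finding'."""
    return any(a["result"] == "abnormal" for a in analyses)


def judge_by_degree(analyses, preset=AnomalyType.RANSOM):
    """Second variant: among the abnormal results, the highest abnormality degree must
    reach the preset degree. Returns (has_abnormal_information, degree)."""
    abnormal = [a for a in analyses if a["result"] == "abnormal"]
    if not abnormal:
        return False, AnomalyType.NONE
    degree = max(anomaly_degree(a.get("finding", {})) for a in abnormal)
    return degree >= preset, degree
```

With the preset degree left at the third type, a mail whose only abnormality is a failed SPF check is not reported, which is the false-positive reduction the description aims for; lowering the preset degree to the first type makes the second rule behave like the first.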
In a preferred embodiment, after the step of judging whether the mail corresponding to the target information has abnormal information according to the target information, if the acquired mail has no abnormal information, it is further judged whether feature information corresponding to the analyzed target information exists in a preset threat intelligence library; when corresponding feature information exists in the preset threat intelligence library, the mail corresponding to the target information is determined to be a malicious mail. The threat intelligence library contains the various abnormal features of mails with abnormal information, such as abnormal keywords in the body, malicious links in the mail and file names of malicious attachments; these abnormal features are classified and stored in the intelligence library of the corresponding category, which together form the threat intelligence library. The preset threat intelligence library is the pre-stored threat intelligence library corresponding to the current mail threat detection network, and it holds the abnormal features corresponding to the abnormal information detected before malicious mail detection is performed on the currently acquired mails. Because the abnormal feature information stored in the preset threat intelligence library is limited, when the analysis of each determined item of target information finds no abnormal information, it is further judged whether feature information corresponding to the analyzed target information exists in the preset threat intelligence library, and if so, the mail corresponding to the target information can be determined directly to be a malicious mail.
In this embodiment, the mail information of a plurality of mails is acquired, the target information is extracted from the mail information, then the analysis mode corresponding to the target information is determined, the target information is analyzed according to the analysis mode to obtain the analysis result, whether the mail corresponding to the target information has abnormal information or not is judged according to the analysis result, if yes, the mail corresponding to the target information is judged to be a malicious mail, and different types of target information are analyzed in a targeted manner, so that not only is malicious mail detection on the plurality of mails realized, but also the detection effect of the malicious mail can be improved.
Referring to fig. 4, fig. 4 is a flowchart of a third embodiment of the mail threat detection method of the present invention, in this embodiment, the mail threat detection method includes the following steps:
step S21: acquiring mail information of a plurality of mails;
step S22: determining target information to be analyzed from the mail information;
step S23: judging whether the mail corresponding to the target information has abnormal information or not according to the target information;
step S24: judging the mail with abnormal information as a malicious mail;
step S25: and determining category information of the corresponding malicious mails according to the abnormal information, and classifying the corresponding malicious mails according to the category information to obtain the malicious mails of different categories.
In this embodiment, after a mail with abnormal information is determined to be a malicious mail, the category information corresponding to the malicious mail is determined according to the abnormal information. The category information may include junk mail, phishing mail, ransom mail and the like; junk mail may be subdivided according to its content into pornography and gambling, advertising and the like, phishing mail may be subdivided according to its information format into malicious url phishing, malicious attachment phishing and the like, and ransom mail may likewise be divided according to the form of extortion into commercial fraud, monetary extortion and the like. The specific category information can be determined according to the actual application scenario. Once the category information of the malicious mails is determined, the corresponding malicious mails can be classified according to it to obtain malicious mails of different categories, so that the corresponding protective measures can be taken in time for each category.
In an embodiment, after the corresponding malicious mails are classified according to the category information to obtain malicious mails of different categories, the method further includes: acquiring the feature information of the malicious mails of the different categories; and adding the feature information to the intelligence library of the corresponding category within the preset threat intelligence library so as to update it. The feature information may include the sensitive keywords, sensitive image features and malicious links in the content information, and the file names of malicious files in the attachment information. Each time malicious mails of different categories are obtained, their feature information is added to the intelligence library of the corresponding category in the preset threat intelligence library, so that the library is updated and the detection capability of the threat mail detection platform improves continuously.
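The threat intelligence library loop described in the preferred embodiment above and in this embodiment, as one added Python example that is not the patent's or the applicant's code: a mail found to have abnormal information is classified into a category, its feature information (keywords, malicious links, malicious attachment names) is added to the intelligence library of that category, and a mail in which analysis found no abnormal information is still checked against the library and determined malicious if any of its features is already recorded. The category labels follow the description, while the decision order in `classify_malicious`, the field names of the mail and anomaly dictionaries, and all sample values are constructed for the example.

```python
from collections import defaultdict


class ThreatIntelLibrary:
    """Preset threat intelligence library: one intelligence library per malicious mail
    category, each holding (feature kind, value) pairs. Values are compared
    case-insensitively."""

    def __init__(self):
        self._libs = defaultdict(set)

    def add(self, category, features):
        for kind, value in features:
            self._libs[category].add((kind, value.lower()))

    def lookup(self, features):
        """Categories whose intelligence library contains any of the given features."""
        wanted = {(kind, value.lower()) for kind, value in features}
        return sorted(cat for cat, entries in self._libs.items() if entries & wanted)

    def size(self):
        return sum(len(entries) for entries in self._libs.values())


def classify_malicious(anomaly):
    """Determine category information from the abnormal information found
    (assumed precedence: ransom, then phishing by url, then phishing by attachment)."""
    if anomaly.get("ransom_words"):
        return "ransom mail"
    if anomaly.get("malicious_links"):
        return "phishing mail/malicious url"
    if anomaly.get("malicious_attachments"):
        return "phishing mail/malicious attachment"
    return "junk mail"


def anomaly_features(anomaly):
    """Feature information of a malicious mail worth storing in the library."""
    return ([("keyword", k) for k in anomaly.get("sensitive_keywords", ())]
            + [("link", u) for u in anomaly.get("malicious_links", ())]
            + [("attachment", n) for n in anomaly.get("malicious_attachments", ())])


def mail_features(mail):
    """Feature information extracted from the analyzed target information of a mail."""
    return ([("keyword", k) for k in mail.get("keywords", ())]
            + [("link", u) for u in mail.get("links", ())]
            + [("attachment", n) for n in mail.get("attachments", ())])


def detect(mail, library):
    """Final decision for one mail. `mail` carries 'abnormal' (bool), 'anomaly' (dict)
    and the plain feature lists 'keywords', 'links', 'attachments'. A mail with abnormal
    information is classified and its features fed back into the library; otherwise
    the library is consulted."""
    if mail["abnormal"]:
        category = classify_malicious(mail.get("anomaly", {}))
        library.add(category, anomaly_features(mail.get("anomaly", {})))
        return "malicious", category
    hits = library.lookup(mail_features(mail))
    if hits:
        return "malicious", hits[0]
    return "normal", None
```

Because the library is keyed by category, a later mail that reuses a link or attachment name already seen in a phishing mail is reported with that category even though its own analysis raised nothing, which is the coverage gain the description attributes to the preset library.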
In this embodiment, the mail information of a plurality of mails is acquired, the target information to be analyzed is determined from the mail information, each determined item of target information is analyzed to judge whether abnormal information exists in the corresponding mail, and the mail with abnormal information is judged to be a malicious mail; then the category information of the corresponding malicious mail is determined according to the abnormal information, and the corresponding malicious mails are classified according to the category information to obtain malicious mails of different categories, so that the corresponding protective or remedial measures can be taken in time according to the classified malicious mails, and the features of the classified malicious mails are extracted to update the preset threat intelligence library, so that the detection effect for malicious mails can be improved.
In addition, an embodiment of the present invention further provides a mail threat detection apparatus, and referring to fig. 5, fig. 5 is a schematic diagram of functional modules of an embodiment of the mail threat detection apparatus.
In this embodiment, the mail threat detection apparatus includes:
the acquisition module 10: used for acquiring mail information of a plurality of mails;
the extraction module 20: used for extracting target information to be analyzed from the mail information;
the judging module 30: used for judging whether the mail corresponding to the target information has abnormal information according to the target information;
the determination module 40: used for judging the mail with the abnormal information as a malicious mail when the mail corresponding to the target information has the abnormal information.
It should be noted that each embodiment of the mail threat detection apparatus is substantially the same as each embodiment of the mail threat detection method, and details are not described here.
The mail threat detection apparatus provided in this embodiment acquires the mail information of a plurality of mails through the acquisition module 10; the extraction module 20 then extracts the target information to be analyzed from the mail information, the judging module 30 judges whether the mail corresponding to the target information has abnormal information according to the target information, and the determination module 40 judges the mail with the abnormal information to be a malicious mail when the mail corresponding to the target information has abnormal information. In this way, a plurality of mails can be detected simultaneously and the detection efficiency for malicious mails is improved; moreover, because analysis and judgment are performed on the extracted target information, the detection effect for malicious mails can be improved when the target information includes several types of mail information, and the user can conveniently take targeted precautions against and handle malicious mails.
In addition, an embodiment of the present invention further provides a mail threat detection apparatus, where the mail threat detection apparatus includes a memory, a processor, and a mail threat detection program that is stored in the memory and can be run on the processor, and the processor implements the steps of the mail threat detection method described above when executing the mail threat detection program.
In addition, an embodiment of the present invention further provides a computer readable storage medium, where a mail threat detection program is stored on the computer readable storage medium, and when the mail threat detection program is executed by a processor, the steps of the mail threat detection method described above are implemented.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or system that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or system. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, method, article, or system that comprises the element.
The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments.
Through the above description of the embodiments, those skilled in the art will clearly understand that the above embodiment method can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but in many cases, the former is a better embodiment. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium (such as ROM/RAM, magnetic disk, optical disk) as described above, and includes instructions for enabling a terminal device (such as a mobile phone, a computer, a server, a television, or a network device) to execute the method according to the embodiments of the present invention.
The above description is only a preferred embodiment of the present invention, and not intended to limit the scope of the present invention, and all modifications of equivalent structures and equivalent processes, which are made by using the contents of the present specification and the accompanying drawings, or directly or indirectly applied to other related technical fields, are included in the scope of the present invention.

Claims (14)

1. A mail threat detection method, characterized by comprising the steps of:
acquiring mail information of a plurality of mails;
extracting target information to be analyzed from the mail information;
judging whether the mail corresponding to the target information has abnormal information or not according to the target information;
if so, judging the mail with the abnormal information to be a malicious mail.
2. The mail threat detection method of claim 1, wherein the step of extracting target information to be analyzed from the mail information comprises:
determining information types corresponding to different mail information according to the mail information;
determining target information types corresponding to different attack types according to the information types;
and extracting the mail information corresponding to the target information type as target information to be analyzed.
3. The mail threat detection method according to claim 1, wherein the step of determining whether the mail corresponding to the target information has abnormal information according to the target information comprises:
determining an analysis mode corresponding to the target information;
analyzing the target information according to the determined analysis mode to obtain an analysis result;
and judging whether the mail corresponding to the target information has abnormal information according to the analysis result.
4. The mail threat detection method of claim 3, wherein the step of determining an analysis mode corresponding to the target information comprises:
if the communication information is determined as the target information to be analyzed, determining that the analysis mode corresponding to the target information is sending behavior analysis;
the step of analyzing the target information according to the determined analysis mode to obtain an analysis result comprises the following steps:
according to the determined sending behavior analysis mode, carrying out feature analysis on first feature information contained in the communication information to obtain an initial analysis result;
when the initial analysis result is abnormal, carrying out sending rule analysis on second feature information contained in the communication information to obtain a sending rule analysis result;
and obtaining a first analysis result according to the initial analysis result and the sending rule analysis result.
5. The mail threat detection method of claim 3, wherein the step of determining an analysis mode corresponding to the target information comprises:
if the content information is determined as target information to be analyzed, determining that an analysis mode corresponding to the target information is document analysis;
the step of analyzing the target information according to the determined analysis mode to obtain an analysis result comprises the following steps:
according to the determined document analysis mode, when the content information contains a text, performing text analysis on the text to obtain a text analysis result;
when the content information contains a link, carrying out URL analysis on the link to obtain a link analysis result;
when the content information contains a picture, sensitive feature analysis is carried out on the picture to obtain a picture analysis result;
and obtaining a second analysis result according to the text analysis result, the link analysis result and the picture analysis result.
6. The mail threat detection method of claim 3, wherein the step of determining an analysis mode corresponding to the target information comprises:
if the attachment information is determined as target information to be analyzed, determining that an analysis mode corresponding to the target information is file analysis;
the step of analyzing the target information according to the determined analysis mode to obtain an analysis result comprises the following steps:
according to the determined file analysis mode, when the attachment corresponding to the attachment information is a document file, performing document analysis on the document file to obtain a document analysis result;
when the attachment corresponding to the attachment information is a non-document file, if the non-document file is an executable file or a macro/script file, performing file analysis on the executable file or the macro/script file to obtain a file analysis result;
and obtaining a third analysis result according to the document analysis result and the file analysis result.
7. The mail threat detection method according to claim 3, wherein the step of determining whether the mail corresponding to the target information has abnormal information according to the analysis result comprises:
judging whether an abnormal analysis result exists in the analysis result;
and if at least one analysis result in the analysis results is abnormal, judging that the corresponding mail has abnormal information.
8. The mail threat detection method according to claim 3, wherein the step of determining whether the mail corresponding to the target information has abnormal information according to the analysis result comprises:
judging whether an abnormal analysis result exists in the analysis result;
if at least one analysis result in the analysis results is abnormal, determining the abnormal degree of the abnormal analysis result;
and if the abnormal degree exceeds the corresponding preset degree, judging that the corresponding mail has abnormal information.
9. The mail threat detection method according to claim 1, wherein after the step of determining whether the mail corresponding to the target information has abnormal information according to the target information, the method comprises:
if not, judging whether characteristic information corresponding to the analyzed target information exists in a preset threat information library or not;
and when corresponding characteristic information exists in a preset threat information library, determining the mail corresponding to the target information as a malicious mail.
10. The mail threat detection method according to claim 1, wherein after the step of determining the mail in which the abnormal information exists as the malicious mail, the method comprises:
and determining category information of the corresponding malicious mails according to the abnormal information, and classifying the corresponding malicious mails according to the category information to obtain the malicious mails of different categories.
11. The mail threat detection method according to claim 10, wherein after the step of classifying the corresponding malicious mails according to the category information to obtain different categories of malicious mails, the method further comprises:
acquiring characteristic information of different classes of malicious mails;
and adding the characteristic information to a corresponding category of information library in a preset threat information library so as to update the preset threat information library.
12. A mail threat detection apparatus, characterized in that the mail threat detection apparatus comprises:
an acquisition module, configured to acquire mail information of a plurality of mails;
an extraction module, configured to extract target information to be analyzed from the mail information;
a judging module, configured to judge, according to the target information, whether the mail corresponding to the target information has abnormal information;
a determination module, configured to judge the mail having the abnormal information to be a malicious mail when the mail corresponding to the target information has the abnormal information.
13. A mail threat detection device, characterized in that the device comprises a memory, a processor, and a mail threat detection program stored on the memory and executable on the processor, the processor implementing the steps of the mail threat detection method according to any one of claims 1 to 11 when executing the mail threat detection program.
14. A computer-readable storage medium, characterized in that the computer-readable storage medium has stored thereon a mail threat detection program, which when executed by a processor implements the steps of the mail threat detection method according to any one of claims 1 to 11.
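The claimed pipeline of claims 1 and 3 to 11, as an added Python illustration that is not the patent's or the applicant's code: one analysis mode per target-information type, an abnormal-degree threshold, a fallback lookup in a preset threat-information library, and classification that feeds the library. The mail records, the concrete feature rules, the threshold and the library contents are constructed placeholders for the analyses the claims leave unspecified.

```python
import re
# Constructed preset threat-information library (claims 9 and 11): category -> feature set.
THREAT_LIBRARY = {"phishing": {"login-check.example"}, "malware": set()}
PRESET_DEGREE = 1  # claim 8: the abnormal degree must exceed this preset degree

def sending_behavior_analysis(comm):
    """Claim 4: feature analysis first; sending-rule analysis only if that is abnormal."""
    initial = comm["display_name"].lower() not in comm["from"].lower()  # first feature info
    if not initial:
        return 0
    return 1 + int(comm["sent_last_hour"] > 50)  # second feature info: constructed burst rule

def document_analysis(content):
    """Claim 5: text, URL and picture analysis of the body, combined into one result."""
    score = int(bool(re.search(r"verify your account|password expired", content["text"], re.I)))
    for url in content["links"]:
        host = re.sub(r"^https?://", "", url).split("/")[0].lower()
        # URL analysis: a raw-IP host or a host already in the library is abnormal
        if re.fullmatch(r"\d+(\.\d+){3}", host) or any(host in s for s in THREAT_LIBRARY.values()):
            score += 1
    return score + sum(1 for pic in content["pictures"] if pic["brand_lookalike"])

def file_analysis(attachments):
    """Claim 6: document files get document analysis; executables, macros and scripts file analysis."""
    score = 0
    for att in attachments:
        ext = att["name"].rsplit(".", 1)[-1].lower()
        if ext in {"doc", "docx", "xls", "pdf"}:
            score += int(att.get("has_macro", False))  # document analysis (constructed flag)
        elif ext in {"exe", "scr", "js", "vbs", "bat"}:
            score += 1                                 # executable / macro / script file
    return score

ANALYSIS_MODES = {"communication": sending_behavior_analysis, "content": document_analysis, "attachment": file_analysis}

def detect(mail):
    """Claims 1, 3, 8 and 9: one analysis mode per target-information type, then decide."""
    results = {k: ANALYSIS_MODES[k](v) for k, v in mail.items() if k in ANALYSIS_MODES}
    if sum(results.values()) > PRESET_DEGREE:  # abnormal degree = number of abnormal sub-results
        return "malicious", results
    # claim 9: nothing abnormal enough, so look the sender domain up in the threat library
    domain = mail["communication"]["from"].rsplit("@", 1)[-1].lower()
    return ("malicious" if any(domain in f for f in THREAT_LIBRARY.values()) else "benign"), results

def classify_and_update(mail, results):
    """Claims 10 and 11: derive the category from the abnormal information, then learn it."""
    category = "malware" if results.get("attachment") else "phishing"
    THREAT_LIBRARY[category].add(mail["communication"]["from"].rsplit("@", 1)[-1].lower())
    return category
```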

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010185057.9A CN111404939B (en) 2020-03-16 2020-03-16 Mail threat detection method, device, equipment and storage medium

Publications (2)

Publication Number Publication Date
CN111404939A true CN111404939A (en) 2020-07-10
CN111404939B CN111404939B (en) 2022-08-09

Family

ID=71432547

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010185057.9A Active CN111404939B (en) 2020-03-16 2020-03-16 Mail threat detection method, device, equipment and storage medium

Country Status (1)

Country Link
CN (1) CN111404939B (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111866002A (en) * 2020-07-27 2020-10-30 中国工商银行股份有限公司 Method, apparatus, system, and medium for detecting mail security
CN115134147A (en) * 2022-06-29 2022-09-30 中国工商银行股份有限公司 E-mail detection method and device
CN115396184A (en) * 2022-08-23 2022-11-25 北京时代亿信科技股份有限公司 Mail detection method and device and nonvolatile storage medium

Also Published As

Publication number Publication date
CN111404939B (en) 2022-08-09

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant