CN103546449A - E-mail virus detection method and device based on attachment formats - Google Patents

E-mail virus detection method and device based on attachment formats

Info

Publication number
CN103546449A
Authority
CN
China
Prior art keywords
file
email attachment
format
mail
executable format
Legal status
Pending
Application number
CN201210564964.XA
Other languages
Chinese (zh)
Inventor
肖新光
童志明
沈长伟
张栗伟
Current Assignee
Harbin Antiy Technology Co Ltd
Original Assignee
Harbin Antiy Technology Co Ltd
Priority date
2012-12-24
Filing date
2012-12-24
Publication date
2014-01-29

Landscapes

  • Information Transfer Between Computers (AREA)

Abstract

The invention discloses an e-mail virus detection method based on attachment formats. The method includes acquiring a complete e-mail file and parsing the e-mail protocols, and acquiring transmitted e-mail attachments; judging the file format of the e-mail attachments and recording the file format information; counting information of the file with executable format in the e-mail attachments, and judging whether the file with executable format in the transmitted e-mail attachments is a threat or not. The invention further provides an e-mail virus detection device based on the attachment formats. According to the method, massive counting of the number of PE files in the e-mail attachments is studied, and detection is performed according to studied rules. Owing to particularity of the e-mails, low false alarm rate and high detection rate can be guaranteed by the aid of the method.

Description

E-mail virus detection method and device based on attachment format
Technical field
The present invention relates to the field of computer network security, and in particular to a method and device that detect viruses in e-mail attachments using a dynamic, intelligent learning method.
Background technology
With the rapid development of the Internet, transmitting viruses through e-mail attachments has become one of the common means used by virus spreaders. Because virus transmission through e-mail attachments is highly covert, virus detection of e-mail attachments is very important. The traditional approach parses the mail, obtains the attachments, and scans the attachments with anti-virus software. As is well known, traditional virus detection is signature-based and lags behind new threats, so it cannot solve this problem well.
Summary of the invention
The present invention performs statistics over mass data according to the quantity and ratio of executable files (PE, the Windows executable format) in e-mail attachments, dynamically updating a PE file hash list store. Mails whose PE quantity or ratio exceeds a threshold raise an alarm, thereby achieving the object of detecting mail viruses.
The present invention keeps a stored count of executable attachments and directly judges an attachment black (black meaning a threat file) once the count exceeds a threshold. Specifically, for executable formats, a hash can be used to count repetitions.
To reduce false alarms, the rule itself applies only to mail protocols and inspects only the mail transmission data stream; attachments of normal mail are rarely in executable format; and even when executable files are transmitted, they are not transmitted in large batches, so in principle the method does not introduce a high false alarm rate into mail detection. This is a dynamic, continuously updated process, and it achieves a good detection rate for popular unknown viruses. For a file judged black, rules are extracted from the e-mail attachment judged black (which is an executable file), and the extracted rules can in turn be used by an anti-virus engine to judge other files. This is a closed loop from capture to rule generation. In short, the present invention mainly provides a mail virus detection method based on attachment format, comprising:
Step a: obtaining the complete mail file from the network data stream, parsing the mail protocol, and obtaining the transmitted e-mail attachments;
Step b: judging the file format of the e-mail attachments and recording the file format information;
Step c: counting the number of transmissions of executable-format files in the e-mail attachments; if the number of times the same executable-format file is repeatedly transmitted within a set time interval exceeds a threshold, judging the executable-format file in the transmitted e-mail attachments to be a threat file.
The present invention also provides a mail virus detection device based on attachment format, comprising:
a parsing module, for obtaining the complete mail file from the network data stream, parsing the mail protocol, and obtaining the transmitted e-mail attachments;
a statistics module, for judging the file format of the e-mail attachments and recording the file format information;
a first judging module, for counting the number of transmissions of executable-format files in the e-mail attachments; if the number of times the same executable-format file is repeatedly transmitted within a set time interval exceeds a threshold, the executable-format file in the transmitted e-mail attachments is judged to be a threat file.
The key of the present invention is statistical learning based on mass data: the number of PE files among mail attachments is counted, mails above a danger threshold raise an alarm, and the danger threshold is updated regularly. Alternatively, based on mass statistics, an alarm can be raised when the ratio of PE files among e-mail attachments exceeds a danger threshold, again with the danger threshold updated regularly.
The beneficial effects of the present invention are as follows:
The present invention performs mass statistics on the number of PE files in e-mail attachments and detects according to the rules derived from those statistics. Owing to the particular characteristics of mail, the method has a very low false alarm rate while achieving a high detection rate. All thresholds of the present invention can be learned and updated by dynamic statistics, which guarantees a good detection rate against currently popular viruses.
Brief description of the drawings
To explain the technical solutions of the present invention or of the prior art more clearly, the drawings needed for the embodiments or for the description of the prior art are briefly introduced below. Obviously, the drawings described below are only some of the embodiments recorded in the present invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of an embodiment of the mail virus detection method based on attachment format of the present invention;
Fig. 2 is a flow chart of another embodiment of the mail virus detection method based on attachment format of the present invention;
Fig. 3 is a flow chart of a further embodiment of the mail virus detection method based on attachment format of the present invention;
Fig. 4 is a schematic diagram of the structure of the mail virus detection device based on attachment format of the present invention.
Detailed description
To help those skilled in the art better understand the technical solutions in the embodiments of the present invention, and to make the above objects, features and advantages of the present invention more apparent, the technical solutions of the present invention are described in further detail below with reference to the drawings.
As shown in Fig. 1, one embodiment of the method of the present invention proceeds as follows:
S101: obtain the mail data stream from the network data stream, and obtain e-mail attachment information from the mail data stream;
This can be deployed on devices such as gateways; a capture tool such as Pcap can be used to capture the traffic, and the e-mail attachments are split out according to the mail format.
S102: judge the file format of the e-mail attachment according to the attachment information, and record the file format information of the attachment;
If the e-mail attachment is an archive (packed file), decompress it and record the file format information of the files inside the archive.
After all PE files in the e-mail attachments have been obtained, the hash value of each file is calculated. Hash algorithms with a low collision rate, such as MD5 or SHA1, can be chosen. The hash values are then recorded in a data store (for example a database).
S103: count the number of transmissions of executable-format files in the transmitted e-mail attachments; if the number of times one executable-format file is repeatedly transmitted within a set time interval exceeds a threshold, judge the transmitted e-mail attachment to be a threat file.
According to the records in the database, count the number of occurrences of each hash (that is, the number of times the same executable-format file has been repeatedly transmitted); if the number of occurrences of a hash exceeds the danger threshold, the file is judged to be a threat. The threshold referred to here is derived from statistics over mass data and can be updated dynamically and continuously.
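Steps S101 to S103 as a runnable Python sketch, added here as an illustration and not taken from the patent or from Harbin Antiy's implementation: a MIME message is parsed, ZIP attachments are unpacked, executable-format attachments are recognised, hashed and counted per hash inside a sliding time window, and an attachment whose hash count exceeds the threshold is reported as a threat file. The threshold and window values, the MZ/PE-signature test as the "executable format" judgement, the use of SHA-256 (the patent names MD5 and SHA1 as possible choices), the size cap on archive members and all sample mails and the stand-in PE bytes are assumptions constructed for the example.

```python
import email
import hashlib
import io
import zipfile
from collections import defaultdict, deque
from email import policy
from email.message import EmailMessage

# Assumed parameters: the patent leaves thresholds to be learned from statistics.
REPEAT_THRESHOLD = 3                 # alert once a PE hash is seen more than this many times
WINDOW_SECONDS = 3600.0              # length of the counting window
MAX_MEMBER_BYTES = 50 * 1024 * 1024  # skip archive members larger than this (zip-bomb guard)


def is_pe(data: bytes) -> bool:
    """Executable-format check: DOS 'MZ' header and 'PE\\0\\0' signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def unpack_attachments(msg: EmailMessage):
    """Yield (name, bytes) per attachment; ZIP archives are expanded (step S102)."""
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        name = part.get_filename() or "unnamed"
        if zipfile.is_zipfile(io.BytesIO(payload)):
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                for info in zf.infolist():
                    if info.is_dir() or info.file_size > MAX_MEMBER_BYTES:
                        continue
                    yield f"{name}/{info.filename}", zf.read(info)
        else:
            yield name, payload


class RepeatedPeDetector:
    """Step S103: count transmissions of each PE hash within the window."""

    def __init__(self, threshold: int = REPEAT_THRESHOLD, window: float = WINDOW_SECONDS):
        self.threshold = threshold
        self.window = window
        self.seen = defaultdict(deque)  # sha256 hex -> timestamps of transmissions

    def process_mail(self, raw: bytes, now: float):
        """Return [(attachment name, hash)] for attachments judged to be threat files."""
        msg = email.message_from_bytes(raw, policy=policy.default)
        threats = []
        for name, data in unpack_attachments(msg):
            if not is_pe(data):          # non-executable attachments are not counted
                continue
            digest = hashlib.sha256(data).hexdigest()  # SHA-256 chosen here; patent names MD5/SHA1
            times = self.seen[digest]
            times.append(now)
            while times and now - times[0] > self.window:
                times.popleft()          # drop transmissions that fell out of the window
            if len(times) > self.threshold:
                threats.append((name, digest))
        return threats


# Constructed stand-in for a PE file: DOS header, e_lfanew = 0x40, 'PE\0\0' signature.
FAKE_PE = b"MZ" + b"\x00" * 0x3A + (0x40).to_bytes(4, "little") + b"PE\x00\x00" + b"\x00" * 60


def zip_bytes(member_name: str, data: bytes) -> bytes:
    """Wrap one file in a ZIP archive (constructed sample attachment)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, data)
    return buf.getvalue()


def build_mail(attachments) -> bytes:
    """Construct a MIME message carrying the given (filename, bytes) attachments."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachment")
    for filename, data in attachments:
        msg.add_attachment(data, maintype="application", subtype="octet-stream",
                           filename=filename)
    return msg.as_bytes()


def demo():
    """Five copies of one mail a minute apart; with threshold 3 the 4th and 5th are flagged."""
    detector = RepeatedPeDetector(threshold=3, window=3600.0)
    zipped = zip_bytes("update.exe", FAKE_PE)
    results = []
    for i in range(5):
        raw = build_mail([("report.pdf", b"%PDF-1.4 constructed"), ("update.zip", zipped)])
        results.append(detector.process_mail(raw, now=1000.0 + 60.0 * i))
    return results
```

The detector keys its counts on the file hash rather than the file name, so renaming the attachment between mails does not reset the count, while the PDF attachment in the same mails is never counted because it fails the executable-format test. The member-size cap in `unpack_attachments` is the practical safeguard a gateway needs when it decompresses untrusted archives, which the patent's step S102 requires.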
In addition, depending on actual conditions, the present invention has other variants. As shown in Figs. 2 and 3, steps S201, S202 and steps S301, S302 are identical to steps S101, S102 of embodiment 1; the main differences are that step S203 differs from step S103 and step S301 differs from step S101. Specifically, as shown in Fig. 2:
S203: if, among the e-mail attachments transmitted within a set time interval, the ratio of the number of executable-format files to the number of transmitted e-mail attachments exceeds a threshold, judge the executable-format files in the transmitted e-mail attachments to be threat files.
Because a PE file that is a virus may change part of its content during transmission, its hash value changes and statistics by hash are then impossible; therefore the ratio of PE files can be counted instead. This ratio can be computed over a rolling time period: for example, if the ratio of executable files was originally one in ten thousand and suddenly becomes one hundred in ten thousand, the danger posed by executable files is high. The ratio can be that of mails with PE attachments to all mails, or that of mails with PE attachments to mails with attachments; for example, in Fig. 3:
S303: if, among the e-mail attachments transmitted within a set time interval, the ratio of the number of executable-format files to the number of transmitted mails exceeds a threshold, judge the executable-format files in the transmitted e-mail attachments to be threat files.
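The ratio statistics of embodiments 2 and 3 (S203 and S303) as an added example, not code from the patent: a rolling window keeps the recently seen mails, the share of PE files among all attachments (S203) and among all mails (S303) is recomputed on every observation, and each share is compared with a danger threshold learned from a baseline period, which is how the patent says thresholds are derived from mass statistics. The `MailRecord` input (the output of the parsing and format-judging steps, which are not repeated here), the multiplicative factor used to turn the baseline ratio into a threshold, and all traffic figures in `run_demo` are constructed assumptions.

```python
from collections import deque
from dataclasses import dataclass
from typing import Iterable, Tuple


@dataclass(frozen=True)
class MailRecord:
    """One transmitted mail after the parsing and format-judging steps.
    Constructed input for this example; the MIME/PE parsing is not repeated here."""
    ts: float            # time the mail was seen, in seconds
    attachments: int     # attachments transmitted with the mail
    pe_attachments: int  # how many of them were judged executable (PE) format


class PeRatioDetector:
    """Rolling-window ratio of PE files to all attachments (S203) and to all mails (S303)."""

    def __init__(self, window: float, attach_threshold: float, mail_threshold: float):
        self.window = window
        self.attach_threshold = attach_threshold  # S203 danger threshold
        self.mail_threshold = mail_threshold      # S303 danger threshold
        self.records = deque()
        # running totals, so each observation costs O(1) plus eviction
        self.mails = 0
        self.attachments = 0
        self.pe_files = 0

    def _account(self, rec: MailRecord, sign: int) -> None:
        self.mails += sign
        self.attachments += sign * rec.attachments
        self.pe_files += sign * rec.pe_attachments

    def observe(self, rec: MailRecord) -> dict:
        """Add one mail, evict records older than the window, return the current state."""
        self.records.append(rec)
        self._account(rec, +1)
        while self.records and rec.ts - self.records[0].ts > self.window:
            self._account(self.records.popleft(), -1)
        return self.evaluate()

    def ratios(self) -> Tuple[float, float]:
        attach_ratio = self.pe_files / self.attachments if self.attachments else 0.0
        mail_ratio = self.pe_files / self.mails if self.mails else 0.0
        return attach_ratio, mail_ratio

    def evaluate(self) -> dict:
        attach_ratio, mail_ratio = self.ratios()
        return {
            "attach_ratio": attach_ratio,
            "mail_ratio": mail_ratio,
            "attach_alert": attach_ratio > self.attach_threshold,
            "mail_alert": mail_ratio > self.mail_threshold,
        }


def fit_thresholds(baseline: Iterable[MailRecord], factor: float) -> Tuple[float, float]:
    """Thresholds learned from a baseline period, as the patent says they are derived
    from mass statistics: `factor` times the ratio observed in the baseline. The
    multiplicative factor is an assumption of this example, not taken from the patent."""
    mails = attachments = pe_files = 0
    for rec in baseline:
        mails += 1
        attachments += rec.attachments
        pe_files += rec.pe_attachments
    return factor * pe_files / attachments, factor * pe_files / mails


def run_demo() -> dict:
    """Constructed traffic: 990 baseline mails (one attachment each, two of them PE),
    then a burst of 20 mails each carrying one PE file plus one document attachment."""
    baseline = [MailRecord(ts=float(i), attachments=1, pe_attachments=1 if i in (100, 600) else 0)
                for i in range(990)]
    attach_thr, mail_thr = fit_thresholds(baseline, factor=5.0)
    detector = PeRatioDetector(window=3600.0, attach_threshold=attach_thr, mail_threshold=mail_thr)
    for rec in baseline:
        detector.observe(rec)
    first_attach_alert = first_mail_alert = None
    for k in range(20):
        state = detector.observe(MailRecord(ts=990.0 + k, attachments=2, pe_attachments=1))
        if state["attach_alert"] and first_attach_alert is None:
            first_attach_alert = k
        if state["mail_alert"] and first_mail_alert is None:
            first_mail_alert = k
    final = detector.evaluate()
    return {
        "first_attach_alert": first_attach_alert,   # burst mail index at which S203 first fires
        "first_mail_alert": first_mail_alert,       # burst mail index at which S303 first fires
        "final_attach_ratio": final["attach_ratio"],
        "final_mail_ratio": final["mail_ratio"],
    }
```

Both ratios are driven by the same running totals, so the S203 and S303 variants differ only in the denominator, and a re-run of `fit_thresholds` over a fresh baseline is all that the "regularly updated danger threshold" in the summary amounts to in code. The ratio approach is insensitive to the per-file content changes described above, since no hash is involved, but for the same reason it flags a burst rather than an individual file.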
In addition, in all three embodiments above, after a threat file has been determined, rules can be extracted from the threat file, that is, a virus signature is extracted, which can then be used by an anti-virus engine to judge other files.
Moreover, between step S101 and step S102 (and likewise in embodiments 2 and 3), a virus scan can first be performed on the obtained attachments; if the scan result shows a threat file, an alarm is raised directly.
The present invention also provides a mail virus detection device based on attachment format, comprising:
a parsing module 101, for obtaining the complete mail file from the network data stream, parsing the mail protocol, and obtaining the transmitted e-mail attachments;
a statistics module 102, for judging the file format of the e-mail attachments and recording the file format information;
a first judging module 103, for counting the number of transmissions of executable-format files in the e-mail attachments; if the number of times one executable-format file is repeatedly transmitted within a set time interval exceeds a threshold, the executable-format file in the transmitted e-mail attachments is judged to be a threat file;
a second judging module 104, for judging the executable-format files in the transmitted e-mail attachments to be threat files if, among the e-mail attachments transmitted within a set time interval, the ratio of the number of executable-format files to the number of transmitted e-mail attachments exceeds a threshold;
a third judging module 105, for judging the executable-format files in the transmitted e-mail attachments to be threat files if, among the e-mail attachments transmitted within a set time interval, the ratio of the number of executable-format files to the number of transmitted mails exceeds a threshold;
a rule extraction module 106, for extracting a virus signature from the threat file.
In this specification the method embodiments are described side by side; since the system embodiment is substantially similar to the method embodiments, its description is relatively brief, and for the relevant parts reference is made to the explanation of the method embodiments.
Although the present invention has been described by way of embodiments, those of ordinary skill in the art know that the present invention has many variants and variations that do not depart from its spirit, and it is intended that the appended claims cover those variants and variations without departing from the spirit of the present invention.

Claims (10)

1. A mail virus detection method based on attachment format, characterized by comprising:
Step a: obtaining the complete mail file from the network data stream, parsing the mail protocol, and obtaining the transmitted e-mail attachments;
Step b: judging the file format of the e-mail attachments and recording the file format information;
Step c: counting the number of transmissions of executable-format files in the e-mail attachments; if the number of times the same executable-format file is repeatedly transmitted within a set time interval exceeds a threshold, judging the executable-format file in the transmitted e-mail attachments to be a threat file.
2. The method of claim 1, characterized in that it further comprises: extracting a virus signature from the threat file.
3. The method of claim 1, characterized in that step b specifically comprises: judging the file format of the e-mail attachments and recording the file format information; if an e-mail attachment is an archive, decompressing the archive and recording the file format information of the files inside it.
4. The method of claim 1, characterized in that step c is replaced by the following step:
Step d: if, among the e-mail attachments transmitted within a set time interval, the ratio of the number of executable-format files to the number of transmitted e-mail attachments exceeds a threshold, judging the executable-format files in the transmitted e-mail attachments to be threat files.
5. The method of claim 1, characterized in that step c is replaced by the following step:
Step e: if, among the e-mail attachments transmitted within a set time interval, the ratio of the number of executable-format files to the number of transmitted mails exceeds a threshold, judging the executable-format files in the transmitted e-mail attachments to be threat files.
6. A mail virus detection device based on attachment format, characterized by comprising:
a parsing module, for obtaining the complete mail file from the network data stream, parsing the mail protocol, and obtaining the transmitted e-mail attachments;
a statistics module, for judging the file format of the e-mail attachments and recording the file format information;
a first judging module, for counting the number of transmissions of executable-format files in the e-mail attachments; if the number of times the same executable-format file is repeatedly transmitted within a set time interval exceeds a threshold, the executable-format file in the transmitted e-mail attachments is judged to be a threat file.
7. The device of claim 6, characterized in that it further comprises:
a rule extraction module, for extracting a virus signature from the threat file.
8. The device of claim 6, characterized in that the statistics module is specifically for judging the file format of the e-mail attachments and recording the file format information; if an e-mail attachment is an archive, decompressing the archive and recording the file format information of the files inside it.
9. The device of claim 6, characterized in that it further comprises:
a second judging module, for judging the executable-format files in the transmitted e-mail attachments to be threat files if, among the e-mail attachments transmitted within a set time interval, the ratio of the number of executable-format files to the number of transmitted e-mail attachments exceeds a threshold.
10. The device of claim 6, characterized in that it further comprises:
a third judging module, for judging the executable-format files in the transmitted e-mail attachments to be threat files if, among the e-mail attachments transmitted within a set time interval, the ratio of the number of executable-format files to the number of transmitted mails exceeds a threshold.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201210564964.XA CN103546449A (en) 2012-12-24 2012-12-24 E-mail virus detection method and device based on attachment formats

Publications (1)

Publication Number Publication Date
CN103546449A true CN103546449A (en) 2014-01-29

Family

ID=49969503

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201210564964.XA Pending CN103546449A (en) 2012-12-24 2012-12-24 E-mail virus detection method and device based on attachment formats

Country Status (1)

Country Link
CN (1) CN103546449A (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060077979A1 (en) * 2004-10-13 2006-04-13 Aleksandr Dubrovsky Method and an apparatus to perform multiple packet payloads analysis
WO2006044697A1 (en) * 2004-10-14 2006-04-27 Intel Corporation Method, apparatus and computer software for controlling receipt of undesired electronic mail by limiting the number of connections and messages
CN101119373A (en) * 2007-09-04 2008-02-06 北京大学 Gateway stream type virus scanning method and system
CN101632092A (en) * 2006-11-13 2010-01-20 三星Sds株式会社 Method for inferring maliciousness of email and detecting a virus pattern
CN101789105A (en) * 2010-03-15 2010-07-28 北京安天电子设备有限公司 Packet-level dynamic mail attachment virus detection method
CN102811213A (en) * 2011-11-23 2012-12-05 北京安天电子设备有限公司 Fuzzy hashing algorithm-based malicious code detection system and method

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
陈培: "基于行为分析的恶意代码识别系统研究与实现", 《中国优秀硕士学位论文全文数据库》 *

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105991395A (en) * 2015-01-30 2016-10-05 杭州迪普科技有限公司 Attachment replacing method and attachment replacing device
CN105991395B (en) * 2015-01-30 2019-04-09 杭州迪普科技股份有限公司 Attachment replacement method and device
CN108337153A (en) * 2018-01-19 2018-07-27 论客科技(广州)有限公司 A kind of monitoring method of mail, system and device
WO2019237591A1 (en) * 2018-06-14 2019-12-19 平安科技(深圳)有限公司 File format conversion method and apparatus, computer device, and storage medium
CN109347819A (en) * 2018-10-12 2019-02-15 杭州安恒信息技术股份有限公司 A kind of virus mail detection method, system and electronic equipment and storage medium
CN109492399A (en) * 2019-01-17 2019-03-19 腾讯科技(深圳)有限公司 Risk file test method, device and computer equipment
CN110995576A (en) * 2019-12-16 2020-04-10 深信服科技股份有限公司 Mail detection method, device, equipment and storage medium
CN110995576B (en) * 2019-12-16 2022-04-29 深信服科技股份有限公司 Mail detection method, device, equipment and storage medium
CN113792013A (en) * 2021-11-12 2021-12-14 统信软件技术有限公司 Retrieval method based on attachment content in mail, computing equipment and storage medium
CN116150752A (en) * 2022-12-30 2023-05-23 广州尚融网络科技有限公司 Mail attachment virus identification method, system, equipment and storable medium

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20140129