CN113132305A - Mail threat detection method, device, computing equipment and computer storage medium - Google Patents


Info

Publication number
CN113132305A
Application number
CN201911406167.7A
Authority
CN (China)
Prior art keywords
mail, information, threat, detected, detection
Legal status (as listed by Google Patents; not a legal conclusion)
Pending
Other languages
Chinese (zh)
Inventors
张睿, 叶若曦, 朱灿, 王禹, 李斌, 毛斯琪, 肖瑞
Current and original assignee (as listed by Google Patents)
Suzhou 360 Intelligent Security Technology Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/30 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information
    • H04L 63/308 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information; retaining data, e.g. retaining successful, unsuccessful communication attempts, internet access, or e-mail, internet telephony, intercept related information or call content
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0227 Filtering policies
    • H04L 63/0245 Filtering by information in the payload

Abstract

The invention discloses a mail threat detection method, apparatus, computing device and computer storage medium. The method comprises: acquiring the mail traffic generated on the network side through port mirroring at the mail gateway; reconstructing the mail information to be detected from that traffic with an out-of-band (bypass) mail analyzer; dynamically detecting the mail information to determine whether it carries threat information; and, if it does, intercepting the mail. With this method, whether a mail carries threat information can be detected effectively, mail that does is intercepted, and mail is received safely. Moreover, because the detection is dynamic it can find unknown threat information and is not limited to the threat information already known, which avoids the missed detections that come from matching known threat information only.

Description

Mail threat detection method, device, computing equipment and computer storage medium
Technical Field
The invention relates to the field of information security, and in particular to a mail threat detection method and apparatus.
Background
Mail lets users exchange information conveniently regardless of external factors such as time zone or distance, for example through the mail body or through mail attachments.
In practice, however, users frequently receive mail that carries threats, such as spam and malicious mail. Such mail may carry viruses or steal information illegally, so the mail terminal the user reads it on may become infected and data may leak. The prior art intercepts such mail with mail firewalls, interception rules and similar means, but these work from sender addresses and mail contents that have already been confirmed as needing interception. When the content or attachment of a mail is not among the confirmed items, the prior art can neither determine whether the mail carries threat information nor intercept it.
Disclosure of Invention
In view of the above, the present invention provides a mail threat detection method, apparatus, computing device and computer storage medium that overcome, or at least partially address, the problems discussed above.
According to one aspect of the present invention, a mail threat detection method is provided, comprising:
acquiring the mail traffic generated on the network side through port mirroring at the mail gateway;
reconstructing the mail information to be detected from the mail traffic with an out-of-band (bypass) mail analyzer;
dynamically detecting the mail information to be detected and determining whether it carries threat information;
if it does, intercepting the mail.
According to another aspect of the present invention, a mail threat detection apparatus is provided, comprising:
an acquisition module, adapted to acquire the mail traffic generated on the network side through port mirroring at the mail gateway;
a restoration module, adapted to reconstruct the mail information to be detected from the mail traffic with an out-of-band (bypass) mail analyzer;
a detection module, adapted to dynamically detect the mail information to be detected and determine whether it carries threat information;
and an interception module, adapted to intercept the mail when the detection module finds that it carries threat information.
According to another aspect of the present invention, a computing device is provided, comprising a processor, a memory, a communication interface and a communication bus, the processor, the memory and the communication interface communicating with one another over the communication bus;
the memory stores at least one executable instruction, and the executable instruction causes the processor to perform the operations of the mail threat detection method.
According to another aspect of the present invention, a computer storage medium is provided that stores at least one executable instruction, and the executable instruction causes a processor to perform the operations of the mail threat detection method.
With the mail threat detection method, apparatus, computing device and computer storage medium provided by the invention, the mail traffic generated on the network side is acquired through port mirroring at the mail gateway; the mail information to be detected is reconstructed from that traffic with an out-of-band (bypass) mail analyzer; the mail information is detected dynamically to determine whether it carries threat information; and if it does, the mail is intercepted. With this method, whether a mail carries threat information can be detected effectively, mail that does is intercepted, and mail is received safely. Moreover, because the detection is dynamic it can find unknown threat information and is not limited to the threat information already known, which avoids the missed detections that come from matching known threat information only.
The foregoing description is only an overview of the technical solutions of the present invention, and the embodiments of the present invention are described below in order to make the technical means of the present invention more clearly understood and to make the above and other objects, features, and advantages of the present invention more clearly understandable.
Drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for purposes of illustrating the preferred embodiments and are not to be construed as limiting the invention. Also, like reference numerals are used to refer to like parts throughout the drawings. In the drawings:
FIG. 1 illustrates a schematic flow diagram of a mail threat detection method according to one embodiment of the invention;
FIG. 2 illustrates a schematic flow diagram of a mail threat detection method according to another embodiment of the invention;
FIG. 3 illustrates a block diagram of a mail threat detection apparatus, according to one embodiment of the invention;
FIG. 4 shows a schematic structural diagram of a computing device according to an embodiment of the invention.
Detailed Description
Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
Fig. 1 is a flow chart of a mail threat detection method according to an embodiment of the present invention. As shown in Fig. 1, the method includes the following steps:
Step S101: acquiring the mail traffic generated on the network side through port mirroring at the mail gateway.
Mail arrives through the mail gateway, and the user then receives the mail addressed to his mailbox on the receiving terminal, i.e. the mail client. In this embodiment the mail gateway may be an enterprise mail gateway or the gateway serving a personal mailbox; for convenience, an enterprise mail gateway is used as the example below.
When a mail carries threat information such as a virus or a malicious link, and the user, unaware of it, opens the mail or its attachment directly, the user's mail client is attacked; when that client is a machine inside an enterprise, every client in the enterprise may be attacked in turn. This embodiment therefore detects threats in received mail. Specifically, the mail traffic generated on the network side of the enterprise mail gateway is obtained from the gateway by port mirroring; in practice mirroring delivers that traffic in real time.
Step S102: reconstructing the mail information to be detected from the mail traffic with an out-of-band (bypass) mail analyzer.
The mail analyzer sits beside the mail path rather than inside it: it captures the packets of the mail sessions from the mirrored traffic and reassembles them into the concrete mail information to be detected.
Mail information includes, for example, the mail content, the sender address, the recipient address and the mail attachments. Mail content in turn includes the mail body, the subject, the sending time, the size and similar fields, and the body may take several forms, such as text, pictures and links.
Step S103: dynamically detecting the mail information to be detected and determining whether it carries threat information.
In the prior art, mail information is usually detected statically, that is, matched against collected known mail threat types and known detection rules. Such an approach can only detect known threats; mail whose threat is not in the known set goes undetected.
In this embodiment the mail information is detected dynamically. For example, the mail information is isolated with a sandbox, the mail attachment is executed in the sandbox under simulation, and the run-time behaviour of the attachment during that execution is collected. Running the attachment in the sandbox isolates it, so any threat it produces while running cannot escape to the user's mail client, and the client keeps running safely. Whether the attachment carries threat information is then decided from the collected behaviour: if the behaviour includes operations such as reading the user's private data on the client or attacking the client, the attachment is judged to carry threat information and step S104 is executed; otherwise the attachment is judged to be safe. Because the decision is made from the observed behaviour rather than by comparison with known threat information, behaviour that matches nothing known can still be judged, which avoids the problem that new threat information cannot be recognised, and no verdict can be reached, when only known threat information is compared.
Furthermore, once the mail information has been judged to carry threat information, the threat information can be extracted from it and added to the sandbox as a malicious sample for later detection.
Alternatively, the mail content can be detected with a machine learning algorithm. Specifically, the URL links in the mail content are classified and analysed to decide whether a link is a legitimate URL and whether it is a redirect-type (call) link. When the user clicks such a link in the mail content, the click can call out to and jump to another, malicious, website and thereby endanger the intranet. When a URL is detected to be a redirect-type link, the mail is confirmed to carry threat information and step S104 is executed. Alternatively, the sandbox can be used to simulate following the link, so as to determine whether it is a redirect-type link and whether it jumps to another malicious website; if it is judged to be a redirect-type link, step S104 is executed.
Further, in addition to the dynamic detection above, the embodiment may also detect the mail information statically, for example by using known threat information, malicious samples and detection rules, by checking whether the sender address is a known source of threat mail, and by checking whether the recipient address matches a known pattern of threat delivery; when the mail information is thereby confirmed to carry threat information, step S104 is executed.
Step S104: intercepting the mail.
Interception is performed directly on the receiving terminal, i.e. the client: once the mail is detected and confirmed to carry threat information, the client can be warned, disconnected from the network, or have its privileges reduced, so that the risk created by the threat information in the mail is kept to a minimum.
Alternatively, an alert work order can be generated from the mail information, containing for example the threat information extracted from the mail; the mail can be rated for threat risk from the collected run-time behaviour, giving a threat level, and the user then intercepts the mail according to the work order.
Alternatively, the threat information can be extracted from the mail and blocked specifically, so as to avoid security problems such as information leakage from the client.
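As an added example (not code from the patent or from the applicant), the four steps above as one runnable Python pipeline: it cuts the DATA payload out of a constructed mirrored SMTP session, undoes SMTP dot-stuffing and parses the MIME message (S101-S102), extracts attachment hashes and body URLs, then scores a constructed sandbox behaviour log and checks body links for the redirect pattern described for call-type links, and finally produces the verdict, threat level and alarm record that the interception step would consume (S103-S104). The session, the behaviour events, the rule patterns and the weights are all assumptions made up for the example; the session is assumed to be plaintext, since a passive mirror cannot reconstruct a STARTTLS-protected session, and the behaviour scoring stands in for a real sandbox's report.

```python
# Added example, not code from the patent: out-of-band pipeline that rebuilds
# a mail from a mirrored SMTP session (plaintext assumed; a passive tap cannot
# reconstruct a STARTTLS session), extracts attachments and body URLs, and turns
# a constructed sandbox behaviour log plus a redirect-link check into a verdict
# and threat level. Session, behaviour log, rule patterns and weights are made up.
import email
import hashlib
import re
from email import policy
from urllib.parse import parse_qs, urlparse

# Constructed client side of one SMTP session as seen on the mirror port.
MIRRORED_SESSION = "\r\n".join([
    "MAIL FROM:<billing@supplier.example>",
    "RCPT TO:<alice@corp.example>",
    "DATA",
    "From: billing@supplier.example",
    "To: alice@corp.example",
    "Message-ID: <2231@supplier.example>",
    'Content-Type: multipart/mixed; boundary="b1"',
    "",
    "--b1",
    "Content-Type: text/plain",
    "",
    "See http://portal.example/go?next=http://evil.example/login",
    "..this body line began with a dot, so SMTP dot-stuffed it",
    "--b1",
    'Content-Type: application/octet-stream; name="invoice.exe"',
    "Content-Transfer-Encoding: base64",
    "",
    "TVqQAAMAAAAEAAAA//8AAA==",
    "--b1--",
    ".",
]) + "\r\n"

# Constructed behaviour log a sandbox would emit while running invoice.exe.
SANDBOX_EVENTS = [
    ("file_read", r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\x\logins.json"),
    ("net_connect", "evil.example:443"),
    ("registry_set", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\upd"),
]
# Illustrative behaviour rules: operation -> (pattern on the target, weight).
RULES = {"file_read": (r"logins\.json|Login Data|\.kdbx$", 4),  # credential store read
         "net_connect": (r".", 2),                              # any outbound connection
         "registry_set": (r"CurrentVersion\\Run", 3)}           # autorun persistence

def restore_mail(session):
    """S102: cut the DATA payload out of the stream, undo SMTP dot-stuffing
    (RFC 5321 section 4.5.2) and parse it as a MIME message."""
    start = session.index("\r\nDATA\r\n") + len("\r\nDATA\r\n")
    end = session.index("\r\n.\r\n", start)
    raw = re.sub(r"(?m)^\.\.", ".", session[start:end + 2])
    return email.message_from_string(raw, policy=policy.default)

def extract_mail_info(msg):
    """Mail information to be detected: headers, attachments, body URLs."""
    info = {"message_id": str(msg["Message-ID"]), "from": str(msg["From"]),
            "to": str(msg["To"]), "urls": [], "attachments": []}
    for part in msg.walk():
        if part.get_filename():
            data = part.get_payload(decode=True)
            info["attachments"].append({"name": part.get_filename(), "size": len(data),
                                        "sha256": hashlib.sha256(data).hexdigest()})
        elif part.get_content_type() == "text/plain":
            info["urls"] += re.findall(r"https?://[^\s<>\"']+", part.get_content())
    return info

def is_redirect_link(url):
    """Redirect-type ('call') link: a query parameter carries a second absolute
    URL on another host, so the click jumps on to that host."""
    outer = urlparse(url)
    for values in parse_qs(outer.query).values():
        for inner in map(urlparse, values):
            if inner.scheme in ("http", "https") and inner.netloc not in ("", outer.netloc):
                return True
    return False

def score_behaviour(events):
    """Weigh the sandbox operations; returns (score, matched operations)."""
    score, hits = 0, []
    for op, target in events:
        pattern, weight = RULES.get(op, (None, 0))
        if pattern and re.search(pattern, target, re.I):
            score, hits = score + weight, hits + [op]
    return score, hits

def detect(info, events):
    """S103/S104 decision: verdict, threat level and the alarm record."""
    score, hits = score_behaviour(events)
    bad_urls = [u for u in info["urls"] if is_redirect_link(u)]
    total = score + 2 * len(bad_urls)
    level = "high" if total >= 7 else "medium" if total >= 3 else "low" if total else "none"
    return {"message_id": info["message_id"], "malicious": total > 0, "threat_level": level,
            "behaviours": hits, "redirect_urls": bad_urls,
            "samples": [a["sha256"] for a in info["attachments"]] if total else []}

def run(session=MIRRORED_SESSION, events=SANDBOX_EVENTS):
    return detect(extract_mail_info(restore_mail(session)), events)
```

Calling `run()` on the constructed session returns a high-level verdict with all three behaviours and the redirect link flagged, and `detect(info, [])` with no sandbox events falls back to the link check alone and rates the mail low. The weights and thresholds are the knobs a deployment would tune against its own false-positive rate; the attachment hash is what the description's malicious-sample update would feed back to the sandbox.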
With the mail threat detection method provided by the invention, the mail traffic generated on the network side is acquired through port mirroring at the mail gateway; the mail information to be detected is reconstructed from that traffic with an out-of-band (bypass) mail analyzer; the mail information is detected dynamically to determine whether it carries threat information; and if it does, the mail is intercepted. With this method, whether a mail carries threat information can be detected effectively, mail that does is intercepted, and mail is received safely. Moreover, because the detection is dynamic it can find unknown threat information and is not limited to the threat information already known, which avoids the missed detections that come from matching known threat information only.
Fig. 2 is a flow chart of a mail threat detection method according to another embodiment of the present invention. As shown in Fig. 2, the method includes the following steps:
Step S201: acquiring the mail traffic generated on the network side through port mirroring at the mail gateway.
The mail traffic generated on the network side of the mail gateway is obtained from the gateway by port mirroring. The mirrored traffic is identical to the traffic actually generated, and mirroring does not affect the real sending and receiving of mail.
Step S202: reconstructing the mail information to be detected from the mail traffic with the out-of-band (bypass) mail analyzer.
The mail analyzer parses and captures the mail sessions in the mirrored traffic and reassembles them into the mail information received on the network side.
Step S203: obtaining the log of the network-side mail firewall.
Step S204: determining from the log whether the mail information to be detected has already been intercepted.
When mail is received on the network side, a network-side mail firewall sometimes detects and handles it as well, for example a third-party mail firewall configured with interception rules or a mail blacklist, which intercepts some of the mail. Mail intercepted by that firewall never reaches the user's client, so it does not need to be detected.
The interception performed by the network-side mail firewall is recognised by obtaining the firewall's log and reading from it which mail was intercepted; the intercepted mail is not detected, and the subsequent detection steps run only on the mail that was not intercepted.
Step S205: obtaining the mail detection application installed on the receiving terminal.
Step S206: determining from the log of the mail detection application whether the mail has already been intercepted.
The receiving terminal, i.e. the user's client, may have a detection application installed to protect the client system, such as a security guard product or antivirus software, which detects and handles mail. The installed mail detection application is obtained, its log shows whether a given mail was intercepted, intercepted mail is not detected again, and the subsequent detection steps run only on mail that was not intercepted.
Whether steps S203-S204 and S205-S206 are executed depends on the deployment: if no network-side mail firewall intercepts mail, S203-S204 can be omitted; if the receiving terminal has no mail detection application installed, S205-S206 can be omitted. The steps to run are chosen according to the specific deployment and are not limited here.
Step S207: dynamically detecting the mail information to be detected and determining whether it carries threat information.
Mail information intercepted by neither the network-side mail firewall nor the mail detection application is detected dynamically as described for step S103. After dynamic detection it is known whether the mail carries threat information; if it does, the threat information is extracted from the mail and step S208 is executed.
Step S208: intercepting the mail.
When the mail is intercepted, the threat information extracted from it can be blocked at the receiving terminal. Specifically, the threat information is sent to the mail detection application, which is triggered in linkage to disconnect the terminal from the network, scan and kill, and so on; related information such as the sender address can also be added to a blacklist, so that the mail is intercepted at the receiving terminal.
Furthermore, besides intercepting the mail at the receiving terminal, the threat information can be managed at enterprise level: the threat information extracted from the mail is reported and added to the sandbox as a malicious sample for use in later sandbox detection.
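As an added example (not code from the patent), the screening and linkage steps of this embodiment in Python: two small log parsers recover the message IDs that the network-side mail firewall and the endpoint mail detection application have already intercepted (S203-S206), the restored queue is filtered so that only un-intercepted mail goes on to dynamic detection (S207), and a linkage order is built for the endpoint application after a positive verdict (S208). The two log formats, the queue contents and the action ladder are assumptions for illustration; real firewall and endpoint products log in their own formats and the regular expressions would be adapted to them.

```python
# Added example, not code from the patent: screening the restored-mail queue
# against a network-side mail firewall log and an endpoint mail detection
# application log (S203-S206), then building the linkage order pushed to the
# endpoint application after a positive verdict (S208). Both log formats, the
# queue and the action ladder are constructed assumptions.
import re

# Constructed firewall log; a syslog-like key=value format is assumed.
FIREWALL_LOG = """\
2024-03-01T08:00:01Z mailfw action=REJECT rule=blacklist sender=spam@bad.example msgid=<a1@bad.example>
2024-03-01T08:00:05Z mailfw action=PASS sender=billing@supplier.example msgid=<2231@supplier.example>
2024-03-01T08:00:09Z mailfw action=QUARANTINE rule=attach-ext sender=x@y.example msgid=<q9@y.example>
"""

# Constructed endpoint (mail detection application) log; format assumed.
ENDPOINT_LOG = """\
[08:01:12] host=alice-pc verdict=blocked msgid=<m7@phish.example> reason=known-sample
[08:01:20] host=alice-pc verdict=clean msgid=<2231@supplier.example>
[08:01:31] host=alice-pc verdict=blocked msgid=<q9@y.example> reason=bad-extension
"""

# Constructed queue of mail information restored by the bypass analyzer.
RESTORED_QUEUE = [
    {"message_id": "<a1@bad.example>", "from": "spam@bad.example", "to": "alice@corp.example"},
    {"message_id": "<2231@supplier.example>", "from": "billing@supplier.example", "to": "alice@corp.example"},
    {"message_id": "<q9@y.example>", "from": "x@y.example", "to": "alice@corp.example"},
    {"message_id": "<m7@phish.example>", "from": "it@phish.example", "to": "alice@corp.example"},
    {"message_id": "<n3@news.example>", "from": "news@news.example", "to": "alice@corp.example"},
]

FW_RE = re.compile(r"\baction=(?P<action>\w+).*?\bmsgid=(?P<msgid><[^>]+>)")
EP_RE = re.compile(r"\bverdict=(?P<verdict>\w+)\s+msgid=(?P<msgid><[^>]+>)")
FW_INTERCEPT = {"REJECT", "QUARANTINE"}

def intercepted_by_firewall(log):
    """S203/S204: message IDs the network-side mail firewall already stopped."""
    ids = set()
    for line in log.splitlines():
        m = FW_RE.search(line)
        if m and m["action"] in FW_INTERCEPT:
            ids.add(m["msgid"])
    return ids

def intercepted_by_endpoint(log):
    """S205/S206: message IDs the endpoint mail detection application blocked."""
    ids = set()
    for line in log.splitlines():
        m = EP_RE.search(line)
        if m and m["verdict"] == "blocked":
            ids.add(m["msgid"])
    return ids

def pending_for_detection(queue, fw_log=FIREWALL_LOG, ep_log=ENDPOINT_LOG):
    """Mail that still needs dynamic detection (S207): everything in the restored
    queue that neither log shows as intercepted. A mail absent from both logs,
    or a log line that matches nothing, leaves the mail in the queue."""
    done = intercepted_by_firewall(fw_log) | intercepted_by_endpoint(ep_log)
    return [m for m in queue if m["message_id"] not in done]

# Action ladder by threat level (constructed); mirrors the warn / de-privilege /
# disconnect / scan-and-kill handling the description lists.
ACTIONS = {"low": ["alert"],
           "medium": ["alert", "quarantine_mail", "reduce_privilege"],
           "high": ["alert", "quarantine_mail", "disconnect_network", "scan_and_kill"]}

def linkage_order(mail, threat_level, samples=()):
    """S208: record pushed to the endpoint mail detection application; the
    sender blacklist entry is also what would be fed back to the gateway."""
    return {"host": mail["to"], "message_id": mail["message_id"],
            "blacklist_sender": mail["from"], "actions": list(ACTIONS.get(threat_level, [])),
            "sandbox_samples": list(samples)}
```

Keying the join on Message-ID is itself an assumption: it is only reliable when both logs record that header, and a deployment without it would fall back to sender, recipient and timestamp. A mail missing from both logs is treated as not intercepted and stays in the queue, which is the safe default for a screening step whose purpose is only to avoid duplicate work.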
With the mail threat detection method of this embodiment, the log of the network-side mail firewall and/or the log of the mail detection application is obtained, and mail already intercepted by the network-side mail firewall or by the mail detection application on the receiving terminal is not detected again; only mail that was not intercepted is detected, which avoids duplicate detection. At the same time, when mail is found to carry threat information, the threat information is extracted and the mail detection application is triggered in linkage to intercept the mail, so that the threat information is handled promptly and the security of the mail terminals and of the enterprise is protected.
Fig. 3 is a block diagram of a mail threat detection apparatus according to an embodiment of the present invention. As shown in Fig. 3, the apparatus includes:
an acquisition module 310, adapted to acquire the mail traffic generated on the network side through port mirroring at the mail gateway;
a restoration module 320, adapted to reconstruct the mail information to be detected from the mail traffic with an out-of-band (bypass) mail analyzer;
a detection module 330, adapted to dynamically detect the mail information to be detected and determine whether it carries threat information;
an interception module 340, adapted to intercept the mail when the detection module finds that it carries threat information.
Optionally, the detection module 330 is further adapted to run the mail attachment in a sandbox under simulation and to determine from the collected run-time behaviour whether the attachment carries threat information.
Optionally, the apparatus further comprises a rating module 350.
The rating module 350 is adapted to rate the threat risk of the mail from the run-time behaviour and to determine the threat level of the mail.
Optionally, the apparatus further comprises an extraction and update module 360.
The extraction and update module 360 is adapted to extract the threat information from the mail and add it to the sandbox as a malicious sample for detection.
Optionally, the detection module 330 is further adapted to classify and analyse the URL links in the mail content with a machine learning algorithm and to detect whether a link is a redirect-type (call) link; if so, the mail is confirmed to carry threat information.
Optionally, the interception module 340 is further adapted to generate an alert work order from the mail information so that the user can intercept the mail.
Optionally, the interception module 340 is further adapted to extract the threat information from the mail and block it.
Optionally, the apparatus further comprises a first interception confirmation module 370.
The first interception confirmation module 370 is adapted to obtain the log of the network-side mail firewall and to determine from it whether the mail information to be detected has already been intercepted; if not, the detection module 330 is run.
Optionally, the apparatus further comprises a second interception confirmation module 380.
The second interception confirmation module 380 is adapted to obtain the mail detection application installed on the receiving terminal and to determine from the application's log whether the mail has already been intercepted; if not, the detection module 330 is run.
The descriptions of the modules refer to the corresponding descriptions in the method embodiments, and are not repeated herein.
The invention also provides a non-volatile computer storage medium that stores at least one executable instruction, the executable instruction being able to perform the mail threat detection method of any of the method embodiments above.
Fig. 4 is a schematic structural diagram of a computing device according to an embodiment of the present invention, and the specific embodiment of the present invention does not limit the specific implementation of the computing device.
As shown in fig. 4, the computing device may include: a processor (processor)402, a Communications Interface 404, a memory 406, and a Communications bus 408.
Wherein:
the processor 402, communication interface 404, and memory 406 communicate with each other via a communication bus 408.
A communication interface 404 for communicating with network elements of other devices, such as clients or other servers.
The processor 402 is configured to execute the program 410, and may specifically execute relevant steps in the above-described mail threat detection method embodiment.
In particular, program 410 may include program code comprising computer operating instructions.
The processor 402 may be a central processing unit (CPU), an application-specific integrated circuit (ASIC), or one or more integrated circuits configured to implement embodiments of the present invention. The computing device includes one or more processors, which may be of the same type, such as one or more CPUs, or of different types, such as one or more CPUs together with one or more ASICs.
And a memory 406 for storing a program 410. Memory 406 may comprise high-speed RAM memory, and may also include non-volatile memory (non-volatile memory), such as at least one disk memory.
Program 410 may be specifically configured to cause processor 402 to perform the mail threat detection method in any of the method embodiments described above. For specific implementation of each step in the program 410, reference may be made to corresponding steps and corresponding descriptions in units in the above-described mail threat detection embodiment, which are not described herein again. It can be clearly understood by those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described devices and modules may refer to the corresponding process descriptions in the foregoing method embodiments, and are not described herein again.
The algorithms and displays presented herein are not inherently related to any particular computer, virtual machine, or other apparatus. Various general purpose systems may also be used with the teachings herein. The required structure for constructing such a system will be apparent from the description above. Moreover, the present invention is not directed to any particular programming language. It is appreciated that a variety of programming languages may be used to implement the teachings of the present invention as described herein, and any descriptions of specific languages are provided above to disclose the best mode of the invention.
In the description provided herein, numerous specific details are set forth. It is understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail in order not to obscure an understanding of this description.
Similarly, it should be appreciated that in the foregoing description of exemplary embodiments of the invention, various features of the invention are sometimes grouped together in a single embodiment, figure, or description thereof for the purpose of streamlining the disclosure and aiding in the understanding of one or more of the various inventive aspects. However, the disclosed method should not be interpreted as reflecting an intention that: that the invention as claimed requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of this invention.
Those skilled in the art will appreciate that the modules in the device in an embodiment may be adaptively changed and disposed in one or more devices different from the embodiment. The modules or units or components of the embodiments may be combined into one module or unit or component, and furthermore they may be divided into a plurality of sub-modules or sub-units or sub-components. All of the features disclosed in this specification (including any accompanying claims, abstract and drawings), and all of the processes or elements of any method or apparatus so disclosed, may be combined in any combination, except combinations where at least some of such features and/or processes or elements are mutually exclusive. Each feature disclosed in this specification (including any accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise.
Furthermore, those skilled in the art will appreciate that while some embodiments described herein include some features included in other embodiments, rather than other features, combinations of features of different embodiments are meant to be within the scope of the invention and form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
The various component embodiments of the invention may be implemented in hardware, or in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will appreciate that a microprocessor or Digital Signal Processor (DSP) may be used in practice to implement some or all of the functionality of some or all of the components in accordance with embodiments of the present invention. The present invention may also be embodied as apparatus or device programs (e.g., computer programs and computer program products) for performing a portion or all of the methods described herein. Such programs implementing the present invention may be stored on computer-readable media or may be in the form of one or more signals. Such a signal may be downloaded from an internet website or provided on a carrier signal or in any other form.
It should be noted that the above-mentioned embodiments illustrate rather than limit the invention, and that those skilled in the art will be able to design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In the unit claims enumerating several means, several of these means may be embodied by one and the same item of hardware. The usage of the words first, second and third, etcetera does not indicate any ordering. These words may be interpreted as names.
The invention discloses: A1. a mail threat detection method, comprising:
acquiring mail flow data generated by a network side based on a mail gateway mirror;
restoring, by mail bypass, the mail information to be detected from the mail flow data;
dynamically detecting the mail information to be detected, and determining whether the mail information carries threat intelligence;
and if so, intercepting the mail information.
A2. The method according to A1, wherein the mail information includes mail content, mail delivery address, mail receiving address and/or mail attachment.
A3. The method according to A2, wherein the dynamically detecting the mail information to be detected and determining whether the mail information carries threat intelligence further comprises:
and dynamically executing the mail attachment in a sandbox, and determining whether the mail attachment carries threat intelligence according to the collected operation information.
A4. The method of A3, wherein the method further comprises:
and carrying out threat risk rating on the mail information according to the operation information, and determining the threat level of the mail information.
A5. The method of A3, wherein the method further comprises:
and extracting the threat intelligence from the mail information and updating it into the sandbox detection as a malicious sample.
A6. The method according to A2, wherein the dynamically detecting the mail information to be detected and determining whether the mail information carries threat intelligence further comprises:
classifying and analyzing URL links contained in the mail content by using a machine learning algorithm, and detecting whether the URL links are calling links;
and if so, confirming that the mail information carries threat intelligence.
A7. The method of any of A1-A6, wherein the intercepting the mail information further comprises:
and generating an alarm work order according to the mail information so that a user can intercept the mail information.
A8. The method of any of A1-A7, wherein the intercepting the mail information further comprises:
and extracting threat intelligence in the mail information, and blocking the threat intelligence.
A9. The method according to any one of A1-A8, wherein before dynamically detecting the mail information to be detected and determining whether the mail information carries threat intelligence, the method further comprises:
acquiring log information of a mail firewall on a network side;
confirming whether the mail information to be detected is intercepted or not according to the log information;
and if not, executing the step of dynamically detecting the mail information to be detected and determining whether the mail information carries threat intelligence or not.
A10. The method according to any one of A1-A9, wherein before dynamically detecting the mail information to be detected and determining whether the mail information carries threat intelligence, the method further comprises:
acquiring an installed mail detection application of a mail receiving terminal;
confirming, according to the log information in the mail detection application, whether the mail information is intercepted;
and if not, executing the step of dynamically detecting the mail information to be detected and determining whether the mail information carries threat intelligence or not.
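The flow claimed in A1-A10, as an added example that is not the patent's own code: restore a mail from the mirrored gateway traffic, consult the mail-firewall log before spending a dynamic-detection run (A9), rate the sandbox operation information (A4), and raise an alarm work order that carries the intelligence to block (A7, A8). The firewall log format, the sandbox run-info fields, the rating weights and all sample data are assumptions constructed for the example.

```python
import email
import hashlib
import re
from email import policy

# Constructed sample: a mail as restored by the bypass from mirrored gateway traffic.
RAW_MAIL = b"""From: billing@example.test
To: alice@corp.test
Message-ID: <inv-001@example.test>
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please review http://invoice-portal.example.test/login and the attachment.
--b1
Content-Type: application/octet-stream; name="invoice.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="invoice.exe"

TVqQAAMAAAAEAAAA//8AAA==
--b1--
"""
# Constructed mail-firewall log (assumed format: "<timestamp> INTERCEPT <message-id>").
FIREWALL_LOG = ["2019-12-31T10:00:00Z INTERCEPT <spam-999@example.test>"]
# Constructed operation information collected from a sandbox run of the attachment (fields assumed).
SANDBOX_RUN = {"spawned_processes": ["powershell.exe"], "network_connections": ["198.51.100.7:443"], "persistence": True}

def restore_mail(raw: bytes) -> dict:
    """Restore the claimed mail information: addresses, URLs in the content, attachment hashes."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    content = body.get_content() if body else ""
    return {"id": str(msg["Message-ID"]), "from": str(msg["From"]), "to": str(msg["To"]),
            "urls": re.findall(r"https?://\S+", content),
            "sha256": [hashlib.sha256(p.get_payload(decode=True)).hexdigest()
                       for p in msg.iter_attachments()]}

def already_intercepted(mail_id: str, log_lines) -> bool:
    """A9: consult the inline mail-firewall log so already-blocked mail is not re-detected."""
    return any(line.split(maxsplit=2)[1:] == ["INTERCEPT", mail_id] for line in log_lines)

def rate_threat(run_info: dict) -> str:
    """A4: threat level from the collected sandbox operation information (weights are an assumption)."""
    score = (2 * len(run_info.get("network_connections", []))
             + len(run_info.get("spawned_processes", [])) + (3 if run_info.get("persistence") else 0))
    return "high" if score >= 5 else "medium" if score >= 2 else "low"

def process(raw: bytes, log_lines, run_info: dict):
    """Claimed flow; returns (status, work_order), the order listing what to block (A7, A8)."""
    mail = restore_mail(raw)
    if already_intercepted(mail["id"], log_lines):
        return "already_intercepted", None
    level = rate_threat(run_info)
    if level == "low":
        return "clean", None
    order = {"mail_id": mail["id"], "from": mail["from"], "to": mail["to"], "level": level,
             "block": {"urls": mail["urls"], "sha256": mail["sha256"],
                       "hosts": run_info.get("network_connections", [])}}
    return "intercept", order
```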
The invention also discloses: B11. a mail threat detection apparatus, comprising:
the acquisition module is suitable for acquiring mail flow data generated by a network side based on the mail gateway mirror;
the restoration module is suitable for restoring, by mail bypass, the mail information to be detected from the mail flow data;
the detection module is suitable for dynamically detecting the mail information to be detected and determining whether the mail information carries threat intelligence;
and the interception module is suitable for intercepting the mail information if the detection module detects that the mail information carries threat intelligence.
B12. The apparatus of B11, wherein the mail information includes mail content, mail delivery address, mail receiving address, and/or mail attachment.
B13. The apparatus of B12, wherein the detection module is further adapted to:
and dynamically executing the mail attachment in a sandbox, and determining whether the mail attachment carries threat intelligence according to the collected operation information.
B14. The apparatus of B13, wherein the apparatus further comprises:
and the grading module is suitable for grading the threat risk of the mail information according to the operation information and determining the threat level of the mail information.
B15. The apparatus of B13, wherein the apparatus further comprises:
and the extraction and update module is suitable for extracting the threat intelligence from the mail information and updating it into the sandbox detection as a malicious sample.
B16. The apparatus of B12, wherein the detection module is further adapted to:
classifying and analyzing URL links contained in the mail content by using a machine learning algorithm, and detecting whether the URL links are calling links; and if so, confirming that the mail information carries threat intelligence.
B17. The apparatus of any one of B11-B16, wherein the intercepting module is further adapted to:
and generating an alarm work order according to the mail information so that a user can intercept the mail information.
B18. The apparatus of any one of B11-B17, wherein the intercepting module is further adapted to:
and extracting threat intelligence in the mail information, and blocking the threat intelligence.
B19. The apparatus of any one of B11-B18, wherein the apparatus further comprises:
the first interception confirming module is suitable for acquiring log information of a mail firewall on a network side; confirming, according to the log information, whether the mail information to be detected is intercepted; and if not, executing the detection module.
B20. The apparatus of any one of B11-B19, wherein the apparatus further comprises:
the second interception confirming module is suitable for acquiring the mail detection application installed on the mail receiving terminal; confirming, according to the log information in the mail detection application, whether the mail information is intercepted; and if not, executing the detection module.
The invention also discloses: C21. a computing device, comprising: the system comprises a processor, a memory, a communication interface and a communication bus, wherein the processor, the memory and the communication interface complete mutual communication through the communication bus;
the memory is configured to store at least one executable instruction that causes the processor to perform operations corresponding to the mail threat detection method of any one of A1-A10.
The invention also discloses: D22. A computer storage medium having stored therein at least one executable instruction for causing a processor to perform operations corresponding to the mail threat detection method of any one of A1-A10.

Claims (10)

1. A mail threat detection method, comprising:
acquiring mail flow data generated by a network side based on a mail gateway mirror;
restoring, by mail bypass, the mail information to be detected from the mail flow data;
dynamically detecting the mail information to be detected, and determining whether the mail information carries threat intelligence;
and if so, intercepting the mail information.
2. The method of claim 1, wherein the mail information comprises mail content, a mail delivery address, a mail recipient address, and/or a mail attachment.
3. The method according to claim 2, wherein the dynamically detecting the mail information to be detected and determining whether the mail information carries threat intelligence further comprises:
and dynamically executing the mail attachment in a sandbox, and determining whether the mail attachment carries threat intelligence according to the collected operation information.
4. The method of claim 3, wherein the method further comprises:
and carrying out threat risk rating on the mail information according to the operation information, and determining the threat level of the mail information.
5. The method of claim 3, wherein the method further comprises:
and extracting the threat intelligence from the mail information and updating it into the sandbox detection as a malicious sample.
6. The method according to claim 2, wherein the dynamically detecting the mail information to be detected and determining whether the mail information carries threat intelligence further comprises:
classifying and analyzing URL links contained in the mail content by using a machine learning algorithm, and detecting whether the URL links are calling links;
and if so, confirming that the mail information carries threat intelligence.
7. The method of any of claims 1-6, wherein the intercepting the mail information further comprises:
and generating an alarm work order according to the mail information so that a user can intercept the mail information.
8. A mail threat detection apparatus, comprising:
the acquisition module is suitable for acquiring mail flow data generated by a network side based on the mail gateway mirror;
the restoration module is suitable for restoring, by mail bypass, the mail information to be detected from the mail flow data;
the detection module is suitable for dynamically detecting the mail information to be detected and determining whether the mail information carries threat intelligence;
and the interception module is suitable for intercepting the mail information if the detection module detects that the mail information carries threat intelligence.
9. A computing device, comprising: the system comprises a processor, a memory, a communication interface and a communication bus, wherein the processor, the memory and the communication interface complete mutual communication through the communication bus;
the memory is configured to store at least one executable instruction that causes the processor to perform operations corresponding to the mail threat detection method of any one of claims 1-7.
10. A computer storage medium having stored therein at least one executable instruction that causes a processor to perform operations corresponding to the mail threat detection method of any one of claims 1-7.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911406167.7A CN113132305A (en) 2019-12-31 2019-12-31 Mail threat detection method, device, computing equipment and computer storage medium

Publications (1)

Publication Number Publication Date
CN113132305A true CN113132305A (en) 2021-07-16

Family

ID=76768678

Country Status (1)

Country Link
CN (1) CN113132305A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination