CN114004604B - Method and device for detecting URL data in mail and electronic equipment - Google Patents


Info

Publication number: CN114004604B
Application number: CN202111641303.8A
Authority: CN (China)
Prior art keywords: icon, data, detection result, matching, hash value
Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Other languages: Chinese (zh)
Other versions: CN114004604A
Inventors: 张海昆, 赵林林, 童兆丰, 薛锋
Current assignee: Beijing ThreatBook Technology Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Beijing ThreatBook Technology Co Ltd
Priority: CN202111641303.8A (the priority date is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed)
Events: application filed by Beijing ThreatBook Technology Co Ltd; publication of CN114004604A; application granted; publication of CN114004604B; legal status Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q10/00 Administration; Management
    • G06Q10/10 Office automation; Time management
    • G06Q10/107 Computer-aided management of electronic mailing [e-mailing]
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90 Details of database functions independent of the retrieved data types
    • G06F16/95 Retrieval from the web
    • G06F16/955 Retrieval from the web using information identifiers, e.g. uniform resource locators [URL]
    • G06F16/9566 URL specific, e.g. using aliases, detecting broken or misspelled links
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/22 Matching criteria, e.g. proximity measures
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Data Mining & Analysis (AREA)
  • Business, Economics & Management (AREA)
  • Physics & Mathematics (AREA)
  • Human Resources & Organizations (AREA)
  • Computer Security & Cryptography (AREA)
  • General Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • Entrepreneurship & Innovation (AREA)
  • Databases & Information Systems (AREA)
  • Strategic Management (AREA)
  • Computer Hardware Design (AREA)
  • Artificial Intelligence (AREA)
  • Evolutionary Biology (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Computing Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Bioinformatics & Cheminformatics (AREA)
  • Evolutionary Computation (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Bioinformatics & Computational Biology (AREA)
  • Economics (AREA)
  • Marketing (AREA)
  • Operations Research (AREA)
  • Quality & Reliability (AREA)
  • Tourism & Hospitality (AREA)
  • General Business, Economics & Management (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

The embodiment of the application provides a method and a device for detecting URL data in a mail, electronic equipment and a storage medium. The method comprises the following steps: acquiring a mail protocol corresponding to the mail; analyzing the mail protocol to obtain URL data in the mail protocol; matching the URL data with threat intelligence data of a threat intelligence database, and if the matching is successful, taking the threat intelligence data as a detection result; if the matching fails, acquiring page information corresponding to the URL data; acquiring a file corresponding to the page information; analyzing the file to obtain a first detection result; acquiring an icon in the page information and matching the icon with an icon database to obtain a second detection result; and generating a detection result according to the first detection result and the second detection result. By implementing the method and the device, malicious URL data in the mail can be detected, so that the mail can be received normally and the filtering speed of the mail is greatly improved.

Description

Method and device for detecting URL data in mail and electronic equipment
Technical Field
The present application relates to the field of network security technologies, and in particular, to a method and an apparatus for detecting URL data in an email, an electronic device, and a computer-readable storage medium.
Background
With the rapid development of information technology, e-mail has become an essential tool and channel for daily office work, communication and collaboration. With its widespread use, the growing number of e-mails containing malicious content has become a significant problem threatening enterprise security. Therefore, research into an accurate and efficient malicious mail detection system is of great significance, and a method for accurately identifying malicious URL data in mail and identifying its type is a particularly important challenge.
In prior-art detection methods for recognizing malicious URL data in mail, a model is usually trained on historical mails. The false alarm rate and detection rate then depend on the quality of the trained model, and the dependence on historical mails is so great that malicious mails may not be detected normally or normal mails may frequently be treated as malicious mails.
Disclosure of Invention
An object of the embodiments of the present application is to provide a method and an apparatus for detecting URL data in an email, an electronic device, and a computer-readable storage medium, which can detect malicious URL data in an email, so that the email can be normally received, and the filtering speed of the email is greatly increased.
In a first aspect, an embodiment of the present application provides a method for detecting URL data in an email, where the method includes:
acquiring a mail protocol corresponding to the mail;
analyzing the mail protocol to obtain URL data in the mail protocol;
matching the URL data with threat intelligence data of a threat intelligence database, and if the matching is successful, taking the threat intelligence data as a detection result; if the matching fails, acquiring page information corresponding to the URL data;
acquiring a file corresponding to the page information;
analyzing the file to obtain a first detection result;
acquiring an icon in the page information, and matching the icon with an icon database to obtain a second detection result;
and generating a detection result according to the first detection result and the second detection result.
In the implementation process, malicious URL data in the mail protocol is identified by the methods of analysis and multiple matching, so that the threat of the malicious URL data to the mail is effectively prevented, the mail can be normally received and sent, and meanwhile, the detection speed of the URL data in the mail and the operation speed of the mail are improved.
Further, the step of analyzing the file to obtain the first detection result includes:
reading document information in the file;
extracting intelligence data of the document information in the operation process;
and obtaining a first detection result according to the intelligence data.
In the implementation process, the document information can further detect malicious URL data in detail, so that omission of the malicious URL data is effectively prevented, the detection speed of the malicious URL data is increased, and the calculation time and the occupied memory in the detection process are reduced.
Further, the step of obtaining a first detection result according to the intelligence data includes:
matching the intelligence data with threat intelligence data in the threat intelligence database;
and if the matching is successful, taking the threat intelligence data matched in the intelligence data as the first detection result.
In the implementation process, the threat intelligence data hidden in the intelligence data is matched further, which guarantees detection accuracy, avoids omission of threat intelligence data, saves computation time and improves detection efficiency.
Further, the step of obtaining the icon in the page information, and matching the icon with an icon database to obtain a second detection result includes:
obtaining a hash value of the icon;
comparing the hash value of the icon with the hash value of each icon in the icon database, and if the hash value of the icon is equal to the hash value of any icon in the icon database, acquiring the domain name corresponding to that database icon;
and obtaining the second detection result according to the domain name corresponding to the icon.
In the implementation process, the hash values are compared directly, which saves computation: the difference between the icon and each icon in the icon database is obtained quickly, and from it whether malicious URL data exists behind the icon can be determined.
Further, the step of obtaining the second detection result according to the domain name corresponding to the icon includes:
and matching the domain name corresponding to the database icon with the same hash value against the domain name corresponding to the icon in the page information, and if the matching fails, taking the icon and its corresponding domain name as the second detection result.
In the implementation process, by comparing the domain name corresponding to the icon in the page information with the domain name corresponding to the database icon with the same hash value, it can be determined directly whether the page icon is the same icon as one in the icon database, and malicious URL data can then be detected.
Further, the step of generating the detection result from the first detection result and the second detection result includes:
if the intelligence data is successfully matched with threat intelligence data in the threat intelligence database, and the hash value of the icon is not equal to the hash value of any icon in the icon database, the detection result is the threat intelligence data matched in the intelligence data;
if the matching of the intelligence data with threat intelligence data in the threat intelligence database fails, the hash value of the icon is equal to the hash value of an icon in the icon database, and the matching of the domain name corresponding to that database icon against the domain name corresponding to the icon fails, the detection result is the icon and its corresponding domain name;
if the intelligence data is successfully matched with threat intelligence data in the threat intelligence database, the hash value of the icon is equal to the hash value of an icon in the icon database, and the matching of the domain name corresponding to that database icon against the domain name corresponding to the icon fails, the detection result is the icon, the domain name corresponding to the icon, and the threat intelligence data matched in the intelligence data.
In the implementation process, the detection result is generated according to the first detection result and the second detection result, and if one of the first detection result and the second detection result detects a corresponding detection result, it indicates that malicious URL data exists therein.
Further, matching the URL data with threat intelligence data of a threat intelligence database, and if matching is successful, taking the threat intelligence data as a detection result; if the matching fails, the step of obtaining the page information corresponding to the URL data comprises the following steps:
if the URL data contains threat intelligence data of the threat intelligence database, matching is successful, and the threat intelligence data matched in the URL data is used as a detection result;
and if the URL data does not contain the threat intelligence data of the threat intelligence database, the matching fails, and page information corresponding to the URL data is obtained.
In the implementation process, successful matching indicates that factors threatening the mail exist in the URL data; if the matching fails, the next detection is carried out, so that threat intelligence data in the URL data is not omitted.
In a second aspect, an embodiment of the present application further provides an apparatus for detecting URL data in an email, where the apparatus includes:
the acquisition module is used for acquiring a mail protocol corresponding to the mail;
the URL analysis module is used for analyzing the mail protocol to obtain URL data in the mail protocol;
the URL matching module is used for matching the URL data with threat intelligence data of a threat intelligence database, and if the matching is successful, the threat intelligence data is used as a detection result; if the matching fails, acquiring page information corresponding to the URL data;
the acquisition module is also used for acquiring a file corresponding to the page information;
the file analysis module is used for analyzing the file to obtain a first detection result;
the icon matching module is used for acquiring an icon in the page information, and matching the icon with an icon database to obtain a second detection result;
and the generating module is used for generating a detection result according to the first detection result and the second detection result.
In the implementation process, malicious URL data in the mail protocol is identified by the methods of analysis and multiple matching, so that the threat of the malicious URL data to the mail is effectively prevented, the mail can be normally received and sent, and meanwhile, the detection speed of the malicious URL data in the mail and the operation speed of the mail are improved.
In a third aspect, an electronic device provided in an embodiment of the present application includes: memory, a processor and a computer program stored in the memory and executable on the processor, the processor implementing the steps of the method according to any of the first aspect when executing the computer program.
In a fourth aspect, an embodiment of the present application provides a computer-readable storage medium having instructions stored thereon, which, when executed on a computer, cause the computer to perform the method according to any one of the first aspect.
In a fifth aspect, embodiments of the present application provide a computer program product, which when run on a computer, causes the computer to perform the method according to any one of the first aspect.
Additional features and advantages of the disclosure will be set forth in the description which follows, or in part may be learned by the practice of the above-described techniques of the disclosure, or may be learned by practice of the disclosure.
The present invention can be implemented in accordance with the content of the specification, and the following detailed description of the preferred embodiments of the present application is made with reference to the accompanying drawings.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are required to be used in the embodiments of the present application will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present application and therefore should not be considered as limiting the scope, and that those skilled in the art can also obtain other related drawings based on the drawings without inventive efforts.
Fig. 1 is a schematic flowchart of a method for detecting URL data in an email according to an embodiment of the present disclosure;
fig. 2 is a schematic structural component diagram of a device for detecting URL data in an email according to an embodiment of the present application;
fig. 3 is a schematic structural component diagram of an electronic device according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be described below with reference to the drawings in the embodiments of the present application.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures. Meanwhile, in the description of the present application, the terms "first", "second", and the like are used only for distinguishing the description, and are not to be construed as indicating or implying relative importance.
The following detailed description of embodiments of the present application will be described in conjunction with the accompanying drawings and examples. The following examples are intended to illustrate the present application but are not intended to limit the scope of the present application.
Example one
Fig. 1 is a schematic flowchart of a method for detecting URL data in an email according to an embodiment of the present application, and as shown in fig. 1, the method includes:
s1, acquiring a mail protocol corresponding to the mail;
s2, analyzing the mail protocol to obtain URL data in the mail protocol;
s3, matching the URL data with threat intelligence data of a threat intelligence database, and if matching is successful, using the threat intelligence data as a detection result; if the matching fails, acquiring page information corresponding to the URL data;
s4, acquiring a file corresponding to the page information;
s5, analyzing the file to obtain a first detection result;
s6, acquiring an icon in the page information, and matching the icon with the icon database to obtain a second detection result;
s7, the first detection result and the second detection result are used to generate a detection result.
In the implementation process, malicious URL data in the mail protocol is identified by the methods of analysis and multiple matching, so that the threat of the malicious URL data to the mail is effectively prevented, the mail can be normally received and sent, and meanwhile, the detection speed of the URL data in the mail and the operation speed of the mail are improved.
Mails may include phishing mails or malicious mails. These can paralyze the terminal that receives them or cause property loss, and can also disrupt mail forwarding and receiving, so phishing mails and malicious mails need to be detected. They are detected in the incoming mail by analyzing the malicious URL data in the mail.
The mail protocol is analyzed to obtain the URL data it contains, and the URL data is matched against a threat intelligence database that holds a plurality of threat intelligence data items that may threaten the mail protocol. If the URL data matches threat intelligence data in the database, the mail protocol contains malicious URL data, the corresponding mail is a malicious mail, and the matched threat intelligence data is taken as the detection result. If no threat intelligence data in the database is matched in the URL data, the page information corresponding to the URL data is obtained and the mail protocol is detected further.
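As an added illustration of steps S1 to S3 (this is example code written for this page, not code from the patent or from Beijing ThreatBook), the Python below parses a raw mail message with the standard library, collects the URLs from every text part, and matches each URL's host against a small threat-intelligence set. The sample message, the intelligence entries, and every function name are constructed for the example; the TEST-NET address and the example.* domains are placeholders. Matched URLs become the detection result; when nothing matches, the URLs are handed on as pending input for the page, file and icon stages described next.

```python
import email
import ipaddress
import re
from email import policy
from typing import List, Optional
from urllib.parse import urlparse

# Constructed threat-intelligence "database" (inbound IPs, outbound domains);
# the values are documentation-reserved placeholders, not real indicators.
THREAT_INTEL = {
    "ip": {"203.0.113.45"},
    "domain": {"login-verify.example.net"},
}

# Constructed sample message: a multipart/alternative mail whose text and HTML
# parts both carry a link to a domain present in THREAT_INTEL.
SAMPLE_MAIL = b"""From: it-support@example.com
To: staff@example.com
Subject: Password expiry notice
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset=utf-8

Please confirm your account at https://login-verify.example.net/reset?id=17 today.

--b1
Content-Type: text/html; charset=utf-8

<html><body><a href="https://login-verify.example.net/reset?id=17">Confirm</a>
<a href="https://intranet.example.com/help">Help</a></body></html>
--b1--
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def extract_urls(raw_message: bytes) -> List[str]:
    """S1/S2: parse the mail protocol message and collect URLs from every text part."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    urls: List[str] = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue                      # attachments belong to the file stage
        for m in URL_RE.finditer(part.get_content()):
            url = m.group(0).rstrip(".,;)")
            if url not in urls:           # keep first-seen order, drop duplicates
                urls.append(url)
    return urls


def match_threat_intel(url: str) -> Optional[dict]:
    """S3: match the URL's host against the intelligence database; None means no hit."""
    host = (urlparse(url).hostname or "").lower()
    try:
        ipaddress.ip_address(host)        # literal IP host: consult the IP set only
        return {"type": "ip", "indicator": host, "url": url} if host in THREAT_INTEL["ip"] else None
    except ValueError:
        pass
    labels = host.split(".")
    for i in range(len(labels) - 1):      # exact domain first, then each parent domain
        candidate = ".".join(labels[i:])
        if candidate in THREAT_INTEL["domain"]:
            return {"type": "domain", "indicator": candidate, "url": url}
    return None


def detect_mail(raw_message: bytes) -> dict:
    """Run S1-S3. A hit is the detection result; otherwise every URL is left
    pending for the page, file and icon stages."""
    urls = extract_urls(raw_message)
    hits = [h for h in (match_threat_intel(u) for u in urls) if h]
    return {"result": hits, "pending": [] if hits else urls}


if __name__ == "__main__":
    print(detect_mail(SAMPLE_MAIL))
```

The parent-domain walk in `match_threat_intel` is a deliberate choice: outbound intelligence is usually recorded at the registered-domain level, and a phishing link frequently sits on a throwaway subdomain of it.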
Further, the step of analyzing the file to obtain the first detection result includes:
reading document information in a file;
extracting intelligence data of the document information during the run;
and obtaining a first detection result according to the intelligence data.
Illustratively, the file contains document information such as a PE file, a Microsoft Word document or a Portable Document Format (PDF) file; reading the document information from the file allows the document information to be detected further.
Illustratively, the document information in the file can be run in a sandbox environment, and the intelligence data of the document information is extracted during that run, so that threat intelligence data can then be screened out of the intelligence data. Optionally, extracting the intelligence data of the document information in the sandbox is a recursive detection: threat intelligence data in the intelligence data can be screened repeatedly until screening is complete, so that no intelligence data is missed and detection accuracy is improved.
In the implementation process, the document information can further detect malicious URL data in detail, so that omission of the malicious URL data is effectively prevented, the detection speed of the malicious URL data is increased, and the calculation time and the occupied memory in the detection process are reduced.
Further, the step of obtaining the first detection result according to the intelligence data includes:
matching the intelligence data with threat intelligence data in a threat intelligence database;
and if the matching is successful, using the threat intelligence data matched in the intelligence data as a first detection result.
The threat intelligence data in the threat intelligence database is matched against the intelligence data in the document information. If the intelligence data contains threat intelligence data, this proves that the mail contains threat intelligence data, and the matched threat intelligence data is taken as the first detection result. If the matching fails, i.e. no threat intelligence data is detected, no threat intelligence data capable of threatening the mail exists in the document information.
Optionally, the threat intelligence data includes inbound intelligence, outbound intelligence, hash intelligence and feature rules. Inbound intelligence refers to the source IP address of an attacker who initiates an attack; outbound intelligence refers to the domain name information or host IP address of the phishing servers and remote-control servers used by an attacker; hash intelligence refers to the hash of the Trojan used by an attacker; and a feature rule refers to the traffic characteristics of the attack tool used by an attacker.
In the implementation process, the threat intelligence data hidden in the intelligence data is matched further, which guarantees detection accuracy, avoids omission of threat intelligence data, saves computation time and improves detection efficiency.
Further, the step of obtaining an icon in the page information, and matching the icon with the icon database to obtain a second detection result includes:
obtaining a hash value of the icon;
comparing the hash value of the icon with the hash value of each icon in the icon database, and if the hash value of the icon is equal to the hash value of any icon in the icon database, acquiring the domain name corresponding to that database icon;
and obtaining a second detection result according to the domain name corresponding to the icon.
In the implementation process, the hash values are compared directly, which saves computation: the difference between the icon and each icon in the icon database is obtained quickly, and from it whether malicious URL data exists behind the icon can be determined.
Further, the step of obtaining a second detection result according to the domain name corresponding to the icon includes:
and matching the domain name corresponding to the database icon with the same hash value against the domain name corresponding to the icon in the page information, and if the matching fails, taking the icon and its corresponding domain name as the second detection result.
A hash value is produced by a hash function, a method of creating a small digital "fingerprint" from data of any kind. The fingerprint of the icon, i.e. its hash value, can be obtained with the pHash algorithm (perceptual hash algorithm) and compared with the pHash values of the icons in a large icon database collected beforehand. If the two hash values are the same and the corresponding domain names are also the same, the icon is the same as the icon in the icon database, i.e. the site is a normal website. If the two hash values are the same but the corresponding domain names differ, the URL data corresponding to the icon is not considered to belong to the normal website; it is phishing-type URL data, i.e. the mail is a phishing mail.
Optionally, if the hash value of the icon is equal to the hash value of an icon in the icon database and the corresponding domain names also match, this shows that the URL data corresponding to the icon is not phishing-type URL data.
In the implementation process, comparing the hash value of the page icon with the hash values of the icons in the icon database directly establishes whether an icon identical to the page icon exists in the icon database, and malicious URL data can then be detected.
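As an added example (written for this page; not code from the patent and not ThreatBook's implementation), the Python below implements a DCT-based perceptual hash of the kind named above in pure Python, builds a small icon database mapping hash to the domain the icon legitimately belongs to, and applies the domain comparison: same hash with the same domain is treated as legitimate, same hash on a different domain is returned as the second detection result, and an icon not in the database yields no result. It goes slightly beyond the text in allowing a Hamming-distance tolerance (`max_dist=0` reproduces the strict equality the description uses). The icons are synthetic pixel arrays generated inside the block, and every function name and domain is an assumption.

```python
import math
from typing import Dict, List, Tuple

Image = List[List[int]]   # 32x32 grayscale pixels, row-major, 0..255


def synth_icon(seed: int, size: int = 32) -> Image:
    """Deterministic pseudo-random 'icon' (constructed test data, not a real favicon):
    LCG noise on top of a diagonal gradient; pixel values stay below 182."""
    state, img = seed, []
    for y in range(size):
        row = []
        for x in range(size):
            state = (1103515245 * state + 12345) % (1 << 31)
            row.append((state >> 16) % 120 + x + y)
        img.append(row)
    return img


def brighten(img: Image, delta: int) -> Image:
    """Uniform brightness change (a re-encoded or re-rendered copy of the same icon)."""
    return [[min(255, p + delta) for p in row] for row in img]


def dct_1d(v: List[float]) -> List[float]:
    """Orthonormal DCT-II of one row or column (naive O(n^2); n is 32 here)."""
    n = len(v)
    out = []
    for k in range(n):
        s = sum(v[i] * math.cos(math.pi * (2 * i + 1) * k / (2 * n)) for i in range(n))
        out.append(s * (math.sqrt(1.0 / n) if k == 0 else math.sqrt(2.0 / n)))
    return out


def phash(img: Image, low: int = 8) -> int:
    """Perceptual hash: 2-D DCT of the (already size-reduced) grayscale icon, keep the
    low x low low-frequency block, drop the DC term, and emit one bit per coefficient
    according to whether it lies above the block median. Returns a 63-bit integer."""
    size = len(img)
    rows = [dct_1d([float(p) for p in r]) for r in img]                      # DCT along x
    cols = [dct_1d([rows[y][u] for y in range(size)]) for u in range(size)]  # then along y
    block = [cols[u][v] for v in range(low) for u in range(low)]
    ac = block[1:]                           # DC only encodes mean brightness
    median = sorted(ac)[len(ac) // 2]
    bits = 0
    for c in ac:
        bits = (bits << 1) | (1 if c > median else 0)
    return bits


def hamming(a: int, b: int) -> int:
    """Number of differing bits between two hashes."""
    return bin(a ^ b).count("1")


def build_icon_db(entries: List[Tuple[Image, str]]) -> Dict[int, str]:
    """Icon database: pHash of a known brand icon -> the domain it legitimately belongs to."""
    return {phash(icon): domain.lower() for icon, domain in entries}


def icon_check(page_icon: Image, page_domain: str, icon_db: Dict[int, str],
               max_dist: int = 0) -> dict:
    """Second detection result. max_dist=0 is the equality comparison of the description;
    a small positive value tolerates re-encoded or slightly altered icons."""
    h = phash(page_icon)
    for known_hash, known_domain in icon_db.items():
        if hamming(h, known_hash) <= max_dist:
            if known_domain == page_domain.lower():
                return {"status": "legitimate", "domain": page_domain}    # same icon, same site
            return {"status": "phishing", "icon_hash": f"{h:016x}",       # same icon, other site
                    "domain": page_domain, "impersonates": known_domain}
    return {"status": "unknown", "domain": page_domain}                   # icon not in database


if __name__ == "__main__":
    db = build_icon_db([(synth_icon(1), "bank.example.com")])
    print(icon_check(brighten(synth_icon(1), 20), "bank-login.example.net", db))
```

Because the DC coefficient is discarded before thresholding, a uniformly brightened copy of an icon produces the same hash, which is exactly the property that lets a cloned favicon be recognised even when the phishing page re-encoded it. A real deployment would first convert the favicon to grayscale and resize it to 32x32; the block assumes that has already been done.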
Further, the step of generating the detection result from the first detection result and the second detection result includes:
if the intelligence data is successfully matched with the threat intelligence data in the threat intelligence database, and the hash value of the icon is not equal to the hash value of any icon in the icon database, the detection result is the threat intelligence data matched in the intelligence data;
if the matching of the intelligence data with the threat intelligence data in the threat intelligence database fails, the hash value of the icon is equal to the hash value of an icon in the icon database, and the matching of the domain name corresponding to that database icon against the domain name corresponding to the icon fails, the detection result is the icon and its corresponding domain name;
and if the intelligence data is successfully matched with the threat intelligence data in the threat intelligence database, the hash value of the icon is equal to the hash value of an icon in the icon database, and the domain name corresponding to the database icon with the same hash value fails to match the domain name corresponding to the icon, the detection result is the icon, the domain name corresponding to the icon, and the threat intelligence data matched in the intelligence data.
In the implementation process, the detection result is generated according to the first detection result and the second detection result; if either the first detection result or the second detection result yields a corresponding result, malicious URL data exists in the mail.
Further, the step of matching the URL data with threat intelligence data of a threat intelligence database, taking the threat intelligence data as the detection result if the matching is successful, and obtaining the page information corresponding to the URL data if the matching fails includes the following steps:
if the URL data contains threat intelligence data of the threat intelligence database, matching is successful, and the threat intelligence data matched in the URL data is used as a detection result;
and if the URL data does not contain threat intelligence data of the threat intelligence database, the matching fails, and the page information corresponding to the URL data is obtained.
In the implementation process, successful matching indicates that factors threatening the mail exist in the URL data; if the matching fails, the next detection is carried out, so that threat intelligence data in the URL data is not omitted.
Optionally, if the URL data does not include threat intelligence data of the threat intelligence database, and the hash value of the icon is not equal to the hash value of any icon in the icon database, the URL data includes neither malicious URL data nor phishing-type URL data, that is, the mail is neither a malicious mail nor a phishing mail.
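As an added example covering two passages of this embodiment, the sandbox-based recursive extraction and first detection result (the document-analysis steps above, including the four intelligence categories) and the generation of the final detection result from the first and second results (the three cases plus the benign case), the Python below is written for this page and is not code from the patent or from ThreatBook. A sandbox run is stood in for by a constructed nested document description (a document, its macro, and a dropped executable), the intelligence database holds placeholder indicators, and the second detection result is passed in as a small dict with a `status` field; all names are assumptions.

```python
from typing import Dict, List, Optional, Set

# Constructed threat-intelligence database in the four categories the description lists
# (inbound IP, outbound domain/IP, hash, feature rule). Every value is a placeholder.
THREAT_INTEL: Dict[str, Set[str]] = {
    "inbound_ip": {"198.51.100.7"},
    "outbound": {"c2.example.net", "192.0.2.10"},
    "hash": {"PLACEHOLDER_SHA256_OF_KNOWN_TROJAN"},
    "feature_rule": {"beacon-every-60s"},   # opaque label standing in for a traffic signature
}

# Constructed stand-in for what a sandbox run reports: a document, the indicators it
# produced, and the objects embedded in it (a macro, a dropped executable), recursively.
SAMPLE_DOC = {
    "name": "invoice.docx",
    "indicators": {"outbound": ["update.example.org"]},
    "embedded": [
        {"name": "macro.vba",
         "indicators": {"outbound": ["c2.example.net"]},
         "embedded": [
             {"name": "payload.exe",
              "indicators": {"hash": ["PLACEHOLDER_SHA256_OF_KNOWN_TROJAN"],
                             "inbound_ip": ["198.51.100.7"]}},
         ]},
    ],
}


def extract_intel(document: dict) -> Dict[str, List[str]]:
    """Recursive extraction: walk the document and every embedded object and merge the
    indicators per category, so nothing nested is missed (order kept, no repeats)."""
    merged: Dict[str, List[str]] = {}

    def add(category: str, values: List[str]) -> None:
        bucket = merged.setdefault(category, [])
        for v in values:
            if v not in bucket:
                bucket.append(v)

    for category, values in document.get("indicators", {}).items():
        add(category, values)
    for child in document.get("embedded", []):
        for category, values in extract_intel(child).items():
            add(category, values)
    return merged


def first_detection_result(intel_data: Dict[str, List[str]]) -> List[dict]:
    """Match the extracted intelligence data against each category of the database.
    An empty list is the 'matching failed' case."""
    return [{"category": cat, "indicator": ind}
            for cat, seen in intel_data.items()
            for ind in seen if ind in THREAT_INTEL.get(cat, set())]


def generate_detection_result(first: List[dict], second: Optional[dict]) -> dict:
    """Combine both results into the final verdict following the three cases of the
    description; the second result counts only when a known icon was found on a
    different domain (status 'phishing'). Unknown or legitimate icons add nothing."""
    icon_hit = bool(second) and second.get("status") == "phishing"
    if first and not icon_hit:
        return {"verdict": "malicious", "evidence": list(first)}
    if icon_hit and not first:
        return {"verdict": "phishing", "evidence": [second]}
    if first and icon_hit:
        return {"verdict": "malicious+phishing", "evidence": [second] + list(first)}
    return {"verdict": "benign", "evidence": []}   # no document hit, no icon hit


if __name__ == "__main__":
    intel = extract_intel(SAMPLE_DOC)
    print(generate_detection_result(first_detection_result(intel), {"status": "unknown"}))
```

The point of the recursion is the one the description makes: the indicator that matches (the Trojan hash and the inbound IP) sits two levels down, inside an executable dropped by a macro, and a single-level scan of the document would never see it.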
Example two
In order to implement the method corresponding to the above embodiment to achieve the corresponding functions and technical effects, the following provides an apparatus for detecting URL data in a mail, as shown in fig. 2, the apparatus comprising:
the acquisition module 1 is used for acquiring a mail protocol corresponding to a mail;
the URL analysis module 2 is used for analyzing the mail protocol to obtain URL data in the mail protocol;
the URL matching module 3 is used for matching the URL data with threat intelligence data of the threat intelligence database, and if the matching is successful, the threat intelligence data is used as a detection result; if the matching fails, acquiring page information corresponding to the URL data;
the acquisition module 1 is further used for acquiring a file corresponding to the page information;
the file analysis module 4 is used for analyzing the file to obtain a first detection result;
the icon matching module 5 is used for acquiring an icon in the page information, and matching the icon with the icon database to obtain a second detection result;
and the generating module 6 is used for generating a detection result according to the first detection result and the second detection result.
In the implementation process, malicious URL data in the mail protocol is identified by the methods of analysis and multiple matching, so that the threat of the malicious URL data to the mail is effectively prevented, the mail can be normally received and sent, and meanwhile, the detection speed of the malicious URL data in the mail and the operation speed of the mail are improved.
Further, the URL matching module 3 is further configured to:
if the URL data contains threat intelligence data of the threat intelligence database, matching is successful, and the threat intelligence data matched in the URL data is used as a detection result;
and if the URL data does not contain threat intelligence data of the threat intelligence database, the matching fails, and the page information corresponding to the URL data is obtained.
Further, the file parsing module 4 is further configured to:
reading the document information in the file;
extracting intelligence data from the document information during operation;
obtaining the first detection result according to the intelligence data;
matching the intelligence data against the threat intelligence data in the threat intelligence database;
and if the matching succeeds, taking the threat intelligence data matched in the intelligence data as the first detection result.
Further, the icon matching module 5 is further configured to:
obtaining a hash value of the ICON;
comparing the hash value of the ICON with the hash value of each ICON in the ICON database, and if the hash value of the ICON equals the hash value of any ICON in the ICON database, acquiring the domain name corresponding to that ICON in the ICON database;
and obtaining the second detection result according to the domain name corresponding to the page's ICON.
Further, the icon matching module 5 is further configured to:
and matching the domain name corresponding to the ICON in the ICON database whose hash value matched against the domain name corresponding to the page's ICON; if the two do not match, the ICON and its corresponding domain name are taken as the second detection result.
Further, the generating module 6 is further configured to:
if the intelligence data matches threat intelligence data in the threat intelligence database and the hash value of the ICON does not equal the hash value of any ICON in the ICON database, the detection result is the threat intelligence data matched in the intelligence data;
if the intelligence data fails to match any threat intelligence data in the threat intelligence database, the hash value of the ICON equals the hash value of an ICON in the ICON database, and the domain name corresponding to that ICON fails to match the domain name corresponding to the page's ICON, the detection result is the ICON and its corresponding domain name;
and if the intelligence data matches threat intelligence data in the threat intelligence database, the hash value of the ICON equals the hash value of an ICON in the ICON database, and the domain name corresponding to that ICON equals the domain name corresponding to the page's ICON, the detection result is the ICON, the domain name corresponding to the ICON, and the threat intelligence data matched in the intelligence data.
The apparatus for detecting URL data in a mail can implement the method of the first embodiment. The alternatives of the first embodiment also apply to this embodiment and are not described again here.
For the remaining content of this embodiment, reference may be made to the first embodiment; details are not repeated here.
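As an added example that is not part of the patent or the applicant's code, the following Python models the module pipeline described in this embodiment (and restated in claims 1 and 4): URL extraction from the mail, URL matching against threat intelligence, the ICON hash and domain check, and the generating module's combination rules. The threat intelligence database, ICON database, sample message, the choice of SHA-256 as the hash, and the handling of result combinations the text does not list are constructed assumptions.

```python
import hashlib
import re
from collections import namedtuple
from email import message_from_string
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Constructed threat intelligence database: indicator -> description.
THREAT_INTEL = {"evil.example": "known phishing domain"}

def icon_hash(icon: bytes) -> str:
    """Hash value of an ICON (SHA-256 is an assumption; the text names no hash)."""
    return hashlib.sha256(icon).hexdigest()

# Constructed ICON database: hash of a brand's favicon -> domain that owns it.
BRAND_ICON = b"constructed favicon bytes of bank.example"
ICON_DB = {icon_hash(BRAND_ICON): "bank.example"}

# Constructed sample message as received over the mail protocol.
SAMPLE_MAIL = """From: alerts@bank.example
To: user@corp.example
Subject: Verify your account
Content-Type: text/plain

Please verify at http://evil.example/login or http://bank-verify.example/login
"""

# Constructed stand-in for the page information fetched for a URL:
# the favicon it serves and the indicators extracted while parsing its files.
PageInfo = namedtuple("PageInfo", "icon intel_data")

def extract_urls(raw_mail: str) -> list:
    """URL analysis module: parse the mail and collect URLs from its text parts."""
    msg = message_from_string(raw_mail)
    urls = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            urls += URL_RE.findall(part.get_payload())
    return urls

def match_intel(indicators) -> list:
    """Threat intelligence entries matched by any of the indicators."""
    return [THREAT_INTEL[i] for i in indicators if i in THREAT_INTEL]

def second_detection(url: str, page: PageInfo):
    """ICON matching module: icon hash -> registered domain, compared with the URL host."""
    owner = ICON_DB.get(icon_hash(page.icon))
    if owner is None:
        return None  # hash equals no ICON in the database
    host = urlparse(url).hostname or ""
    consistent = host == owner or host.endswith("." + owner)
    return {"icon_match": consistent, "domain": host, "icon_owner": owner}

def generate(first: list, second) -> dict:
    """Generating module: combine first and second detection results. The three
    cases the text lists come first; any other combination that still carries a
    hit is reported as suspicious (an assumption, not taken from the text)."""
    result = {"verdict": "clean", "first": first, "second": second}
    if first and second is None:
        result.update(verdict="malicious", reason="threat intel hit on page content")
    elif not first and second and not second["icon_match"]:
        result.update(verdict="suspicious", reason="icon of %s served from %s"
                      % (second["icon_owner"], second["domain"]))
    elif first and second and second["icon_match"]:
        result.update(verdict="malicious", reason="threat intel hit, icon and domain consistent")
    elif first or (second and not second["icon_match"]):
        result.update(verdict="suspicious", reason="partial match")
    return result

def detect(url: str, page: PageInfo) -> dict:
    """URL matching module first; page-level checks only for unmatched URLs."""
    host = urlparse(url).hostname or ""
    hit = match_intel([host])
    if hit:
        return {"verdict": "malicious", "reason": "URL in threat intel", "first": hit, "second": None}
    return generate(match_intel(page.intel_data), second_detection(url, page))
```

Running `detect` over `extract_urls(SAMPLE_MAIL)` flags the first URL from threat intelligence alone and the second from the icon check, since the brand's favicon is served from a host that does not belong to the domain registered for it.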
EXAMPLE III
An embodiment of the present application provides an electronic device comprising a memory and a processor, where the memory stores a computer program and the processor runs the computer program to cause the electronic device to execute the method for detecting URL data in a mail according to the first embodiment.
Alternatively, the electronic device may be a server.
Referring to fig. 3, fig. 3 is a schematic structural diagram of an electronic device according to an embodiment of the present disclosure. The electronic device may include a processor 31, a communication interface 32, a memory 33, and at least one communication bus 34. The communication bus 34 provides direct-connection communication among these components. The communication interface 32 of the device in this embodiment is used for signaling or data communication with other node devices. The processor 31 may be an integrated circuit chip with signal processing capability.
The processor 31 may be a general-purpose processor, including a central processing unit (CPU), a network processor (NP), and the like; it may also be a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component, and may implement or execute the methods, steps and logic blocks disclosed in the embodiments of the present application. A general-purpose processor may be a microprocessor, or the processor 31 may be any conventional processor.
The memory 33 may be, but is not limited to, a random access memory (RAM), a read-only memory (ROM), a programmable read-only memory (PROM), an erasable programmable read-only memory (EPROM), an electrically erasable programmable read-only memory (EEPROM), and the like. The memory 33 stores computer-readable instructions which, when executed by the processor 31, enable the apparatus to perform the steps of the method embodiment of fig. 1 described above.
Optionally, the electronic device may further include a memory controller and an input/output unit. The memory 33, the memory controller, the processor 31, the peripheral interface and the input/output unit are electrically connected to one another, directly or indirectly, to enable data transmission or interaction; for example, these components may be electrically connected via one or more communication buses 34. The processor 31 executes the executable modules stored in the memory 33, such as the software functional modules or computer programs comprised by the apparatus.
The input/output unit allows a user to create a task and to set an optional time period or a preset execution time for the created task, so as to enable interaction between the user and the server. The input/output unit may be, but is not limited to, a mouse, a keyboard, and the like.
It will be appreciated that the configuration shown in fig. 3 is merely illustrative and that the electronic device may include more or fewer components than shown in fig. 3 or have a different configuration than shown in fig. 3. The components shown in fig. 3 may be implemented in hardware, software, or a combination thereof.
In addition, an embodiment of the present application further provides a computer-readable storage medium, which stores a computer program, and when the computer program is executed by a processor, the computer program implements the method for detecting URL data in an email according to the first embodiment.
Embodiments of the present application further provide a computer program product, which when running on a computer, causes the computer to execute the method described in the method embodiments.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus and method can be implemented in other ways. The apparatus embodiments described above are merely illustrative, and for example, the flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In addition, functional modules in the embodiments of the present application may be integrated together to form an independent part, or each module may exist separately, or two or more modules may be integrated to form an independent part.
The functions, if implemented in the form of software functional modules and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on such understanding, the technical solution of the present application, or the portions thereof that substantially contribute to the prior art, may be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. The aforementioned storage medium includes various media capable of storing program code, such as a USB flash drive, a removable hard disk, a ROM, a RAM, a magnetic disk, or an optical disk.
The above description is only an example of the present application and is not intended to limit the scope of the present application, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application shall be included in the protection scope of the present application. It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures.
The above description is only for the specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present application, and shall be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.

Claims (6)

1. A method for detecting URL data in a mail, which is characterized by comprising the following steps:
acquiring a mail protocol corresponding to the mail;
analyzing the mail protocol to obtain URL data in the mail protocol;
matching the URL data with threat intelligence data of a threat intelligence database, and if the matching is successful, taking the threat intelligence data as a detection result; if the matching fails, acquiring page information corresponding to the URL data;
acquiring a file corresponding to the page information;
analyzing the file to obtain a first detection result;
the step of analyzing the file to obtain a first detection result includes:
reading document information in the file;
extracting intelligence data from the document information during operation;
obtaining a first detection result according to the intelligence data;
acquiring an ICON in the page information, and matching the ICON against an ICON database to obtain a second detection result;
generating a detection result from the first detection result and the second detection result;
wherein the step of acquiring the ICON in the page information and matching the ICON against the ICON database to obtain the second detection result includes:
obtaining a hash value of the ICON;
comparing the hash value of the ICON with the hash value of each ICON in the ICON database, and if the hash value of the ICON equals the hash value of any ICON in the ICON database, acquiring the domain name corresponding to that ICON;
obtaining the second detection result according to the domain name corresponding to the ICON;
wherein the step of obtaining the second detection result according to the domain name corresponding to the ICON comprises:
matching the domain name corresponding to the ICON whose hash value matched, and taking the ICON and the corresponding domain name as the second detection result if the matching fails;
wherein the step of generating the detection result from the first detection result and the second detection result comprises:
if the intelligence data matches threat intelligence data in the threat intelligence database and the hash value of the ICON does not equal the hash value of any ICON in the ICON database, the detection result is the threat intelligence data matched in the intelligence data;
if the intelligence data fails to match any threat intelligence data in the threat intelligence database, the hash value of the ICON equals the hash value of an ICON in the ICON database, and the domain name corresponding to that ICON fails to match the domain name corresponding to the ICON, the detection result is the ICON and its corresponding domain name;
if the intelligence data matches threat intelligence data in the threat intelligence database, the hash value of the ICON equals the hash value of an ICON in the ICON database, and the domain name corresponding to that ICON fails to match the domain name corresponding to the ICON, the detection result is the ICON, the domain name corresponding to the ICON, and the threat intelligence data matched in the intelligence data.
2. The method according to claim 1, wherein the step of obtaining the first detection result according to the intelligence data comprises:
matching the intelligence data with threat intelligence data in the threat intelligence database;
and if the matching is successful, taking the threat intelligence data matched in the intelligence data as the first detection result.
3. The method for detecting URL data in a mail according to claim 1, wherein the step of matching the URL data against threat intelligence data of the threat intelligence database, taking the threat intelligence data as the detection result if the matching succeeds, and acquiring the page information corresponding to the URL data if the matching fails comprises:
if the URL data contains threat intelligence data of the threat intelligence database, matching is successful, and the threat intelligence data matched in the URL data is used as a detection result;
and if the URL data does not contain the threat intelligence data of the threat intelligence database, the matching fails, and page information corresponding to the URL data is obtained.
4. An apparatus for detecting URL data in a mail, the apparatus comprising:
the acquisition module is used for acquiring a mail protocol corresponding to the mail;
the URL analysis module is used for analyzing the mail protocol to obtain URL data in the mail protocol;
the URL matching module is used for matching the URL data with threat intelligence data of a threat intelligence database, and if the matching is successful, the threat intelligence data is used as a detection result; if the matching fails, acquiring page information corresponding to the URL data;
the acquisition module is also used for acquiring a file corresponding to the page information;
the file parsing module is used for parsing the file to obtain a first detection result;
the ICON matching module is used for acquiring an ICON in the page information and matching the ICON against an ICON database to obtain a second detection result;
the generating module is used for generating a detection result from the first detection result and the second detection result;
the file parsing module is further configured to:
reading document information in the file;
extracting intelligence data of the document information in the operation process;
obtaining a first detection result according to the intelligence data;
the ICON matching module is further configured to: obtain a hash value of the ICON; compare the hash value of the ICON with the hash value of each ICON in the ICON database, and if the hash value of the ICON equals the hash value of any ICON in the ICON database, acquire the domain name corresponding to that ICON; and obtain the second detection result according to the domain name corresponding to the ICON;
the ICON matching module is further configured to:
match the domain name corresponding to the ICON whose hash value matched, and take the ICON and the corresponding domain name as the second detection result if the matching fails;
the generating module is further configured to:
if the intelligence data matches threat intelligence data in the threat intelligence database and the hash value of the ICON does not equal the hash value of any ICON in the ICON database, take the threat intelligence data matched in the intelligence data as the detection result;
if the intelligence data fails to match any threat intelligence data in the threat intelligence database, the hash value of the ICON equals the hash value of an ICON in the ICON database, and the domain name corresponding to that ICON fails to match the domain name corresponding to the ICON, take the ICON and its corresponding domain name as the detection result;
if the intelligence data matches threat intelligence data in the threat intelligence database, the hash value of the ICON equals the hash value of an ICON in the ICON database, and the domain name corresponding to that ICON fails to match the domain name corresponding to the ICON, take the ICON, the domain name corresponding to the ICON, and the threat intelligence data matched in the intelligence data as the detection result.
5. An electronic device, comprising a memory for storing a computer program and a processor for executing the computer program to cause the electronic device to execute the method for detecting URL data in a mail according to any one of claims 1 to 3.
6. A computer-readable storage medium, characterized in that it stores a computer program which, when executed by a processor, implements the method for detecting URL data in a mail according to any one of claims 1 to 3.
CN202111641303.8A 2021-12-30 2021-12-30 Method and device for detecting URL data in mail and electronic equipment Active CN114004604B (en)

Publications (2)

Publication Number Publication Date
CN114004604A CN114004604A (en) 2022-02-01
CN114004604B true CN114004604B (en) 2022-03-29

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant