CN115208850A - Mail detection method, system and related equipment - Google Patents

Mail detection method, system and related equipment

Info

Publication number
CN115208850A
Authority
CN
China
Prior art keywords
mail
score
detected
abnormal
security
Prior art date
Legal status
Pending
Application number
CN202210830862.1A
Other languages
Chinese (zh)
Inventor
赵冉
张杉杉
方润秋
Current Assignee
Bank of China Ltd
Original Assignee
Bank of China Ltd
Priority date
Filing date
Publication date
Application filed by Bank of China Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1483 Countermeasures against malicious traffic; service impersonation, e.g. phishing, pharming or web spoofing

Abstract

The invention discloses a mail detection method, a mail detection system and related equipment, which can be applied to the field of network security. When it is detected that a user to be monitored receives a mail to be detected, a management end is requested to provide a first abnormal index of the sender of the mail to be detected and a second abnormal index of the user to be monitored; a first security score is calculated from the first abnormal index and the second abnormal index; a second security score is calculated from the link information of the mail to be detected, and a third security score is calculated from the attachment information of the mail to be detected; a final security score is determined from the first, second and third security scores; and if the final security score is larger than a security threshold, a specific mark is added to the mail to be detected. Phishing mails are thereby detected, and the network security of the enterprise intranet is improved.

Description

Mail detection method, system and related equipment
Technical Field
The invention relates to the technical field of network security, in particular to a mail detection method, a mail detection system and related equipment.
Background
With the development of the internet, there are more and more ways of intruding into an intranet. Because some employees have low security awareness, phishing mail is currently a common intrusion method. When an employee views a phishing mail, the intranet of an enterprise (for example a financial enterprise such as a bank) may be intruded upon, causing the enterprise losses; a way to detect phishing mail is therefore needed.
Disclosure of Invention
In view of the above, embodiments of the present invention provide a method, a system and a related device for detecting phishing mails.
In order to achieve the above purpose, the embodiments of the present invention provide the following technical solutions:
the first aspect of the embodiments of the present invention discloses a mail detection method, which includes:
when a user to be monitored is detected to receive a mail to be detected, requesting a management end to acquire a first abnormal index of a sender of the mail to be detected and requesting to acquire a second abnormal index of the user to be monitored;
calculating a first safety score according to the first abnormality index and the second abnormality index;
calculating a second security score by using the link information of the mail to be detected, and calculating a third security score by using the attachment information of the mail to be detected;
determining a final security score based on the first security score, the second security score and the third security score;
and if the final security score is larger than a security threshold value, adding a specific mark to the mail to be detected, wherein the specific mark is used for indicating that the mail to be detected is a phishing mail.
Preferably, calculating a first safety score according to the first abnormality index and the second abnormality index includes:
acquiring a first abnormal behavior score and a first mail content abnormal score of a sender of the mail to be detected from the first abnormal index, and acquiring a second abnormal behavior score and a second mail content abnormal score of the user to be monitored from the second abnormal index;
and summing the first abnormal behavior score, the first mail content abnormal score, the second abnormal behavior score and the second mail content abnormal score to obtain a first safety score.
Preferably, the process of calculating the second security score by using the link information of the mail to be detected includes:
judging whether the mail to be detected contains link information or not;
if the link information is not contained, determining that the second safety score is a preset original score;
if the link information is contained, calculating a region corresponding to the domain name of the link information according to preset threat information, and determining the number of various threat events matched with the link information;
and calculating a second security score based on the original score, the geographical region and the number of various threat events matched by the link information and by combining the event grades of the various threat events.
Preferably, the process of calculating the third security score by using the attachment information of the mail to be detected includes:
judging whether the mail to be detected contains attachment information or not;
if no attachment information is contained, determining that the third security score is 0;
if the attachment information is contained, processing the attachment information through a local sandbox to determine the number of various threat events matched with the attachment information;
and calculating a third security score based on the number of the various types of threat events matched by the attachment information and the event grades of the various types of threat events.
Preferably, after adding the specific mark to the mail to be detected, the method further comprises:
and sending the information of the sender of the mail to be detected to the management terminal.
Preferably, after adding the specific mark to the mail to be detected, the method further comprises:
intercepting the operation and displaying warning information when the operation of opening the mail to be detected is detected;
and if the mail to be detected is detected to be opened, sending the information of the user to be monitored to the management end so that the management end updates the second abnormal index of the user to be monitored.
A second aspect of the embodiments of the present invention discloses a mail detection system, including:
an acquisition unit, configured to request a management terminal to acquire a first abnormal index of the sender of a mail to be detected and to acquire a second abnormal index of the user to be monitored when the user to be monitored is detected to receive the mail to be detected;
the first calculation unit is used for calculating a first safety score according to the first abnormality index and the second abnormality index;
the second calculation unit is used for calculating a second security score by using the link information of the mail to be detected and calculating a third security score by using the attachment information of the mail to be detected;
a determining unit, configured to determine to obtain a final security score based on the first security score, the second security score, and the third security score;
and the marking unit is used for adding a specific mark to the mail to be detected if the final security score is greater than a security threshold, wherein the specific mark is used for indicating that the mail to be detected is a phishing mail.
Preferably, the first calculation unit includes:
the acquisition module is used for acquiring a first abnormal behavior score and a first mail content abnormal score of a sender of the mail to be detected from the first abnormal index, and acquiring a second abnormal behavior score and a second mail content abnormal score of the user to be monitored from the second abnormal index;
and the calculation module is used for summing the first abnormal behavior score, the first mail content abnormal score, the second abnormal behavior score and the second mail content abnormal score to obtain a first security score.
A third aspect of an embodiment of the present invention discloses an electronic device, including a processor and a memory connected through a communication bus; the processor is used for calling and executing the program stored in the memory; the memory is used for storing a program, and the program is used for implementing the mail detection method disclosed by the first aspect of the embodiment of the invention.
A fourth aspect of the present invention discloses a computer-readable storage medium, where computer-executable instructions are stored in the computer-readable storage medium, and the computer-executable instructions are used to execute the mail detection method disclosed in the first aspect of the present invention.
Based on the mail detection method, the mail detection system and the related equipment provided by the embodiment of the invention, when the user to be monitored is detected to receive the mail to be detected, the management terminal is requested to acquire a first abnormal index of a sender of the mail to be detected and a second abnormal index of the user to be monitored; calculating a first safety score according to the first abnormality index and the second abnormality index; calculating a second security score by using the link information of the mail to be detected, and calculating a third security score by using the attachment information of the mail to be detected; determining to obtain a final safety score based on the first safety score, the second safety score and the third safety score; and if the final security score is larger than the security threshold value, adding a specific mark to the mail to be detected. In the scheme, when the user to be monitored receives the mail to be detected, the final safety score is calculated by utilizing the first abnormal index of the sender of the mail to be detected, the second abnormal index of the user to be monitored, the link information of the mail to be detected and the attachment information of the mail to be detected. And if the final security score is larger than the security threshold value, determining that the mail to be detected is the phishing mail and adding a specific mark to the mail to be detected, so that the phishing mail is detected, and the network security of the intranet of the enterprise is improved.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the provided drawings without creative efforts.
Fig. 1 is a flowchart of a mail detection method according to an embodiment of the present invention;
fig. 2 is a block diagram of a mail detection system according to an embodiment of the present invention;
fig. 3 is another block diagram of a mail detection system according to an embodiment of the present invention;
fig. 4 is a block diagram of another structure of a mail detection system according to an embodiment of the present invention;
fig. 5 is a block diagram of another structure of a mail detection system according to an embodiment of the present invention;
fig. 6 is a block diagram of another structure of a mail detection system according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
In this application, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a … …" does not exclude the presence of another identical element in a process, method, article, or apparatus that comprises the element.
It should be noted that the mail detection method, the mail detection system and the related equipment provided by the invention can be used in the field of network security. The above description is only an example, and does not limit the application fields of the mail detection method, the mail detection system, and the related device provided by the present invention.
As known from the background art, phishing mails are a common intrusion mode at present, and when an employee views the phishing mails, an intranet of an enterprise (e.g., a financial enterprise such as a bank) may be intruded, so that the enterprise suffers from loss.
Therefore, the embodiment of the invention provides a mail detection method, a mail detection system and related equipment, when a user to be monitored receives a mail to be detected, a final security score is calculated by using a first abnormal index of a sender of the mail to be detected, a second abnormal index of the user to be monitored, link information of the mail to be detected and attachment information of the mail to be detected. And if the final security score is larger than the security threshold value, determining that the mail to be detected is a phishing mail and adding a specific mark to the mail to be detected, so that the phishing mail is detected, and the network security of the intranet of the enterprise is improved.
Referring to fig. 1, a flowchart of a mail detection method provided by an embodiment of the present invention is shown, where the mail detection method includes:
step S101: when the user to be monitored is detected to receive the mail to be detected, the management terminal is requested to acquire a first abnormal index of a sender of the mail to be detected and a second abnormal index of the user to be monitored.
It should be noted that the user to be monitored is a user for whom it is necessary to monitor whether the mail received is phishing mail.
In the process of implementing step S101 specifically, when it is detected that the user to be monitored receives the mail to be detected (for example, when a new mail is received), the management end is requested to obtain a first abnormal index of the sender of the mail to be detected, and the management end is requested to obtain a second abnormal index of the user to be monitored.
It should be noted that the management side maintains abnormality indexes of a plurality of users, and the abnormality indexes include abnormal behavior scores of the users and abnormal mail content scores.
Step S102: and calculating a first safety score according to the first abnormality index and the second abnormality index.
In the process of the specific implementation step S102, a first abnormal behavior score and a first mail content abnormal score of a sender of the mail to be detected are obtained from the first abnormal index, and a second abnormal behavior score and a second mail content abnormal score of the user to be monitored are obtained from the second abnormal index.
In some embodiments, the historical behavior information of the sender of the mail to be detected is used for carrying out abnormal behavior analysis to obtain a first abnormal behavior score; and analyzing the mail content by using the content of the historical mail sent by the sender of the mail to be detected to obtain the abnormal score of the first mail content.
In some embodiments, performing abnormal behavior analysis by using historical behavior information of a user to be monitored to obtain a second abnormal behavior score; and analyzing the mail content by using the content of the historical mails received by the user to be monitored so as to obtain a second mail content abnormal score.
And summing the first abnormal behavior score, the first mail content abnormal score, the second abnormal behavior score and the second mail content abnormal score to obtain a first safety score. Specifically, the first security score P1 is calculated by formula (1).
$P_1 = S_a + S_b + R_a + R_b$ (1)
In formula (1), $S_a$ is the first abnormal behavior score, $S_b$ the first mail content anomaly score, $R_a$ the second abnormal behavior score, and $R_b$ the second mail content anomaly score.
Step S103: and calculating a second security score by using the link information of the mail to be detected, and calculating a third security score by using the attachment information of the mail to be detected.
In the process of specifically implementing step S103, the specific way of calculating the second security score by using the link information of the mail to be detected is as follows: and judging whether the mail to be detected contains link information or not, or judging whether a link exists in the mail to be detected.
And if the mail to be detected does not contain the link information (no link exists), determining that the second safety score is a preset original score.
If the mail to be detected contains link information (links exist), calculating a region corresponding to the domain name of the link information according to preset threat information, and determining the number of various threat events matched with the link information, wherein the threat events include but are not limited to: events such as external connection, registry modification and system file modification; and calculating a second security score based on the number of various threat events matched by the original score, the geographical division and the link information and by combining the event grades of the various threat events.
Specifically, the second security score P2 is calculated by formula (2).
(formula (2), image)
In formula (2), $origin$ is the original score, $f$ is the region score, $th_1$ is the event rank of type 1 threat events matched to the link information, $th_2$ is the event rank of type 2 threat events matched to the link information, $n_1$ is the number of type 1 threat events matched to the link information, $n_2$ is the number of type 2 threat events matched to the link information, and $n$ is the total number of threat events.
It should be noted that whether each user receives phishing mail is monitored separately on each user host; the threat information is maintained by the management end, and when the threat information is updated, the management end updates the information base offline and then distributes the updated threat information to each user host.
The specific way of calculating the third security score by using the attachment information of the mail to be detected is as follows: and judging whether the mail to be detected contains the attachment information or not, or judging whether the mail to be detected carries the attachment or not.
And if the mail to be detected does not contain the attachment information (does not carry the attachment), determining that the third safety score is 0.
If the mail to be detected contains attachment information (carries an attachment), the attachment information is processed through a local sandbox to determine the number of various threat events matched with the attachment information; specifically, the attachment information is input into the local sandbox for processing, and the number of various threat events matched to the attachment information is determined. A third security score is then calculated based on the number of the various types of threat events matched by the attachment information and the event grades of the various types of threat events.
Specifically, the third security score P3 is calculated by formula (3).
(formula (3), image)
In formula (3), $th_1$ is the event rank of type 1 threat events matched to the attachment information, $th_2$ is the event rank of type 2 threat events matched to the attachment information, $n_1$ is the number of type 1 threat events matched to the attachment information, $n_2$ is the number of type 2 threat events matched to the attachment information, and $n$ is the total number of threat events.
Step S104: and determining to obtain a final safety score based on the first safety score, the second safety score and the third safety score.
In the process of specifically implementing step S104, after the first security score, the second security score and the third security score have been calculated, they are summed to obtain the final security score; that is, final security score = P1 + P2 + P3.
Step S105: and if the final security score is larger than the security threshold value, adding a specific mark to the mail to be detected, wherein the specific mark is used for indicating that the mail to be detected is a phishing mail.
In the process of implementing step S105, if the final security score is less than or equal to the security threshold, it is determined that the mail to be detected is not a phishing mail.
And if the final security score is larger than the security threshold value, determining that the mail to be detected is the phishing mail, and adding a specific mark to the mail to be detected, wherein the specific mark is used for indicating that the mail to be detected is the phishing mail. For example: and if the final safety score is larger than the safety threshold value, adding a mark of danger to the mail to be detected so as to indicate that the mail to be detected is the phishing mail.
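Steps S101 to S105 as one executable pipeline, written as an added example in Python; it is not code from the patent or its assignee. Formulas (2) and (3) are images in the original and are not reproduced, so the rank-weighted event sum used for P2 and P3, the threat-intelligence table, the "danger" mark and all sample scores are assumptions.

```python
"""Phishing-mail scoring modelled on steps S101-S105 of the patent text.

Assumptions (not from the patent): P2 and P3 aggregate matched threat events
as sum(th_i * n_i); higher scores mean more dangerous; sample values below are
constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse


@dataclass(frozen=True)
class AnomalyIndex:
    """Index kept by the management end for one user (S101): an abnormal
    behaviour score and an abnormal mail-content score."""
    behavior_score: float
    content_score: float


@dataclass(frozen=True)
class ThreatEvent:
    """One class of threat event matched to a link or attachment: its event
    rank th_i and the number of occurrences n_i."""
    kind: str    # e.g. "external_connection", "registry_modification"
    rank: int    # th_i (assumed: higher is more severe)
    count: int   # n_i


@dataclass
class Mail:
    sender: str
    recipient: str
    links: List[str] = field(default_factory=list)
    # Output of the local sandbox run over the attachment(s), empty if none.
    attachment_events: List[ThreatEvent] = field(default_factory=list)


# Constructed threat intelligence: domain -> (region score f, matched events).
THREAT_INTEL: Dict[str, Tuple[int, List[ThreatEvent]]] = {
    "login-verify.example": (8, [ThreatEvent("external_connection", 3, 4),
                                 ThreatEvent("registry_modification", 5, 1)]),
    "intranet.example": (0, []),
}


def first_security_score(sender_idx: AnomalyIndex, user_idx: AnomalyIndex) -> float:
    """P1 = S_a + S_b + R_a + R_b, formula (1) as given in the text."""
    return (sender_idx.behavior_score + sender_idx.content_score
            + user_idx.behavior_score + user_idx.content_score)


def weighted_event_score(events: List[ThreatEvent]) -> float:
    """Assumed aggregation of ranks and counts: sum(th_i * n_i)."""
    return float(sum(e.rank * e.count for e in events))


def second_security_score(mail: Mail, intel: Dict[str, Tuple[int, List[ThreatEvent]]],
                          origin: float) -> float:
    """P2: the preset original score if the mail has no links; otherwise the
    original score plus region score and weighted threat events per link."""
    if not mail.links:
        return origin
    score = origin
    for link in mail.links:
        domain = urlparse(link).hostname or ""
        region_score, events = intel.get(domain, (0, []))  # no intel: no penalty
        score += region_score + weighted_event_score(events)
    return score


def third_security_score(mail: Mail) -> float:
    """P3: 0 when there is no attachment, else the weighted sandbox events."""
    if not mail.attachment_events:
        return 0.0
    return weighted_event_score(mail.attachment_events)


def final_security_score(mail: Mail, sender_idx: AnomalyIndex, user_idx: AnomalyIndex,
                         intel=THREAT_INTEL, origin: float = 1.0) -> float:
    """S104: final score = P1 + P2 + P3."""
    return (first_security_score(sender_idx, user_idx)
            + second_security_score(mail, intel, origin)
            + third_security_score(mail))


def mark_if_phishing(mail: Mail, sender_idx: AnomalyIndex, user_idx: AnomalyIndex,
                     threshold: float, intel=THREAT_INTEL, origin: float = 1.0) -> Optional[str]:
    """S105: return the mark "danger" when the final score exceeds the threshold."""
    score = final_security_score(mail, sender_idx, user_idx, intel, origin)
    return "danger" if score > threshold else None


def handle_open_attempt(mark: Optional[str], user_proceeds: bool) -> dict:
    """Post-marking behaviour: opening a marked mail is intercepted with a warning;
    if the user opens it anyway, the user is reported to the management end so
    that it can update the user's second abnormal index."""
    if mark is None:
        return {"intercepted": False, "warning": None, "report_user": False}
    return {"intercepted": True,
            "warning": "Suspected phishing mail, do not open",
            "report_user": user_proceeds}


if __name__ == "__main__":
    sender, user = AnomalyIndex(2, 3), AnomalyIndex(1, 0)
    suspicious = Mail("ext@example", "staff@intranet.example",
                      links=["https://login-verify.example/reset"],
                      attachment_events=[ThreatEvent("system_file_modification", 4, 2)])
    print(final_security_score(suspicious, sender, user),
          mark_if_phishing(suspicious, sender, user, threshold=20))
```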
Preferably, if the final security score is larger than the security threshold, after a specific mark is added to the mail to be detected, the information of the sender of the mail to be detected is sent to the management terminal.
It should be noted that even after the specific mark has been added to the mail to be detected, the user to be monitored may still click on it; therefore, to further ensure the security of the enterprise intranet, in some embodiments, after the specific mark is added to the mail to be detected, when an operation of opening the mail to be detected is detected, the operation is intercepted and warning information is displayed. For example: after the specific mark is added to the mail to be detected, if an operation of opening the mail is detected, the operation is intercepted and the warning "suspected phishing mail, do not open" is displayed.
After the warning information is displayed, if the mail to be detected is nevertheless opened, the information of the user to be monitored is sent to the management terminal so that the management terminal updates the second abnormal index of the user to be monitored. That is, after the warning information has been displayed to remind the user to be monitored, if the user disregards the warning and opens the mail to be detected, the information of the user to be monitored (user information) is sent to the management terminal, so that the management terminal updates that user's second abnormal index.
It should be noted that, after receiving the information of the user to be monitored, the management terminal may analyze the cases in which the user to be monitored disregarded the warning information, so as to determine how often the user to be monitored falls for phishing mail, thereby building up the mail communication security situation of the enterprise intranet.
In the embodiment of the invention, when the user to be monitored receives the mail to be detected, the final security score is calculated by utilizing the first abnormal index of the sender of the mail to be detected, the second abnormal index of the user to be monitored, the link information of the mail to be detected and the attachment information of the mail to be detected. And if the final security score is larger than the security threshold value, determining that the mail to be detected is the phishing mail and adding a specific mark to the mail to be detected, so that the phishing mail is detected, and the network security of the intranet of the enterprise is improved.
Corresponding to the above-mentioned email detection method provided by the embodiment of the present invention, referring to fig. 2, the embodiment of the present invention further provides a structural block diagram of an email detection system, where the email detection system includes: an acquisition unit 201, a first calculation unit 202, a second calculation unit 203, a determination unit 204, and a marking unit 205;
the obtaining unit 201 is configured to, when it is detected that the user to be monitored receives the mail to be detected, request the management end to obtain a first abnormality index of a sender of the mail to be detected, and request to obtain a second abnormality index of the user to be monitored.
A first calculating unit 202, configured to calculate a first security score according to the first abnormality index and the second abnormality index.
And the second calculating unit 203 is used for calculating a second security score by using the link information of the mail to be detected and calculating a third security score by using the attachment information of the mail to be detected.
The determining unit 204 is configured to determine to obtain a final security score based on the first security score, the second security score, and the third security score.
And the marking unit 205 is configured to add a specific mark to the mail to be detected if the final security score is greater than the security threshold, where the specific mark is used to indicate that the mail to be detected is a phishing mail.
Preferably, the marking unit 205 is further configured to: and after adding a specific mark to the mail to be detected, sending the information of the sender of the mail to be detected to a management terminal.
In the embodiment of the invention, when the user to be monitored receives the mail to be detected, the final security score is calculated by utilizing the first abnormal index of the sender of the mail to be detected, the second abnormal index of the user to be monitored, the link information of the mail to be detected and the attachment information of the mail to be detected. And if the final security score is larger than the security threshold value, determining that the mail to be detected is the phishing mail and adding a specific mark to the mail to be detected, so that the phishing mail is detected, and the network security of the intranet of the enterprise is improved.
Preferably, referring to fig. 3 in conjunction with fig. 2, another structural block diagram of a mail detection system provided in an embodiment of the present invention is shown, where the first computing unit 202 includes:
the obtaining module 2021 is configured to obtain a first abnormal behavior score and a first mail content abnormal score of a sender of the mail to be detected from the first abnormal index, and obtain a second abnormal behavior score and a second mail content abnormal score of the user to be monitored from the second abnormal index.
The calculating module 2022 is configured to sum the first abnormal behavior score, the first mail content abnormal score, the second abnormal behavior score, and the second mail content abnormal score to obtain a first security score.
Preferably, referring to fig. 4 in conjunction with fig. 2, a block diagram of another structure of the mail detection system provided in the embodiment of the present invention is shown, and the second calculating unit 203 for calculating the second security score by using the link information of the mail to be detected includes: a first judging module 2031, a first determining module 2032, a first calculating module 2033, and a second calculating module 2034;
the first determining module 2031 is configured to determine whether the mail to be detected contains link information.
The first determining module 2032 is configured to determine that the second security score is a preset original score if the link information is not included.
The first calculating module 2033 is configured to calculate, if the link information is included, a region corresponding to the domain name of the link information according to preset threat information, and determine the number of various threat events matched with the link information.
The second calculating module 2034 is configured to calculate a second security score based on the number of the various threat events matched by the original score, the geographical region, and the link information, and by combining the event levels of the various threat events.
Preferably, referring to fig. 5 in conjunction with fig. 2, there is shown another structural block diagram of a mail detection system provided in the embodiment of the present invention, in which the second calculating unit 203 for calculating the third security score by using the attachment information of the mail to be detected includes: a second judging module 2035, a second determining module 2036, a processing module 2037, and a third calculating module 2038;
the second judging module 2035 is configured to judge whether the mail to be detected contains the attachment information.
The second determining module 2036 is configured to determine that the third security score is 0 if no attachment information is included.
And the processing module 2037 is configured to, if the attachment information is included, process the attachment information through the local sandbox to determine the number of the various types of threat events matched with the attachment information.
The third calculating module 2038 is configured to calculate a third security score based on the number of the various types of threat events matched by the accessory information and the event levels of the various types of threat events.
Preferably, referring to fig. 6 in conjunction with fig. 2, a further structural block diagram of a mail detection system provided in the embodiment of the present invention is shown, where the mail detection system further includes:
the processing unit 206 is configured to, when an operation to open the mail to be detected is detected, intercept the operation and display warning information, and, if the mail to be detected is detected to have been opened anyway, send the information of the user to be monitored to the management terminal, so that the management terminal updates the second abnormality index of the user to be monitored.
Preferably, an embodiment of the present invention further provides an electronic device, including a processor and a memory connected through a communication bus; the processor is used for calling and executing the program stored in the memory; the memory is used for storing a program that implements the mail detection method disclosed in the above method embodiments.
Preferably, an embodiment of the present invention further provides a computer-readable storage medium, in which computer-executable instructions are stored, the computer-executable instructions being used to execute the mail detection method disclosed in the foregoing method embodiments.
In summary, embodiments of the present invention provide a method, a system, and related equipment for mail detection, in which, when a user to be monitored receives a mail to be detected, a final security score is calculated from a first abnormality index of the sender of the mail to be detected, a second abnormality index of the user to be monitored, the link information of the mail to be detected, and the attachment information of the mail to be detected. If the final security score is greater than the security threshold, the mail to be detected is determined to be a phishing mail and a specific mark is added to it, so that phishing mails are detected and the network security of the enterprise intranet is improved.
All the embodiments in the present specification are described in a progressive manner; the same and similar parts among the embodiments may be referred to each other, and each embodiment focuses on its differences from the other embodiments. In particular, the system and device embodiments are substantially similar to the method embodiments and are therefore described relatively simply; for related points, reference may be made to the description of the method embodiments. The system and device embodiments described above are only illustrative: the units described as separate parts may or may not be physically separate, and the parts displayed as units may or may not be physical units; they may be located in one place or distributed over a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement this without inventive effort.
Those of skill would further appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative components and steps have been described above generally in terms of their functionality in order to clearly illustrate this interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (10)

1. A method for mail detection, the method comprising:
when a user to be monitored is detected to receive a mail to be detected, requesting a management end to acquire a first abnormal index of a sender of the mail to be detected and requesting to acquire a second abnormal index of the user to be monitored;
calculating a first security score according to the first abnormality index and the second abnormality index;
calculating a second security score by using the link information of the mail to be detected, and calculating a third security score by using the attachment information of the mail to be detected;
determining to obtain a final security score based on the first security score, the second security score and the third security score;
and if the final security score is larger than a security threshold value, adding a specific mark to the mail to be detected, wherein the specific mark is used for indicating that the mail to be detected is a phishing mail.
2. The method of claim 1, wherein calculating a first security score based on the first abnormality index and the second abnormality index comprises:
acquiring a first abnormal behavior score and a first mail content abnormal score of a sender of the mail to be detected from the first abnormal index, and acquiring a second abnormal behavior score and a second mail content abnormal score of the user to be monitored from the second abnormal index;
and summing the first abnormal behavior score, the first mail content abnormal score, the second abnormal behavior score and the second mail content abnormal score to obtain the first security score.
3. The method according to claim 1, wherein the step of calculating the second security score using the link information of the mail to be detected comprises:
judging whether the mail to be detected contains link information or not;
if the link information is not contained, determining that the second security score is a preset original score;
if the link information is contained, calculating a region corresponding to the domain name of the link information according to preset threat information, and determining the number of various threat events matched with the link information;
and calculating a second security score based on the original score, the geographical region and the number of various threat events matched by the link information and by combining the event grades of the various threat events.
4. The method according to claim 1, wherein the step of calculating the third security score using the attachment information of the mail to be detected comprises:
judging whether the mail to be detected contains attachment information or not;
if the attachment information is not contained, determining that the third security score is 0;
if the attachment information is contained, processing the attachment information through a local sandbox to determine the number of each type of threat event matched with the attachment information;
and calculating the third security score based on the number of each type of threat event matched with the attachment information and the event level of each type of threat event.
5. The method of claim 1, wherein after adding the specific mark to the mail to be detected, the method further comprises:
and sending the information of the sender of the mail to be detected to the management terminal.
6. The method of claim 1, wherein after adding the specific mark to the mail to be detected, the method further comprises:
intercepting the operation and displaying warning information when the operation of opening the mail to be detected is detected;
and if the mail to be detected is detected to be opened, sending the information of the user to be monitored to the management end so that the management end updates the second abnormal index of the user to be monitored.
7. A mail detection system, the system comprising:
an acquisition unit, configured to, when the user to be monitored is detected to receive the mail to be detected, request a management terminal to acquire a first abnormality index of the sender of the mail to be detected and request to acquire a second abnormality index of the user to be monitored;
a first calculation unit, configured to calculate a first security score according to the first abnormality index and the second abnormality index;
the second calculation unit is used for calculating a second security score by using the link information of the mail to be detected and calculating a third security score by using the attachment information of the mail to be detected;
a determining unit, configured to determine to obtain a final security score based on the first security score, the second security score, and the third security score;
and the marking unit is used for adding a specific mark to the mail to be detected if the final security score is greater than a security threshold, wherein the specific mark is used for indicating that the mail to be detected is a phishing mail.
8. The system of claim 7, wherein the first computing unit comprises:
the acquisition module is used for acquiring a first abnormal behavior score and a first mail content abnormal score of a sender of the mail to be detected from the first abnormal index, and acquiring a second abnormal behavior score and a second mail content abnormal score of the user to be monitored from the second abnormal index;
and a calculation module, configured to sum the first abnormal behavior score, the first mail content abnormal score, the second abnormal behavior score and the second mail content abnormal score to obtain the first security score.
9. An electronic device, comprising: the system comprises a processor and a memory, wherein the processor and the memory are connected through a communication bus; the processor is used for calling and executing the program stored in the memory; the memory for storing a program for implementing the mail detection method according to any one of claims 1 to 6.
10. A computer-readable storage medium having computer-executable instructions stored thereon for performing the mail detection method of any of claims 1-6.
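The scoring pipeline of claims 1 to 6, written out as an added example that is not part of the patent and not the applicant's code. The patent gives no concrete formulas, weights or threshold, so the threat-intelligence table, the per-level weights, the region bonus, the preset original score, the security threshold and the choice to sum the three scores into the final score are all assumptions made here for illustration; the sandbox output is simulated.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed threat intelligence: domain -> (region, matched threat events with level).
# Assumed values; the patent only says intelligence yields a region and matched events.
THREAT_INTEL = {
    "login-verify.example": ("REGION-X", [("phishing", 3), ("malware-host", 2)]),
    "intranet.example": ("REGION-HOME", []),
}
LEVEL_WEIGHT = {1: 1, 2: 2, 3: 4}   # assumed weight per event level
HIGH_RISK_REGIONS = {"REGION-X"}     # assumed region bonus applies to these
REGION_BONUS = 2                     # assumed
ORIGINAL_SCORE = 1                   # the "preset original score" (assumed value)
SECURITY_THRESHOLD = 10              # assumed security threshold
MANAGEMENT_QUEUE = []                # stands in for reports sent to the management end

@dataclass
class AbnormalIndex:
    behavior_score: int   # abnormal behaviour score
    content_score: int    # mail content abnormal score

@dataclass
class Mail:
    sender: str
    link_domains: list                 # domains of links in the mail body
    attachment_events: Optional[list]  # None = no attachment; else simulated sandbox hits
    marked_phishing: bool = False

def first_security_score(sender_idx, user_idx):
    # claim 2: sum of sender and recipient behaviour/content abnormal scores
    return (sender_idx.behavior_score + sender_idx.content_score
            + user_idx.behavior_score + user_idx.content_score)

def second_security_score(mail):
    # claim 3: no link -> preset original score; else add region and level-weighted events
    if not mail.link_domains:
        return ORIGINAL_SCORE
    score = ORIGINAL_SCORE
    for domain in mail.link_domains:
        region, events = THREAT_INTEL.get(domain, ("UNKNOWN", []))
        if region in HIGH_RISK_REGIONS:
            score += REGION_BONUS
        score += sum(LEVEL_WEIGHT[level] for _, level in events)
    return score

def third_security_score(mail):
    # claim 4: no attachment -> 0; else weight sandbox-matched events by level
    if mail.attachment_events is None:
        return 0
    return sum(LEVEL_WEIGHT[level] for _, level in mail.attachment_events)

def detect(mail, sender_idx, user_idx):
    # claim 1 (final score assumed to be the sum) and claim 5 (report sender if marked)
    final = (first_security_score(sender_idx, user_idx)
             + second_security_score(mail) + third_security_score(mail))
    if final > SECURITY_THRESHOLD:
        mail.marked_phishing = True
        MANAGEMENT_QUEUE.append(mail.sender)
    return final
```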
Priority Applications (1)

Application Number Priority Date Filing Date Title Status
CN202210830862.1A 2022-07-15 2022-07-15 Mail detection method, system and related equipment Pending

Publications (1)

Publication Number Publication Date
CN115208850A (en) 2022-10-18

Family

ID=83581486

Country Status (1)

Country Link
CN (1) CN115208850A (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103841094A (en) * 2012-11-27 2014-06-04 阿里巴巴集团控股有限公司 Method and device for judging mail types
US20160057167A1 (en) * 2014-08-21 2016-02-25 Salesforce.Com, Inc. Phishing and threat detection and prevention
CN111092902A (en) * 2019-12-26 2020-05-01 中国科学院信息工程研究所 Attachment camouflage-oriented fishfork attack mail discovery method and device
CN112003779A (en) * 2020-07-28 2020-11-27 杭州安恒信息技术股份有限公司 Phishing mail detection method and medium based on dynamic and static link characteristic identification
CN113240297A (en) * 2021-05-19 2021-08-10 清华大学 Phishing mail detection method and system
CN113489734A (en) * 2021-07-13 2021-10-08 杭州安恒信息技术股份有限公司 Phishing mail detection method and device and electronic device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination