JP2008192122A - Malicious mail detector, detecting method and program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a malicious mail detecting technology detecting spam mail and malware even when a part of data included in a packet is intentionally modified. <P>SOLUTION: This malicious mail detector 50 has a storage means 170 storing the feature amount of a character string pattern included in mail to be compared; a computing means 120 computing the feature amount of the character string pattern within a computation range defined beforehand out of received mail; and determining means 130, 140 determining whether the mail is malicious mail from the similarity between the feature amount of the character string pattern of the received mail computed by the computing means and the feature amount of the stored character string pattern. <P>COPYRIGHT: (C)2008,JPO&INPIT

Description

  The present invention relates to a malicious email detection device that detects malicious emails, and in particular, provides a malicious email detection technology that can detect even malicious emails in which part of data included in a packet is intentionally changed. About that.

  With the spread of the Internet, the damage caused by spam emails has become serious. Spam mail is so-called spam mail that is sent unilaterally without considering the convenience of the mail recipient. When a spam mail is received, resources such as the hard disk and memory of the received computer are consumed, and a load is imposed on the network connected to the computer. Spam mail is now one of the threats in the network, and various methods have been studied for various spam mail countermeasures.

  As a countermeasure conventionally taken, there is a pattern matching method for matching a pre-registered pattern with a received mail. This method is a method (URL filtering) for determining that the received mail is a spam mail when a certain character string such as a URL is included in the received mail. The spam mail often uses the URL of the destination site to be referred to by the recipient of the spam mail, and therefore uses this feature. Specifically, this is a technique in which a URL included in an email is compared with a URL registered in advance in a database, and the email is regarded as a spam email if the URL matches completely.

  However, such a conventional method has a problem in that maintenance is required each time, such as managing a database for verification on the administrator side, and operation costs are increased. The spam detection rate was also low.

  Against this background, several techniques have been proposed to increase the spam mail detection rate and reduce the burden on administrators.

  For example, if the number of email flows exceeds a predetermined threshold, or if a part of the judgment word is included in the body of the received email, it is determined that the email is spam and the email is determined to be spam There has been proposed a technique for registering the URL as a determination word candidate (Patent Document 1). According to the invention of Patent Document 1, not only when the URLs completely match, but also when some of the determination words match, it can be determined that the message is spam, and thus the detection accuracy is improved. Moreover, since the URL registration means extracts the URL from the junk mail and directly generates the black list, the burden on the administrator is reduced.

It also creates additional features (for example, features for character N-grams based on N-grams) to facilitate spam detection, creates features for entropy of character sequences, and filters using machine learning systems Has been proposed to detect and prevent spam (Patent Document 2). In the invention of Patent Document 2, the accuracy of spam mail detection is improved by including additional features that exceed those commonly used by the spam filter of the prior art.
JP 2005-208780 A JP 2005-018745 A

  However, although such techniques have been proposed, it has been difficult to reliably detect spam mails. For example, in the invention of Patent Document 1, it can be detected even when a part of the determination word is included in the received mail, but it cannot be detected if a part of the URL is intentionally changed. There was a problem. In the invention of Patent Document 2, although the accuracy of spam mail detection is improved by training a filter using a machine learning system, a part of data included in a packet is intentionally changed. There was a problem that cannot be detected.

  That is, the conventional detection method including the inventions of Patent Document 1 and Patent Document 2 is based on the premise that the time taken to register the URL included in the spam mail is shorter than the cycle of appearance frequency of new spam mail. It had been. Therefore, if a spam mail is received that intentionally changes a part of a known URL with almost no change in the body of the mail, the URL registration / filter update in the database cannot catch up, and the spam mail is URL filtered. There was a problem of slipping through.

  The problem that a part of the data contained in a packet is intentionally changed to avoid detection was not limited to spam mail. For example, with the conventional detection methods including the inventions of Patent Literature 1 and Patent Literature 2, it is difficult to detect malware (malicious software). There were several reasons for this.

  The first reason is that malware is unable to keep up with the creation of pattern files because its variants appear one after another.

  The second reason is that although there are many types of subspecies, the absolute number of each subspecies is small, it is difficult to obtain a specimen, and therefore it is difficult to create a pattern file.

  Third, the malware replicates itself during the infection process and sends it to the target computer, but the malware changes some of its data to avoid detection. Since duplication is performed, it is difficult to detect with the conventional detection methods including the inventions of Patent Document 1 and Patent Document 2.

  Furthermore, as described above, in the computer that receives the spam mail, resources such as a hard disk and a memory are consumed, and a load is imposed on the network connected to the computer. For example, when spam mail is detected in an environment where there is a large amount of traffic, a large amount of memory capacity is required for the process for managing the session by the received mail and for checking the text of the mail, and processing costs are high. If the hardware specifications are raised to solve this problem, this time, the problem that the apparatus cost becomes high arises.

  Therefore, the problem to be solved by the present invention is to provide a malicious mail detection technique capable of detecting spam mail and malware even when a part of data included in a packet is intentionally changed.

  Furthermore, a problem to be solved by the present invention is to provide a malicious mail detection technique that improves the efficiency of malicious mail detection processing and reduces processing costs.

  A first invention for solving the above-mentioned problems is a storage means for storing a character string pattern feature amount included in a mail used as a comparison target, and a character string pattern in a predefined calculation target range in the received mail. The mail is malicious due to similarity between the calculation means for calculating the feature quantity of the received mail, the feature quantity of the character string pattern of the received mail calculated by the calculation means, and the feature quantity of the stored character string pattern. And determining means for determining whether it is an e-mail.

  According to a second aspect of the present invention for solving the above problem, a calculation step of calculating a character string pattern feature amount in a predetermined calculation target range of received mail, and a character of the received mail calculated by the calculation step And determining whether or not the mail is a malicious mail based on the similarity between the feature quantity of the column pattern and the feature quantity of the stored character string pattern.

  A third invention for solving the above-described problem is a program for an information processing apparatus, which calculates a feature amount of a character string pattern in a predetermined calculation target range in a received mail in the information processing apparatus. Determining whether the mail is a malicious mail based on the similarity between the calculation processing to be performed, the character string pattern feature amount of the received mail calculated in the calculation step, and the stored character string pattern feature amount And determining processing to be executed.

  According to the present invention, it is possible to detect malicious mail even when a part of data is intentionally changed. The reason for this is that the malicious mail detection device of the present invention calculates the feature value of the character string pattern included in the received mail and the storage means for storing the feature value of the character string pattern included in the mail used as the comparison target. Whether the received mail is malicious or not, based on the similarity between the character string pattern feature quantity of the received mail calculated by the calculation means and the character string pattern feature quantity stored in advance. This is because it comprises a judging means for judging the above.

  Next, a first embodiment of the present invention will be described with reference to the block diagrams showing the first embodiment of FIGS. 1, 2 and 3. FIG.

  FIG. 1 is a diagram illustrating an example of a communication system using the malicious mail detection method according to the present embodiment. The detection device 50 is connected to the terminals 51, 52, and 53 through the same segment network. The detection device 50 receives all packets flowing on the same segment. This can be realized by a setting called a promiscuous mode in a general network interface card. The detection device 50 analyzes layer 7 (OSI model layer 7; hereinafter also referred to as “L7”) of the packets of the terminals 51, 52, and 53. The detection device 50 records the analysis result in a log.

  FIG. 2 is a diagram illustrating another example of a communication system using the malicious mail detection method according to the present embodiment. The communication device 60 and the terminals 61, 62, and 63 are connected by a network of the same segment. The communication device 60 is a communication device that provides an L7 level service, and is a proxy and a load balancer. The communication device 60 may be a switch hub that performs L2 level communication control, a router that performs L3 level communication control, or a firewall that performs L4 level communication control. The communication device 60 regulates the packet (discards / blocks the packet) according to the analysis result, and records the regulated packet in a log.

  FIG. 3 is a block diagram showing the configuration of the first embodiment of the present invention. Note that this embodiment may be applied to either the communication system of FIG. 1 or FIG.

  Referring to FIG. 3, the malicious mail detection method according to the first exemplary embodiment of the present invention includes a protocol determination unit 100, a specification unit 110, a target character instruction unit 160, an n-gram processing unit 120, and a determination unit 130. A detection unit 140, a storage unit 150, a reference pattern storage unit 170, and an action processing unit 180.

  The storage unit 150 is a storage medium, and stores an analysis target designated in advance by the user when judging the similarity of packets. The storage unit 150 includes a definition table 151. In the definition table 151, what kind of similarity the detection device 50 or the communication device 60 analyzes is specified in advance for each protocol. For example, in the case of a TCP No. 25 (smtp) packet, whether to see the similarity of the URL included in the mail or to see the similarity of the attached file for malware detection, identify the mail based on the appearance frequency of characters. In this way, it is pointed to see the similarity of mail. In the definition table 151, the number of characters (n) in the counting unit is designated. Specify the number of characters to divide the character string to be counted. For example, n = 1 is set when it is desired to divide and count the character string to be counted.

  When the protocol determination unit 100 receives the received packet, the protocol determination unit 100 determines the L7 protocol of the packet. If information necessary for protocol determination, such as a TCP port number, is added, the protocol can be determined even with stream data obtained by reconstructing a packet. If the TCP port number is 80, it is determined as HTTP, and if the TCP port number is 25, it is determined as SMTP.

  The identifying unit 110 refers to the result determined by the protocol determining unit 100 and the definition table 151, and parses data included in the packet. Specifically, in the definition table 151, when SMTP is specified as a protocol and text / plain is specified as Content-type, the specifying unit 110 analyzes the similarity of URLs included in an email. Judge as specified. Then, the specifying unit 110 searches for an http character and specifies the start position and end position of the URL. The data range to be counted (counted) obtained as a specific result is notified to the n-gram processing unit 120 that actually performs the counting process.

  Here, the counting process is a process of counting the number of character strings included in the character string pattern. The character string pattern is a word / phrase composed of a character string or characters, and is roughly classified into “character string pattern included in received mail” and “character string pattern registered in advance by the user”. The “character string pattern included in the received mail” is a phrase specified in a predefined range in the received mail body or in the attached file of the received mail. Further, the “character string pattern registered in advance by the user” is a characteristic word / phrase included in an email used as a comparison target registered in advance by the user. The character string is one or more characters included in the character string pattern and divided by n characters. In the case of n = 1, the unit delimited by one character is not a character string but strictly a character, but in the following description of the embodiment, even if n = 1, it is expressed as a character string for convenience of explanation. There is a case.

  The target character instruction unit 160 refers to the definition table 151 and specifies the character to be counted. If alphabets and symbols are specified as counting objects in the definition table 151, the target character instruction unit 160 specifies that the characters to be counted are alphabets and symbols. The specified character to be counted is notified to the n-gram processing unit 120.

  The n-gram processing unit 120 generates a received mail based on the information on the count target character, the count target range, and the unit (n) that divides the character string notified from the specifying unit 110 and the target character instruction unit 160. The feature amount of the included character string pattern is calculated. Here, the feature amount is a set of appearance frequencies of one or more character strings constituting the character string pattern.

  In the n-gram processing unit 120, the feature amount is calculated as follows. First, the character string pattern included in the received mail is separated by adjacent character strings of n characters, and the number of occurrences indicating how many of the divided character strings exist in the character string pattern is counted. To do. Further, the appearance frequency for each character string is calculated by dividing the counted value (number of appearances) by the total number of character strings delimited. For example, when n = 1, if the character string pattern is URL (http://example3.com/ex1/top.html), the calculation result of the feature value by the n-gram processing unit 120 is as shown in FIG. It is output as a counting table as shown in the example.

  In this embodiment, the n-gram method of “delimiting the character string of the counting unit to be counted as a character string of n characters” is adopted, and how many combinations of character strings are divided as the character string of n characters. The appearance rate of occurrence will be investigated for each delimited character. The unit (n) for dividing the character string is specified by the user in the definition table.

  The reference pattern storage unit 170 is a storage area for registering a character string pattern included in malicious mail. Specifically, the feature amount of the character string pattern included in the mail certified as malicious mail by the user is registered in advance in this storage unit. Furthermore, the appearance frequency of each character constituting the character string pattern is also calculated and registered in advance. That is, as shown in the example of FIG. 5, a plurality of reference patterns in which each character string constituting the character string pattern is associated with the appearance frequency of each character string are stored for each character string pattern.

  The determination unit 130 searches the reference pattern storage unit for a reference pattern having an appearance pattern including a character string whose appearance is confirmed in the counting table. Here, the “character string whose appearance has been confirmed” is a character whose appearance frequency exceeds 0, and the “appearance pattern” is a combination of characters whose appearance frequency exceeds 0. For example, the appearance pattern in the counting table of FIG. 7 is [a, c, e], and a reference pattern including at least the characters “a”, “c”, or “e” is extracted from the reference pattern storage unit 170.

  When a reference pattern including a character string whose appearance is confirmed in the counting table by the determining unit 130 is found, the detecting unit 140 then compares the counting table with the reference pattern stored in the reference pattern storage unit 170. Then, it is determined whether or not the feature amount of the character string pattern of the received mail is similar to the feature amount of the character string pattern included in the mail certified as malicious mail.

  Specifically, the detection unit 140 calculates, for each character string, the difference between the appearance frequency of each character string included in the counting table and the appearance frequency of each character string of the reference pattern. Then, the average value of the difference values for each character string is compared with the threshold value held by the detection unit. If the difference value is smaller than the threshold value, it is assumed that the similarity of the feature amount has been confirmed, and action processing such as packet restriction and recording in a log is performed.

  Next, the operation of the malicious mail detection apparatus according to the present invention will be described with reference to the flowchart of FIG. 4 showing the malicious mail detection process.

  Here, an example will be described in which malicious mail is detected from the similarity between the URL character string pattern registered in advance as malicious mail and the URL included in the received packet (mail).

  Here, it is assumed that the URL included in the mail is a character string pattern as shown in FIG. In the following description, it is assumed that the number n of characters in the counting unit is designated as 1 (n = 1), and the character string pattern is divided in units of one character.

  When the detection apparatus receives a packet flowing on the network (step S1), the protocol determination unit 100 performs protocol determination at the L7 level (step S2). That is, the protocol determination unit 100 determines that the packet is the SMTP protocol. This protocol determination may be performed at the L2, L3, and L4 levels.

  Next, the data included in the packet is analyzed by the specifying unit 110 and the count target range is specified. Specifically, when the definition unit 151 is referred to by the specifying unit 110 and the content-type: text / plain is included in the data as illustrated in FIG. 6, the specifying unit 110 displays the definition table 151. The character of http is searched based on the information defined in the above, and the start position and end position of the URL are notified to the n-gram processing unit 120 (step S3). In addition, the number of characters in the counting unit (n = 1) is notified to the n-gram processing unit 120.

  Next, the target character instruction unit 160 specifies the character to be counted. In this case, since the alphabet and the symbol are designated as the characters to be counted in the definition file, the alphabet and the symbol are specified as the characters to be counted. This specified information is notified to the n-gram processing unit 120 (step S4).

  Subsequently, characters are counted by the n-gram processing unit 120 in response to instructions from the specifying unit 110 and the target character instruction unit 160 (step S2). Specifically, since the URL included in the received mail is a URL (http://example3.com/ex1/top.html) as shown in FIG. 6, the number of characters is determined in order from the top of the URL. It will be counted. h: +1 (total 1), t: +1 (total 1), t: +1 (total 2), p: +1 (total 1), and so on, and the final count result is a : (Total 1), b: (total 0), c: (total 1), d (total 0), e: (total 3), and so on.

  Eventually, the number of appearances (counter value) of each character is as shown in the counter item column of the counting table in FIG. Further, for normalization, the appearance frequency is calculated by dividing the appearance count of each character by the total number of characters included in the character string pattern to be counted. For example, in the case of the present embodiment, since the total number of characters in the URL of FIG. 6 is 32, each character is divided by 32, and a character string as shown in the “appearance frequency” item of the counting table shown in FIG. The appearance frequency for each is obtained. Information on the number of appearances and the appearance frequency, which are the calculated results, is stored in the count table.

  Next, the determination unit 130 searches the reference pattern storage unit 170 for a reference pattern having an appearance pattern that includes at least a character string that has been confirmed to appear and is stored in the counting table. In this case, as shown in FIG. 7, since the character string (character) whose appearance has been confirmed is [a, c, e], at least one of “a”, “c”, and “e” is set. The reference pattern storage unit 170 searches for a reference pattern to be included. Here, the reference pattern shown in FIG. 5 is extracted.

  When a reference pattern close to the appearance pattern shown in the count table is found after the processing of the determination unit 130 is completed, the detection unit 140 determines whether the appearance frequency item of the count table and the appearance frequency item of the reference pattern are A difference value is calculated for each character string (step S7). Furthermore, the detection unit 140 compares the average value of the difference values calculated for each character string with a threshold value, and if the average value of the difference values is smaller than the threshold value (step S8), there is similarity (malicious mail is transmitted). Detection). Then, the action processing unit 380 performs action processing such as packet restriction and log recording (step S9).

  Even the malicious mail in which a part of the URL is intentionally changed can be detected by the malicious mail detecting apparatus configured as described above.

  In the first embodiment, after the determination unit 130 extracts the reference pattern including the appearance pattern of the character string pattern included in the mail, the detection unit 140 determines the frequency item of the count table and the frequency of the reference pattern. Although it is configured to calculate the difference with the item and determine whether it is a malicious email based on the magnitude relationship between the average value of the difference and the threshold value to be held, the determination unit 130 does not extract the reference pattern described above. And the detection unit 140 may function simultaneously. That is, the difference between the frequency item of the count table and the frequency item of the reference pattern is calculated, and the character string pattern stored in the received mail character string pattern according to the magnitude relationship between the average value of the difference and the threshold value to be held The similarity with the pattern may be directly judged.

  In the first embodiment, the difference value between the appearance frequency item of the count table and the appearance frequency item of the reference pattern is calculated for each character string, and the average value of the difference values for each character string is calculated as follows: The threshold value is compared, and when the average value of the difference values is smaller than the threshold value, it is determined that there is similarity. However, the present invention is not limited to this. After calculating the difference value between the appearance frequency item of the count table and the reference pattern appearance frequency item for each character string, the maximum value of the calculated difference value is compared with a threshold value, and the maximum value of the difference value is calculated. It may be determined that there is similarity when is smaller than the threshold. Alternatively, it may be determined that there is similarity when the degree of deviation of the difference value is smaller than a predetermined threshold.

  In the first embodiment, attention is paid to a URL as a character string pattern included in a malicious mail, and it is determined whether or not the mail is spam based on the similarity between the registered URL and the URL included in the mail. However, according to the present invention, malware can be detected based on the similarity of the attached file.

  Next, a second embodiment of the present invention will be described with reference to a block diagram showing the second embodiment of FIG.

  The malicious mail detection device of the second embodiment includes a specifying unit 210, an n-gram processing unit 220, a determination unit 230, a detection unit 240, a target character instruction unit 260, a reference pattern storage unit 270, an action And a processing unit 280.

  The specifying unit 210 refers to the definition table 251 and instructs the n-gram processing unit 220 of a predefined count target range included in the attached file of the received mail.

  The n-gram processing unit 220 calculates a feature amount for the character string pattern in the calculation target range specified by the specifying unit 210 and the target character specifying unit 260.

  The target character instruction unit 260 refers to the definition table 251 and specifies the character to be counted in the data included in the attached file.

  The reference pattern storage unit 270 is a storage area for registering a character string pattern included in a malicious mail (malware). It is desirable that the character string pattern to be registered is a characteristic character string pattern that is not included in normal mail but included only in malware. Furthermore, the appearance frequency of each character constituting the character string pattern is also calculated and registered in advance. Since the functions of the other components are the same as those in the first embodiment, detailed description thereof is omitted.

  Next, the operation in the second embodiment will be described.

  Here, in the definition file, in the case of the conditions of “protocol: SMTP” and “Content-type: application”, “all ranges of attached files are subject to counting” and “all characters are subject to counting”. Is defined. Also here, the case where the number of characters n in the counting unit is designated as 1 (n = 1) will be described as an example.

  The identification unit 210 confirming that the protocol determination result by the protocol determination unit 200 is SMTP and application is written in the Content-type, in the data portion corresponding to the attached file, Whether to count) is instructed to the n-gram processing unit 220 with reference to the definition file.

  The target character instruction unit 260 instructs the n-gram processing unit 220 to count all characters. The n-gram processing unit 220 calculates a feature amount for the character string pattern in the calculation target range in the attached file of the received mail, and stores the calculated result in the count table.

  Subsequently, the determination unit 230 searches the reference pattern storage unit 270 for a reference pattern having an appearance pattern that includes a character string that is stored in the count table and has been confirmed to appear.

  When a reference pattern close to the appearance pattern shown in the count table is found after the processing of the determination unit 230 is completed, the detection unit 240 determines whether the appearance frequency item of the count table and the appearance frequency item of the reference pattern are The difference value is calculated for each character string. Furthermore, the detection unit 240 compares the average value of the difference values calculated for each character string with a threshold value, and determines that there is similarity (malware detection) if the average value of the difference values is smaller than the threshold value. The action processing unit 280 performs action processing such as packet restriction and recording in a log.

  In the second embodiment configured as described above, a set of appearance frequencies of the character strings constituting the character string pattern included in the malware attached mail is stored in advance in the reference pattern storage unit, and the received mail is attached. Since there is a judging means for judging whether or not a malicious mail is based on the similarity with the set of appearance frequencies of the character strings constituting the character string pattern included in the file, one of the attached file data included in the mail is included. It is possible to detect even malware whose part has been changed.

  Now, the appearance frequency of characters is characteristic for each type of mail. Focusing on this feature, the detection device of the present invention can also function as a mail identification device.

  Next, a third embodiment of the present invention will be described with reference to a block diagram showing the third embodiment of FIG.

  In the third embodiment, the specifying unit 310, the n-gram processing unit 320, the determination unit 330, the detection unit 340, the target character instruction unit 360, the reference pattern storage unit 370, the action processing unit 380, Have

  The specifying unit 310 refers to the definition table 351 and instructs the n-gram processing unit 320 of a predefined count target range included in the received mail.

  The target character instruction unit 360 refers to the definition table 351 and specifies the character to be counted in the data included in the attached file.

  The n-gram processing unit 320 calculates a feature amount for the character string pattern in the calculation target range instructed by the specifying unit 310 and the target character instruction unit 360.

  The reference pattern storage unit 370 is a storage area for registering in advance a character string pattern that is characteristic enough to specify the mail type. The character string pattern to be registered is preferably a characteristic character string pattern suitable for specifying the type of mail. Furthermore, the appearance frequency for each character string constituting the character string pattern is also calculated and registered in advance. Since the functions of the other components are the same as those in the first embodiment, detailed description thereof is omitted.

  In the first and second embodiments, a mail that is recognized as a malicious mail is registered in advance, and the appearance frequency of each character constituting the character string pattern of the received mail and the stored character string are stored. The difference between the appearance frequency of each character constituting the pattern is calculated, and when the average value of the difference value calculated for each character is smaller than a predetermined threshold, the received mail is determined to be malicious mail. This is not a limitation. Mail that has been certified as not malicious mail is registered in advance, and the difference between the appearance frequency of each character constituting the character string pattern of the received mail and the appearance frequency of each character constituting the stored character string pattern Of course, it is possible to adopt a configuration in which the received mail is determined to be malicious mail when the average value of is greater than a predetermined threshold.

  Next, the operation in the third embodiment will be described.

  Here, in the case of the conditions of “protocol: SMTP” and “Content-type: text / plain”, the definition file includes “from 1st byte to 100th byte of data included in mail”. It is assumed that the definition that “all characters are to be counted” is made. Also here, the case where the number of characters n in the counting unit is designated as 1 (n = 1) will be described as an example.

  The identification unit 310 that has confirmed that the protocol determination result by the protocol determination unit 300 is SMTP and that text / plain is described in the content-type in the definition file 351 refers to the definition file, and the count target range Instructs the n-gram processing unit 320 to set the counting range from the first byte to the 100th byte of the data included in the mail.

  The target character instruction unit 360 instructs the n-gram processing unit 320 to count all characters (alphabets, numbers, symbols, kanji, kana, etc.). The n-gram processing unit 320 stores the counted result in the counting table.

  Subsequently, the determination unit 330 searches the reference pattern storage unit 370 for a reference pattern having an appearance pattern including a character string that is stored in the count table and has been confirmed to appear.

  When the reference pattern close to the appearance pattern shown in the counting table is found after the processing of the determination unit 330 is completed, the received mail type is the same as the mail type registered in the reference pattern. Can be identified.

  In the third embodiment configured as described above, a character string pattern capable of specifying the type of mail is associated with a set of appearance frequencies of character strings constituting the character string pattern in advance in the reference pattern storage unit. Since it has a judgment means to store and determine the similarity with the set of appearance frequencies of the character strings constituting the character string pattern included in the received mail, what type of mail the received mail is, Mail can be identified.

  Next, a fourth embodiment will be described with reference to the overall block diagram of FIG. 11 and the block diagram of FIG.

  Referring to FIG. 11, the configuration of the fourth embodiment further includes a memory release function unit 490 in addition to the configurations of the first to third embodiments. The memory release function unit 490 constructs at least one stream from the received mail according to a predetermined stream construction rule. Here, the “predetermined stream construction rule” is, for example, “concatenates received mail packets to a certain size to construct a stream” or “line feed code included in the received data smtp command” The rule is defined in advance for constructing a stream, such as “construct stream until confirmation”. Then, the constructed stream is managed, and when the feature amount calculation by the n-gram processing unit 420 is completed, the memory area used for managing the stream is released.

  The stream constructed here is a processing unit of data parsing by the specifying unit 410 and counting processing / feature amount calculation processing by the n-gram processing unit 420.

  When receiving the instruction from the memory release function unit 490, the specifying unit 410 starts syntax analysis. At this time, the identifying unit 410 uses the stream data passed from the memory release function unit 490 as a processing unit for parsing. After the parsing process, the identifying unit 410 passes the stream to the n-gram processing unit 420 together with the parsing result.

  The n-gram processing unit 420 calculates a feature amount for each stream passed from the specifying unit 410. When the calculation process of the feature value for each stream ends, the memory release function unit 490 is notified of the end. In addition, the specifying unit 410 and the n-gram processing unit 420 have the functions described in detail in the first to third embodiments, but detailed description thereof is omitted here. Further, the functions of the other components are the same as those in the first to third embodiments, and thus detailed description thereof is omitted here.

  Next, the internal configuration of the memory release function unit 490 will be described in detail with reference to the block diagram of FIG.

  The memory release function unit 490 includes a session management unit 4000, a stream reconstruction processing unit 4001, a protocol state transition management unit 4002, an instruction unit 4003, a session management table 4010, a stream management table 4011, and a protocol state transition management. Part 4012.

  When the session management unit 4000 receives a mail packet via the protocol determination unit 400, the session management unit 4000 determines whether or not the session by the received mail is new. If it is determined that the session is a new session, a session ID, which is identification information for specifying the session by the received mail, is assigned.

  In addition, the session management unit 4000 registers connection information of a new session by the received mail packet in the table in association with the session ID. Further, the connection information of the session that is no longer needed is deleted from the table. Here, the connection information is information for specifying a session (connection). For example, the source / destination IP address, the source / destination port number, and the protocol information. This connection information registration / deletion is performed on the session management table 4010 of the session management unit 4000.

  Also, the session management unit 4000 passes the packet that has been registered / deleted to the session management table 4010 to the stream reconstruction processing unit 4001.

  Here, a method for determining whether or not the session is a new session is performed by referring to at least five tuples of a transmission source IP address, a transmission destination IP address, a transmission source port number, a transmission destination port number, and a protocol. Is called. That is, the session management unit 4000 refers to the 5-tuple of the arrived packet, and if it is not registered in the session management table 4010, registers the connection information of the received packet as a new session. If the session has already been registered, the registration process is not performed. Also, in response to an instruction from the instruction unit 4003, connection information of a session that is no longer needed is deleted, and the memory area is released.

  The stream reconstruction processing unit 4001 newly constructs at least one stream based on the mail packet received from the session management unit 4000 according to the stream construction rule. Further, a stream ID that is identification information for specifying the stream is given to the constructed stream. Here, the stream reconstruction processing unit 4001 manages a stream to which a stream ID is assigned using a stream management table 4011 provided for stream management. The stream reconstruction processing unit 4001 registers the assigned stream ID in association with the stream information (stream data size, head pointer address, etc.) in the stream management table 4011 and further manages the stream ID in association with the session ID. .

  Further, the stream reconstruction processing unit 4001 releases a memory area for managing the constructed stream in response to the instruction from the instruction unit 4003 and the notification of the stream ID. Specifically, the stream information corresponding to the notified stream ID is deleted from the stream management table 4011.

  FIG. 13 shows an example of a session management table, and FIG. 14 shows an example of a stream management table. When receiving the mail, the stream reconstruction processing unit 4001 refers to the session management table 4010 shown in the example of FIG. 13 and checks the session ID based on the connection information of the received mail packet. Then, referring to the stream management table 4011 shown in the example of FIG. 14, a stream is constructed according to the value of the “stream construction flag” (hereinafter also referred to as flag value) corresponding to the acquired session ID.

  Here, the stream construction flag is an identifier that is referred to when a construction unit is determined in stream construction. Until the mail body data is received, the flag value of the stream construction flag is set to “0”. When the mail text data is received, the flag value “1” is set. The stream construction flag is set by the stream construction processing unit 4001 that has received notification of the transition of the smtp command.

  The stream reconstruction processing unit 4001 displays up to “line feed code” when the value of the stream construction flag is “0”, and “1” as “predetermined size or the end of the mail text (“. The stream is constructed until “Reception of line” ”, and the stream reconstruction processing unit 4001 passes the constructed stream to the protocol state transition management unit 4002.

  Upon receiving the stream constructed by the stream reconstruction processing unit 4001, the protocol state transition management unit 4002 tracks the protocol state transition and manages the protocol state transition status. Further, the received stream is passed to the specifying unit 410. Specifically, when a stream constructed in the state of “flag value 0” is received from the stream reconstruction processing unit 4001, tracking of the protocol state transition is started.

  The tracking of this transition is performed using a protocol state transition management table 4012 in which protocol transition information (smtp command) is registered. Specifically, the protocol state transition management unit 4002 performs tracking based on the match / mismatch between the smtp command included in the received data and the smtp command registered in the protocol state transition management table 4012 in advance. When the smtp command included in the received data matches the smtp command registered in advance in the protocol state transition management table 4012, the tracking of the transition of the protocol state (the state of the smtp command) is continued. If they do not match, the tracking of this transition is interrupted, and further, the stream construction process from the received mail is also interrupted. As a result, a stream with an illegal protocol command is excluded from the analysis target. This is because it is not necessary to construct / analyze a stream with an obviously invalid protocol command.

  On the other hand, when the stream is received from the stream reconstruction processing unit 4001 in the state of “flag value 1”, the protocol state transition management unit 4002 identifies the stream without tracking the transition of the protocol state (the state of the smtp command). To the unit 410. This is because in the case of “flag value 1”, it is obvious that the state has already transitioned to the “DATA” command, and it is not necessary to trace the transition.

  Further, the protocol state transition management unit 4002 collates the information in the protocol state transition management table 4012 with the stream data, and when the transition to “DATA” is confirmed, notifies the stream reconstruction processing unit 4001 of the completion of the transition. . This notification is performed via the instruction unit 4003. Further, when the tracking of the transition is finished, information indicating the status of the protocol state transition is deleted from the protocol state transition management table 4012 in response to the notification from the instruction unit.

  The instruction unit 4003 controls memory release in cooperation with each unit (session management unit, stream reconstruction processing unit, protocol state transition management unit). Also, it instructs each unit to start stream construction and syntax analysis. Specifically, when the notification of completion of transition to “DATA” is received from the protocol state transition management unit 4002, the stream reconstruction processing unit 4001 is notified of “a predetermined size (or end of the mail text (“. “Receive line”)) ”to instruct to build a stream.

  In addition, when the instruction unit 4003 receives a notification from the stream reconstruction processing unit 4001 that the stream construction is completed until a predetermined size is reached, the instruction unit 4003 instructs the specifying unit 410 to start parsing. Further, upon receiving a notification from the n-gram processing unit 420 that the “feature amount calculation processing” has been completed, the instruction unit 4003 responds to the notification and sends a stream reconstruction processing unit to release the session with the constructed stream. An instruction is notified to 4001. At the time of notification of this instruction, the stream ID assigned to the constructed stream is also notified.

  Upon receiving this notification, the stream reconstruction unit 4001 deletes information related to the session ID corresponding to the notified stream ID from the stream management table 4011.

  Further, when the instruction unit 4003 receives a notification from the stream reconstruction processing unit 4001 that the deletion of the information associated with the session ID including the stream ID assigned to the constructed stream has been completed, the instruction unit 4003 An instruction to delete the connection information from the session management table 4010 is notified to the session management unit 4000. Similarly, the protocol state transition management unit 4002 is notified of an instruction to delete the protocol transition information from the protocol state transition management table 4012. The stream ID is also notified when this instruction is notified.

  Upon receiving this notification, the session management unit 4000 and the protocol state transition management unit 4002 delete information registered in association with the notified stream ID from the session management table 4010 and the protocol state transition management table 4012, respectively.

  Next, the operation of the malicious mail detection device according to the fourth embodiment will be described with reference to the flowcharts shown in FIGS.

  In the present embodiment, a case will be described as an example where the present apparatus installed in a network environment in which packets other than mail are mixed in addition to mail packets processes smtp protocol packets as analysis targets.

  In the present embodiment, it is assumed that a session ID “0001” is given to a received mail (hereinafter also referred to as received mail A). In the following description, it is assumed that “source IP address, destination IP address, source port number, destination port number, protocol number” are “s1, d1, sp1, dp1, TCP25”, respectively.

  In the present embodiment, a case where a stream corresponding to a data amount of 500 bytes is constructed after reception of mail body data, and a feature amount is calculated using the 500-byte stream as a processing unit will be described as an example.

  In the following, stream IDs “stream1 to stream4” are assigned to the stream constructed “until the line feed code is confirmed”, and the stream constructed “until it reaches a certain size (500 bytes)” It is assumed that the stream ID “stream5” is given. The fixed size is described here as being 500 bytes, but is not limited to 500 bytes. For example, the data size is set to 300 bytes in advance, a stream corresponding to the data amount of 300 bytes is constructed, and the memory area is released after the feature amount calculation for the processing unit of 300 bytes is completed. You may make it comprise.

  Further, the present embodiment may be applied to either the detection device shown in the example of FIG. 1 or the communication device shown in the example of FIG.

  When the packet stream flows into the apparatus, the protocol determination unit 400 determines the L7 protocol of the packet. As a result of the determination by the protocol determination unit 400, the packet of the stream determined to be the SMTP protocol is passed to the memory release function unit 490. When this packet is received by the session management unit 4000 of the memory release function unit 490 (step T2), the session management unit 4000 determines whether or not the session by the received packet is new. Specifically, the session management table 4010 is referred to by referring to information (hereinafter also referred to as connection information) of a 5-tuple (a combination of transmission source IP, transmission destination IP, transmission source port, transmission destination port, and protocol) of the arrived packet. If not registered (step T3: No), it is determined whether the session is a new session.

  When it is determined that the session is a new session (step T3: No), a new session ID is assigned to this session by the session management unit 4000. Here, “0001” is assigned. Further, the stream reconstruction processing unit 4001 sets the value of the stream construction flag corresponding to the session ID “0001” to “0” (step T5).

  In this way, as shown in FIG. 13, the assigned session ID “0001” and the connection information by the session are associated and registered in the session management table 4010. If already registered, registration is not performed (step T3: Yes).

  Subsequently, the stream reconstruction processing unit 4001 refers to the stream construction flag and starts stream construction. Here, since the flag value is “0”, a stream is constructed until there is a line feed code in the received data (step T8).

  The stream constructed here is passed to the protocol state transition management unit 4002. Then, the protocol state transition management unit 4002 checks whether or not the received mail packet includes a normal protocol command (steps T9 and T10). Specifically, this check is performed depending on whether the smtp command included in the received data matches the smtp command registered in the protocol state transition management table 4012 in advance.

  If it does not match the smtp command registered in advance, the protocol state transition management unit 4002 determines that the received mail packet is a packet including an invalid protocol command. Then, the construction of the stream is terminated, and the process proceeds to reception processing for the next packet (step T10: No, step T30).

  If they match, the protocol state transition management unit 4002 determines that the received mail packet is a packet including a correct protocol command. Then, an instruction is notified to the stream reconstruction processing unit 4001 so as to construct a stream with reference to the session management table 4010. Here, since the stream construction flag is “0”, the packet of the received mail A is connected and the stream is constructed until “line feed code” is confirmed (step T11). A stream ID is assigned to the constructed stream by the stream reconstruction processing unit 4001 (step T12). Here, the stream ID “stream1” is assigned.

  In addition, the stream constructed at this time is transferred to the protocol state transition management unit 4002, and the state transition of the protocol is tracked (step T13).

Here, the reason is that a stream is constructed for each “line feed code”, so that the protocol state transition management unit 4002 correctly recognizes a protocol command. SMTP has a line feed code after a character string of a command. Therefore, if the stream is constructed up to the “line feed code”, the protocol command can be accurately recognized even when the SMTP command extends over a plurality of packets. For example, the received packet is the first packet: [HE], the second packet: [LO
example. co. jp "line feed code"], if the stream is constructed up to "line feed code", the data of "HELO example.co.jp" line feed code "" is obtained by concatenating the first packet and the second packet. Can do. As a result, the existence of the smtp command “HELO” can be confirmed. When the SMTP command is contained in one packet, the packets are not connected. This is because the protocol command can be confirmed without connecting the packets.

  In this way, the process of constructing a packet up to “carriage return code” as a stream based on the received packet is repeated until the “DATA” command is received (step T8 to step T11). As a result, here, four streams including ““ HELO ”command”, ““ MAIL FROM ”command”, ““ RCPR TO ”command”, and ““ DATA ”command” are constructed by the stream reconstruction processing unit 4001. The stream ID “stream1 to stream4” is assigned to the constructed stream by the stream reconstruction processing unit 4001, and is managed for each session ID in the stream management table 4011. Specifically, the assigned “ “stream1” to “stream4” are associated with the session ID “0001” and managed in the stream management table together with other stream information. At this time, the flag value corresponding to the session ID “0001” is 0.

  Further, the protocol state transition management unit 4002 tracks the transition of the protocol state (step T13), and checks whether or not the smtp command, which is a protocol command, has transitioned to the ““ Data ”command” (step S13). T14).

  Here, the confirmation of the transition to the “DATA” command by the protocol state transition management unit 4002 is specifically performed as follows.

  Protocol transition information is registered in the protocol state transition management table 4012 in advance. For example, a command “HELO”-> “MAIL FROM”-> “RCPT TO”-> “DATA” is registered as transition information of the protocol to be tracked. The protocol state transition management unit 4002 checks the match / mismatch of the command information registered in the protocol state transition management table 4012 and the command information of the data included in the packets constituting the traffic, thereby determining the protocol state. It is confirmed whether or not the transition to the “DATA” command has been made.

  The flag value is 0 until the transition to the “DATA” command is confirmed, and the stream reconstruction processing unit 4001 performs the process of constructing the stream until the line feed code in the received mail is confirmed.

  When the transition to the “DATA” command is confirmed by the protocol state transition management unit 4002 (step T14: Yes), the protocol state transition management unit 4002 notifies the stream reconstruction processing unit 4001 of the completion of the transition to the “DATA” command. Notice. This notification is performed via the instruction unit 4003. Upon receiving this notification, the stream reconstruction processing unit 4001 recognizes that the reception of the mail body data has started. Then, the stream reconstruction processing unit 4001 updates / sets the stream construction flag from 0 to 1 (step T15).

  In the stream reconstruction processing unit 4001 in which the stream construction flag is set to 1, the stream size to be constructed is subsequently changed. As a result, the process is switched from the “construct stream to“ line feed code ”” process to “construct stream to 500 bytes or the end of the mail text (until the“. ”Line is received)” (step T16).

  The purpose of switching the construction process and changing the stream size as described above is as follows. In other words, the data received after receiving the “DATA” command is the data of the mail body, but the stream can be built only for one line of the mail body with the “build stream to“ line feed code ”” construction process. After receiving the “DATA” command, the stream is built up to a certain size (500 bytes in the embodiment) or until the end of the mail text (until the “.” Line is received), and processing required for analysis processing It is necessary to secure a unit.

  When the stream reconstruction processing unit 4001 completes the stream construction up to the end of 500 bytes or the mail body (reception of the “.” Line) (step T17: Yes), the stream ID “stream5” is assigned to the constructed stream. Is given (step T18). The stream to which “stream5” is assigned is passed to the specifying unit 410 via the protocol state transition management unit 4002. In addition, a notification that “stream construction has been completed up to 500 bytes” is transmitted to the instruction unit 4003 together with the stream ID “stream5”. The registration status of the stream management table at this time is shown in the example of FIG.

  Upon receiving this stream construction end notification, the instruction unit 4003 notifies the specifying unit 410 of an instruction to notify the start of syntax analysis of the stream data and the stream ID “stream5” (step T19). In response to this notification, the identifying unit 410 starts parsing data using a stream having a data amount of 500 bytes as a processing unit (step T20). Further, the n-gram processing unit 420 calculates a feature amount for the stream with the notified stream ID “stream5”, with a stream having a data amount of 500 bytes as a processing unit (step T22).

  When the feature amount calculation processing by the n-gram processing unit 420 ends (step T23: Yes), a processing completion notification is sent from the n-gram processing unit 420 to the stream reconstruction processing unit 4001 via the instruction unit 4003. (Step T24). At this time, the stream ID “stream5” is also notified to the stream reconstruction processing unit 4001 (step T25).

  Upon receiving this processing completion notification, the stream reconstruction processing unit 4001 releases the memory area for managing the notified stream ID “stream5” (step T26). At this time, the memory area for stream management is also released for other streams having the same session ID “0001” as the stream corresponding to the stream ID “stream5” (streams corresponding to the stream ID “stream1 to 4”). (Step T27). Thus, for the stream IDs “stream1 to stream5” associated with the session ID “0001” corresponding to the stream ID “stream5”, the stream information corresponding to these stream IDs is deleted from the stream management table 4011. Become.

  Subsequently, the stream reconstruction processing unit 4001 returns a completion notification indicating that the memory release has been completed, together with the stream ID, to the instruction unit 4003.

  Further, the instruction unit 4003 that has received the memory release completion notification instructs the session management unit 4000 and the protocol state transition management unit 4002 to delete the corresponding sessions in the remaining session management table 4010 and protocol state transition management table 4012. An instruction is notified to.

  Upon receiving this notification, the session management unit 4000 releases the memory area used to manage the session using the stream with the notified stream ID (step T28). Specifically, the session ID “0001” and the connection information associated with the session ID “0001” are deleted from the session management table 4010.

  Similarly, the protocol state transition management unit 4002 that has received the notification from the instruction unit 4003 also releases the memory area used to manage the stream with the notified stream ID (step T28). Specifically, information indicating the status of the protocol state transition tracked for each packet constituting the constructed stream is deleted from the protocol state transition management table 4012. Thus, the release of the memory area is completed (step T29).

  In the fourth embodiment configured as described above, when the data of the stream constructed from the received mail is prepared according to the stream construction rules without waiting for the data for one mail to be acquired, the data Can begin parsing. Accordingly, it is possible to further reduce the time required for detecting the malicious mail and to improve the efficiency of the malicious mail detection process.

  Further, in the fourth embodiment, the data parsing is started when the data of the stream constructed from the received mail is prepared according to the stream construction rules without waiting for the data for one mail to be prepared. Then, after the calculation of the feature value by the n-gram processing unit is completed, the memory area used for managing the stream of this processing unit is released. Therefore, the capacity of the mounted memory can be reduced, and the cost of the apparatus can be suppressed.

  Furthermore, in the fourth embodiment, the protocol state transition management unit in the memory releasing unit tracks the transition of the protocol state, and after confirming that the smtp command has transitioned to the “DATA” command, the stream is streamed to a certain size. Is building. For this reason, packets that violate the protocol are not subject to analysis, and only packets that comply with the correct protocol are subject to analysis. Therefore, the analysis target can be narrowed down and the processing efficiency can be further improved.

  In this embodiment, from the viewpoint of processing efficiency, only the stream constructed for the mail body data is set as the feature quantity calculation target. However, the present invention is not limited to this. The mail header may be included in the analysis target by including the stream constructed up to the line feed code as the feature amount calculation target. For example, not only the stream 5 stream, but also the feature amount is calculated for all streams 1 to 5, and the memory area used to manage these streams is released after the feature amount calculation. Also good.

  Further, in this embodiment, after the stream is constructed up to the line feed code, the stream is constructed until the data of the mail body reaches a certain size, but the stream construction processing up to the line feed code may be omitted. For example, only the presence / absence of reception of the “DATA” command may be monitored, and the stream may be constructed until the data of the mail text reaches a certain size upon receipt of the “DATA” command.

  In this embodiment, after the feature amount calculation by the n-gram processing unit is completed, the stream information related to the session ID managed in the stream management table and the session management table of received mail packets are managed. The connection information and the protocol transition information managed in the protocol state transition management table of the received mail packet are deleted, and the memory area used to manage the constructed stream is released. However, this need not be limited. At least one of the stream information, connection information, and protocol transition information related to the session ID described above may be deleted. Even if the information is other than the above, it may be deleted as long as the information is used for managing the data of the constructed stream to release the memory area.

  In the fourth embodiment, three tables are prepared, and the stream information, connection information, and protocol transition information related to the session ID are managed in each table. You may make it manage in a centralized manner with a table.

  In the fourth embodiment, a configuration having a memory release function unit in addition to the configurations shown in the first to third embodiments will be described as an example. However, the present invention is not limited to this. The protocol determination unit may have the function of a memory release function unit.

  In the first to fourth embodiments described above, for convenience of explanation, the terminal and the detection device of the present invention have been described as separate hardware, but each part of the malicious mail detection device of the present invention has been described. It may be incorporated in a terminal to realize a malicious mail detection function on the terminal.

  In the first to fourth embodiments, each unit of the apparatus is configured by hardware. However, part or all of the processing of each unit may be executed as a program by the information processing apparatus.

The figure which shows an example of the communication system using the malicious email detection apparatus in a present Example. The figure which shows another example of the communication system using the malicious email detection apparatus in a present Example. The block diagram which shows the structure of the 1st Example in this invention. The flowchart which shows the processing flow in the malicious email detection apparatus of this invention Diagram showing examples of reference patterns Figure showing an example of email Figure showing an example of a counting table Example of calculating the difference in appearance frequency of character strings The block diagram which shows the structure of the 2nd Example in this invention. The block diagram which shows the structure of the 3rd Example in this invention. The block diagram which shows the structure of the 4th Example in this invention. The block diagram which shows the structural example of the memory release function part in 4th Example The figure which shows the example of the session management table in a 4th Example. The figure which shows the example of the stream management table in a 4th Example. The flowchart which shows the processing flow in a 4th Example. The flowchart which shows the processing flow in a 4th Example.

Explanation of symbols

30 Network 40 Network 50 Detection Device 51 Terminal 52 Terminal 53 Terminal 60 Communication Device 61 Terminal 62 Terminal 63 Terminal 100 Protocol Determination Unit 110 Identification Unit 120 n-gram Processing Unit 130 Determination Unit 140 Detection Unit 150 Storage Unit 160 Count Target Character Indication Unit 170 Reference pattern storage unit 180 Action processing unit 200 Protocol determination unit 210 Identification unit 220 n-gram processing unit 230 Determination unit 240 Detection unit 250 Storage unit 260 Count target character instruction unit 270 Reference pattern storage unit 280 Action processing unit 300 Protocol determination unit 310 identification unit 320 n-gram processing unit 330 determination unit 340 detection unit 350 storage unit 351 definition table 360 counting target character instruction unit 370 reference pattern storage unit 380 action processing unit 00 protocol determination unit 410 identification unit 420 n-gram processing unit 430 determination unit 440 detection unit 450 storage unit 451 definition table 460 counting target character instruction unit 470 reference pattern storage unit 480 action processing unit 490 memory release function unit 4000 session management unit 4001 Stream reconstruction processing unit 4002 Protocol state transition management unit 4003 Instruction unit 4010 Session management table 4011 Stream management table 4012 Protocol state transition management table

Claims (23)

Storage means for storing a feature amount of a character string pattern included in an email used as a comparison target;
A calculation means for calculating a feature amount of a character string pattern in a predefined calculation target range in the received mail;
Determining means for determining whether or not the mail is a malicious mail based on the similarity between the characteristic amount of the character string pattern of the received mail calculated by the calculating means and the characteristic amount of the stored character string pattern; A malicious mail detection device comprising:   The malicious mail detection device according to claim 1, wherein the feature amount is a set of appearance frequencies of one or more character strings constituting a character string pattern.   The determination means determines the character of the received mail calculated by the arithmetic means when the mail used as the comparison target is a mail certified as malicious mail and the character string constituting the character string pattern is one character. The difference value calculated for each character is calculated by calculating the difference between the appearance frequency of each character with respect to all characters constituting the column pattern and the appearance frequency of each character with respect to all characters constituting the stored character string pattern. The malicious mail detection device according to claim 2, wherein the received mail is determined to be malicious mail when the average value is smaller than a predetermined threshold.   The determination means is an email certified as not being a malicious email as the comparison target, and when the character string constituting the character string pattern is one character, the received email calculated by the computing means The difference between the appearance frequency of each character with respect to all characters constituting the character string pattern and the appearance frequency of each character with respect to all characters constituting the stored character string pattern is calculated, and the difference calculated for each character The malicious mail detection device according to claim 2, wherein when the average value is larger than a predetermined threshold value, the received mail is determined to be malicious mail.   The character string pattern to be calculated by the calculation means is a URL included in a received mail, and the stored character string pattern is a URL extracted from spam mail. Item 5. The malicious mail detection device according to any one of items 4 to 6.   The character string pattern to be calculated by the calculation means is a character string pattern within a predetermined calculation target range in the attached file of the received mail, and the stored character string pattern is a character extracted from malware 5. The malicious mail detection device according to claim 1, wherein the malicious mail detection device is a column pattern.   The character string pattern to be calculated by the calculation means is a character string pattern within a predefined calculation target range of received mail, and the stored character string pattern is a character string pattern extracted from spam mail. The malicious mail detection device according to claim 1, wherein the malicious mail detection device is a malicious email detection device.   2. The malicious mail detection device according to claim 1, further comprising processing means for discarding, blocking, or recording the received mail when the received mail is determined to be malicious mail by the determining means. Item 8. The malicious mail detection device according to Item 7. The malicious email detection device includes:
Construction means for constructing at least one stream from the received mail according to a predetermined rule;
A memory release unit that manages a stream constructed by the construction unit for each stream, and that releases a memory area for managing the stream in units of streams in response to the end of calculation of the feature value by the computing unit; The malicious mail detection device according to claim 1, comprising:   The malicious mail detection device according to claim 9, wherein the calculation unit is configured to calculate a feature amount for each stream constructed by the construction unit.   The information stored in the memory area is at least one of connection information of received mail packets, status transition of protocol of received mail packets, and identification information for specifying a stream corresponding to the processing unit. The malicious mail detection device according to claim 9, wherein the malicious mail detection device is information including: A calculation step of calculating a feature amount of a character string pattern in a predefined calculation target range of the received mail;
A determination step of determining whether or not the mail is a malicious mail based on the similarity between the feature amount of the character string pattern of the received mail calculated in the calculation step and the feature amount of the stored character string pattern; A malicious email detection method comprising:   The malicious mail detection method according to claim 12, wherein the feature amount is a set of appearance frequencies of one or more character strings constituting a character string pattern.   In the determination step, when the mail used as the comparison target is a mail certified as malicious mail and the character string constituting the character string pattern is one character, the character string of the received mail calculated by the calculation step The difference between the appearance frequency of each character for all characters constituting the pattern and the appearance frequency of each character for all characters constituting the stored character string pattern is calculated, and the difference value calculated for each character is calculated. The malicious mail detection method according to claim 13, wherein when the average value is smaller than a predetermined threshold, the received mail is determined to be malicious mail.   In the determination step, when the mail used as the comparison target is a mail certified as not malicious mail and the character string constituting the character string pattern is one character, the character of the received mail calculated by the calculation step The difference value calculated for each character is calculated by calculating the difference between the appearance frequency of each character with respect to all characters constituting the column pattern and the appearance frequency of each character with respect to all characters constituting the stored character string pattern. The malicious mail detection method according to claim 13, wherein the received mail is determined to be malicious mail when the average value of the messages is larger than a predetermined threshold.   13. The character string pattern to be calculated in the calculation step is a URL included in a received mail, and the stored character string pattern is a URL extracted from spam mail. Item 16. The malicious mail detection method according to any one of items 15.   The character string pattern to be calculated in the calculation step is a character string pattern within a predetermined calculation target range in the attached file of the received mail, and the stored character string pattern is a character extracted from malware The malicious mail detection method according to claim 12, wherein the malicious mail detection method is a column pattern.   The character string pattern to be calculated in the calculation step is a character string pattern within a predetermined calculation target range of the received mail, and the stored character string pattern is a character string pattern extracted from spam mail. The malicious mail detection method according to any one of claims 12 to 15, wherein:   13. The malicious mail detection method includes a processing step of discarding, blocking, or recording the received mail when the received mail is determined to be malicious mail by the determining step. Item 19. The malicious mail detection method according to Item 18.   In accordance with a predetermined rule, at least one stream is constructed from the received mail, the constructed stream is managed for each stream, and upon completion of the calculation of the feature amount by the computation step, the management of the stream is performed. The malicious mail detection method according to claim 12, further comprising a step of releasing a memory area for each stream.   21. The malicious mail detection method according to claim 20, wherein the calculating step calculates a feature amount for each constructed stream.   The information stored in the memory area is at least one of connection information of received mail packets, status transition of protocol of received mail packets, and identification information for specifying a stream corresponding to the processing unit. 22. The malicious mail detection method according to claim 20, wherein the malicious mail detection method is information including: An information processing apparatus program, the program is stored in the information processing apparatus,
A calculation process for calculating a characteristic amount of a character string pattern in a predetermined calculation target range in the received mail;
A determination process for determining whether or not the mail is a malicious mail based on the similarity between the feature amount of the character string pattern of the received mail calculated in the calculation step and the feature amount of the stored character string pattern; A program characterized by being executed.

Images