CN105337993B - A mail security detection device and method based on combined static and dynamic analysis - Google Patents


Info

Publication number
CN105337993B
Authority
CN
China
Prior art keywords
mail
module
link
email
analysis
Prior art date
Legal status
Active
Application number
CN201510838834.4A
Other languages
Chinese (zh)
Other versions
CN105337993A (en)
Inventor
郭任煌
郑少明
邱锋兴
罗佳
高静峰
黄峰
Current Assignee
Xiamen Anscen Network Technology Co Ltd
Original Assignee
Xiamen Anscen Network Technology Co Ltd
Priority date
Filing date
Publication date
Application filed by Xiamen Anscen Network Technology Co Ltd
Priority to CN201510838834.4A
Publication of CN105337993A
Application granted
Publication of CN105337993B
Legal status: Active (current)
Anticipated expiration


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L51/00 User-to-user messaging in packet-switching networks, transmitted according to store-and-forward or real-time protocols, e.g. e-mail
    • H04L51/42 Mailbox-related aspects, e.g. synchronisation of mailboxes


Abstract

The present invention relates to the field of computer technology, and in particular to a mail security detection device and method based on combined static and dynamic analysis. The device comprises a mail receiving device, a mail preprocessing module, a static engine analysis module, a mail sending module, a customized secure browser module, a network analysis module, a dynamic engine analysis module, a log analysis module and an output module. The invention effectively combines the advantages of static engine detection and dynamic engine detection: a suspect mail is first decoded and analysed statically, mail showing abnormal behaviour is then parsed and re-packaged, and the re-packaged mail is analysed by the dynamic engine in a customized secure browser. Combining static and dynamic analysis obtains more malicious-behaviour information more efficiently and more completely, extracts the characteristic information of the malicious behaviour, and proposes an effective remediation for the mail's malicious behaviour, giving an efficient and convenient malicious mail detection device.

Description

A mail security detection device and method based on combined static and dynamic analysis
Technical field
The present invention relates to the field of computer technology, and in particular to a mail security detection device and method based on combined static and dynamic analysis.
Background art
With the rapid development of "Internet Plus", internet finance is also booming. Mail is one of the main ways information is transferred over the internet, and third-party mail application vendors are becoming ever more numerous, yet they still lack effective mail security detection mechanisms and methods. Attacks launched through e-mail are among the most numerous and most common attack patterns, so theft of users' private data occurs frequently. In addition, users' weak security awareness when reading e-mail gives e-mail attackers an opening to steal large amounts of private data.
The current approach to detecting malicious mail attacks is mainly to check whether a mail is a phishing mail, judging from the characteristics of the links in the mail content. Although such methods are effective, they have considerable limitations.
Existing malicious mail detection platforms combine static engine analysis with dynamic engine analysis. Static engine analysis decodes the mail and compares it against signatures, and mail containing malicious signatures is passed on to dynamic engine analysis. Dynamic engine analysis preprocesses and re-packages the mail, re-sends it, runs it in a customized secure browser, simulates clicks, and checks whether the mail issues requests to untrusted domains and the like, in order to decide whether it contains malicious attack behaviour.
Existing mail security detection systems still have considerable limitations. For example, their ability to parse and re-package the mail content and analyse it dynamically and automatically in a customized browser is weak; most do not parse and re-send the mail at all and merely add monitoring logs to the customized browser. The trigger conditions of some malicious mails are unusual: a tag event or attribute alone is not enough to trigger them, and the mail header must also be involved before they fire. A device that simulates triggering of mails in this state is therefore urgently needed in order to find the truly malicious mails.
The patent with application publication number CN201110020896, "A phishing mail detection method based on text feature analysis", and the patent with publication number CN200910073046, "An anti-phishing mail system and method based on link domain names and user feedback", both extract characteristics of the website links in the mail to decide whether it is a phishing mail. Although this is effective, its accuracy drops substantially, for example because the feature database cannot be updated in real time; static engine detection alone tends not to detect malicious behaviour effectively.
Summary of the invention
To solve the above technical problems, the present invention provides a mail security detection device and method based on combined static and dynamic analysis, which effectively combines the advantages of static engine detection and dynamic engine detection: a suspect mail is first decoded and analysed statically, mail showing abnormal behaviour is then parsed and re-packaged, and the re-packaged mail is analysed by the dynamic engine in a customized secure browser. Combining static and dynamic analysis obtains more malicious-behaviour information more efficiently and more completely, extracts the characteristic information of the malicious behaviour, and proposes an effective remediation for the mail's malicious behaviour, giving an efficient and convenient malicious mail detection device.
To achieve the above object, the technical solution adopted by the present invention is a mail security detection device based on combined static and dynamic analysis, comprising: a mail receiving device, a mail preprocessing module, a static engine analysis module, a mail sending module, a customized secure browser module, a network analysis module, a dynamic engine analysis module, a log analysis module and an output module, where:
Mail receiving device: imports standard mail in eml or txt format, or automatically receives mail from a mail server according to account and password information, or receives e-mail from a controlled network, and saves the corresponding mail information;
Mail preprocessing module: according to the mail's encoding type and similar properties, decodes the mail to obtain the mail header, mail content, attachment names, attachment content and other information, and stores them temporarily;
Static engine analysis module: obtains the mail information from the mail preprocessing module and runs it through a regular-expression matching algorithm combined with a static feature library, extracting the code content of the malicious features and links in the mail information and recording the mail's unique identifier, mail header, malicious features, links and Referer information. Mail in which no malicious feature or link is detected is treated as normal mail and released; mail in which malicious features or links are detected goes on to dynamic engine analysis, and mail that proves truly malicious is intercepted and bounced.
Mail sending module: for mail with malicious features and links, re-integrates the mail from the parsed mail information while keeping the malicious features and links, replacing the addresses requested by the original malicious features with addresses that output to the device-specific log, so that a new mail is formed and sent to the mail server, ensuring that the malicious features and links trigger normally without being able to leak personal private data;
Customized secure browser module: compatible with multiple browser kernels, it can efficiently detect the behaviour of malicious mail under multiple kernel environments, verify that the mail's malicious behaviour triggers effectively under various complex conditions, and intercept the related data packets to prevent data leakage;
Network analysis module: access logs can be stored in a big-data framework and accumulated as historical data;
Dynamic engine analysis module: uses AutoIt automation scripts to automatically view the mail in the customized secure browser, automatically click the related buttons and links, and record a sensitive-behaviour log; the dynamic engine uses API monitoring and injection techniques in the customized secure browser, so that as soon as a sensitive behaviour is triggered a log entry is recorded automatically. Some malicious mails do not trigger their malicious behaviour when the mail is viewed or a link is clicked, and trigger only under specific conditions.
Log analysis module: determines from log analysis whether the mail is malicious, and when a malicious mail is detected, writes the related characteristics of the malicious link address into the dynamic feature library.
Output module: the device outputs normal mail and malicious mail. For mail whose malicious behaviour is found by static detection it records the malicious feature code and malicious links; for mail detected by the dynamic engine it records a screenshot of the trigger position of the malicious mail. Finally it outputs the recorded information as a report in pdf format and gives a solution for repairing the mailbox.
Further, the big-data analysis framework is Hadoop, Solr or MongoDB; the mass data storage, analysis and query capabilities of the Hadoop, Solr or MongoDB big-data analysis framework improve log analysis ability.
Further, the mail sent by the mail sending module is automatically run by the system in the customized secure browser, so that the malicious behaviour of the mail is prevented from being triggered.
Further, the log analysis module performs the following steps:
1. If dynamic engine detection outputs a device-specific log, the mail is treated as malicious;
2. If the initiated request connects to an address that matches related characteristics in the dynamic feature library, the mail is treated as malicious;
3. If the requested page contains code input controls, the mail is treated as malicious;
4. If a page under this domain or a subdomain initiates behaviour that obtains or operates on cookies, the mail is treated as malicious.
Another technical solution of the present invention is a mail security detection method based on combined static and dynamic analysis, comprising the following steps:
Mail receiving and preprocessing step: import standard mail in eml or txt format, or automatically receive mail from a mail server according to account and password information, or receive e-mail from a controlled network, and save the corresponding mail information; according to the mail's encoding type and similar properties, decode the mail to obtain the mail header, mail content, attachment names, attachment content and other information, and store them temporarily;
Static engine analysis step: obtain the mail information from the mail preprocessing module and run it through a regular-expression matching algorithm combined with a static feature library, extracting the code content of the malicious features and links in the mail information and recording the mail's unique identifier, mail header, malicious features, links and Referer information; mail in which no malicious feature or link is detected is treated as normal mail and released.
Mail sending and analysis step: for mail with malicious features and links, re-integrate the mail from the parsed mail information while keeping the original features, replace the addresses requested by the original malicious features with addresses that output to the device-specific log, and form a new mail that is sent to the mail server, ensuring that the malicious features and links trigger normally without being able to leak personal private data; collect the web access logs generated by the customized secure browser module, and access all mail information and access logs through the customized secure browser;
Dynamic engine analysis step: use AutoIt automation scripts to automatically view the mail in the customized secure browser, automatically click the related buttons and links, and record a sensitive-behaviour log; the dynamic engine uses API monitoring and injection techniques in the customized secure browser, so that as soon as a sensitive behaviour is triggered a log entry is recorded automatically; some malicious mails do not trigger their malicious behaviour when the mail is viewed or a link is clicked, and trigger only under specific conditions;
Log analysis step: determine from log analysis whether the mail is malicious, and when a malicious mail is detected, write the related characteristics of the malicious link address into the dynamic feature library.
Output step: for mail whose malicious behaviour is found by static detection, record the malicious feature code and malicious links; for mail detected by the dynamic engine, record a screenshot of the trigger position of the malicious mail; finally output the recorded information as a report in pdf format and give a solution for repairing the mailbox.
Further, the log analysis step specifically comprises:
1. If dynamic engine detection outputs a device-specific log, the mail is treated as malicious;
2. If the initiated request connects to an address that matches related characteristics in the dynamic feature library, the mail is treated as malicious;
3. If the requested page contains code input controls, the mail is treated as malicious;
4. If a page under this domain or a subdomain initiates behaviour that obtains or operates on cookies, the mail is treated as malicious.
By adopting the above technical solution, the present invention has the following advantages over the prior art: it uses an automatic detection method combining static and dynamic analysis, which can detect mail safely, reliably and efficiently; the detection system supports automatic mail detection without manual intervention; it can provide an efficient and convenient security detection scheme for mailbox users of third-party mailbox providers or of a controllable network; and for mail found to have malicious behaviour it provides an effective and reliable remediation solution. It is a mail security automatic detection method and device with broad market prospects.
Description of the drawings
Fig. 1 is a schematic diagram of the system of an embodiment of the present invention.
Fig. 2 is a flow diagram of an embodiment of the present invention.
Fig. 3 is a flow chart of the log analysis of an embodiment of the present invention.
Detailed description of the embodiments
The present invention is further described below with reference to the drawings and specific embodiments.
As a specific embodiment, as shown in Fig. 1, the mail security detection device based on combined static and dynamic analysis of the present invention comprises: a mail receiving device S100, a mail preprocessing module S110, a static engine analysis module S120 (static feature library), a mail sending module S130, a network analysis module S150, a customized secure browser module S140, a dynamic engine analysis module S160, a log analysis module S170 (dynamic feature library) and an output module S180.
Mail receiving device S100: imports standard mail in eml or txt format, or automatically receives mail from a mail server according to account and password information, or receives e-mail from a controlled network, and saves the corresponding mail information;
Mail preprocessing module S110: according to the mail's encoding type and similar properties, decodes the mail to obtain the mail header, mail content, attachment names, attachment content and other information, and stores them temporarily;
Static engine analysis module S120: obtains the mail information from the mail preprocessing module and runs it through a regular-expression matching algorithm combined with a static feature library, extracting the code content of the malicious features and links in the mail information and recording the mail's unique identifier, mail header, malicious features, links, Referer and other information, which provides a convenient and reliable basis for log analysis; mail in which no malicious feature or link is detected is treated as normal mail and released;
Mail sending module S130: for mail with malicious features and links, re-integrates the mail from the parsed mail information while keeping the original features, replacing the addresses requested by the original malicious features with addresses that output to the device-specific log, so that a new mail is formed and sent to the mail server, ensuring that the malicious features and links trigger normally without being able to leak personal private data;
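As an added illustration of the static engine S120 and the re-packaging performed by the mail sending module S130 (example code written for this page, not the patent's implementation): the feature library entries, the sample mail, the sha256-based unique identifier and the device log endpoint `http://device.local/log` are all constructed assumptions.

```python
import email
import hashlib
import re
from email import policy
from email.message import EmailMessage
from urllib.parse import quote

# Constructed static feature library: regular expressions over the decoded
# mail body (illustrative entries, not the patent's actual library).
STATIC_FEATURES = {
    "js_scheme_link": re.compile(r'href\s*=\s*["\']\s*javascript:', re.I),
    "hidden_iframe": re.compile(r'<iframe[^>]*(?:width|height)\s*=\s*["\']?0\b[^>]*>', re.I),
    "external_form": re.compile(r'<form[^>]*action\s*=\s*["\']https?://[^"\']+["\']', re.I),
}
# Every attribute that makes the browser issue a request when the mail is rendered or clicked.
REQUEST_RE = re.compile(r'(href|src|action)\s*=\s*["\'](https?://[^"\']+)["\']', re.I)


def build_sample_mail() -> bytes:
    """Constructed sample mail with an external form and a zero-size iframe."""
    msg = EmailMessage()
    msg["Subject"] = "Account verification required"
    msg["From"] = "notice@example.test"
    msg["To"] = "user@example.test"
    msg.set_content("Please view this mail in an HTML client.")
    msg.add_alternative(
        '<html><body>\n'
        '<form action="http://login.example.test/verify"><input name="code"></form>\n'
        '<iframe src="http://cdn.example.test/t.html" width="0" height="0"></iframe>\n'
        '<a href="http://example.test/help">help</a>\n'
        '</body></html>\n', subtype="html")
    return msg.as_bytes()


def decode_mail(raw: bytes) -> dict:
    """Preprocessing module: decode header, body and attachment names, and
    give the mail a unique identifier (assumed here to be a hash of the raw bytes)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    return {
        "uid": hashlib.sha256(raw).hexdigest()[:16],
        "subject": msg["Subject"] or "",
        "body": body.get_content() if body is not None else "",
        "attachments": [p.get_filename() for p in msg.iter_attachments()],
    }


def static_scan(mail: dict) -> dict:
    """Static engine: match the body against the feature library and record the
    mail identifier, header, malicious features and every request address."""
    features = {name: rx.findall(mail["body"]) for name, rx in STATIC_FEATURES.items()}
    features = {name: hits for name, hits in features.items() if hits}
    links = sorted({url for _, url in REQUEST_RE.findall(mail["body"])})
    return {"uid": mail["uid"], "subject": mail["subject"], "features": features,
            "links": links, "verdict": "dynamic" if features else "normal"}


def repackage(mail: dict, log_endpoint: str) -> str:
    """Mail sending module: keep the malicious features but point every request
    address at the device log endpoint, so that a trigger is recorded by the
    device instead of reaching the original address."""
    def to_device_log(m: re.Match) -> str:
        attr, url = m.group(1), m.group(2)
        return f'{attr}="{log_endpoint}?uid={mail["uid"]}&target={quote(url, safe="")}"'
    return REQUEST_RE.sub(to_device_log, mail["body"])


if __name__ == "__main__":
    sample = decode_mail(build_sample_mail())
    record = static_scan(sample)
    print(record)
    if record["verdict"] == "dynamic":
        print(repackage(sample, "http://device.local/log"))
```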
Customized secure browser module S140: the customized secure browser is compatible with multiple browser kernels (Trident, WebKit, Gecko, Presto and so on), can efficiently detect the behaviour of malicious mail under multiple kernel environments, verify that the mail's malicious behaviour triggers effectively under various complex conditions, and intercept the related data packets to prevent data leakage. The mail sent by the mail sending module is automatically run by the system in the customized secure browser, so that the mail's malicious behaviour is prevented from being triggered and causing unnecessary loss.
Network analysis module S150: collects the web access logs generated by the customized secure browser module; the access logs can be stored in a big-data framework and accumulated as historical data. The big-data analysis framework is Hadoop, Solr, MongoDB or the like, and the mass data storage, analysis and query capabilities of such big-data analysis frameworks improve log analysis ability;
Dynamic engine analysis module S160: in the dynamic analysis method, the mail sending module sends the mail under test to the mail server by e-mail; the system then uses AutoIt automation scripts to automatically view the mail in the customized secure browser, automatically click the related buttons, links and so on, and record a sensitive-behaviour log; the dynamic engine uses API monitoring and injection techniques in the customized secure browser, so that as soon as a sensitive behaviour is triggered a log entry is recorded automatically. Some malicious mails do not trigger their malicious behaviour when the mail is viewed or a link is clicked, and trigger only under specific conditions, for example only after a right-click, or only after the mouse slides over a specific position so that a new overlay layer appears, then moves to a specific position on the overlay, and the user clicks again.
Log analysis module S170: the log analysis module proceeds by the following steps. Whenever mail with malicious behaviour is detected, the related characteristics of the malicious link address, such as its IP, domain name and URL, are written into the dynamic feature library, so the device can more effectively detect whether each malicious behaviour or link is really effective, improving recognition efficiency with no false positives.
1. If dynamic engine detection outputs a device-specific log, the mail is treated as malicious.
2. If the initiated request connects to an address that matches related characteristics in the dynamic feature library, the mail is treated as malicious.
3. If the requested page contains code input controls, the mail is treated as malicious.
4. If a page under this domain or a subdomain initiates behaviour that obtains or operates on cookies, the mail is treated as malicious.
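The four log analysis rules (listed here and in the summary above) together with the write-back of IP, domain name and URL into the dynamic feature library, as an added example that is not part of the patent; the log line format, the sample entries, the `example.test` mail domain and the event names are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class DynamicFeatureLibrary:
    """Dynamic feature library: characteristics (IP, domain name, URL) of
    confirmed malicious link addresses, as the log analysis module records them."""
    ips: set = field(default_factory=set)
    domains: set = field(default_factory=set)
    urls: set = field(default_factory=set)

    def matches(self, url: str) -> bool:
        host = urlsplit(url).hostname or ""
        return url in self.urls or host in self.domains or host in self.ips

    def learn(self, url: str) -> None:
        """Write the IP / domain / URL of a malicious link address into the library."""
        host = urlsplit(url).hostname or ""
        self.urls.add(url)
        try:
            ipaddress.ip_address(host)
            self.ips.add(host)
        except ValueError:
            if host:
                self.domains.add(host)


def parse_log(text: str) -> list:
    """Parse constructed sensitive-behaviour log lines of the form
    mail_uid|event|url|detail (the format is an assumption for this example)."""
    entries = []
    for line in text.strip().splitlines():
        fields = (line.split("|", 3) + [""] * 4)[:4]
        entries.append(dict(zip(("uid", "event", "url", "detail"), fields)))
    return entries


def in_domain(host: str, domain: str) -> bool:
    """True when host is the domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)


def analyse_logs(entries: list, uid: str, mail_domain: str,
                 library: DynamicFeatureLibrary) -> dict:
    """Apply the four rules to one mail's log entries; on a malicious verdict,
    write the characteristics of every hit address into the dynamic feature library."""
    rules, hits = set(), []
    for e in (x for x in entries if x["uid"] == uid):
        host = urlsplit(e["url"]).hostname or ""
        if e["event"] == "device_log":
            rules.add(1)          # rule 1: the rewritten request reached the device log
            hits.append(e["url"])
        elif e["event"] == "request" and library.matches(e["url"]):
            rules.add(2)          # rule 2: request address matches the feature library
            hits.append(e["url"])
        elif e["event"] == "page" and "code_input=1" in e["detail"]:
            rules.add(3)          # rule 3: requested page carries a code input control
            hits.append(e["url"])
        elif e["event"] in ("cookie_get", "cookie_set") and in_domain(host, mail_domain):
            rules.add(4)          # rule 4: cookie access from this domain or a subdomain
            hits.append(e["url"])
    malicious = bool(rules)
    if malicious:
        for url in hits:
            library.learn(url)
    return {"uid": uid, "malicious": malicious, "rules": sorted(rules),
            "addresses": sorted(set(hits))}


# Constructed sample log for three mails under test; 203.0.113.5 is a documentation address.
SAMPLE_LOG = """\
m1|page|http://login.example.test/verify|code_input=1
m1|device_log|http://203.0.113.5/collect|original request address rewritten to the device log
m1|cookie_get|http://mail.example.test/inbox|name=session
m2|page|http://example.test/help|
m2|request|http://example.test/static/logo.png|
m3|page|http://203.0.113.5/other|
m3|request|http://203.0.113.5/other/track.js|
"""


def run_sample() -> list:
    """Analyse the three sample mails in order against one shared library, so
    that what m1 teaches the library is what flags m3."""
    library = DynamicFeatureLibrary()
    entries = parse_log(SAMPLE_LOG)
    return [analyse_logs(entries, uid, "example.test", library) for uid in ("m1", "m2", "m3")]


if __name__ == "__main__":
    for verdict in run_sample():
        print(verdict)
```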
Output module S180: the device outputs normal mail and malicious mail. For mail whose malicious behaviour is found by static detection it records the malicious feature code and malicious links; for mail detected by the dynamic engine it records a screenshot of the trigger position of the malicious mail. Finally it outputs the recorded information as a report in pdf format and gives a solution for repairing the mailbox.
Referring to Fig. 2, an embodiment of the present invention is a mail security detection method based on combined static and dynamic analysis, comprising the following steps:
Mail receiving and preprocessing step: import standard mail in eml or txt format, or automatically receive mail from a mail server according to account and password information, or receive e-mail from a controlled network, and save the corresponding mail information; according to the mail's encoding type and similar properties, decode the mail to obtain the mail header, mail content, attachment names, attachment content and other information, and store them temporarily;
Static engine analysis step: obtain the mail information from the mail preprocessing module and run it through a regular-expression matching algorithm combined with a static feature library, extracting the code content of the malicious features and links in the mail information and recording the mail's unique identifier, mail header, malicious features, links and Referer information; mail in which no malicious feature or link is detected is treated as normal mail and released.
Mail sending and analysis step: for mail with malicious features and links, re-integrate the mail from the parsed mail information while keeping the original features, replace the addresses requested by the original malicious features with addresses that output to the device-specific log, and form a new mail that is sent to the mail server, ensuring that the malicious features and links trigger normally without being able to leak personal private data; collect the web access logs generated by the customized secure browser module, and access all mail information and access logs through the customized secure browser;
Dynamic engine analysis step: use AutoIt automation scripts to automatically view the mail in the customized secure browser, automatically click the related buttons and links, and record a sensitive-behaviour log; the dynamic engine uses API monitoring and injection techniques in the customized secure browser, so that as soon as a sensitive behaviour is triggered a log entry is recorded automatically; some malicious mails do not trigger their malicious behaviour when the mail is viewed or a link is clicked, and trigger only under specific conditions;
Referring to Fig. 3, the log analysis step: determine from log analysis whether the mail is malicious, and when a malicious mail is detected, write the related characteristics of the malicious link address into the dynamic feature library.
1. If dynamic engine detection outputs a device-specific log, the mail is treated as malicious;
2. If the initiated request connects to an address that matches related characteristics in the dynamic feature library, the mail is treated as malicious;
3. If the requested page contains code input controls, the mail is treated as malicious;
4. If a page under this domain or a subdomain initiates behaviour that obtains or operates on cookies, the mail is treated as malicious.
Output step: for mail whose malicious behaviour is found by static detection, record the malicious feature code and malicious links; for mail detected by the dynamic engine, record a screenshot of the trigger position of the malicious mail; finally output the recorded information as a report in pdf format and give a solution for repairing the mailbox.
Although the present invention has been specifically shown and described with reference to preferred embodiments, those skilled in the art should understand that various changes in form and detail can be made to it without departing from the spirit and scope of the present invention as defined by the appended claims, and such changes fall within the protection scope of the present invention.

Claims (6)

1. a kind of based on the mail security detection device being association of activity and inertia, it is characterised in that:Including:Mail reception device, mail are pre- Processing module, mail sending module, customization secure browser module, nework analysis module, is dynamically drawn at static engine analysis module Hold up analysis module, log analysis module and output device module;
Mail reception device:Standard mail for importing eml.txt formats receives mail automatically according to account number cipher information The mail of server or the Email for receiving controlled network, and preserve corresponding e-mail messages;
Mail preprocessing module:According to the type of coding of mail by decoding obtain mail header, Mail Contents, Attachment Name, Attachment content information and interim storage;
Static engine analysis module:The e-mail messages of mail preprocessing module are obtained, and the e-mail messages are passed through into regular expressions Formula matching algorithm combination static nature library, the code content of despiteful feature and link in e-mail messages are extracted, and Mail unique mark, mail header, malice feature, link, Referer information are recorded, malice feature and link is not detected Mail be considered as normal email and let pass, have and detect the mail of malice feature and link further into Mobile state engine analysis, Bounce processing is intercepted for there is the mail of real malice to do;
Mail sending module:For there is the mail of malice feature and link, guarantor is reintegrated according to the mail relevant information of parsing Malice feature and link are held, the form that the address of original malice feature request is replaced with to device individual character daily record exports, and constitutes The new mail of one envelope is sent to mail server, it is ensured that malice feature and link triggered as normal and can not reveal individual privacy number According to;
Customize secure browser module:Compatible a variety of browser kernels, can efficiently detect malice postal under a variety of kernel environments The behavior of part, while certified mail malicious act can effectively trigger under various complicated and can intercept related data packets and prevent Leaking data;
Nework analysis module:Access log can be stored with big data frame and make historical data accumulation;
Dynamic engine analysis module:It is checked automatically in the secure browser of customization using autoit automatized scripts technology, certainly It is dynamic to click associated button, link, and sensitive behavior daily record is recorded, dynamic engine is supervised in the secure browser of customization using API Control and injection technique, sensitive behavior one triggering can automatically record daily record, some malious emails when checking mail, clickthrough simultaneously Malicious act will not be triggered, but can just be triggered under given conditions;
Log analysis module:Determine whether malious email for being based on log analysis, is detected simultaneously by malious email, it will malice The correlated characteristic write-in behavioral characteristics library of chained address;
Output device module:The device will export normal email and malious email, and static detection will for the mail of malicious act Malice feature code, malicious link are recorded, dynamic engine detects the trigger position that sectional drawing is recorded to malious email, finally will note Information output under record is at the report that format is pdf and the solution for providing reparation mailbox.
2. according to claim 1 a kind of based on the mail security detection device being association of activity and inertia, it is characterised in that:Big data Analytical framework is Hadoop, Solr or Mongodb, utilizes the magnanimity number of Hadoop, Solr or Mongodb big data analysis frame Log analysis ability is improved according to storage, analysis, query capability.
3. according to claim 1 a kind of based on the mail security detection device being association of activity and inertia, it is characterised in that:Mail is sent out Sending the mail that module is sent will be run in the secure browser of customization automatically by system, prevent the mail of malicious act from being touched Hair.
4. The mail security detection device combining dynamic and static analysis according to claim 1, characterised in that: the log analysis module completes the following steps:
1. if the system's dynamic engine detection outputs the device-specific log, the mail is considered malicious;
2. if the initiated request, when checked against the dynamic feature library, matches a related feature, the mail is considered malicious;
3. if the page of the initiated request contains a code input control, the mail is considered malicious;
4. if a page under the domain or a subdomain of the initiated request exhibits cookie acquisition or cookie manipulation behaviour, the mail is considered malicious.
5. A mail security detection method combining dynamic and static analysis, characterised in that it comprises the following steps:
Mail reception and preprocessing step: import standard mail in eml or txt format, or automatically receive mail from the mail server according to account and password information, or receive the emails of the controlled network, and save the corresponding email information; according to the encoding type of the mail, obtain the mail header, mail content, attachment name and attachment content information by decoding, and store them temporarily;
Static engine analysis step: obtain the email information from the mail preprocessing module, and apply a regular expression matching algorithm combined with the static feature library to the email information, extracting the code content with malicious features and the links in the email information; record the mail unique identifier, mail header, malicious features, links and Referer information; mail in which no malicious feature or link is detected is considered normal mail and is let through;
Mail sending and analysis step: for mail with malicious features and links, reassemble the mail according to the parsed mail information, keeping the original features, and replace the address of the original malicious feature request with a form that outputs the device-specific log; this forms a new email, which is sent to the mail server, ensuring that the malicious features and links can be triggered normally without leaking personal privacy data; collect the web access logs generated by the customized secure browser module, and access all email information and access logs through the customized secure browser;
Dynamic engine analysis step: in the customized secure browser, the mail is viewed automatically using AutoIt automation scripts, which automatically click the relevant buttons and links and record a sensitive-behaviour log; the dynamic engine uses API monitoring and injection techniques in the customized secure browser, so that a log entry is recorded automatically as soon as a sensitive behaviour is triggered. Some malicious emails do not trigger malicious behaviour when the mail is viewed or a link is clicked, but only under specific conditions;
Log analysis step: determine whether an email is malicious on the basis of log analysis; when a malicious email is detected, write the related features of the malicious link address into the dynamic feature library;
Output step: for mail with malicious behaviour, static detection records the malicious feature code and malicious links, dynamic engine detection records a screenshot of the trigger position in the malicious email, and finally the recorded information is output as a report in PDF format together with a solution for repairing the mailbox.
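As an added illustration of the static engine and mail sending steps above (example code, not part of the patent or the applicant's implementation), the following Python parses a constructed .eml, matches it against a hypothetical static feature library, and rewrites each link to a hypothetical device-specific log endpoint so that triggering it only records a hit. All hostnames, feature patterns and the endpoint are assumptions.

```python
import email
import re
from email import policy
from urllib.parse import quote

# Constructed sample message (not taken from the patent): one link plus inline cookie access.
SAMPLE_EML = b"""From: billing@example-bank.test
To: user@example.test
Subject: Verify your account
Message-ID: <mail-0001@example-bank.test>
Content-Type: text/html; charset=utf-8

<html><body>
<p>Please <a href="http://login.example-bank.test/verify?id=42">verify</a> now.</p>
<script>var c = document.cookie;</script>
</body></html>
"""

# Hypothetical static feature library: regex patterns the static engine matches on mail content.
STATIC_FEATURES = {
    "link": re.compile(r"""href\s*=\s*["']([^"']+)["']""", re.I),
    "cookie_access": re.compile(r"document\.cookie"),
    "script_block": re.compile(r"<script[\s>]", re.I),
}

# Hypothetical device-specific log endpoint that stands in for each original request address.
LOG_ENDPOINT = "http://log.detector.test/hit"


def parse_mail(raw):
    """Mail reception and preprocessing: decode the message into header and content fields."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    return {"id": str(msg["Message-ID"]), "subject": str(msg["Subject"]),
            "content": body.get_content() if body else ""}


def static_analysis(info):
    """Static engine step: extract links and malicious feature hits; no hits means 'let pass'."""
    links = STATIC_FEATURES["link"].findall(info["content"])
    features = [name for name, pat in STATIC_FEATURES.items()
                if name != "link" and pat.search(info["content"])]
    return {"id": info["id"], "links": links, "features": features, "normal": not (links or features)}


def rewrite_for_sandbox(info, result):
    """Mail sending step: swap each original link for the log endpoint, keeping mail id and target."""
    content = info["content"]
    for link in result["links"]:
        logged = f"{LOG_ENDPOINT}?mail={quote(info['id'], safe='')}&orig={quote(link, safe='')}"
        content = content.replace(link, logged)
    return content
```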
6. The mail security detection method combining dynamic and static analysis according to claim 5, characterised in that: the log analysis step specifically comprises:
1. if the system's dynamic engine detection outputs the device-specific log, the mail is considered malicious;
2. if the initiated request, when checked against the dynamic feature library, matches a related feature, the mail is considered malicious;
3. if the page of the initiated request contains a code input control, the mail is considered malicious;
4. if a page under the domain or a subdomain of the initiated request exhibits cookie acquisition or cookie manipulation behaviour, the mail is considered malicious.
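The four log-analysis rules of claims 4 and 6, worked as an added Python example that is not the patent's own code: a constructed access log from the customized secure browser is checked against a hypothetical dynamic feature library and the device-specific log host, and any host that triggered a rule is returned for writing back into the library. All hostnames and log fields are assumptions.

```python
import re
from urllib.parse import urlsplit

# Hypothetical dynamic feature library, filled from earlier detections of malicious link addresses.
DYNAMIC_FEATURES = {"hosts": {"login.example-bank.test"}, "paths": {"/verify"}}
# Hostname of the assumed device-specific log endpoint that replaced the original request addresses.
LOG_HOST = "log.detector.test"
# Form fields where a victim would type credentials or codes (the 'code input control' of rule 3).
CODE_INPUT = re.compile(r"<input[^>]+type\s*=\s*[\"']?(password|text|tel|number)", re.I)

# Constructed secure-browser access log: one entry per request made while the mail was viewed.
SAMPLE_LOG = [
    {"mail": "m1", "url": "http://log.detector.test/hit?mail=m1", "page": "", "cookie_ops": []},
    {"mail": "m1", "url": "http://login.example-bank.test/verify",
     "page": '<form><input type="password" name="p"></form>', "cookie_ops": ["read"]},
    {"mail": "m2", "url": "http://news.example.test/", "page": "<p>hello</p>", "cookie_ops": []},
]


def same_site(host, site):
    """True when host is the site itself or one of its subdomains."""
    return host == site or host.endswith("." + site)


def analyze_logs(mail_id, site, entries):
    """Apply the four rules; return (is_malicious, reasons, hosts to add to the feature library)."""
    reasons, new_features = [], set()
    for e in entries:
        if e["mail"] != mail_id:
            continue
        u = urlsplit(e["url"])
        host = u.hostname or ""
        hits = []
        if host == LOG_HOST:                     # rule 1: the device-specific log was produced
            hits.append("rule1:device-log-hit")
        if host in DYNAMIC_FEATURES["hosts"] or u.path in DYNAMIC_FEATURES["paths"]:
            hits.append("rule2:dynamic-feature-match")  # rule 2: known malicious address
        if CODE_INPUT.search(e.get("page", "")):
            hits.append("rule3:code-input-control")     # rule 3: page asks for input
        if same_site(host, site) and e.get("cookie_ops"):
            hits.append("rule4:cookie-access")          # rule 4: cookie access on the site
        reasons.extend(hits)
        if hits and host != LOG_HOST:
            new_features.add(host)
    return bool(reasons), reasons, new_features
```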
CN201510838834.4A 2015-11-27 2015-11-27 A mail security detection device and method combining dynamic and static analysis Active CN105337993B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510838834.4A CN105337993B (en) 2015-11-27 2015-11-27 A mail security detection device and method combining dynamic and static analysis

Publications (2)

Publication Number Publication Date
CN105337993A CN105337993A (en) 2016-02-17
CN105337993B true CN105337993B (en) 2018-09-07

Family

ID=55288275

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510838834.4A Active CN105337993B (en) 2015-11-27 2015-11-27 A mail security detection device and method combining dynamic and static analysis

Country Status (1)

Country Link
CN (1) CN105337993B (en)

Families Citing this family (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108256323A (en) * 2016-12-29 2018-07-06 武汉安天信息技术有限责任公司 A kind of detection method and device for phishing application
US10503899B2 (en) 2017-07-10 2019-12-10 Centripetal Networks, Inc. Cyberanalysis workflow acceleration
CN109040016B (en) * 2018-06-25 2021-04-09 深信服科技股份有限公司 Information processing method and device and computer readable storage medium
US10778689B2 (en) * 2018-09-06 2020-09-15 International Business Machines Corporation Suspicious activity detection in computer networks
CN112784293B (en) * 2019-11-08 2024-06-04 游戏橘子数位科技股份有限公司 Method for recording notice of picture acquisition
CN111130993B (en) * 2019-11-22 2022-03-29 北京知道创宇信息技术股份有限公司 Information extraction method and device and readable storage medium
CN110933067A (en) * 2019-11-26 2020-03-27 北京知道创宇信息技术股份有限公司 Malicious mail identification method and device, electronic equipment and storage medium
CN111083133B (en) * 2019-12-11 2021-10-22 公安部第三研究所 Method and system for analyzing correlation between mail information and malicious code information
CN112003779A (en) * 2020-07-28 2020-11-27 杭州安恒信息技术股份有限公司 Phishing mail detection method and medium based on dynamic and static link characteristic identification
CN117201208B (en) * 2023-11-08 2024-02-23 新华三网络信息安全软件有限公司 Malicious mail identification method, malicious mail identification device, electronic equipment and storage medium

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101667979B (en) * 2009-10-12 2012-06-06 哈尔滨工程大学 System and method for anti-phishing emails based on link domain name and user feedback
CN102098235B (en) * 2011-01-18 2013-08-07 南京邮电大学 Fishing mail inspection method based on text characteristic analysis
CN103297394B (en) * 2012-02-24 2016-12-14 阿里巴巴集团控股有限公司 Website security detection method and device
US9317696B2 (en) * 2012-07-10 2016-04-19 Microsoft Technology Licensing, Llc Data detection and protection policies for e-mail
CN102833240B (en) * 2012-08-17 2016-02-03 中国科学院信息工程研究所 A kind of malicious code catching method and system

Also Published As

Publication number Publication date
CN105337993A (en) 2016-02-17

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant