CN105337993B - Mail security detection device and method based on combined dynamic and static analysis - Google Patents
- Publication number: CN105337993B (application CN201510838834.4A)
- Authority: CN (China)
- Legal status: Active
Classifications
- H04L63/1416: Network architectures or network communication protocols for network security, for detecting or protecting against malicious traffic by monitoring network traffic; event detection, e.g. attack signature detection
- H04L51/42: User-to-user messaging in packet-switching networks, transmitted according to store-and-forward or real-time protocols, e.g. e-mail; mailbox-related aspects, e.g. synchronisation of mailboxes
Abstract
The present invention relates to the field of computer technology, and in particular to a mail security detection device and method based on combined dynamic and static analysis. The device includes a mail receiving device, a mail preprocessing module, a static engine analysis module, a mail sending module, a customized secure browser module, a network analysis module, a dynamic engine analysis module, a log analysis module and an output device module. The invention effectively combines the advantages of static engine detection and dynamic engine detection: malicious mail is first decoded and analysed statically, then mail showing abnormal behaviour is parsed and re-sent, and dynamic engine analysis is performed on it in the customized secure browser. Combining dynamic and static analysis obtains more malicious-behaviour information more efficiently and comprehensively, extracts information about the malicious behaviour, and proposes an effective repair solution for the malicious behaviour of the mail. It is an efficient and convenient malicious mail detection device.
Description
Technical field
The present invention relates to the field of computer technology, and in particular to a mail security detection device and method based on combined dynamic and static analysis.
Background art
With the rapid development of "Internet+", Internet finance has also flourished. E-mail is one of the main ways of transferring information over the Internet, and third-party mail providers are increasingly numerous, yet they lack effective mail security detection mechanisms and methods. Attacks launched through e-mail are among the most numerous and most common attack methods, so theft of users' private data occurs frequently. In addition, users' weak security awareness when viewing e-mail gives e-mail attackers the opportunity to steal large amounts of users' private data.
For detecting malicious mail attacks, the main current approach is to detect whether a mail is a phishing mail, judged by features of the links in the mail content. Although this method is effective, it has significant limitations.
Existing malicious mail detection platforms combine static engine analysis with dynamic engine analysis. Static engine analysis decodes the mail and compares it against signatures; mail containing malicious signatures goes on to dynamic engine analysis. Dynamic engine analysis re-integrates and re-sends the mail after preprocessing, lets the mail run in a customized secure browser, simulates clicks, and detects whether the mail initiates requests to untrusted domains and the like, in order to determine whether it contains malicious attack behaviour.
Existing mail security detection systems have significant limitations. For example, their ability to parse mail content and re-send it, and to analyse it dynamically and automatically in a customized browser, is relatively weak; most do not parse and re-send the mail, and only add monitoring logs to the customized browser. The trigger conditions of some malicious mails are rather special: tag events or attributes are not enough to trigger them, and they can only be triggered in combination with the mail header. Mail of this kind urgently needs the device designed here to simulate the triggering, so that truly malicious mail can be found.
The patent "A phishing mail detection method based on text feature analysis" (application publication number CN201110020896) and the patent "Anti-phishing mail system and method based on link domain names and user feedback" (publication number CN200910073046) describe extracting features of the website links in a mail to determine whether it is a phishing mail. Although this is effective, accuracy is greatly reduced, for example because the feature library cannot be updated in real time, and static engine detection often fails to detect malicious behaviour effectively.
Summary of the invention
To solve the above technical problems, the present invention provides a mail security detection device and method based on combined dynamic and static analysis. It effectively combines the advantages of static engine detection and dynamic engine detection: malicious mail is first decoded and analysed statically, then mail showing abnormal behaviour is parsed and re-sent, and dynamic engine analysis is performed on it in the customized secure browser. Combining dynamic and static analysis obtains more malicious-behaviour information more efficiently and comprehensively, extracts information about the malicious behaviour, and proposes an effective repair solution for the malicious behaviour of the mail. It is an efficient and convenient malicious mail detection device.
To achieve the above object, the technical solution adopted by the present invention is a mail security detection device based on combined dynamic and static analysis, comprising: a mail receiving device, a mail preprocessing module, a static engine analysis module, a mail sending module, a customized secure browser module, a network analysis module, a dynamic engine analysis module, a log analysis module and an output device module.
Mail receiving device: imports standard mail in eml.txt format, automatically receives mail from the mail server according to account and password information, or receives the e-mail of a controlled network, and saves the corresponding mail information.
Mail preprocessing module: decodes the mail according to its encoding type and the like to obtain the mail header, mail content, attachment name, attachment content and other information, and stores them temporarily.
Static engine analysis module: obtains the mail information from the mail preprocessing module and, using a regular-expression matching algorithm combined with the static feature library, extracts the code content of the malicious features and links in the mail information, and records the mail's unique identifier, mail header, malicious features, links and Referer information. Mail in which no malicious feature or link is detected is regarded as normal mail and released; mail in which malicious features and links are detected goes on to dynamic engine analysis; mail that is truly malicious is intercepted and bounced.
Mail sending module: for mail with malicious features and links, re-integrates the mail according to the parsed mail information while keeping the malicious features and links, replaces the address requested by the original malicious feature with a form that outputs the device's personalized log, and composes a new mail that is sent to the mail server, ensuring that the malicious features and links can trigger normally without leaking personal private data.
Customized secure browser module: compatible with multiple browser kernels, so malicious mail behaviour can be detected efficiently under multiple kernel environments; it also ensures that the malicious behaviour of the mail can be triggered effectively under various complex conditions, and it can intercept the related data packets to prevent data leakage.
Network analysis module: access logs can be stored in a big data framework and accumulated as historical data.
Dynamic engine analysis module: uses AutoIt automation scripting in the customized secure browser to view the mail automatically, click the relevant buttons and links automatically, and record sensitive-behaviour logs. The dynamic engine uses API monitoring and injection techniques in the customized secure browser, so that a sensitive behaviour is logged automatically as soon as it is triggered. Some malicious mails do not trigger their malicious behaviour when the mail is viewed or a link is clicked, but only under specific conditions.
Log analysis module: determines from log analysis whether a mail is malicious; when a malicious mail is detected, the relevant features of the malicious link address are written to the dynamic feature library.
Output device module: the device outputs normal mail and malicious mail. For mail that static detection finds malicious, the malicious feature code and malicious links are recorded; dynamic engine detection records a screenshot of the position at which the malicious mail was triggered. Finally, the recorded information is output as a report in PDF format together with a solution for repairing the mailbox.
Further, the big data analysis framework is Hadoop, Solr or MongoDB; the mass data storage, analysis and query capabilities of the Hadoop, Solr or MongoDB big data analysis framework are used to improve log analysis capability.
Further, the mail sent by the mail sending module is run automatically by the system in the customized secure browser, preventing mail with malicious behaviour from being triggered.
Further, the log analysis module completes the following steps:
1. If the system's dynamic engine detection outputs the device's personalized log, the mail is regarded as malicious.
2. If the requested link matches relevant features in the dynamic feature library, the mail is regarded as malicious.
3. If the requested page contains a password input control, the mail is regarded as malicious.
4. If a page requested under this domain or a subdomain obtains or manipulates cookies, the mail is regarded as malicious.
Another technical solution of the present invention is a mail security detection method based on combined dynamic and static analysis, comprising the following steps:
Mail receiving and preprocessing step: import standard mail in eml.txt format, or automatically receive mail from the mail server according to account and password information, or receive the e-mail of a controlled network, and save the corresponding mail information; decode the mail according to its encoding type and the like to obtain the mail header, mail content, attachment name, attachment content and other information, and store them temporarily.
Static engine analysis step: obtain the mail information from the mail preprocessing module and, using a regular-expression matching algorithm combined with the static feature library, extract the code content of the malicious features and links in the mail information, and record the mail's unique identifier, mail header, malicious features, links and Referer information. Mail in which no malicious feature or link is detected is regarded as normal mail and released.
Mail sending and analysis: for mail with malicious features and links, re-integrate the mail according to the parsed mail information while keeping the original features, replace the address requested by the original malicious feature with a form that outputs the device's personalized log, and compose a new mail that is sent to the mail server, ensuring that the malicious features and links can trigger normally without leaking personal private data; collect the web access logs generated by the customized secure browser module, and access all mail information and access logs through the customized secure browser.
Dynamic engine analysis step: use AutoIt automation scripting in the customized secure browser to view the mail automatically, click the relevant buttons and links automatically, and record sensitive-behaviour logs. The dynamic engine uses API monitoring and injection techniques in the customized secure browser, so that a sensitive behaviour is logged automatically as soon as it is triggered. Some malicious mails do not trigger their malicious behaviour when the mail is viewed or a link is clicked, but only under specific conditions.
Log analysis step: determine from log analysis whether the mail is malicious; when a malicious mail is detected, write the relevant features of the malicious link address to the dynamic feature library.
Output step: for mail that static detection finds malicious, the malicious feature code and malicious links are recorded; dynamic engine detection records a screenshot of the position at which the malicious mail was triggered. Finally, the recorded information is output as a report in PDF format together with a solution for repairing the mailbox.
Further, the log analysis step specifically includes:
1. If the system's dynamic engine detection outputs the device's personalized log, the mail is regarded as malicious.
2. If the requested link matches relevant features in the dynamic feature library, the mail is regarded as malicious.
3. If the requested page contains a password input control, the mail is regarded as malicious.
4. If a page requested under this domain or a subdomain obtains or manipulates cookies, the mail is regarded as malicious.
By adopting the above technical solution, the present invention has the following advantages over the prior art. It uses an automatic detection method that combines dynamic and static analysis and can detect mail safely, reliably and efficiently. The detection system needs no manual intervention and supports automatic mail detection. It can provide an efficient and convenient security detection scheme for third-party mailbox providers or for mailbox users in a controllable network, and for mail detected as having malicious behaviour it provides an effective and reliable repair solution. It is a mail security automatic detection method and device with broad market application prospects.
Description of the drawings
Fig. 1 is the system schematic of the embodiment of the present invention.
Fig. 2 is the flow diagram of the embodiment of the present invention.
Fig. 3 is the log analysis flow chart of the embodiment of the present invention.
Detailed description of the embodiments
The present invention is further described below with reference to the drawings and specific embodiments.
As a specific embodiment, as shown in Fig. 1, a mail security detection device based on combined dynamic and static analysis according to the present invention comprises: a mail receiving device S100, a mail preprocessing module S110, a static engine analysis module S120 (static feature library), a mail sending module S130, a network analysis module S150, a customized secure browser module S140, a dynamic engine analysis module S160, a log analysis module S170 (dynamic feature library) and an output device module S180.
Mail receiving device S100: imports standard mail in eml.txt format, or automatically receives mail from the mail server according to account and password information, or receives the e-mail of a controlled network, and saves the corresponding mail information.
Mail preprocessing module S110: decodes the mail according to its encoding type and the like to obtain the mail header, mail content, attachment name, attachment content and other information, and stores them temporarily.
Static engine analysis module S120: obtains the mail information from the mail preprocessing module and, using a regular-expression matching algorithm combined with the static feature library, extracts the code content of the malicious features and links in the mail information, and records the mail's unique identifier, mail header, malicious features, links, Referer and other information, which gives log analysis a reliable basis. Mail in which no malicious feature or link is detected is regarded as normal mail and released.
Mail sending module S130: for mail with malicious features and links, re-integrates the mail according to the parsed mail information while keeping the original features, replaces the address requested by the original malicious feature with a form that outputs the device's personalized log, and composes a new mail that is sent to the mail server, ensuring that the malicious features and links can trigger normally without leaking personal private data.
Customized secure browser module S140: the customized secure browser is compatible with multiple browser kernels (Trident, WebKit, Gecko, Presto and so on), so malicious mail behaviour can be detected efficiently under multiple kernel environments; it also ensures that the malicious behaviour of the mail can be triggered effectively under various complex conditions, and it can intercept the related data packets to prevent data leakage. The mail sent by the mail sending module is run automatically by the system in the customized secure browser, preventing mail with malicious behaviour from being triggered and causing unnecessary loss.
Network analysis module S150: collects the web access logs generated by the customized secure browser module. The access logs can be stored in a big data framework and accumulated as historical data. The big data analysis framework is Hadoop, Solr, MongoDB or the like; the mass data storage, analysis and query capabilities of a big data analysis framework such as Hadoop are used to improve log analysis capability.
Dynamic engine analysis module S160: in dynamic analysis, the mail sending module sends the mail under test to the mail server, and the system uses AutoIt automation scripting in the customized secure browser to view the mail automatically, click the relevant buttons, links and so on automatically, and record sensitive-behaviour logs. The dynamic engine uses API monitoring and injection techniques in the customized secure browser, so that a sensitive behaviour is logged automatically as soon as it is triggered. Some malicious mails do not trigger their malicious behaviour when the mail is viewed or a link is clicked, but only under specific conditions: for example, only after a right-click, or only after the mouse passes over a specific position, a new mask layer appears, and the user then moves to a specific position on the mask layer and clicks again.
Log analysis module S170: the log analysis module proceeds in the following steps. If mail with malicious behaviour is detected, the relevant features of the malicious link address, such as IP, domain name and URL, are written to the dynamic feature library. The device can thereby detect more effectively whether each malicious behaviour or link is really effective, improving recognition efficiency, without misjudgments.
1. If the system's dynamic engine detection outputs the device's personalized log, the mail is regarded as malicious.
2. If the requested link matches relevant features in the dynamic feature library, the mail is regarded as malicious.
3. If the requested page contains a password input control, the mail is regarded as malicious.
4. If a page requested under this domain or a subdomain obtains or manipulates cookies, the mail is regarded as malicious.
Output device module S180: the device outputs normal mail and malicious mail. For mail that static detection finds malicious, the malicious feature code and malicious links are recorded; dynamic engine detection records a screenshot of the position at which the malicious mail was triggered. Finally, the recorded information is output as a report in PDF format together with a solution for repairing the mailbox.
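An added example (not code from the patent) of the decode-then-match flow of mail preprocessing module S110 and static engine analysis module S120 described above. The feature patterns, function names and sample messages are constructed for illustration, and sending any mail that contains a link on to dynamic analysis is an assumption about how "malicious features and links" is applied.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed static feature library: names and regexes are illustrative
# assumptions, not the patent's actual signatures.
STATIC_FEATURES = {
    "script_tag": re.compile(r"<script\b", re.I),
    "inline_event_handler": re.compile(r"\bon(?:error|load|click|mouseover)\s*=", re.I),
    "cookie_access": re.compile(r"document\.cookie", re.I),
    "javascript_uri": re.compile(r"javascript\s*:", re.I),
}
LINK_RE = re.compile(r"""(?:href|src|action)\s*=\s*["']?(https?://[^\s"'<>]+)""", re.I)


def preprocess(raw: bytes) -> dict:
    """S110: decode each part by its transfer encoding and charset, then
    collect header fields, body text and attachments."""
    msg = message_from_bytes(raw, policy=policy.default)
    bodies, attachments = [], []
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_content_disposition() == "attachment":
            attachments.append((part.get_filename(), part.get_payload(decode=True)))
        elif part.get_content_maintype() == "text":
            bodies.append(part.get_content())  # base64/QP already decoded to str
    return {
        "mail_id": str(msg["Message-ID"]),
        "subject": str(msg["Subject"]),
        "body": "\n".join(bodies),
        "attachments": attachments,
    }


def static_analyze(info: dict) -> dict:
    """S120: regex match against the static feature library and extract links.
    No feature and no link -> release; otherwise hand over to dynamic analysis."""
    body = info["body"]
    features = sorted(n for n, rx in STATIC_FEATURES.items() if rx.search(body))
    links = sorted(set(LINK_RE.findall(body)))
    return {
        "mail_id": info["mail_id"],
        "subject": info["subject"],
        "features": features,
        "links": links,
        "verdict": "dynamic_analysis" if features or links else "release",
    }


def build_sample(msg_id: str, html: str, attach: bool = False) -> bytes:
    """Constructed test mail. The HTML part is base64-encoded on the wire, so a
    regex run over the raw bytes would see nothing; decoding must come first."""
    m = EmailMessage()
    m["Message-ID"] = msg_id
    m["Subject"] = "Account notice"
    m.set_content("plain text fallback")
    m.add_alternative(html, subtype="html", cte="base64")
    if attach:
        m.add_attachment(b"\x00\x01", maintype="application",
                         subtype="octet-stream", filename="invoice.bin")
    return m.as_bytes()


# Constructed samples (example.test is a reserved test domain).
SUSPICIOUS = build_sample(
    "<constructed-1@example.test>",
    '<p>Please <a href="http://login.example.test/verify">verify</a></p>'
    "<script>var c = document.cookie;</script>",
    attach=True,
)
CLEAN = build_sample("<constructed-2@example.test>", "<p>Meeting moved to 3 pm.</p>")

if __name__ == "__main__":
    for raw in (SUSPICIOUS, CLEAN):
        print(static_analyze(preprocess(raw)))
```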
Referring to Fig. 2, a mail security detection method based on combined dynamic and static analysis according to an embodiment of the present invention comprises the following steps:
Mail receiving and preprocessing step: import standard mail in eml.txt format, or automatically receive mail from the mail server according to account and password information, or receive the e-mail of a controlled network, and save the corresponding mail information; decode the mail according to its encoding type and the like to obtain the mail header, mail content, attachment name, attachment content and other information, and store them temporarily.
Static engine analysis step: obtain the mail information from the mail preprocessing module and, using a regular-expression matching algorithm combined with the static feature library, extract the code content of the malicious features and links in the mail information, and record the mail's unique identifier, mail header, malicious features, links and Referer information. Mail in which no malicious feature or link is detected is regarded as normal mail and released.
Mail sending and analysis: for mail with malicious features and links, re-integrate the mail according to the parsed mail information while keeping the original features, replace the address requested by the original malicious feature with a form that outputs the device's personalized log, and compose a new mail that is sent to the mail server, ensuring that the malicious features and links can trigger normally without leaking personal private data; collect the web access logs generated by the customized secure browser module, and access all mail information and access logs through the customized secure browser.
Dynamic engine analysis step: use AutoIt automation scripting in the customized secure browser to view the mail automatically, click the relevant buttons and links automatically, and record sensitive-behaviour logs. The dynamic engine uses API monitoring and injection techniques in the customized secure browser, so that a sensitive behaviour is logged automatically as soon as it is triggered. Some malicious mails do not trigger their malicious behaviour when the mail is viewed or a link is clicked, but only under specific conditions.
Referring to Fig. 3, log analysis step: determine from log analysis whether the mail is malicious; when a malicious mail is detected, write the relevant features of the malicious link address to the dynamic feature library.
1. If the system's dynamic engine detection outputs the device's personalized log, the mail is regarded as malicious;
2. If the requested link matches relevant features in the dynamic feature library, the mail is regarded as malicious;
3. If the requested page contains a password input control, the mail is regarded as malicious;
4. If a page requested under this domain or a subdomain obtains or manipulates cookies, the mail is regarded as malicious.
Output step: for mail that static detection finds malicious, the malicious feature code and malicious links are recorded; dynamic engine detection records a screenshot of the position at which the malicious mail was triggered. Finally, the recorded information is output as a report in PDF format together with a solution for repairing the mailbox.
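An added example (not code from the patent) of the four log-analysis rules of Fig. 3 and the write-back of IP, domain name and URL to the dynamic feature library. The event format, the device log host `devlog.invalid`, the `protected_domain` parameter (one reading of "this domain") and all sample events are constructed assumptions.

```python
from urllib.parse import urlsplit

# Assumed host that serves the device's personalized log (not named in the patent).
DEVICE_LOG_HOST = "devlog.invalid"


def new_library():
    """Empty dynamic feature library: features of known-malicious link addresses."""
    return {"ips": set(), "domains": set(), "urls": set()}


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def in_domain(host, domain):
    """True for the domain itself or a real subdomain, not a look-alike suffix
    such as evil-mail.example.com versus mail.example.com."""
    host, domain = host.lower().rstrip("."), domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def match_rule(ev, lib, protected_domain):
    """Return the number (1-4) of the rule this log event satisfies, else None."""
    host = host_of(ev["url"])
    if ev["type"] == "request":
        if host == DEVICE_LOG_HOST:
            return 1  # a rewritten request reached the device's personalized log
        if ev["url"] in lib["urls"] or host in lib["domains"] or ev.get("ip") in lib["ips"]:
            return 2  # requested link matches the dynamic feature library
    elif ev["type"] == "page" and ev.get("password_inputs", 0) > 0:
        return 3      # requested page contains a password input control
    elif ev["type"] == "cookie" and in_domain(ev["cookie_domain"], protected_domain):
        return 4      # page reads or manipulates cookies of the domain or a subdomain
    return None


def analyze(events, lib, protected_domain):
    """Classify one mail from its secure-browser log, then feed the library."""
    rules, flagged_urls = set(), []
    for ev in events:
        rule = match_rule(ev, lib, protected_domain)
        if rule is None:
            continue
        rules.add(rule)
        if rule != 1:  # the device log endpoint itself is not a malicious address
            flagged_urls.append(ev["url"])
    # Write-back happens after the loop so a mail cannot match its own features.
    flagged_hosts = {host_of(u) for u in flagged_urls}
    lib["urls"].update(flagged_urls)
    lib["domains"].update(flagged_hosts)
    for ev in events:
        if ev["type"] == "request" and ev.get("ip") and host_of(ev["url"]) in flagged_hosts:
            lib["ips"].add(ev["ip"])
    return {"verdict": "malicious" if rules else "normal", "rules": sorted(rules)}


# Constructed log events (reserved example domains and documentation IP ranges).
MAIL_A = [  # login page with a password field
    {"type": "request", "url": "http://portal.example.test/login", "ip": "203.0.113.7"},
    {"type": "page", "url": "http://portal.example.test/login", "password_inputs": 1},
]
MAIL_B = [  # same host, different path, no password field
    {"type": "request", "url": "http://portal.example.test/reset", "ip": "203.0.113.7"},
]
MAIL_C = [  # cookie access on a look-alike of the protected domain
    {"type": "request", "url": "http://news.example.org/a", "ip": "198.51.100.4"},
    {"type": "cookie", "url": "http://news.example.org/a",
     "cookie_domain": "evil-mail.example.com"},
]
MAIL_D = [  # rewritten request hits the device log; cookies of a real subdomain touched
    {"type": "request", "url": "http://devlog.invalid/mail-42/0", "ip": "192.0.2.1"},
    {"type": "cookie", "url": "http://promo.example.net/x",
     "cookie_domain": "sso.mail.example.com"},
]


def run_samples():
    lib = new_library()
    results = [analyze(m, lib, "mail.example.com") for m in (MAIL_A, MAIL_B, MAIL_C, MAIL_D)]
    return results, lib


if __name__ == "__main__":
    for result in run_samples()[0]:
        print(result)
```

MAIL_B is flagged only because MAIL_A was analysed first and its link address was written to the library, which is the accumulation the dynamic feature library is meant to provide.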
Although the present invention has been specifically shown and described in connection with preferred embodiments, those skilled in the art should understand that various changes in form and detail may be made to the invention without departing from the spirit and scope of the invention as defined by the appended claims, and that such changes fall within the scope of protection of the invention.
Claims (6)
1. A mail security detection device based on combined dynamic and static analysis, characterized in that it comprises: a mail receiving device, a mail preprocessing module, a static engine analysis module, a mail sending module, a customized secure browser module, a network analysis module, a dynamic engine analysis module, a log analysis module and an output device module;
Mail receiving device: imports standard mail in eml.txt format, or automatically receives mail from the mail server according to account and password information, or receives the e-mail of a controlled network, and saves the corresponding mail information;
Mail preprocessing module: decodes the mail according to its encoding type to obtain the mail header, mail content, attachment name and attachment content information, and stores them temporarily;
Static engine analysis module: obtains the mail information from the mail preprocessing module and, using a regular-expression matching algorithm combined with the static feature library, extracts the code content of the malicious features and links in the mail information, and records the mail's unique identifier, mail header, malicious features, links and Referer information; mail in which no malicious feature or link is detected is regarded as normal mail and released; mail in which malicious features and links are detected goes on to dynamic engine analysis; mail that is truly malicious is intercepted and bounced;
Mail sending module: for mail with malicious features and links, re-integrates the mail according to the parsed mail information while keeping the malicious features and links, replaces the address requested by the original malicious feature with a form that outputs the device's personalized log, and composes a new mail that is sent to the mail server, ensuring that the malicious features and links can trigger normally without leaking personal private data;
Customized secure browser module: compatible with multiple browser kernels, so malicious mail behaviour can be detected efficiently under multiple kernel environments; it also ensures that the malicious behaviour of the mail can be triggered effectively under various complex conditions, and it can intercept the related data packets to prevent data leakage;
Network analysis module: access logs can be stored in a big data framework and accumulated as historical data;
Dynamic engine analysis module: uses AutoIt automation scripting in the customized secure browser to view the mail automatically, click the relevant buttons and links automatically, and record sensitive-behaviour logs; the dynamic engine uses API monitoring and injection techniques in the customized secure browser, so that a sensitive behaviour is logged automatically as soon as it is triggered; some malicious mails do not trigger their malicious behaviour when the mail is viewed or a link is clicked, but only under specific conditions;
Log analysis module: determines from log analysis whether a mail is malicious; when a malicious mail is detected, the relevant features of the malicious link address are written to the dynamic feature library;
Output device module: the device outputs normal mail and malicious mail; for mail that static detection finds malicious, the malicious feature code and malicious links are recorded; dynamic engine detection records a screenshot of the position at which the malicious mail was triggered; finally, the recorded information is output as a report in PDF format together with a solution for repairing the mailbox.
2. The mail security detection device based on combined dynamic and static analysis according to claim 1, characterized in that: the big data analysis framework is Hadoop, Solr or MongoDB, and the mass data storage, analysis and query capabilities of the Hadoop, Solr or MongoDB big data analysis framework are used to improve log analysis capability.
3. The mail security detection device based on combined dynamic and static analysis according to claim 1, characterized in that: the mail sent by the mail sending module is run automatically by the system in the customized secure browser, preventing mail with malicious behaviour from being triggered.
4. The mail security detection device based on combined dynamic and static analysis according to claim 1, characterized in that the log analysis module completes the following steps:
1. If the system's dynamic engine detection outputs the device's personalized log, the mail is regarded as malicious,
2. If the requested link matches relevant features in the dynamic feature library, the mail is regarded as malicious,
3. If the requested page contains a password input control, the mail is regarded as malicious,
4. If a page requested under this domain or a subdomain obtains or manipulates cookies, the mail is regarded as malicious.
5. A mail security detection method based on combining dynamic and static analysis, characterized in that it includes the following steps:

Mail reception and preprocessing step: import standard mail in eml.txt formats, or automatically receive mail from a mail server using account and password information, or receive e-mail from a controlled network, and save the corresponding mail information; according to the encoding type of the mail, obtain the mail header, mail content, attachment name and attachment content by decoding, and store them temporarily;

Static engine analysis step: obtain the mail information from the mail preprocessing module, apply a regular-expression matching algorithm together with the static feature library to extract the code content with malicious features and the links in the mail information, and record the mail's unique identifier, mail header, malicious features, links and Referer information; mail in which no malicious feature or link is detected is treated as normal mail and released;

Mail sending and analysis step: for mail that has malicious features and links, reassemble the mail from the parsed mail information while keeping its original features, replace the address requested by the original malicious feature with a form that outputs the device's custom log, and compose a new mail that is sent to the mail server, ensuring that the malicious features and links can trigger normally without leaking personal private data; collect the web access logs generated by the customized secure browser module, with all mail information and access logs accessed through the customized secure browser;

Dynamic engine analysis step: using AutoIt automation scripting, the mail is viewed automatically in the customized secure browser, associated buttons and links are clicked automatically, and sensitive-behavior logs are recorded; the dynamic engine uses API monitoring and injection techniques in the customized secure browser, so that a log entry is recorded automatically as soon as a sensitive behavior is triggered; some malicious mail does not trigger its malicious behavior when the mail is viewed or a link is clicked, but only under specific conditions;

Log analysis step: determine from log analysis whether the mail is malicious and, when malicious mail is detected, write the related features of the malicious link address into the dynamic feature library;

Export step: for mail with malicious behavior, static detection records the malicious feature code and the malicious links, and dynamic engine detection records screenshots of the position at which the malicious mail triggered; finally, the recorded information is exported as a report in PDF format and a solution for repairing the mailbox is provided.
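The static engine analysis step of claim 5, sketched as an added example that is not code from the patent: it decodes a message according to its encoding, matches a small constructed feature library by regular expression, and records the identifier, header, features and links. The feature patterns, record field names and sample messages are assumptions, and Referer recording is left out.

```python
import re
from email import message_from_string
from email.message import EmailMessage
from email.policy import default

# Constructed static feature library (illustrative patterns, not the patent's).
STATIC_FEATURES = {
    "script_tag": re.compile(r"<script\b", re.I),
    "event_handler": re.compile(r"\bon(?:error|load|click)\s*=", re.I),
    "javascript_uri": re.compile(r"javascript:", re.I),
}
LINK_RE = re.compile(r"""https?://[^\s"'<>]+""", re.I)

def static_scan(raw_eml):
    """Decode one message and return the record the static step keeps."""
    msg = message_from_string(raw_eml, policy=default)
    texts = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            # get_content() undoes base64/quoted-printable and the charset.
            texts.append(part.get_content())
    body = "\n".join(texts)
    features = sorted(n for n, rx in STATIC_FEATURES.items() if rx.search(body))
    links = sorted(set(LINK_RE.findall(body)))
    return {
        "id": str(msg["Message-ID"]),
        "subject": str(msg["Subject"]),
        "features": features,
        "links": links,
        # No feature and no link: released as normal mail; otherwise the
        # message goes on to the sending and dynamic analysis steps.
        "verdict": "dynamic-analysis" if features or links else "release",
    }

def build_sample(msg_id, subject, html):
    """Constructed test message with a base64-encoded HTML body."""
    m = EmailMessage()
    m["Message-ID"] = msg_id
    m["Subject"] = subject
    m.set_content(html, subtype="html", cte="base64")
    return m.as_string()

SUSPECT = build_sample("<m1@example.test>", "Invoice",
    '<img src="http://tracker.example.test/p.gif" onerror="x()">'
    '<a href="https://login.example.test/reset?u=1">reset</a>')
CLEAN = build_sample("<m2@example.test>", "Meeting", "<p>Meeting at 10.</p>")

if __name__ == "__main__":
    for raw in (SUSPECT, CLEAN):
        print(static_scan(raw))
```

Because the body is base64-encoded, a regular expression run over the raw message text would find nothing; the decode step has to come first.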
6. The mail security detection method based on combining dynamic and static analysis according to claim 5, characterized in that the log analysis step specifically includes:
1. if the system's dynamic engine detects that the device's custom log has been output, the mail is deemed malicious;
2. if the connection of an initiated request matches a related feature in the dynamic feature library, the mail is deemed malicious;
3. if the page of an initiated request contains a code input control, the mail is deemed malicious;
4. if a page requested under this domain or a subdomain acquires cookies or manipulates cookies, the mail is deemed malicious.
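The four log analysis rules of claims 4 and 6, together with the feedback into the dynamic feature library from claim 5, as an added example that is not code from the patent. The event schema and field names are hypothetical; storing library features as hostnames and reading "this domain" as the mailbox's own domain are assumptions.

```python
from urllib.parse import urlsplit

def _host(url):
    return (urlsplit(url).hostname or "").lower()

def _in_domain(host, domain):
    return host == domain or host.endswith("." + domain)

def analyse_log(link, events, dynamic_lib, mail_domain):
    """Apply rules 1-4 to one browsing session; return the rules that fired.

    link        -- the address the dynamic engine clicked (hypothetical field)
    events      -- constructed sensitive-behavior log records for that click
    dynamic_lib -- set of hostnames already known to be malicious
    """
    fired = set()
    for ev in events:
        kind = ev["kind"]
        if kind == "custom_log":                       # rule 1: canary log hit
            fired.add(1)
        elif kind == "request":
            if _host(ev["url"]) in dynamic_lib:        # rule 2: known feature
                fired.add(2)
        elif kind == "page":
            if ev.get("has_code_input"):               # rule 3: input control
                fired.add(3)
            if ev.get("cookie_access") and _in_domain(_host(ev["url"]), mail_domain):
                fired.add(4)                           # rule 4: cookie access
    host = _host(link)
    # Feedback: remember the malicious link's host, but never the mailbox's
    # own domain, or every later webmail request would match rule 2.
    if fired and host and not _in_domain(host, mail_domain):
        dynamic_lib.add(host)
    return sorted(fired)

if __name__ == "__main__":
    lib = set()
    url = "http://collect.example.test/c?id=7"   # constructed sample
    print(analyse_log(url, [{"kind": "request", "url": url},
                            {"kind": "page", "url": url, "has_code_input": True}],
                      lib, "corp.test"), lib)
```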
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510838834.4A CN105337993B (en) | 2015-11-27 | 2015-11-27 | Mail security detection device and method based on combining dynamic and static analysis |
Publications (2)
Publication Number | Publication Date |
---|---|
CN105337993A CN105337993A (en) | 2016-02-17 |
CN105337993B true CN105337993B (en) | 2018-09-07 |
Family
ID=55288275
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201510838834.4A Active CN105337993B (en) | Mail security detection device and method based on combining dynamic and static analysis | 2015-11-27 | 2015-11-27 |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN105337993B (en) |
Families Citing this family (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108256323A (en) * | 2016-12-29 | 2018-07-06 | 武汉安天信息技术有限责任公司 | A kind of detection method and device for phishing application |
US10503899B2 (en) | 2017-07-10 | 2019-12-10 | Centripetal Networks, Inc. | Cyberanalysis workflow acceleration |
CN109040016B (en) * | 2018-06-25 | 2021-04-09 | 深信服科技股份有限公司 | Information processing method and device and computer readable storage medium |
US10778689B2 (en) * | 2018-09-06 | 2020-09-15 | International Business Machines Corporation | Suspicious activity detection in computer networks |
CN112784293B (en) * | 2019-11-08 | 2024-06-04 | 游戏橘子数位科技股份有限公司 | Method for recording notice of picture acquisition |
CN111130993B (en) * | 2019-11-22 | 2022-03-29 | 北京知道创宇信息技术股份有限公司 | Information extraction method and device and readable storage medium |
CN110933067A (en) * | 2019-11-26 | 2020-03-27 | 北京知道创宇信息技术股份有限公司 | Malicious mail identification method and device, electronic equipment and storage medium |
CN111083133B (en) * | 2019-12-11 | 2021-10-22 | 公安部第三研究所 | Method and system for analyzing correlation between mail information and malicious code information |
CN112003779A (en) * | 2020-07-28 | 2020-11-27 | 杭州安恒信息技术股份有限公司 | Phishing mail detection method and medium based on dynamic and static link characteristic identification |
CN117201208B (en) * | 2023-11-08 | 2024-02-23 | 新华三网络信息安全软件有限公司 | Malicious mail identification method, malicious mail identification device, electronic equipment and storage medium |
Family Cites Families (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101667979B (en) * | 2009-10-12 | 2012-06-06 | 哈尔滨工程大学 | System and method for anti-phishing emails based on link domain name and user feedback |
CN102098235B (en) * | 2011-01-18 | 2013-08-07 | 南京邮电大学 | Fishing mail inspection method based on text characteristic analysis |
CN103297394B (en) * | 2012-02-24 | 2016-12-14 | 阿里巴巴集团控股有限公司 | Website security detection method and device |
US9317696B2 (en) * | 2012-07-10 | 2016-04-19 | Microsoft Technology Licensing, Llc | Data detection and protection policies for e-mail |
CN102833240B (en) * | 2012-08-17 | 2016-02-03 | 中国科学院信息工程研究所 | A kind of malicious code catching method and system |
Also Published As
Publication number | Publication date |
---|---|
CN105337993A (en) | 2016-02-17 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |