CN106685803A - Method and system of tracing APT attack event based on phishing mail - Google Patents


Info

Publication number: CN106685803A
Application number: CN201611248582.0A
Authority: CN (China)
Prior art keywords: source, storehouse, attack, mail, attachment files
Legal status: Pending (status as listed by Google Patents, not a legal conclusion)
Other languages: Chinese (zh)
Inventors: 任洪伟, 李柏松
Current assignee: Beijing Ahtech Network Safe Technology Ltd
Original assignee: Beijing Ahtech Network Safe Technology Ltd
Application filed by Beijing Ahtech Network Safe Technology Ltd
Priority to CN201611248582.0A
Publication of CN106685803A

Classifications

    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic (H Electricity > H04 Electric communication technique > H04L Transmission of digital information, e.g. telegraphic communication > H04L63/00 > H04L63/14)
    • H04L51/08 Annexed information, e.g. attachments (H04L51/00 User-to-user messaging in packet-switching networks, transmitted according to store-and-forward or real-time protocols, e.g. e-mail > H04L51/07 characterised by the inclusion of specific contents)
    • H04L51/42 Mailbox-related aspects, e.g. synchronisation of mailboxes (H04L51/00 User-to-user messaging in packet-switching networks)
    • H04L63/1483 Countermeasures against malicious traffic: service impersonation, e.g. phishing, pharming or web spoofing (H04L63/00 > H04L63/14 > H04L63/1441 Countermeasures against malicious traffic)

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer And Data Communications (AREA)
  • Information Transfer Between Computers (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a method and system for tracing an APT attack event based on a phishing mail. The method includes the steps of parsing a known phishing mail to obtain mail metadata, body information and attachment information; analyzing the mail metadata, body information and attachment information and generating an attack tracing library; and correlating an unknown mail with the attack tracing library and performing deep detection if a preset condition is satisfied. The mail metadata includes the sending server IP, sending time, sender, recipient and subject; the body information includes the body content and the URLs in the body content; and the attachment information includes the attachment files and the URLs in the attachment files. The technical scheme of the invention can discover an APT attack event by analyzing a known phishing mail.

Description

Method and system for tracing an APT attack event based on a phishing mail
Technical field
The present invention relates to the technical field of network security, and in particular to a method and system for tracing an APT attack event based on a phishing mail.
Background
With the development of computer networks, the internet has become an indispensable part of people's daily lives. Because vulnerabilities in operating systems and application software emerge in an endless stream, the security problems of the internet are becoming increasingly severe.
Email has become an important tool for daily work communication, and for APT attacks, phishing mail sent through social engineering is also the most commonly used attack means: the attacker collects a large amount of information about the target, then launches the attack on the target in a manner the target trusts or that counterfeits something trustworthy, so that the user is compromised.
An APT attack mainly consists of several stages, such as targeted information gathering, establishing a foothold, remote control, lateral movement, and collection and exfiltration of data. Attacks that rely on phishing mail account for a large proportion of these: the attacker gathers information about the target through phishing mail and launches the attack to establish a foothold, and if this succeeds the attacker can go on to hide within the network or collect sensitive data. Handling phishing mail is therefore very important, yet phishing mails are usually ignored, or not traced any further, so that the follow-on attack is never discovered.
Summary of the invention
To address the above technical problem, the technical solution of the invention analyzes known phishing mails to generate an attack tracing library, and performs correlation analysis between unknown mails and the attack tracing library so as to discover APT attack events in time.
The invention adopts the following method: a method for tracing an APT attack event based on a phishing mail, including:
parsing a known phishing mail to obtain mail metadata, body information and attachment information;
analyzing the mail metadata, body information and attachment information, and generating an attack tracing library;
performing correlation analysis between an unknown mail and the attack tracing library, and performing deep detection if a preset condition is satisfied;
wherein the mail metadata includes the sending server IP, sending time, sender, recipient and subject; the body information includes the body content and the URLs in the body content; and the attachment information includes the attachment files and the URLs in the attachment files.
Further, analyzing the mail metadata, body information and attachment information and generating the attack tracing library includes:
analyzing the sender in the mail metadata to obtain the sender's email address and sending mailbox domain, and recording them in the attack tracing library;
analyzing the recipient in the mail metadata to obtain the recipient mailbox domain, and recording it in the attack tracing library;
analyzing the body content and attachment files, performing word segmentation, obtaining keywords and their occurrence frequencies, and recording them in the attack tracing library;
analyzing the URLs in the body content and attachment files to obtain domain name registrant information, and recording it in the attack tracing library;
analyzing the attachment files to obtain the version information of the attachment files, and recording it in the attack tracing library.
Further, the domain name registrant information includes the domain name registrant, the registration mailbox, and the other domain names registered by that registrant.
In the above method, performing correlation analysis between the unknown mail and the attack tracing library, and performing deep detection if a preset condition is satisfied, includes:
comparing the sender of the unknown mail with the sender email addresses and sending mailbox domains in the attack tracing library, and performing deep detection if the degree of match exceeds a preset value;
analyzing the recipient domain of the unknown mail to obtain the industry keywords associated with that recipient domain;
analyzing the body content and attachment files of the unknown mail, performing word segmentation, comparing the obtained keywords with the industry keywords, and performing deep detection if they match;
comparing the keywords of the unknown mail with the keywords and occurrence frequencies in the attack tracing library, and performing deep detection if the occurrence frequencies are comparable;
comparing the URLs in the body content and attachment files of the unknown mail with the domain name registrant information in the attack tracing library, and performing deep detection if they match;
obtaining the version information of the attachment files of the unknown mail, comparing it with the version information in the attack tracing library, and performing deep detection if they match.
The deep detection includes:
detecting whether the attachment files of the unknown mail are malicious, and if so, judging that the unknown mail and the related phishing mail in the attack tracing library belong to the same APT attack event;
dynamically analyzing whether the unknown mail exhibits malicious behavior, and if so, judging that the unknown mail and the related phishing mail in the attack tracing library belong to the same APT attack event.
The invention can be implemented by the following system: a system for tracing an APT attack event based on a phishing mail, including:
a phishing mail parsing module, for parsing a known phishing mail to obtain mail metadata, body information and attachment information;
an attack tracing library generation module, for analyzing the mail metadata, body information and attachment information and generating an attack tracing library;
a mail correlation analysis module, for performing correlation analysis between an unknown mail and the attack tracing library, and performing deep detection if a preset condition is satisfied;
wherein the mail metadata includes the sending server IP, sending time, sender, recipient and subject; the body information includes the body content and the URLs in the body content; and the attachment information includes the attachment files and the URLs in the attachment files.
Further, the attack tracing library generation module is specifically configured to:
analyze the sender in the mail metadata to obtain the sender's email address and sending mailbox domain, and record them in the attack tracing library;
analyze the recipient in the mail metadata to obtain the recipient mailbox domain, and record it in the attack tracing library;
analyze the body content and attachment files, perform word segmentation, obtain keywords and their occurrence frequencies, and record them in the attack tracing library;
analyze the URLs in the body content and attachment files to obtain domain name registrant information, and record it in the attack tracing library;
analyze the attachment files to obtain the version information of the attachment files, and record it in the attack tracing library.
Further, the domain name registrant information includes the domain name registrant, the registration mailbox, and the other domain names registered by that registrant.
In the above system, the mail correlation analysis module is specifically configured to:
compare the sender of the unknown mail with the sender email addresses and sending mailbox domains in the attack tracing library, and perform deep detection if the degree of match exceeds a preset value;
analyze the recipient domain of the unknown mail to obtain the industry keywords associated with that recipient domain;
analyze the body content and attachment files of the unknown mail, perform word segmentation, compare the obtained keywords with the industry keywords, and perform deep detection if they match;
compare the keywords of the unknown mail with the keywords and occurrence frequencies in the attack tracing library, and perform deep detection if the occurrence frequencies are comparable;
compare the URLs in the body content and attachment files of the unknown mail with the domain name registrant information in the attack tracing library, and perform deep detection if they match;
obtain the version information of the attachment files of the unknown mail, compare it with the version information in the attack tracing library, and perform deep detection if they match.
The deep detection includes:
detecting whether the attachment files of the unknown mail are malicious, and if so, judging that the unknown mail and the related phishing mail in the attack tracing library belong to the same APT attack event;
dynamically analyzing whether the unknown mail exhibits malicious behavior, and if so, judging that the unknown mail and the related phishing mail in the attack tracing library belong to the same APT attack event.
In summary, the invention provides a method and system for tracing an APT attack event based on a phishing mail: the phishing mail is analyzed and traced so that the attack events related to it, and thereby the APT attack event, can be discovered. First the phishing mail is parsed to obtain its mail metadata, body information and attachment information; the mail metadata is split up to build a mail metadata database; the body content and attachment files of the mail are segmented with a tokenizer to build a segmentation (keyword) database; and the version information of the attachment files is extracted to build a version information database. The mail metadata database, keyword database and version information database are combined to generate the attack tracing library, from which the attacker information of the known phishing mail is determined. Similarity correlation analysis is then performed against other unknown mails to find the mail data related to that attacker information, and the malicious behavior of the email attachments is judged automatically by means such as multi-engine detection or behavioral analysis. If malicious code is found, and it is an exploit, a trojan, a remote-control espionage trojan or similar privilege-escalation or data-theft related malicious code, then the associated unknown mail can be judged to belong to the same APT attack event as the phishing mail.
Beneficial effect: the technical solution of the invention can use known phishing mails to discover and locate APT attack events in time, thereby reducing the loss they may cause.
Brief description of the drawings
To explain the technical solution of the embodiments more clearly, the drawings needed for the embodiments are briefly introduced below. The drawings described below are only some of the embodiments of the invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flowchart of a method embodiment for tracing an APT attack event based on a phishing mail provided by the invention;
Fig. 2 is a structural diagram of a system embodiment for tracing an APT attack event based on a phishing mail provided by the invention.
Detailed description
The invention provides embodiments of a method and system for tracing an APT attack event based on a phishing mail. So that those skilled in the art may better understand the technical solution of the embodiments, and so that the above purposes, features and advantages of the invention become clearer, the technical solution of the invention is described in further detail below with reference to the drawings.
The invention first provides a method embodiment for tracing an APT attack event based on a phishing mail, which, as shown in Fig. 1, includes:
S101: parsing a known phishing mail to obtain mail metadata, body information and attachment information. Since methods for detecting phishing mail itself are very mature and are not the focus of the invention, they are not described here.
The mail metadata includes the sending server IP, sending time, sender, recipient and subject; the body information includes the body content and the URLs in the body content; and the attachment information includes the attachment files and the URLs in the attachment files.
S102: analyzing the mail metadata, body information and attachment information and generating the attack tracing library; the purpose is to compile the attacker-related information of the phishing mail.
Specifically, one of the following operations, or a combination of two or more of them, is selected as needed:
analyzing the sender in the mail metadata to obtain the sender's email address and sending mailbox domain, and recording them in the attack tracing library; the sending mailbox domain is the part after the @ in the sender's email address, for example @qq.com;
analyzing the recipient in the mail metadata to obtain the recipient mailbox domain, and recording it in the attack tracing library; this is used to build statistics on the range of targets the attacker is aiming at;
analyzing the body content and attachment files, performing word segmentation, obtaining keywords and their occurrence frequencies, and recording them in the attack tracing library; word segmentation here is the segmentation technique used in machine learning, i.e. splitting the target content into words, for example with the jieba segmenter;
analyzing the URLs in the body content and attachment files to obtain domain name registrant information, and recording it in the attack tracing library; before the domain name registrant information is obtained, the URLs in the body content and attachment files are first filtered against a whitelist; the domain name registrant information includes the domain name registrant, the registration mailbox, and the other domain names registered by that registrant or registration mailbox, obtained by reverse whois lookup;
analyzing the attachment files to obtain their version information, and recording it in the attack tracing library. The version information includes the creation time, modification time, last modifier and so on. The purpose is to extract from the version information the development tool, the developer name, the first compilation time (the time the document was created), the last modification time (which can be used to infer the attacker's working time zone), and the like.
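As an added example (not code from the patent or its assignee), the following Python sketch implements S101 and S102 for one constructed sample message. It parses a raw RFC 5322 mail with the standard library email package, takes the sending server IP from the first Received header together with the date, sender, recipient and subject, collects the URLs in the body and in the attachment, and reads the OOXML core properties (creator, last modifier, created and modified times) of a .docx attachment as its version information. Keywords are counted with a simple regex tokenizer standing in for a segmenter such as jieba, and URL domains are filtered against a constructed whitelist before any registrant lookup; the reverse whois query itself is an external call and is not performed. Every address, domain and document property below is constructed.

```python
import base64
import io
import re
import zipfile
from collections import Counter
from email import message_from_string, policy
from xml.etree import ElementTree as ET

URL_RE = re.compile(r"https?://[^\s<>\"']+")
WORD_RE = re.compile(r"[A-Za-z][A-Za-z0-9-]{2,}")
STOPWORDS = {"the", "and", "for", "before", "please"}  # regex tokenizer stands in for jieba
# Constructed whitelist applied before any registrant lookup; the OOXML namespace URIs inside a
# .docx would otherwise surface as "URLs in the attachment".
URL_WHITELIST = {"www.google.com", "schemas.openxmlformats.org", "purl.org"}
OOXML_NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}

def _build_sample_docx() -> bytes:
    """Constructed minimal .docx container: the core-properties part plus one text run."""
    core = (
        f'<cp:coreProperties xmlns:cp="{OOXML_NS["cp"]}" xmlns:dc="{OOXML_NS["dc"]}" '
        f'xmlns:dcterms="{OOXML_NS["dcterms"]}"><dc:creator>builder01</dc:creator>'
        "<cp:lastModifiedBy>builder01</cp:lastModifiedBy>"
        "<dcterms:created>2016-11-02T01:15:00Z</dcterms:created>"
        "<dcterms:modified>2016-11-02T02:40:00Z</dcterms:modified></cp:coreProperties>"
    )
    doc = ("<w:document><w:body><w:t>Budget report for the board meeting: "
           "http://update.lure.test/report</w:t></w:body></w:document>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:  # ZIP_STORED by default, so the XML stays scannable
        zf.writestr("docProps/core.xml", core)
        zf.writestr("word/document.xml", doc)
    return buf.getvalue()

# Constructed sample message (not a real phishing mail); all addresses and domains are made up.
SAMPLE_MAIL = (
    "Received: from mx.example.test ([203.0.113.7]) by mail.victim.example\r\n"
    " with ESMTP id abc123; Wed, 02 Nov 2016 09:12:00 +0800\r\n"
    "From: xyz-0006@xxx.com\r\nTo: finance@victim.example\r\n"
    "Subject: Q4 budget review\r\nDate: Wed, 02 Nov 2016 09:11:30 +0800\r\n"
    'MIME-Version: 1.0\r\nContent-Type: multipart/mixed; boundary="B"\r\n\r\n'
    "--B\r\nContent-Type: text/plain; charset=utf-8\r\n\r\n"
    "Please review the attached budget report before the board meeting.\r\n"
    "Details: http://update.lure.test/report and http://www.google.com/\r\n"
    '--B\r\nContent-Type: application/octet-stream; name="budget.docx"\r\n'
    "Content-Transfer-Encoding: base64\r\n"
    'Content-Disposition: attachment; filename="budget.docx"\r\n\r\n'
    + base64.encodebytes(_build_sample_docx()).decode() + "--B--\r\n"
)

def parse_phishing_mail(raw: str) -> dict:
    """S101: split a known phishing mail into metadata, body information and attachment information."""
    msg = message_from_string(raw, policy=policy.default)
    received = msg.get_all("Received") or []
    ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received[0]) if received else None
    body_parts, attachments = [], []
    for part in msg.walk():
        if part.get_filename():
            attachments.append({"filename": part.get_filename(), "data": part.get_payload(decode=True)})
        elif part.get_content_type() == "text/plain":  # html bodies would need tag stripping first
            body_parts.append(part.get_content())
    body = "\n".join(body_parts)
    meta = {"server_ip": ip.group(1) if ip else None, "sent_time": str(msg["Date"]),
            "sender": str(msg["From"]), "recipient": str(msg["To"]), "subject": str(msg["Subject"])}
    return {"metadata": meta, "body": {"content": body, "urls": URL_RE.findall(body)},
            "attachments": attachments}

def attachment_version_info(data: bytes) -> dict:
    """Version information of an OOXML attachment; {} for any other file type."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            root = ET.fromstring(zf.read("docProps/core.xml"))
    except (zipfile.BadZipFile, KeyError):
        return {}
    get = lambda path: getattr(root.find(path, OOXML_NS), "text", None)
    return {"creator": get("dc:creator"), "last_modified_by": get("cp:lastModifiedBy"),
            "created": get("dcterms:created"), "modified": get("dcterms:modified")}

def build_tracing_library(parsed: dict) -> dict:
    """S102: derive the attack tracing library record for one parsed phishing mail."""
    sender = parsed["metadata"]["sender"]
    texts, urls, versions = [parsed["body"]["content"]], list(parsed["body"]["urls"]), []
    for att in parsed["attachments"]:
        raw = att["data"].decode("latin-1")
        urls += URL_RE.findall(raw)                           # URLs inside the attachment
        texts += re.findall(r"<w:t[^>]*>([^<]*)</w:t>", raw)  # visible text runs of the .docx
        if info := attachment_version_info(att["data"]):
            versions.append(info)
    words = [w.lower() for w in WORD_RE.findall(URL_RE.sub(" ", " ".join(texts)))
             if w.lower() not in STOPWORDS]
    domains = sorted({u.split("/")[2].lower() for u in urls} - URL_WHITELIST)
    return {"sender_address": sender, "sender_domain": sender.split("@")[1],
            "recipient_domains": [parsed["metadata"]["recipient"].split("@")[1]],
            "keyword_freq": dict(Counter(words)),
            # the reverse whois lookup on these domains is an external query, not done here
            "url_domains_for_registrant_lookup": domains,
            "attachment_versions": versions}
```

Running `build_tracing_library(parse_phishing_mail(SAMPLE_MAIL))` yields one library record: the sender domain xxx.com, the recipient domain victim.example, keyword counts in which "budget", "report", "board" and "meeting" each occur twice (once in the body and once in the attachment text), the single non-whitelisted domain update.lure.test queued for registrant lookup, and the attachment's creator, last modifier and timestamps. The whitelist step matters in practice: without it, every Office document would contribute the schema namespace domains to the lookup queue.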
S103: performing correlation analysis between an unknown mail and the attack tracing library, and performing deep detection if a preset condition is satisfied.
Specifically, one of the following operations, or a combination of two or more of them, is selected as needed:
comparing the sender of the unknown mail with the sender email addresses and sending mailbox domains in the attack tracing library, and performing deep detection if the degree of match exceeds a preset value;
for example, similar sender addresses: xyz-0006@xxx.com is similar to xyz-0007@xxx.com;
similar sender addresses: 0049002459@yyy.com is similar to 0049003451@yyy.com;
analyzing the recipient domain of the unknown mail to obtain the industry keywords associated with that recipient domain; then analyzing the body content and attachment files of the unknown mail, performing word segmentation, comparing the obtained keywords with the industry keywords, and performing deep detection if they match; if they match, the unknown mail is considered a targeted suspicious mail;
comparing the keywords of the unknown mail with the keywords and occurrence frequencies in the attack tracing library, and performing deep detection if the occurrence frequencies are comparable; comparable occurrence frequencies indicate that the unknown mail is one of many phishing mails suspected to have been launched by the same attacker, and once the unknown mail is confirmed to be a phishing mail it can itself be analyzed and the attack tracing library updated;
comparing the URLs in the body content and attachment files of the unknown mail with the domain name registrant information in the attack tracing library, and performing deep detection if they match;
obtaining the version information of the attachment files of the unknown mail, comparing it with the version information in the attack tracing library, and performing deep detection if they match.
The deep detection includes:
detecting whether the attachment files of the unknown mail are malicious, and if so, judging that the unknown mail and the related phishing mail in the attack tracing library belong to the same APT attack event; malicious here covers exploits, backdoors, espionage trojans and similar malicious programs used for privilege escalation or data theft;
dynamically analyzing whether the unknown mail exhibits malicious behavior, and if so, judging that the unknown mail and the related phishing mail in the attack tracing library belong to the same APT attack event; the malicious behavior is the behavior of malicious code of the kinds listed above.
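The S103 correlation step, as an added example in Python (not the patent's or the assignee's code): it takes one constructed attack tracing library record of the kind S102 produces, including a registrant entry standing in for a reverse whois result, and evaluates the five preset conditions for an already-parsed unknown mail. Sender similarity is a character-level ratio from difflib, so the two address pairs the description gives as "similar" score above the threshold; "comparable occurrence frequencies" is read as a high cosine similarity between keyword-frequency vectors; the industry keyword table, the thresholds and all addresses, domains and document properties are assumed values. Deep detection itself (attachment scanning and dynamic analysis by external engines) is outside the example; the function only decides whether a mail should be sent there.

```python
from difflib import SequenceMatcher
from math import sqrt

# Constructed attack tracing library with one record (hypothetical values). The registrant entry
# stands in for what a reverse whois lookup on the phishing mail's URL domains would have returned.
TRACING_LIBRARY = [{
    "sender_address": "xyz-0006@xxx.com",
    "sender_domain": "xxx.com",
    "keyword_freq": {"budget": 2, "report": 2, "board": 2, "meeting": 2, "review": 1},
    "registrants": [{"registrant": "J. Doe (constructed)", "registration_mailbox": "jdoe@mail.test",
                     "domains": ["update.lure.test", "cdn.lure.test"]}],
    "attachment_versions": [{"creator": "builder01", "last_modified_by": "builder01"}],
}]
# Constructed mapping from recipient mailbox domain to the industry keywords it implies.
INDUSTRY_KEYWORDS = {"victim.example": {"budget", "invoice", "finance", "audit"}}
# Preset thresholds; the patent leaves the values to the operator, so these are assumed.
SENDER_MATCH_MIN = 0.8
FREQ_SIMILARITY_MIN = 0.7

def sender_similarity(a: str, b: str) -> float:
    """Character-level similarity of two addresses, so xyz-0006@xxx.com scores high against
    xyz-0007@xxx.com. Bare domain equality is deliberately not used as a condition: for a
    public mail provider it would route every mail from that provider to deep detection."""
    return SequenceMatcher(None, a.lower(), b.lower()).ratio()

def frequency_similarity(freq_a: dict, freq_b: dict) -> float:
    """Cosine similarity of two keyword-frequency vectors; 'comparable frequencies' is read
    here as a cosine at or above FREQ_SIMILARITY_MIN (an assumed interpretation)."""
    dot = sum(freq_a.get(k, 0) * freq_b.get(k, 0) for k in set(freq_a) | set(freq_b))
    norm = sqrt(sum(v * v for v in freq_a.values())) * sqrt(sum(v * v for v in freq_b.values()))
    return dot / norm if norm else 0.0

def correlate(unknown: dict, library=TRACING_LIBRARY) -> dict:
    """S103: evaluate each preset condition for an already-parsed unknown mail; any hit marks
    the mail for deep detection by the external static and dynamic analysis engines."""
    kw = unknown["keyword_freq"]
    url_domains = set(unknown["url_domains"])
    industry = INDUSTRY_KEYWORDS.get(unknown["recipient"].split("@")[1], set())
    hits = {"sender": False, "industry_keyword": bool(industry & set(kw)),
            "keyword_frequency": False, "url_registrant": False, "attachment_version": False}
    for rec in library:
        if sender_similarity(unknown["sender"], rec["sender_address"]) >= SENDER_MATCH_MIN:
            hits["sender"] = True
        if frequency_similarity(kw, rec["keyword_freq"]) >= FREQ_SIMILARITY_MIN:
            hits["keyword_frequency"] = True
        if any(url_domains & set(reg["domains"]) for reg in rec["registrants"]):
            hits["url_registrant"] = True
        for known in rec["attachment_versions"]:
            for ver in unknown["attachment_versions"]:
                if (known["creator"] == ver.get("creator")
                        or known["last_modified_by"] == ver.get("last_modified_by")):
                    hits["attachment_version"] = True
    hits["deep_detection_required"] = any(hits.values())
    return hits

# Constructed unknown mails in the form the parsing stage would deliver them.
SUSPECT_MAIL = {
    "sender": "xyz-0007@xxx.com", "recipient": "hr@victim.example",
    "keyword_freq": {"budget": 2, "report": 1, "board": 2, "meeting": 2, "agenda": 1},
    "url_domains": ["cdn.lure.test"],
    "attachment_versions": [{"creator": "builder01", "last_modified_by": "other"}],
}
BENIGN_MAIL = {
    "sender": "news@shop.example", "recipient": "hr@victim.example",
    "keyword_freq": {"sale": 3, "shoes": 2, "discount": 1},
    "url_domains": ["www.shop.example"], "attachment_versions": [],
}

if __name__ == "__main__":
    for name, mail in (("suspect", SUSPECT_MAIL), ("benign", BENIGN_MAIL)):
        print(name, correlate(mail))
```

For the suspect mail every condition fires: the sender differs from the library entry by one character, the recipient's industry keyword "budget" appears, the keyword vector is close to the library's, one URL domain belongs to the same registrant, and the attachment carries the same creator. The benign newsletter triggers none. In deployment the per-condition flags are worth keeping alongside the final decision: a sender hit alone is weak evidence, while a registrant or attachment-metadata hit is much harder for a sender to produce by accident.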
The invention then provides a system embodiment for tracing an APT attack event based on a phishing mail, which, as shown in Fig. 2, includes:
a phishing mail parsing module 201, for parsing a known phishing mail to obtain mail metadata, body information and attachment information;
an attack tracing library generation module 202, for analyzing the mail metadata, body information and attachment information and generating an attack tracing library;
a mail correlation analysis module 203, for performing correlation analysis between an unknown mail and the attack tracing library, and performing deep detection if a preset condition is satisfied;
wherein the mail metadata includes the sending server IP, sending time, sender, recipient and subject; the body information includes the body content and the URLs in the body content; and the attachment information includes the attachment files and the URLs in the attachment files.
Preferably, the attack tracing library generation module is specifically configured to:
analyze the sender in the mail metadata to obtain the sender's email address and sending mailbox domain, and record them in the attack tracing library;
analyze the recipient in the mail metadata to obtain the recipient mailbox domain, and record it in the attack tracing library;
analyze the body content and attachment files, perform word segmentation, obtain keywords and their occurrence frequencies, and record them in the attack tracing library;
analyze the URLs in the body content and attachment files to obtain domain name registrant information, and record it in the attack tracing library;
analyze the attachment files to obtain the version information of the attachment files, and record it in the attack tracing library.
More preferably, the domain name registrant information includes the domain name registrant, the registration mailbox, and the other domain names registered by that registrant.
In the above system embodiment, the mail correlation analysis module is specifically configured to:
compare the sender of the unknown mail with the sender email addresses and sending mailbox domains in the attack tracing library, and perform deep detection if the degree of match exceeds a preset value;
analyze the recipient domain of the unknown mail to obtain the industry keywords associated with that recipient domain;
analyze the body content and attachment files of the unknown mail, perform word segmentation, compare the obtained keywords with the industry keywords, and perform deep detection if they match;
compare the keywords of the unknown mail with the keywords and occurrence frequencies in the attack tracing library, and perform deep detection if the occurrence frequencies are comparable;
compare the URLs in the body content and attachment files of the unknown mail with the domain name registrant information in the attack tracing library, and perform deep detection if they match;
obtain the version information of the attachment files of the unknown mail, compare it with the version information in the attack tracing library, and perform deep detection if they match.
The deep detection includes:
detecting whether the attachment files of the unknown mail are malicious, and if so, judging that the unknown mail and the related phishing mail in the attack tracing library belong to the same APT attack event;
dynamically analyzing whether the unknown mail exhibits malicious behavior, and if so, judging that the unknown mail and the related phishing mail in the attack tracing library belong to the same APT attack event.
The embodiments in this specification are described progressively: each embodiment concentrates on its differences from the others, and the same or similar parts of the embodiments can be referred to one another. The system embodiment in particular is basically similar to the method embodiment, so its description is relatively brief; for the related parts, refer to the description of the method embodiment.
The above embodiments trace the source through a known phishing mail, obtain the attack tracing library related to that phishing mail, perform correlation analysis between unknown mails and the generated attack tracing library, and finally judge whether an unknown mail is an APT attack event associated with the known phishing mail.
The above embodiments are intended to illustrate, and not to limit, the technical solution of the invention. Any modification or partial replacement that does not depart from the spirit and scope of the invention should fall within the scope of the claims of the invention.

Claims (10)

1. a kind of method of APT attacks of being traced to the source based on fishing mail, it is characterised in that including:
The known fishing mail of parsing, obtains mail metadata, text message and accessory information;
Analysis mail metadata, text message and accessory information, and generate attack and trace to the source storehouse;
Unknown mails and the attack storehouse of tracing to the source are associated analysis, if meet it is pre-conditioned if carry out depth detection;
Wherein, the mail metadata includes:Outbox server ip, outbox time, sender, addressee, theme;The text Information includes the URL in body matter and body matter;The accessory information includes the URL in attachment files and attachment files.
2. the method for claim 1, it is characterised in that the analysis mail metadata, text message and accessory information, And generate attack and trace to the source storehouse, including:
The sender of mail metadata is analyzed, sender's email address and outbox mailbox domain is obtained and is charged to attack and trace to the source storehouse;
The addressee of mail metadata is analyzed, addressee mailbox domain is obtained and is charged to attack and trace to the source storehouse;
Analysis body matter and attachment files, and word segmentation processing is carried out, obtain keyword and the frequency of occurrences and charge to attack and trace to the source Storehouse;
URL in analysis body matter and attachment files, obtains domain name registration people relevant information and charges to attack and trace to the source storehouse;
Analysis attachment files, obtain the version information of attachment files and charge to attack and trace to the source storehouse.
3. method as claimed in claim 2, it is characterised in that acquisition domain name registration people's relevant information, including:Domain name is noted Volume people, registration mailbox, other domain-name informations of domain name registrant registration.
4. The method according to claim 2 or 3, wherein correlating the unknown mail with the attack-tracing database and performing deep inspection if a preset condition is met comprises:
comparing the sender of the unknown mail with the sender email addresses and sending-mailbox domains in the attack-tracing database, and performing deep inspection if the degree of match exceeds a preset value;
analyzing the recipient domain of the unknown mail to obtain the industry keywords associated with that recipient domain;
analyzing the body content and the attachment files of the unknown mail with word segmentation, comparing the keywords obtained with the industry keywords, and performing deep inspection if they match;
comparing the keywords of the unknown mail with the keywords and frequencies of occurrence in the attack-tracing database, and performing deep inspection if the frequencies of occurrence are comparable;
comparing the URLs in the body content and the attachment files of the unknown mail with the domain-name registrant information in the attack-tracing database, and performing deep inspection if they match;
obtaining the version information of the attachment files of the unknown mail, comparing it with the version information in the attack-tracing database, and performing deep inspection if they match.
5. The method according to claim 4, wherein performing deep inspection comprises:
detecting whether the attachment files of the unknown mail are malicious, and if so, determining that the unknown mail and the related phishing mail in the attack-tracing database belong to the same APT attack;
dynamically analyzing whether the unknown mail exhibits malicious behaviour, and if so, determining that the unknown mail and the related phishing mail in the attack-tracing database belong to the same APT attack.
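The method of claims 2 to 5, worked through as an added Python example (this is not the patent's code; the application publishes none). It extracts the metadata, text and attachment features that claim 2 enumerates from known phishing mails, builds the attack-tracing store, and then correlates an unknown mail against it as claim 4 describes, returning the indicators that would route the mail to deep inspection. Everything the claims leave unspecified is an assumption here: the WHOIS registrant table and the recipient-domain industry-keyword table are constructed stand-ins for live lookups; the OOXML AppVersion property stands in for the unspecified "version information" of an attachment; cosine similarity over keyword counts with a 0.6 cut-off stands in for "comparable" frequencies; the sender score (1.0 for an identical address, 0.5 for a shared domain, preset value 0.4) is invented; and the sample mails, domains and IPs are constructed. The deep inspection of claim 5 (static maliciousness check and dynamic analysis of the attachment) is not reproduced.

```python
import email
import email.policy
import email.utils
import io
import re
import zipfile
from collections import Counter
from email.message import EmailMessage

URL_RE = re.compile(r"https?://[^\s\"'<>)]+")
RECEIVED_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
TOKEN_RE = re.compile(r"[a-z][a-z-]{3,}")
STOPWORDS = {"please", "this", "that", "from", "your", "have", "attached"}
SENDER_THRESHOLD = 0.4  # assumed "preset value" for the sender match
FREQ_THRESHOLD = 0.6    # assumed cut-off for "comparable" keyword frequencies

# Constructed, offline stand-in for WHOIS registrant data; not real registrants.
REGISTRANT_DB = {"grid-invoice.test": "jdoe@mailbox.test", "grid-payroll.test": "jdoe@mailbox.test"}
# Constructed recipient-domain -> industry-keyword table.
INDUSTRY_KEYWORDS = {"grid.example": {"substation", "scada", "outage", "transformer"}}

def url_registrant(url):
    host = url.split("//", 1)[1].split("/", 1)[0].lower()
    return REGISTRANT_DB.get(".".join(host.split(".")[-2:]))  # naive eTLD+1

def ooxml_info(blob):
    """(AppVersion, visible text) of an OOXML attachment; (None, '') if not OOXML."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            app = zf.read("docProps/app.xml").decode("utf-8", "replace")
            doc = zf.read("word/document.xml").decode("utf-8", "replace")
    except (zipfile.BadZipFile, KeyError):
        return None, ""
    m = re.search(r"<AppVersion>([^<]+)</AppVersion>", app)
    return (m.group(1) if m else None), re.sub(r"<[^>]+>", " ", doc)

def parse_mail(raw):
    """Extract the metadata, text and attachment features the claims enumerate."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    sender = email.utils.parseaddr(msg.get("From", ""))[1].lower()
    rcpt = email.utils.parseaddr(msg.get("To", ""))[1].lower()
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    urls, versions, att_text = URL_RE.findall(text), [], ""
    for part in msg.iter_attachments():
        ver, t = ooxml_info(part.get_payload(decode=True) or b"")
        versions += [ver] if ver else []
        att_text += " " + t
        urls += URL_RE.findall(t)
    tokens = TOKEN_RE.findall(URL_RE.sub(" ", text + att_text).lower())
    return {
        "server_ips": [m.group(1) for h in msg.get_all("Received", [])
                       for m in [RECEIVED_IP_RE.search(h)] if m],
        "date": str(msg.get("Date")), "subject": str(msg.get("Subject")),
        "sender": sender, "sender_domain": sender.rpartition("@")[2],
        "rcpt_domain": rcpt.rpartition("@")[2], "urls": urls,
        "keywords": Counter(t for t in tokens if t not in STOPWORDS),
        "registrants": [r for r in map(url_registrant, urls) if r],
        "versions": versions,
    }

def build_store(known_phishing):
    return [parse_mail(raw) for raw in known_phishing]

def cosine(a, b):
    num = sum(a[k] * b[k] for k in a.keys() & b.keys())
    den = (sum(v * v for v in a.values()) * sum(v * v for v in b.values())) ** 0.5
    return num / den if den else 0.0

def correlate(unknown_raw, store):
    """Return the parsed features and the indicators that would trigger deep inspection."""
    u, reasons = parse_mail(unknown_raw), set()
    if INDUSTRY_KEYWORDS.get(u["rcpt_domain"], set()) & set(u["keywords"]):
        reasons.add("industry-keyword")
    for k in store:
        score = 1.0 if u["sender"] == k["sender"] else (
            0.5 if u["sender_domain"] == k["sender_domain"] else 0.0)
        if score > SENDER_THRESHOLD:
            reasons.add("sender")
        if cosine(u["keywords"], k["keywords"]) >= FREQ_THRESHOLD:
            reasons.add("keyword-frequency")
        if set(u["registrants"]) & set(k["registrants"]):
            reasons.add("registrant")
        if set(u["versions"]) & set(k["versions"]):
            reasons.add("attachment-version")
    return u, sorted(reasons)

def make_docx(app_version, text):
    """Constructed minimal OOXML container holding only the two parts read above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docProps/app.xml", f"<Properties><AppVersion>{app_version}</AppVersion></Properties>")
        zf.writestr("word/document.xml", f"<w:document><w:t>{text}</w:t></w:document>")
    return buf.getvalue()

def make_mail(frm, to, subject, body, docx=None, ip="203.0.113.10"):
    """Constructed sample mail; names, domains and IPs are documentation values."""
    m = EmailMessage()
    m["Received"] = f"from mx.sender.test ([{ip}]) by mx.grid.example; Thu, 29 Dec 2016 09:00:00 +0800"
    m["From"], m["To"], m["Subject"] = frm, to, subject
    m["Date"] = "Thu, 29 Dec 2016 09:00:00 +0800"
    m.set_content(body)
    if docx:
        m.add_attachment(docx, maintype="application", filename="notice.docx",
                         subtype="vnd.openxmlformats-officedocument.wordprocessingml.document")
    return m.as_bytes()

KNOWN_PHISHING = [make_mail(
    "Dispatch <dispatch@grid-invoice.test>", "ops@grid.example", "Substation outage report",
    "Please review the substation outage report at http://grid-invoice.test/report",
    make_docx("14.0000", "substation outage scada transformer"))]
UNKNOWN = make_mail(  # same lure, new sender domain, same registrant and same Office build
    "Billing <billing@grid-payroll.test>", "control@grid.example", "Urgent: report",
    "Please review the substation outage report: http://grid-payroll.test/report",
    make_docx("14.0000", "scada transformer outage"))
BENIGN = make_mail("HR <hr@grid.example>", "ops@grid.example", "Holiday schedule",
                   "The holiday schedule for January is attached.", ip="192.0.2.5")

if __name__ == "__main__":
    print(correlate(UNKNOWN, build_store(KNOWN_PHISHING))[1])
```

Run as a script, it prints the indicators raised for the constructed UNKNOWN mail (registrant, attachment version, industry keywords and keyword frequency all match even though the sender changed); the BENIGN mail raises none. Two caveats for real use: registrant correlation depends on WHOIS data that is commonly redacted today, and the last-two-labels domain reduction mishandles multi-label public suffixes such as co.uk, so a deployment would use a public-suffix list instead.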
6. A system for tracing an APT attack based on phishing mail, comprising:
a phishing-mail parsing module, for parsing known phishing mails to obtain mail metadata, text information and attachment information;
an attack-tracing database generation module, for analyzing the mail metadata, text information and attachment information, and generating the attack-tracing database;
a mail correlation analysis module, for correlating unknown mails with the attack-tracing database and performing deep inspection if a preset condition is met;
wherein the mail metadata comprises the sending server IP, sending time, sender, recipient and subject; the text information comprises the body content and the URLs in the body content; and the attachment information comprises the attachment files and the URLs in the attachment files.
7. The system according to claim 6, wherein the attack-tracing database generation module is specifically configured to:
analyze the sender in the mail metadata to obtain the sender email address and the sending-mailbox domain, and record them in the attack-tracing database;
analyze the recipient in the mail metadata to obtain the recipient mailbox domain, and record it in the attack-tracing database;
analyze the body content and the attachment files, perform word segmentation, obtain the keywords and their frequencies of occurrence, and record them in the attack-tracing database;
analyze the URLs in the body content and the attachment files to obtain domain-name registrant information, and record it in the attack-tracing database;
analyze the attachment files to obtain the version information of the attachment files, and record it in the attack-tracing database.
8. The system according to claim 7, wherein the domain-name registrant information obtained comprises: the domain-name registrant, the registration mailbox, and the other domain names registered by that registrant.
9. The system according to claim 7 or 8, wherein the mail correlation analysis module is specifically configured to:
compare the sender of the unknown mail with the sender email addresses and sending-mailbox domains in the attack-tracing database, and perform deep inspection if the degree of match exceeds a preset value;
analyze the recipient domain of the unknown mail to obtain the industry keywords associated with that recipient domain;
analyze the body content and the attachment files of the unknown mail with word segmentation, compare the keywords obtained with the industry keywords, and perform deep inspection if they match;
compare the keywords of the unknown mail with the keywords and frequencies of occurrence in the attack-tracing database, and perform deep inspection if the frequencies of occurrence are comparable;
compare the URLs in the body content and the attachment files of the unknown mail with the domain-name registrant information in the attack-tracing database, and perform deep inspection if they match;
obtain the version information of the attachment files of the unknown mail, compare it with the version information in the attack-tracing database, and perform deep inspection if they match.
10. The system according to claim 9, wherein performing deep inspection comprises:
detecting whether the attachment files of the unknown mail are malicious, and if so, determining that the unknown mail and the related phishing mail in the attack-tracing database belong to the same APT attack;
dynamically analyzing whether the unknown mail exhibits malicious behaviour, and if so, determining that the unknown mail and the related phishing mail in the attack-tracing database belong to the same APT attack.
Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN201611248582.0A | 2016-12-29 | 2016-12-29 | Method and system of tracing APT attack event based on phishing mail

Applications Claiming Priority (1)

Application Number | Priority Date | Filing Date | Title
CN201611248582.0A (CN106685803A, en) | 2016-12-29 | 2016-12-29 | Method and system of tracing APT attack event based on phishing mail

Publications (1)

Publication Number | Publication Date
CN106685803A (en) | 2017-05-17

Family

ID=58873496

Family Applications (1)

Application Number | Title | Priority Date | Filing Date
CN201611248582.0A (Pending, CN106685803A, en) | Method and system of tracing APT attack event based on phishing mail | 2016-12-29 | 2016-12-29

Country Status (1)

Country | Link
CN (1) | CN106685803A (en)

Cited By (17)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107171950A (en) * 2017-07-20 2017-09-15 国网上海市电力公司 Method for identifying threat behaviour in email bodies
CN108875364A (en) * 2017-12-29 2018-11-23 北京安天网络安全技术有限公司 Threat determination method and device for unknown files, electronic device and storage medium
CN109039874A (en) * 2018-09-17 2018-12-18 杭州安恒信息技术股份有限公司 Mail auditing method and device based on behaviour analysis
CN109474567A (en) * 2017-10-19 2019-03-15 公安部第三研究所 DDoS attack source tracing method, device, storage medium and electronic device
CN109861995A (en) * 2019-01-17 2019-06-07 安徽谛听信息科技有限公司 Intelligent analysis method for cyberspace security big data, and computer-readable medium
CN110730193A (en) * 2019-10-29 2020-01-24 腾讯科技(深圳)有限公司 Method, device, server and storage medium for guaranteeing network security
CN110868378A (en) * 2018-12-17 2020-03-06 北京安天网络安全技术有限公司 Phishing mail detection method and device, electronic device and storage medium
CN110995576A (en) * 2019-12-16 2020-04-10 深信服科技股份有限公司 Mail detection method, device, equipment and storage medium
CN111083110A (en) * 2019-11-14 2020-04-28 国网河南省电力公司驻马店供电公司 Information network abnormal mail monitoring system linked with a manageable switch
CN111083133A (en) * 2019-12-11 2020-04-28 公安部第三研究所 Method and system for analyzing correlation between mail information and malicious code information
CN111092902A (en) * 2019-12-26 2020-05-01 中国科学院信息工程研究所 Attachment-camouflage-oriented spear-phishing mail discovery method and device
CN111147489A (en) * 2019-12-26 2020-05-12 中国科学院信息工程研究所 Link-camouflage-oriented spear-phishing mail discovery method and device
CN112839061A (en) * 2021-03-04 2021-05-25 哈尔滨安天科技集团股份有限公司 Tracing method and device based on regional characteristics
CN113938311A (en) * 2021-11-12 2022-01-14 北京中睿天下信息技术有限公司 Mail attack tracing method and system
CN114143112A (en) * 2021-12-08 2022-03-04 赛尔网络有限公司 Malicious attack mail analysis method, device, equipment and medium
CN115001868A (en) * 2022-08-01 2022-09-02 北京微步在线科技有限公司 APT attack homology analysis method and device, electronic device and storage medium
CN115952207A (en) * 2022-12-21 2023-04-11 北京中睿天下信息技术有限公司 Threat mail storage method and system based on the StarRocks database

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101667979A (en) * 2009-10-12 2010-03-10 哈尔滨工程大学 Anti-phishing email system and method based on link domain names and user feedback
CN105721416A (en) * 2015-11-16 2016-06-29 哈尔滨安天科技股份有限公司 APT event attack organization homology analysis method and apparatus
CN105743876A (en) * 2015-08-28 2016-07-06 哈尔滨安天科技股份有限公司 Method and system for discovering targeted attacks based on email source data

Similar Documents

Publication Publication Date Title
CN106685803A (en) Method and system of tracing APT attack event based on phishing mail
Patil et al. Detection and prevention of phishing websites using machine learning approach
CN109510815B (en) Multi-level phishing website detection method and system based on supervised learning
Mahajan et al. Phishing website detection using machine learning algorithms
US11030311B1 (en) Detecting and protecting against computing breaches based on lateral movement of a computer file within an enterprise
US11188650B2 (en) Detection of malware using feature hashing
Blum et al. Lexical feature based phishing URL detection using online learning
Al-Asli et al. Review of signature-based techniques in antivirus products
US10397256B2 (en) Spam classification system based on network flow data
Verma et al. Detecting phishing emails the natural language way
US9043917B2 (en) Automatic signature generation for malicious PDF files
JP4672285B2 (en) Source and destination features and lists for spam prevention
JP4916316B2 (en) Method and system for URL-based screening of electronic communications
US10038706B2 (en) Systems, devices, and methods for separating malware and background events
WO2021136314A1 (en) Threat intelligence knowledge graph construction method and device based on mail data
JP2007503660A (en) Method and apparatus for filtering email spam based on similarity measures
Lee et al. LARGen: automatic signature generation for Malwares using latent Dirichlet allocation
CN110177114A (en) The recognition methods of network security threats index, unit and computer readable storage medium
CN106529294B (en) A method of determine for mobile phone viruses and filters
CN112333185A (en) Domain name shadow detection method and device based on DNS (Domain name Server) resolution
Priya et al. Detection of phishing websites using C4. 5 data mining algorithm
US8910281B1 (en) Identifying malware sources using phishing kit templates
CN110245195B (en) Structured query language injection detection method and device based on honeypot system
US12067120B2 (en) Classifier generator
US12041076B2 (en) Detecting visual similarity between DNS fully qualified domain names

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20170517