CN108200105A - Method and device for detecting phishing email - Google Patents


Publication number
CN108200105A
Authority
CN
China
Prior art keywords
target email
email
information
phishing
phishing email
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
CN201810279466.8A
Other languages
Chinese (zh)
Inventor
林裕金
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hangzhou DPTech Technologies Co Ltd
Original Assignee
Hangzhou DPTech Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hangzhou DPTech Technologies Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1483 Countermeasures against malicious traffic service impersonation, e.g. phishing, pharming or web spoofing
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L51/00 User-to-user messaging in packet-switching networks, transmitted according to store-and-forward or real-time protocols, e.g. e-mail
    • H04L51/21 Monitoring or handling of messages
    • H04L51/212 Monitoring or handling of messages using filtering or selective blocking
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L51/00 User-to-user messaging in packet-switching networks, transmitted according to store-and-forward or real-time protocols, e.g. e-mail
    • H04L51/42 Mailbox-related aspects, e.g. synchronisation of mailboxes
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

The application provides a method and device for detecting phishing email, applied to a security device that is connected to several terminal devices in a target LAN. The method includes: receiving log information of a target email reported by a terminal device; matching the log information against a preset threat intelligence database to determine whether the log information hits any threat intelligence; if the match is unsuccessful, delivering the attachment of the target email into a preset sandbox for dynamic detection, and determining, based on the detection result, whether the target email is a phishing email; if so, generating alert information. In this technical solution, the security device combines threat intelligence and sandbox techniques to detect phishing email, which effectively increases the accuracy of the detection result.

Description

Method and device for detecting phishing email
Technical field
This application relates to the field of security protection, and in particular to a method and device for detecting phishing email.
Background
Network attackers typically forge normal-looking email and use social engineering techniques to lure users into clicking links in the email or downloading attachment files, thereby attacking the end host. Such an attack is a phishing attack. The phishing emails that are sent make large-scale infection and propagation of malicious code (including ransomware) much easier, are highly harmful, and readily lead to leakage of user account information and loss of property.
In the prior art, phishing email is mainly filtered by the "keyword method" and the "check code method". The former filters email according to specified words (for example, "tax avoidance" or "invoicing on behalf of others"). The latter computes a check code (for example, a hash value) of the body or attachment of an email, compares that check code with the check codes of known phishing emails, and filters out email whose check code is identical to that of a phishing email.
However, these schemes require the feature database that records the specified words or check codes to be continually updated and maintained, and they cannot filter phishing email that matches nothing in the feature database, so their effectiveness is unsatisfactory.
Summary of the invention
In view of this, the application provides a method and device for detecting phishing email, so as to filter phishing email effectively.
Specifically, the application is implemented through the following technical solution:
A method for detecting phishing email, applied to a security device, the security device being connected to several terminal devices in a target LAN; the method includes:
receiving log information of a target email reported by the terminal device;
matching the log information against a preset threat intelligence database to determine whether the log information hits any threat intelligence;
if the match is unsuccessful, delivering the attachment of the target email into a preset sandbox for dynamic detection, and determining, based on the detection result, whether the target email is a phishing email; if so, generating alert information.
In the method for detecting phishing email, the method further includes:
if the match is successful, determining that the target email is a phishing email and generating alert information.
In the method for detecting phishing email, the target LAN further includes a gateway device carrying a mail gateway, and the target email is filtered by the mail gateway in advance;
the method further includes:
when the target email is determined to be a phishing email, extracting the specified features of the target email;
adding the specified features of the target email to the feature database of the mail gateway.
In the method for detecting phishing email, the method further includes:
when the target email is determined to be a phishing email, generating new threat intelligence based on the log information of the target email, and adding the threat intelligence to the threat intelligence database.
In the method for detecting phishing email, the method further includes:
when the target email is determined to be a phishing email, associating the alert information with a designated user identifier to generate an alert work order.
A device for detecting phishing email, applied to a security device, the security device being connected to several terminal devices in a target LAN; the device includes:
a receiving unit, configured to receive log information of a target email reported by the terminal device;
a matching unit, configured to match the log information against a preset threat intelligence database and determine whether the log information hits any threat intelligence;
an alert unit, configured to, if the match is unsuccessful, deliver the attachment of the target email into a preset sandbox for dynamic detection, and determine, based on the detection result, whether the target email is a phishing email; if so, generate alert information.
In the device for detecting phishing email, the device further includes:
the alert unit, further configured to, if the match is successful, determine that the target email is a phishing email and generate alert information.
In the device for detecting phishing email, the target LAN further includes a gateway device carrying a mail gateway, and the target email is filtered by the mail gateway in advance;
the device further includes:
an extraction unit, configured to extract the specified features of the target email when the target email is determined to be a phishing email;
a first updating unit, configured to add the specified features of the target email to the feature database of the mail gateway.
In the device for detecting phishing email, the device further includes:
a second updating unit, configured to, when the target email is determined to be a phishing email, generate new threat intelligence based on the log information of the target email and add the threat intelligence to the threat intelligence database.
In the device for detecting phishing email, the alert unit is further configured to:
when the target email is determined to be a phishing email, associate the alert information with a designated user identifier to generate an alert work order.
In the technical solution of the application, after the security device receives the log information of a target email reported by a terminal device in the target LAN, it matches the log information against a preset threat intelligence database to determine whether the log information hits any threat intelligence; if the match is unsuccessful, it delivers the attachment of the target email into a preset sandbox for dynamic detection and determines, based on the detection result, whether the target email is a phishing email; if so, it generates alert information.
In this application, the security device first uses a threat intelligence database shared across the whole network to filter the log information of the target email. When that cannot determine whether the target email is a phishing email, the attachment of the target email is delivered into a sandbox for dynamic detection, so that a further judgment on the target email is made based on the detection result. This improves the accuracy of phishing email detection.
Description of the drawings
Fig. 1 is a flowchart of a method for detecting phishing email shown in the application;
Fig. 2 is a LAN architecture diagram shown in the application;
Fig. 3 is a block diagram of an embodiment of a device for detecting phishing email shown in the application;
Fig. 4 is a hardware structure diagram of a device for detecting phishing email shown in the application.
Detailed description
To enable those skilled in the art to better understand the technical solutions in the embodiments of the present invention, and to make the above objects, features and advantages of the embodiments more apparent, the prior art and the technical solutions in the embodiments of the present invention are described in further detail below with reference to the accompanying drawings.
Phishing email can be detected by the "keyword method" and the "check code method", both of which require a feature database to be continually updated and maintained. For the "keyword method", the feature database records the specified words to be matched; for the "check code method", the feature database records the check codes of the body or attachments of known phishing emails.
The defect of these methods is that they cannot filter phishing email that matches nothing in the feature database, so the filtering effect is unsatisfactory.
In view of this, the application proposes a scheme for detecting phishing email. The scheme combines threat intelligence and sandbox techniques to inspect email multiple times, improving the accuracy of phishing email detection.
Referring to Fig. 1, which is a flowchart of a method for detecting phishing email shown in the application, the method is applied to a security device and includes the following steps:
Step 101: Receive the log information of a target email reported by the terminal device.
The security device is connected to several terminal devices in the target LAN and can receive the log information of a target email reported by any terminal device. A terminal device is a terminal in the LAN that receives email, and may be a computer, a mobile phone, or the like.
Referring to Fig. 2, which is a LAN architecture diagram shown in the application: the LAN includes 4 computers, and the security device is connected to each computer through the gateway device of the LAN.
In one embodiment, the gateway device of the target LAN may carry a mail gateway. The mail gateway has a corresponding feature database, which contains specified features of email. The specified features may include source address, protocol number, destination address, port number, and so on. The feature database may of course contain other content; for details, refer to the features used in existing mail gateway implementations, which the application does not describe further here.
When the gateway device receives a target email sent to the target LAN, the mail gateway can first filter the target email, which constitutes the first inspection of the target email.
On the one hand, if the specified features extracted from the target email hit any specified feature in the feature database, the target email can be deleted directly;
on the other hand, if the specified features extracted from the target email do not hit any specified feature in the feature database, the target email is forwarded to the terminal device in the target LAN.
The gateway device of the target LAN may also not carry a mail gateway, in which case it forwards the received target email directly to the terminal device in the target LAN.
Any terminal device that receives the target email can extract the log information of the target email. The log information may include one or more of the following: the attachment of the target email, the time of receipt, the source address, the sender's mailbox, the body content, and any URLs (Uniform Resource Locators) carried in the email.
Note that the log information can be generated in a preset format to facilitate subsequent processing. For example, the attachment of the target email can be processed with MD5 (Message-Digest Algorithm 5) and recorded in the log information as an MD5 value, and the features included in the log information can be arranged in a preset order.
In one embodiment, the log information may also include content such as traffic logs detected by DPI (Deep Packet Inspection), so that the security device can subsequently detect phishing email based on more features of the target email.
Step 102: Match the log information against a preset threat intelligence database to determine whether the log information hits any threat intelligence.
The threat intelligence in the threat intelligence database is mainly derived from the global network environment. A large amount of threat intelligence can be preconfigured, which ensures the accuracy of the detection result when phishing email is detected through threat intelligence. Threat intelligence may include criteria for identifying phishing email (for example, the MD5 value of a phishing email's attachment, its source address, sender's mailbox, body content, and so on) and attack behavior (for example, spreading a trojan or attacking a system vulnerability).
On the one hand, if the match is successful, that is, the log information hits any threat intelligence in the threat intelligence database, the target email can be determined to be a phishing email. In this case, the security device can generate alert information indicating that the target email is a phishing email.
Further, if the gateway device of the target LAN carries a mail gateway, the security device can extract the specified features of the target email and add them to the feature database of the mail gateway, so that the mail gateway filters out phishing email with the new specified features.
On the other hand, if the match is unsuccessful, that is, the log information does not hit any threat intelligence in the threat intelligence database, the target email needs further inspection. In this case, the security device can deliver the attachment of the target email into a preset sandbox for dynamic detection.
The security device can determine, based on the detection result, whether the target email is a phishing email. For example, if the attachment of the target email is detected performing operations that threaten the security of the terminal device, such as modifying the local registry, reading or writing the disk, or downloading a trojan, the target email can be determined to be a phishing email.
On the one hand, if the attachment performs no operation that threatens the security of the terminal device, the target email can be determined not to be a phishing email, and the detection flow for the target email ends.
On the other hand, if the attachment performs an operation that threatens terminal security, the target email can be determined to be a phishing email. In this case, the security device can generate alert information indicating that the target email is a phishing email.
Further, if the gateway device of the target LAN carries a mail gateway, the security device can extract the specified features of the target email and add them to the feature database of the mail gateway, so that the mail gateway filters out phishing email with the new specified features.
In addition, when the target email is determined to be a phishing email, the security device can also generate new threat intelligence based on the log information of the target email and add it to the threat intelligence database, so that the threat intelligence database can subsequently be used to filter out target emails that hit this threat intelligence.
Specifically, the security device can extract the necessary content from the log information according to the format of the threat intelligence in the threat intelligence database (for example, if the threat intelligence format includes the sender's mailbox, the MD5 value of the attachment and the body content of an email, the sender's mailbox, attachment MD5 value and body content of the target email can be extracted from the log information), associate it with the attack behavior detected in the sandbox (the operations that threaten the security of the terminal device), generate new threat intelligence, and add that threat intelligence to the threat intelligence database.
In one embodiment shown, after the security device determines that the target email is a phishing email and before it generates alert information, it can determine the threat level of the target email based on a preset threat rating model.
Several threat levels can be preset in the threat rating model (for example, high risk, medium risk and low risk), and each threat level corresponds to several attack behaviors with different threat risks. The specific division can depend on the actual application environment. For example, when applied in a government department, phishing email carrying reactionary statements poses a higher threat risk; when applied in an educational institution, phishing email that risks information theft poses a higher threat risk; and spam such as advertising, which poses no substantial threat, can be treated as lower risk.
If the target email hits any threat intelligence in the threat intelligence database, the attack behavior in that threat intelligence can be assessed with the threat rating model to determine the threat level of the target email.
If the target email is detected in the sandbox performing an operation that threatens terminal security, that operation can be assessed with the threat rating model to determine the threat level of the target email.
Further, when generating the alert information for the target email, the security device can add the threat level to the alert information.
In the embodiments of the application, so that a detected phishing email can be handled further, the security device can associate the alert information with a designated user identifier to generate an alert work order.
The designated user identifier indicates an operator of the network security protection operations platform.
The operator corresponding to the designated user identifier can use the alert work order to perform further in-depth security analysis of the detected phishing email and, when necessary, carry out emergency response work for intranet security.
In summary, in the technical solution of the application, the security device receives the log information of a target email reported by a terminal device in the target LAN, then matches the log information against a preset threat intelligence database to determine whether the log information hits any threat intelligence; if the match is unsuccessful, it delivers the attachment of the target email into a preset sandbox for dynamic detection and determines, based on the detection result, whether the target email is a phishing email; if so, it generates alert information.
In this application, the security device first uses a threat intelligence database shared across the whole network to filter the log information of the target email. When that cannot determine whether the target email is a phishing email, the attachment of the target email is delivered into a sandbox for dynamic detection, so that a further judgment on the target email is made based on the detection result. This improves the accuracy of phishing email detection.
In addition, when the gateway device of the target LAN carries a mail gateway, the gateway device performs an initial filtering of email before forwarding it, so the application guards closely against phishing email attacks through repeated inspection.
In the scheme of the application, after a phishing email is detected, the feature database of the mail gateway and the threat intelligence database are updated in real time, so that the whole phishing email detection system can efficiently handle phishing email with new features.
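The detection flow described above, as an added Python sketch that is not part of the patent: a threat intelligence match first, sandbox analysis of the attachment only on a miss, then rating, feedback into both databases, and an alert work order. The field names, the any-indicator matching rule, the level assigned to each behavior, and the `constructed_sandbox` stand-in for dynamic analysis are assumptions; the sample emails are constructed.

```python
import hashlib
from dataclasses import dataclass

# Assumed threat rating model: behavior seen in the sandbox -> threat level.
THREAT_RATING = {"download_trojan": "high", "modify_registry": "medium",
                 "disk_write": "low"}
LEVEL_ORDER = ["low", "medium", "high"]


@dataclass
class MailLog:
    """Log record a terminal reports for one received email (field names assumed)."""
    sender: str
    source_ip: str
    body: str
    attachment: bytes

    @property
    def attachment_md5(self):
        # The description records the attachment as an MD5 value; here it is a
        # lookup key only, not a collision-resistant integrity check.
        return hashlib.md5(self.attachment).hexdigest()


class ThreatIntelDB:
    INDICATORS = ("attachment_md5", "sender", "source_ip")

    def __init__(self, entries=()):
        self.entries = [dict(e) for e in entries]

    def match(self, log):
        """Return the first entry sharing any indicator with the log, else None."""
        for entry in self.entries:
            for key in self.INDICATORS:
                if entry.get(key) is not None and entry[key] == getattr(log, key):
                    return entry
        return None

    def add_from(self, log, attacks):
        """Build new intelligence from the log plus the behaviors the sandbox saw."""
        self.entries.append({"attachment_md5": log.attachment_md5,
                             "sender": log.sender, "source_ip": log.source_ip,
                             "attacks": list(attacks)})


def rate(attacks):
    """Highest level among the behaviors; unrated behaviors count as low."""
    levels = [THREAT_RATING.get(a, "low") for a in attacks] or ["low"]
    return max(levels, key=LEVEL_ORDER.index)


def detect(log, intel_db, gateway_features, sandbox, analyst_id):
    """Return an alert work order for a phishing email, or None if nothing is found."""
    hit = intel_db.match(log)
    if hit is not None:
        stage, attacks = "threat_intel", hit.get("attacks", [])
    else:
        # Intelligence miss: run the attachment and keep only threatening behaviors.
        attacks = [b for b in sandbox(log.attachment) if b in THREAT_RATING]
        if not attacks:
            return None
        stage = "sandbox"
        intel_db.add_from(log, attacks)   # feed the finding back as new intelligence
    gateway_features.add(log.source_ip)   # mail gateway can drop this source next time
    return {"verdict": "phishing", "stage": stage, "level": rate(attacks),
            "attacks": list(attacks), "attachment_md5": log.attachment_md5,
            "assignee": analyst_id}


def constructed_sandbox(attachment):
    """Stand-in for dynamic analysis: returns constructed behavior names."""
    if b"AutoOpen" in attachment:
        return ["open_document", "modify_registry", "download_trojan"]
    return ["open_document"]


def run_demo():
    db, features = ThreatIntelDB(), set()
    lure = b"constructed macro document: AutoOpen"
    mails = [
        MailLog("billing@example.test", "203.0.113.7", "Invoice attached", lure),
        MailLog("hr@example.test", "198.51.100.9", "Updated policy", lure),
        MailLog("colleague@example.test", "192.0.2.10", "Minutes", b"plain notes"),
    ]
    results = [detect(m, db, features, constructed_sandbox, "soc-analyst-1")
               for m in mails]
    return results[0], results[1], results[2], db, features


if __name__ == "__main__":
    for result in run_demo()[:3]:
        print(result)
```

The second constructed email arrives from a different sender and address but carries the same attachment, so it is caught at the threat intelligence stage without a second sandbox run.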
Corresponding to the foregoing embodiment of the method for detecting phishing email, the application also provides an embodiment of a device for detecting phishing email.
Referring to Fig. 3, which is a block diagram of an embodiment of a device for detecting phishing email shown in the application.
As shown in Fig. 3, the device 30 for detecting phishing email includes:
a receiving unit 310, configured to receive the log information of a target email reported by the terminal device;
a matching unit 320, configured to match the log information against a preset threat intelligence database and determine whether the log information hits any threat intelligence;
an alert unit 330, configured to, if the match is unsuccessful, deliver the attachment of the target email into a preset sandbox for dynamic detection, and determine, based on the detection result, whether the target email is a phishing email; if so, generate alert information.
In this example, the device further includes:
the alert unit 330, further configured to, if the match is successful, determine that the target email is a phishing email and generate alert information.
In this example, the target LAN further includes a gateway device carrying a mail gateway, and the target email is filtered by the mail gateway in advance;
the device further includes:
an extraction unit 340 (not shown), configured to extract the specified features of the target email when the target email is determined to be a phishing email;
a first updating unit 350 (not shown), configured to add the specified features of the target email to the feature database of the mail gateway.
In this example, the device further includes:
a second updating unit 360 (not shown), configured to, when the target email is determined to be a phishing email, generate new threat intelligence based on the log information of the target email and add the threat intelligence to the threat intelligence database.
In this example, the alert unit 330 is further configured to:
when the target email is determined to be a phishing email, associate the alert information with a designated user identifier to generate an alert work order.
The embodiment of the device for detecting phishing email can be applied on a security device. The device embodiment may be implemented in software, or in hardware or a combination of software and hardware. Taking software implementation as an example, the device in the logical sense is formed by the processor of the security device on which it resides reading the corresponding computer program instructions from non-volatile memory into memory and running them. At the hardware level, Fig. 4 is a hardware structure diagram of the security device on which the device for detecting phishing email resides; in addition to the processor, memory, network interface and non-volatile memory shown in Fig. 4, the security device on which the device resides may generally include other hardware according to the actual function of the device for detecting phishing email, which is not described further here.
For the functions of each unit in the device and how they are implemented, refer to the implementation of the corresponding steps in the method above; details are not repeated here.
Since the device embodiment corresponds essentially to the method embodiment, refer to the relevant parts of the method embodiment's description. The device embodiment described above is merely illustrative: the units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units, that is, they may be located in one place or distributed across multiple network elements. Some or all of the modules can be selected according to actual needs to achieve the purpose of the scheme of the application. Those of ordinary skill in the art can understand and implement it without creative effort.
The above are merely preferred embodiments of the application and do not limit the application. Any modification, equivalent substitution, improvement and the like made within the spirit and principles of the application shall fall within the scope of protection of the application.

Claims (10)

1. A method for detecting phishing email, applied to a security device, the security device being connected to several terminal devices in a target LAN, characterized in that the method includes:
receiving log information of a target email reported by the terminal device;
matching the log information against a preset threat intelligence database to determine whether the log information hits any threat intelligence;
if the match is unsuccessful, delivering the attachment of the target email into a preset sandbox for dynamic detection, and determining, based on the detection result, whether the target email is a phishing email; if so, generating alert information.
2. The method according to claim 1, characterized in that the method further includes:
if the match is successful, determining that the target email is a phishing email and generating alert information.
3. The method according to claim 1 or 2, characterized in that the target LAN further includes a gateway device carrying a mail gateway, and the target email is filtered by the mail gateway in advance;
the method further includes:
when the target email is determined to be a phishing email, extracting the specified features of the target email;
adding the specified features of the target email to the feature database of the mail gateway.
4. The method according to claim 1, characterized in that the method further includes:
when the target email is determined to be a phishing email, generating new threat intelligence based on the log information of the target email, and adding the threat intelligence to the threat intelligence database.
5. The method according to claim 1 or 2, characterized in that the method further includes:
when the target email is determined to be a phishing email, associating the alert information with a designated user identifier to generate an alert work order.
6. A device for detecting phishing mail, applied to a security device, the security device being connected to several terminal devices in a target LAN; characterized in that the device comprises:
A receiving unit, configured to receive the log information of the target mail reported by the terminal device;
A matching unit, configured to match the log information against a preset threat intelligence library, to determine whether the log information hits any threat intelligence;
An alarm unit, configured to, if the matching is unsuccessful, deliver the attachment of the target mail into a preset sandbox for dynamic detection, and determine, based on the detection result, whether the target mail is a phishing mail; if so, generate alert information.
7. The device according to claim 6, characterized in that:
The alarm unit is further configured to, if the matching is successful, determine that the target mail is a phishing mail, and generate alert information.
8. The device according to claim 6 or 7, characterized in that the target LAN further comprises a gateway device carrying a mail gateway, and the target mail has been filtered in advance by the mail gateway;
The device further comprises:
An extraction unit, configured to extract the specified features of the target mail when the target mail is determined to be a phishing mail;
A first updating unit, configured to add the specified features of the target mail to the feature database of the mail gateway.
9. The device according to claim 6, characterized in that the device further comprises:
A second updating unit, configured to, when the target mail is determined to be a phishing mail, generate new threat intelligence based on the log information of the target mail, and add the threat intelligence to the threat intelligence library.
10. The device according to claim 6 or 7, characterized in that the alarm unit is further configured to:
When the target mail is determined to be a phishing mail, associate the alert information with a designated user identifier, and generate an alert work order.
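The decision flow of claims 1 to 5 (mirrored by the units of claims 6 to 10), as an added Python sketch that is not part of the patent text. The log schema, the choice of sender, source IP and attachment hash as indicators and as "specified features", the `sandbox` callable standing in for dynamic detection, and all names and sample values are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

@dataclass(frozen=True)
class MailLog:
    """Log record a terminal device reports for one mail (assumed schema)."""
    sender: str
    src_ip: str
    sha256: str      # hash of the attachment
    recipient: str

    def indicators(self) -> set:
        return {("sender", self.sender), ("ip", self.src_ip), ("sha256", self.sha256)}

@dataclass
class SecurityDevice:
    sandbox: Callable[[str], bool]   # stand-in: True = attachment behaved maliciously
    threat_intel: set = field(default_factory=set)      # threat intelligence library
    gateway_features: set = field(default_factory=set)  # mail gateway feature database
    work_orders: list = field(default_factory=list)

    def handle(self, log: MailLog, owner: str) -> Optional[dict]:
        hits = log.indicators() & self.threat_intel
        if hits:                        # claim 2: a hit alone decides the verdict
            source = "threat-intel"
        elif self.sandbox(log.sha256):  # claim 1: no hit, so run dynamic detection
            source = "sandbox"
        else:
            return None                 # not judged phishing, no alert
        alert = {"recipient": log.recipient, "source": source, "hits": sorted(hits)}
        # Claim 3: feed features to the mail gateway so later copies are filtered early.
        self.gateway_features |= {("sender", log.sender), ("sha256", log.sha256)}
        # Claim 4: turn this mail's log into new threat intelligence.
        self.threat_intel |= log.indicators()
        # Claim 5: bind the alert to a designated user and open a work order.
        self.work_orders.append({"assignee": owner, "alert": alert})
        return alert

def demo():
    """Run three constructed mails through the device; return device, alerts, sandbox calls."""
    bad_hash, calls = "a" * 64, []    # constructed placeholder hash
    def sandbox(h):
        calls.append(h)
        return h == bad_hash
    dev = SecurityDevice(sandbox=sandbox)
    first = dev.handle(MailLog("pay@invoice.example", "203.0.113.7", bad_hash, "alice"), "analyst-1")
    second = dev.handle(MailLog("pay@invoice.example", "198.51.100.9", "b" * 64, "bob"), "analyst-1")
    third = dev.handle(MailLog("hr@corp.example", "192.0.2.5", "c" * 64, "carol"), "analyst-1")
    return dev, [first, second, third], calls
```

The second mail is caught on the sender indicator learned from the first, so its attachment never reaches the sandbox; that feedback loop is what claims 3 and 4 add on top of claim 1.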
CN201810279466.8A 2018-03-30 2018-03-30 A kind of method and device for detecting fishing mail Withdrawn CN108200105A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810279466.8A CN108200105A (en) 2018-03-30 2018-03-30 A kind of method and device for detecting fishing mail

Publications (1)

Publication Number Publication Date
CN108200105A true CN108200105A (en) 2018-06-22

Family

ID=62596575

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810279466.8A Withdrawn CN108200105A (en) 2018-03-30 2018-03-30 A kind of method and device for detecting fishing mail

Country Status (1)

Country Link
CN (1) CN108200105A (en)

Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108965350A (en) * 2018-10-23 2018-12-07 杭州安恒信息技术股份有限公司 A kind of mail auditing method, device and computer readable storage medium
CN109347819A (en) * 2018-10-12 2019-02-15 杭州安恒信息技术股份有限公司 A kind of virus mail detection method, system and electronic equipment and storage medium
CN109450929A (en) * 2018-12-13 2019-03-08 成都亚信网络安全产业技术研究院有限公司 A kind of safety detection method and device
CN109600304A (en) * 2018-12-21 2019-04-09 成都九洲电子信息系统股份有限公司 Based on time wheel mail data reduction, threat detection and trend behavior analysis method
CN110868378A (en) * 2018-12-17 2020-03-06 北京安天网络安全技术有限公司 Phishing mail detection method and device, electronic equipment and storage medium
CN111147518A (en) * 2019-12-30 2020-05-12 论客科技(广州)有限公司 Attack and defense countermeasure based e-mail system security evaluation method and device
CN111737696A (en) * 2020-06-28 2020-10-02 杭州安恒信息技术股份有限公司 Method, system and equipment for detecting malicious file and readable storage medium
CN112511517A (en) * 2020-11-20 2021-03-16 深信服科技股份有限公司 Mail detection method, device, equipment and medium
CN112688926A (en) * 2020-12-18 2021-04-20 杭州安恒信息技术股份有限公司 Method, system and device for detecting spear type phishing mails based on attachments
CN113489734A (en) * 2021-07-13 2021-10-08 杭州安恒信息技术股份有限公司 Phishing mail detection method and device and electronic device
CN113794674A (en) * 2021-03-09 2021-12-14 北京沃东天骏信息技术有限公司 Method, device and system for detecting mail
CN114760119A (en) * 2022-04-02 2022-07-15 北京安博通金安科技有限公司 Phishing mail attack detection method, device and system

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20150180896A1 (en) * 2013-02-08 2015-06-25 PhishMe, Inc. Collaborative phishing attack detection
CN105072137A (en) * 2015-09-15 2015-11-18 蔡丝英 Spear phishing mail detection method and device
CN105743876A (en) * 2015-08-28 2016-07-06 哈尔滨安天科技股份有限公司 Method and system for discovering targeted attack based on email source data
US20170048273A1 (en) * 2014-08-21 2017-02-16 Salesforce.Com, Inc. Phishing and threat detection and prevention

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20150180896A1 (en) * 2013-02-08 2015-06-25 PhishMe, Inc. Collaborative phishing attack detection
US20170048273A1 (en) * 2014-08-21 2017-02-16 Salesforce.Com, Inc. Phishing and threat detection and prevention
CN105743876A (en) * 2015-08-28 2016-07-06 哈尔滨安天科技股份有限公司 Method and system for discovering targeted attack based on email source data
CN105072137A (en) * 2015-09-15 2015-11-18 蔡丝英 Spear phishing mail detection method and device

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
360 MESHFIRE TEAM: "钓鱼邮件威胁检测实战及典型样本分析", 《HTTPS://WWW.ANQUANKE.COM/POST/ID/88145》 *

Cited By (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109347819A (en) * 2018-10-12 2019-02-15 杭州安恒信息技术股份有限公司 A kind of virus mail detection method, system and electronic equipment and storage medium
CN108965350A (en) * 2018-10-23 2018-12-07 杭州安恒信息技术股份有限公司 A kind of mail auditing method, device and computer readable storage medium
CN108965350B (en) * 2018-10-23 2021-04-23 杭州安恒信息技术股份有限公司 Mail auditing method, device and computer readable storage medium
CN109450929A (en) * 2018-12-13 2019-03-08 成都亚信网络安全产业技术研究院有限公司 A kind of safety detection method and device
CN109450929B (en) * 2018-12-13 2021-05-14 成都亚信网络安全产业技术研究院有限公司 Safety detection method and device
CN110868378A (en) * 2018-12-17 2020-03-06 北京安天网络安全技术有限公司 Phishing mail detection method and device, electronic equipment and storage medium
CN109600304A (en) * 2018-12-21 2019-04-09 成都九洲电子信息系统股份有限公司 Based on time wheel mail data reduction, threat detection and trend behavior analysis method
CN111147518A (en) * 2019-12-30 2020-05-12 论客科技(广州)有限公司 Attack and defense countermeasure based e-mail system security evaluation method and device
CN111147518B (en) * 2019-12-30 2021-08-13 论客科技(广州)有限公司 Attack and defense countermeasure based e-mail system security evaluation method and device
CN111737696A (en) * 2020-06-28 2020-10-02 杭州安恒信息技术股份有限公司 Method, system and equipment for detecting malicious file and readable storage medium
CN112511517B (en) * 2020-11-20 2023-11-07 深信服科技股份有限公司 Mail detection method, device, equipment and medium
CN112511517A (en) * 2020-11-20 2021-03-16 深信服科技股份有限公司 Mail detection method, device, equipment and medium
CN112688926A (en) * 2020-12-18 2021-04-20 杭州安恒信息技术股份有限公司 Method, system and device for detecting spear type phishing mails based on attachments
CN113794674A (en) * 2021-03-09 2021-12-14 北京沃东天骏信息技术有限公司 Method, device and system for detecting mail
CN113794674B (en) * 2021-03-09 2024-04-09 北京沃东天骏信息技术有限公司 Method, device and system for detecting mail
CN113489734A (en) * 2021-07-13 2021-10-08 杭州安恒信息技术股份有限公司 Phishing mail detection method and device and electronic device
CN114760119A (en) * 2022-04-02 2022-07-15 北京安博通金安科技有限公司 Phishing mail attack detection method, device and system
CN114760119B (en) * 2022-04-02 2023-12-12 北京安博通金安科技有限公司 Phishing mail attack detection method, device and system

Similar Documents

Publication Publication Date Title
CN108200105A (en) A kind of method and device for detecting fishing mail
US11030311B1 (en) Detecting and protecting against computing breaches based on lateral movement of a computer file within an enterprise
US20190215335A1 (en) Method and system for delaying message delivery to users categorized with low level of awareness to suspicius messages
US10616272B2 (en) Dynamically detecting abnormalities in otherwise legitimate emails containing uniform resource locators (URLs)
Alazab et al. Spam and criminal activity
CN108337153B (en) Method, system and device for monitoring mails
US9106692B2 (en) System and method for advanced malware analysis
US7434261B2 (en) System and method of identifying the source of an attack on a computer network
US6763462B1 (en) E-mail virus detection utility
US20170244736A1 (en) Method and system for mitigating malicious messages attacks
CN100448203C (en) System and method for identifying and preventing malicious intrusions
CN110519150B (en) Mail detection method, device, equipment, system and computer readable storage medium
CN109040103A (en) A kind of mail account is fallen detection method, device, equipment and readable storage medium storing program for executing
US20230034035A1 (en) Cloud-based orchestration of incident response using multi-feed security event classifications
CN109328448A (en) Spam Classification system based on network flow data
CN107046535B (en) A kind of abnormality sensing and method for tracing and system
US11297024B1 (en) Chat-based systems and methods for data loss prevention
CN111147489B (en) Link camouflage-oriented fishfork attack mail discovery method and device
CN112511517B (en) Mail detection method, device, equipment and medium
CN109600362A (en) Zombie host recognition methods, identification equipment and medium based on identification model
US20190306192A1 (en) Detecting email sender impersonation
CN111147518B (en) Attack and defense countermeasure based e-mail system security evaluation method and device
CN109672607A (en) A kind of email processing method, device and storage equipment, program product
CN103716335A (en) Detecting and filtering method of spam mail based on counterfeit sender
US20040054742A1 (en) Method and system for detecting malicious activity and virus outbreak in email

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication

Application publication date: 20180622