CN108418777A - Phishing email detection method, apparatus and system - Google Patents
Publication number: CN108418777A
Application number: CN201710071611.9A
Authority: CN (China)
Prior art keywords: address, phishing, blacklist library, dynamic blacklist
Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H04L63/1483: Countermeasures against malicious traffic; service impersonation, e.g. phishing, pharming or web spoofing
- H04L51/212: Monitoring or handling of messages using filtering or selective blocking
- H04L51/42: Mailbox-related aspects, e.g. synchronisation of mailboxes
- Y02D30/50: Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate
Abstract
The present invention relates to the field of information security, and in particular to a phishing email detection method, apparatus and system, intended to solve the problems of low detection efficiency and low accuracy in existing phishing email detection systems. In the method, first-type phishing information detection is first performed on an email based on its header information, to identify phishing emails that contain first-type phishing information. For an email that cannot be determined to be a phishing email from its header information alone, second-type phishing information detection is performed based on the body information of the email, to identify phishing emails that contain second-type phishing information. By detecting emails in stages in this way, missed detections of phishing emails can be prevented and accuracy improved. Moreover, for a phishing email that can be identified from its header information alone, body information detection is no longer needed, which not only protects the user's sensitive information but also improves detection efficiency and reduces resource consumption.
Description
Technical field
The present invention relates to the field of information security, and in particular to a phishing email detection method, apparatus and system.
Background
With the rapid development of e-commerce, phishing has become the main and fastest-growing means of online fraud. In recent years phishing has become more rampant and its methods increasingly complex; the most common means of phishing is the phishing email.
A phishing email is a deceptive email that a phishing attacker sends to a recipient by forging the sender address, for example deceptive spam claiming to come from a bank or another well-known institution, which lures the recipient into visiting a forged web (Web) site or obtains the recipient's sensitive information by having the recipient reply to the email.
The most common phishing emails fall roughly into three classes: counterfeit phishing emails, link phishing emails and attachment phishing emails. In a counterfeit phishing email, the fraudster uses a self-built outgoing mail server to hide the true sender information and masquerade as an arbitrary sender; this kind of phishing email currently troubles mail users the most, is the hardest to identify, and is the one against which information security defenses are weakest. In a link phishing email, a phishing link (a hyperlink or a direct link) is embedded in an otherwise normal email, and the user is asked to enter account information, in the email or on the page the link opens, in order to view an order or a sample. In an attachment phishing email, a virus is planted in the email attachment; the attachment can take many forms, e.g. HTML web page attachments, Exe/Scr attachments, Doc attachments, Excel attachments, PDF attachments, etc., of which Exe/Scr attachments carry the highest risk, since they are usually the virus executable itself.
In the prior art, phishing emails are generally identified in one of the following two ways:
Mode one: after mail data traffic is captured on the network, the mail content is restored and the sender is checked against the recipient's frequent-contacts list. Once the sender is confirmed to be in the frequent-contacts list, the mail content is compared with the historical mail that this sender has sent to the recipient; any one, two or all three of the IP address, domain name and link appearing in the current email are extracted and compared for visual similarity with the corresponding items in mail from well-known authoritative websites, to judge whether the email is a spear-phishing email.
In this approach, the body of every received email must be analyzed and compared against all of the recipient's historical mail, which consumes considerable resources and is inefficient. And because it only visually compares the link, IP address or domain name appearing in the email with authoritative websites, its discrimination is low and it is prone to misjudgments and missed detections.
Mode two: first, the header information of the email is analyzed to obtain the email's transmission path and the IP addresses of the corresponding servers, and it is determined whether the domain name claimed by the email sender matches the domain name of the actual sending mail server. If they match, the email is considered legitimate; if they do not match, it is considered a suspected phishing email. The body information of the suspected phishing email is then parsed and checked for link addresses; the domain name corresponding to the link address is obtained and compared with the domain name claimed by the sender, and if they are inconsistent the email is judged to be a phishing email.
In this approach, analyzing the email header information and comparing the extracted domain names can improve recognition efficiency, but when the body information is analyzed, only the link address information is compared with the domain name claimed by the sender. This discrimination method is clearly too simple and is prone to misjudgments and missed detections.
In addition, when examining the message body, both of the above approaches can only identify phishing emails that carry link information and cannot effectively identify phishing emails that contain no link information, which is a limitation.
In summary, a new phishing email detection method needs to be designed to improve the efficiency of phishing email detection as well as its accuracy and validity.
Summary of the invention
Embodiments of the present invention provide a phishing email detection method, apparatus and system, to solve the problems of low phishing email detection efficiency and low accuracy in the prior art.
The specific technical solutions provided by the embodiments of the present invention are as follows:
A phishing email detection system, comprising a header information detection device and a body information detection device, wherein:
The header information detection device is configured to obtain the header information of an email and, based on a preset first-type dynamic blacklist library, judge whether the header information contains specified first-type phishing information located in the first-type dynamic blacklist library; when it is determined to be contained, the email is judged to be a phishing email; otherwise, the email is sent to the body information detection device;
The body information detection device is configured to receive the email sent by the header information detection device, extract the body information of the email and, based on a preset second-type dynamic blacklist library, judge whether the body information contains specified second-type phishing information located in the second-type dynamic blacklist library; when it is determined to be contained, the email is judged to be a phishing email; otherwise, the email is judged to be a non-phishing email.
Optionally, the system further includes:
A user information feedback device, configured to, when it is determined according to a user indication that phishing information associated with a phishing email exists, update the corresponding dynamic blacklist library using the associated phishing information.
Optionally, the first-type dynamic blacklist library includes at least one of, or any combination of, a mail address dynamic blacklist library, an IP address dynamic blacklist library and a domain name dynamic blacklist library;
The first-type phishing information includes at least one of, or any combination of, a phishing mail address, a phishing IP address and a phishing domain name;
The second-type dynamic blacklist library includes at least a keyword dynamic blacklist library and/or a link address dynamic blacklist library;
The second-type phishing information includes at least a keyword and/or a link address.
Optionally, the header information detection device includes at least a mail address detection sub-device:
The mail address detection sub-device is configured to determine the corresponding mail address based on the obtained header information of the email and, based on a preset mail address dynamic blacklist library, judge whether the mail address is a phishing mail address specified in the mail address dynamic blacklist library; if so, the email is judged to be a phishing email; otherwise, the email is sent to the body information detection device.
Optionally, the header information detection device further includes an IP address detection sub-device:
The IP address detection sub-device is configured to, when the mail address detection sub-device judges that the mail address is not a phishing mail address specified in the mail address dynamic blacklist library, determine the corresponding IP address based on the header information and, based on a preset IP address dynamic blacklist library, judge whether the IP address is a phishing IP address specified in the IP address dynamic blacklist library; if so, the email is judged to be a phishing email; otherwise, the email is sent to the body information detection device.
Optionally, the header information detection device further includes a domain name detection sub-device:
The domain name detection sub-device is configured to, when the IP address detection sub-device judges that the IP address is not a phishing IP address specified in the IP address dynamic blacklist library, determine the corresponding domain name and IP address based on the header information, determine the mapped domain name corresponding to the IP address based on the IP address, and judge whether the domain name and the mapped domain name are consistent;
If so, the email is sent to the body information detection device;
Otherwise, based on a preset domain name dynamic blacklist library, matching degree detection is performed between the domain name and the specified phishing domain names, the obtained matching degree is taken as a first matching degree, and it is further judged whether the first matching degree is greater than a preset first threshold; if so, the email is judged to be a phishing email; otherwise, the email is sent to the body information detection device.
Optionally, the body information detection device includes at least a keyword detection sub-device:
The keyword detection sub-device is configured to receive the email sent by the header information detection device, extract the body information of the email and, based on a preset keyword dynamic blacklist library, judge whether the body information contains a phishing keyword specified in the keyword dynamic blacklist library; if so, the email is judged to be a phishing email; otherwise, the email is judged to be a non-phishing email.
Optionally, the body information detection device further includes a link address detection sub-device:
The link address detection sub-device is configured to, when the keyword detection sub-device judges that the keyword is not a phishing keyword specified in the keyword dynamic blacklist library, judge whether the body information contains a link address;
When it is determined not to contain one, the email is sent to an attachment detection sub-device;
When it is determined to contain one, the link address is extracted and, based on a preset link address dynamic blacklist library, matching degree detection is performed between the link address and the specified phishing link addresses, with the obtained matching degree taken as a second matching degree. When the second matching degree is determined to be greater than a preset second threshold, the email is judged to be a phishing email; when the second matching degree is determined to be less than a preset third threshold, the email is judged to be a non-phishing email; otherwise, the email is sent to the attachment detection sub-device.
Optionally, the body information detection device further includes an attachment detection sub-device:
The attachment detection sub-device is configured to, when the link address detection sub-device judges that the link address is not a phishing link address specified in the link address dynamic blacklist library, perform attachment detection on the email; when an attachment is determined to exist, the user is prompted to download the attachment with caution; otherwise, the user is prompted that the email is a suspected email and to click with caution; or,
The attachment detection sub-device is configured to, when the link address detection sub-device judges that the second matching degree is not greater than the second threshold and not less than the third threshold, perform attachment detection on the email; when an attachment is determined to exist, the user is prompted to download the attachment with caution; otherwise, the user is prompted that the email is a suspected email and to click with caution.
A phishing email detection method, comprising:
Obtaining the header information of an email and, based on a preset first-type dynamic blacklist library, judging whether the header information contains specified first-type phishing information located in the first-type dynamic blacklist library;
When it is determined to be contained, judging the email to be a phishing email;
When it is determined not to be contained, extracting the body information of the email and, based on a preset second-type dynamic blacklist library, judging whether the body information contains specified second-type phishing information located in the second-type dynamic blacklist library; when it is determined to be contained, judging the email to be a phishing email; when it is determined not to be contained, judging the email to be a non-phishing email.
Optionally, the method further includes:
When it is determined according to a user indication that phishing information associated with a phishing email exists, updating the corresponding dynamic blacklist library using the associated phishing information.
Optionally, the first-type dynamic blacklist library includes at least one of, or any combination of, a mail address dynamic blacklist library, an IP address dynamic blacklist library and a domain name dynamic blacklist library;
The first-type phishing information includes at least one of, or any combination of, a phishing mail address, a phishing IP address and a phishing domain name;
The second-type dynamic blacklist library includes at least a keyword dynamic blacklist library and/or a link address dynamic blacklist library;
The second-type phishing information includes at least a keyword and/or a link address.
Optionally, obtaining the header information of the email and judging, based on the preset first-type dynamic blacklist library, whether the header information contains specified first-type phishing information located in the first-type dynamic blacklist library includes:
Determining the corresponding mail address from the obtained header information of the email;
Judging, based on a preset mail address dynamic blacklist library, whether the mail address is a phishing mail address specified in the mail address dynamic blacklist library;
When the mail address is judged to be a phishing mail address specified in the mail address dynamic blacklist library, determining that it is contained;
When the mail address is judged not to be a phishing mail address specified in the mail address dynamic blacklist library, determining that it is not contained.
Optionally, after it is determined that it is not contained because the mail address is judged not to be a phishing mail address specified in the mail address dynamic blacklist library, the method further includes:
Determining the corresponding IP address based on the header information;
Judging, based on a preset IP address dynamic blacklist library, whether the IP address is a phishing IP address specified in the IP address dynamic blacklist library;
When the IP address is judged to be a phishing IP address specified in the IP address dynamic blacklist library, determining that it is contained;
When the IP address is judged not to be a phishing IP address specified in the IP address dynamic blacklist library, determining that it is not contained.
Optionally, after it is determined that it is not contained because the IP address is judged not to be a phishing IP address specified in the IP address dynamic blacklist library, the method further includes:
Determining the corresponding domain name and IP address based on the header information;
Determining the mapped domain name corresponding to the IP address based on the IP address;
Judging whether the domain name and the mapped domain name are consistent;
When they are judged consistent, determining that it is not contained;
When they are judged inconsistent, performing matching degree detection between the domain name and the specified phishing domain names based on a preset domain name dynamic blacklist library, taking the obtained matching degree as a first matching degree, and further judging whether the first matching degree is greater than a preset first threshold; if so, determining that it is contained; otherwise, determining that it is not contained.
Optionally, extracting the body information of the email and judging, based on the preset second-type dynamic blacklist library, whether the body information contains specified second-type phishing information located in the second-type dynamic blacklist library includes:
Extracting the body information of the email;
Judging, based on a preset keyword dynamic blacklist library, whether the body information contains a phishing keyword specified in the keyword dynamic blacklist library;
When the body information is judged to contain a phishing keyword specified in the keyword dynamic blacklist library, determining that it is contained;
When the body information is judged not to contain a phishing keyword specified in the keyword dynamic blacklist library, determining that it is not contained.
Optionally, after it is determined that it is not contained because the body information is judged not to contain a phishing keyword specified in the keyword dynamic blacklist library, the method further includes:
Further judging whether the body information contains a link address;
When the body information is determined to contain a link address, extracting the link address and, based on a preset link address dynamic blacklist library, performing matching degree detection between the link address and the specified phishing link addresses, with the obtained matching degree taken as a second matching degree; when the second matching degree is determined to be greater than a preset second threshold, determining that it is contained; when the second matching degree is determined to be less than a preset third threshold, determining that it is not contained; otherwise, performing attachment detection on the email;
When the body information is determined not to contain a link address, performing attachment detection on the email.
Optionally, performing attachment detection on the email includes:
When an attachment is determined to exist, prompting the user to download the attachment with caution; otherwise, prompting the user that the email is a suspected email and to click with caution.
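The following Python example is added here and is not code from the patent. It walks the method above end to end: header checks against the address, IP and domain blacklists, then body checks for keywords, links and attachments, plus the user-feedback update. The blacklist entries, the threshold values, the `difflib` similarity metric, the choice of the topmost `Received` header and the `RDNS` table standing in for the IP-to-domain mapping are all assumptions made for illustration.

```python
import re
from difflib import SequenceMatcher
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed sample blacklists; a deployment would seed these from a feed.
ADDR_BL = {"billing@paypa1-login.test"}
IP_BL = {"203.0.113.66"}
DOMAIN_BL = {"paypa1-login.test"}
KEYWORD_BL = {"verify your account", "password expires"}
LINK_BL = {"http://paypa1-login.test/verify"}

# Assumed values: the patent names three preset thresholds but gives no numbers.
T1, T2, T3 = 0.8, 0.9, 0.5
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def match_degree(value, blacklist):
    """Highest similarity to any blacklist entry (difflib ratio is an assumed metric)."""
    return max((SequenceMatcher(None, value, b).ratio() for b in blacklist), default=0.0)


def sender_address(msg):
    return parseaddr(str(msg.get("From", "")))[1].lower()


def body_text(msg):
    part = msg.get_body(preferencelist=("plain",))
    return part.get_content() if part else ""


def check_header(msg, rdns):
    """Stage 1: address, then IP, then domain. Returns (is_phishing, reason)."""
    addr = sender_address(msg)
    if addr in ADDR_BL:
        return True, "address"
    # Assumption: the topmost Received header was written by our own MTA.
    received = msg.get_all("Received") or [""]
    found = IP_RE.search(str(received[0]))
    ip = found.group(1) if found else ""
    if ip in IP_BL:
        return True, "ip"
    domain = addr.rpartition("@")[2]
    mapped = rdns.get(ip, "")  # stands in for the IP-to-domain mapping lookup
    consistent = bool(domain) and (mapped == domain or mapped.endswith("." + domain))
    if not consistent and match_degree(domain, DOMAIN_BL) > T1:
        return True, "domain"
    return False, "header-clean"


def check_body(msg):
    """Stage 2: keywords, then links, then the attachment prompt."""
    text = body_text(msg)
    if any(k in text.lower() for k in KEYWORD_BL):
        return "PHISHING", "keyword"
    links = URL_RE.findall(text)
    if links:
        degree = max(match_degree(u, LINK_BL) for u in links)
        if degree > T2:
            return "PHISHING", "link"
        if degree < T3:
            return "CLEAN", "link"
    # No link, or a link scoring between T3 and T2: warn instead of deciding.
    if any(True for _ in msg.iter_attachments()):
        return "WARN_ATTACHMENT", "attachment"
    return "WARN_SUSPECT", "no-attachment"


def classify(msg, rdns):
    hit, reason = check_header(msg, rdns)
    if hit:
        return "PHISHING", reason  # the body is never parsed
    return check_body(msg)


def report_phishing(msg):
    """User feedback: add the reported mail's sender and links to the blacklists."""
    ADDR_BL.add(sender_address(msg))
    LINK_BL.update(URL_RE.findall(body_text(msg)))


def make_mail(sender, ip, body, attachment=None):
    """Build a constructed test message; real input would come from
    email.message_from_bytes(raw, policy=email.policy.default)."""
    msg = EmailMessage()
    msg["Received"] = f"from mta.sender.invalid ([{ip}]) by mx.corp.example"
    msg["From"] = sender
    msg.set_content(body)
    if attachment:
        msg.add_attachment(b"constructed", maintype="application",
                           subtype="octet-stream", filename=attachment)
    return msg


# Constructed IP-to-domain table used instead of live DNS so the example runs offline.
RDNS = {"198.51.100.10": "mail.corp.example", "192.0.2.44": "host44.isp.invalid"}

if __name__ == "__main__":
    mail = make_mail("support@paypa1-logln.test", "192.0.2.44", "hello")
    print(classify(mail, RDNS))
```

Following the method as written, a mail with no blacklisted keyword, no link and no attachment still ends in the "suspected email" prompt, so that prompt will fire on a large share of ordinary plain-text mail unless the earlier stages are tuned.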
A phishing email detection apparatus, comprising:
A first processing unit, configured to obtain the header information of an email and, based on a preset first-type dynamic blacklist library, judge whether the header information contains specified first-type phishing information located in the first-type dynamic blacklist library;
A second processing unit, configured to judge the email to be a phishing email when it is determined to be contained;
A third processing unit, configured to, when it is determined not to be contained, extract the body information of the email and, based on a preset second-type dynamic blacklist library, judge whether the body information contains specified second-type phishing information located in the second-type dynamic blacklist library; when it is determined to be contained, judge the email to be a phishing email; when it is determined not to be contained, judge the email to be a non-phishing email.
Optionally, the apparatus further includes an updating unit, the updating unit being configured to:
When it is determined according to a user indication that phishing information associated with a phishing email exists, update the corresponding dynamic blacklist library using the associated phishing information.
Optionally, the first-type dynamic blacklist library includes at least one of, or any combination of, a mail address dynamic blacklist library, an IP address dynamic blacklist library and a domain name dynamic blacklist library;
The first-type phishing information includes at least one of, or any combination of, a phishing mail address, a phishing IP address and a phishing domain name;
The second-type dynamic blacklist library includes at least a keyword dynamic blacklist library and/or a link address dynamic blacklist library;
The second-type phishing information includes at least a keyword and/or a link address.
Optionally, when obtaining the header information of the email and judging, based on the preset first-type dynamic blacklist library, whether the header information contains specified first-type phishing information located in the first-type dynamic blacklist library, the first processing unit is configured to:
Determine the corresponding mail address from the obtained header information of the email;
Judge, based on a preset mail address dynamic blacklist library, whether the mail address is a phishing mail address specified in the mail address dynamic blacklist library;
When the mail address is judged to be a phishing mail address specified in the mail address dynamic blacklist library, determine that it is contained;
When the mail address is judged not to be a phishing mail address specified in the mail address dynamic blacklist library, determine that it is not contained.
Optionally, after it is determined that it is not contained because the mail address is judged not to be a phishing mail address specified in the mail address dynamic blacklist library, the first processing unit is further configured to:
Determine the corresponding IP address based on the header information;
Judge, based on a preset IP address dynamic blacklist library, whether the IP address is a phishing IP address specified in the IP address dynamic blacklist library;
When the IP address is judged to be a phishing IP address specified in the IP address dynamic blacklist library, determine that it is contained;
When the IP address is judged not to be a phishing IP address specified in the IP address dynamic blacklist library, determine that it is not contained.
Optionally, after it is determined that it is not contained because the IP address is judged not to be a phishing IP address specified in the IP address dynamic blacklist library, the first processing unit is further configured to:
Determine the corresponding domain name and IP address based on the header information;
Determine the mapped domain name corresponding to the IP address based on the IP address;
Judge whether the domain name and the mapped domain name are consistent;
When they are judged consistent, determine that it is not contained;
When they are judged inconsistent, perform matching degree detection between the domain name and the specified phishing domain names based on a preset domain name dynamic blacklist library, take the obtained matching degree as a first matching degree, and further judge whether the first matching degree is greater than a preset first threshold; if so, determine that it is contained; otherwise, determine that it is not contained.
Optionally, when extracting the body information of the email and judging, based on the preset second-type dynamic blacklist library, whether the body information contains specified second-type phishing information located in the second-type dynamic blacklist library, the third processing unit is configured to:
Extract the body information of the email;
Judge, based on a preset keyword dynamic blacklist library, whether the body information contains a phishing keyword specified in the keyword dynamic blacklist library;
When the body information is judged to contain a phishing keyword specified in the keyword dynamic blacklist library, determine that it is contained;
When the body information is judged not to contain a phishing keyword specified in the keyword dynamic blacklist library, determine that it is not contained.
Optionally, after it is determined that it is not contained because the body information is judged not to contain a phishing keyword specified in the keyword dynamic blacklist library, the third processing unit is further configured to:
Further judge whether the body information contains a link address;
When the body information is determined to contain a link address, extract the link address and, based on a preset link address dynamic blacklist library, perform matching degree detection between the link address and the specified phishing link addresses, with the obtained matching degree taken as a second matching degree; when the second matching degree is determined to be greater than a preset second threshold, determine that it is contained; when the second matching degree is determined to be less than a preset third threshold, determine that it is not contained; otherwise, perform attachment detection on the email;
When the body information is determined not to contain a link address, perform attachment detection on the email.
Optionally, when performing attachment detection on the email, the third processing unit is configured to:
When an attachment is determined to exist, prompt the user to download the attachment with caution; otherwise, prompt the user that the email is a suspected email and to click with caution.
In the embodiments of the present invention, first-type phishing information detection is first performed on an email based on its header information, to identify phishing emails that contain first-type phishing information. For an email that cannot be determined to be a phishing email from its header information alone, second-type phishing information detection is performed based on the body information of the email, to identify phishing emails that contain second-type phishing information. By detecting emails in stages in this way, missed detections of phishing emails can be prevented and accuracy improved. Moreover, for a phishing email that can be identified from its header information alone, body information detection is no longer needed, which not only protects the user's sensitive information but also improves detection efficiency and reduces resource consumption.
Brief description of the drawings
Fig. 1 is a structural diagram of the phishing email detection system in an embodiment of the present invention;
Fig. 2 is a flowchart of the phishing email detection method in an embodiment of the present invention;
Fig. 3 is a flowchart of the phishing email detection method combined with a concrete scenario in an embodiment of the present invention;
Fig. 4 is a structural schematic diagram of the phishing email detection apparatus in an embodiment of the present invention.
Detailed description
To solve the problems of low phishing email detection efficiency and low accuracy in the prior art, the embodiments of the present invention redesign the phishing email detection method. The method first examines the header information of an email and uses it to detect phishing emails that contain first-type phishing information. For an email that cannot be determined to be a phishing email from its header information, the body information of the email is extracted and examined further, to detect phishing emails that contain second-type phishing information.
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings in the embodiments of the present invention. The described embodiments are obviously only some of the embodiments of the present invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
The solution of the present invention is described in detail below through specific embodiments; the present invention is, of course, not limited to the following embodiments.
Referring to Fig. 1, in an embodiment of the present invention a phishing email detection system is designed, which includes at least a header information detection device 10 and a body information detection device 11, wherein:
The header information detection device 10 is configured to obtain the header information of an email and, based on a preset first-type dynamic blacklist library, judge whether the header information contains specified first-type phishing information located in the first-type dynamic blacklist library; when it is determined to be contained, the email is judged to be a phishing email; otherwise, the email is sent to the body information detection device;
The body information detection device 11 is configured to receive the email sent by the header information detection device, extract the body information of the email and, based on a preset second-type dynamic blacklist library, judge whether the body information contains specified second-type phishing information located in the second-type dynamic blacklist library; when it is determined to be contained, the email is judged to be a phishing email; otherwise, the email is judged to be a non-phishing email.
In the embodiment of the present invention, fishing mail detecting system further includes user information feedback device 12, wherein
User information feedback device 12, for indicating to determine exist and the associated fishing information of fishing mail according to user
When, using the associated fishing information, corresponding dynamic blacklist library is updated.
Specifically, before phishing detection is performed on emails, the embodiment of the present invention first presets a base email address dynamic blacklist, a base IP address dynamic blacklist, a base keyword dynamic blacklist and a base link address dynamic blacklist. The base dynamic blacklists may use the blacklists provided by the anti-spam organization Spamhaus.
Further, when a user sending or receiving email determines that a certain email is a phishing email, the corresponding dynamic blacklists can each be updated with the phishing information related to that phishing email (e.g., email address, IP address, keyword, link address).
For example, suppose a user determines that a received email carries a phishing email address. For webmail, the email address dynamic blacklist can be updated through a report button on the web page; for mail clients, the email address dynamic blacklist can be updated by periodic pushes. These two ways are of course only two specific implementations and do not represent all embodiments.
Taking the keyword dynamic blacklist as an example, a dynamic blacklist may be updated in the following manner.
First, a base keyword blacklist is established. Then, based on word segmentation and short-text inverted-index retrieval, a pointwise mutual information (PMI) score is calculated between the keywords in the base keyword blacklist and the keywords in the inverted index. Preferably, in the embodiment of the present invention, the PMI score is obtained using the following formula:
where p(word1) is the probability that the keyword word1 occurs, p(word2) is the probability that the keyword word2 occurs, and p(word1&word2) is the probability that word1 and word2 occur together.
Next, the frequencies with which word1 and word2 each occur, and the frequency with which word1 and word2 occur together, are calculated. Preferably, in the embodiment of the present invention, each frequency is calculated using the following formula:
where df(word) is the number of times the keyword occurs and N is the total number of documents.
The PMI score is then calculated from the frequencies obtained above. Preferably, in the embodiment of the present invention, the PMI score is calculated using the following formula:
Finally, keywords whose PMI score is higher than a set score threshold (e.g., 7 points) raise an alert and are reviewed manually; when manual review determines that a keyword is a phishing keyword, the keyword is added to the base keyword blacklist.
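The keyword-mining step above, as an added example that is not code from the patent. The formulas are not reproduced on this page, so the code assumes the standard definition PMI = log2(p(word1&word2) / (p(word1) * p(word2))) with p(word) = df(word) / N; the regex tokenizer (in place of word segmentation), the `min_df` guard and the corpus are constructed for illustration.

```python
import math
import re
from collections import defaultdict

TOKEN = re.compile(r"[a-z0-9]+")  # assumption: simple tokenizer instead of word segmentation


def build_inverted_index(docs):
    """Map each token to the set of document ids that contain it."""
    index = defaultdict(set)
    for doc_id, text in enumerate(docs):
        for token in TOKEN.findall(text.lower()):
            index[token].add(doc_id)
    return index


def pmi(index, n_docs, word1, word2):
    """PMI from document frequencies, p(w) = df(w) / N (log base 2 is an assumption)."""
    docs1 = index.get(word1, set())
    docs2 = index.get(word2, set())
    joint = len(docs1 & docs2)
    if joint == 0:
        return float("-inf")  # the two words never occur in the same document
    p1 = len(docs1) / n_docs
    p2 = len(docs2) / n_docs
    p12 = joint / n_docs
    return math.log2(p12 / (p1 * p2))


def review_candidates(docs, seed_keywords, threshold=7.0, min_df=2):
    """Return {word: best PMI against any seed} for words scoring above the threshold.

    The result is a queue for manual review, not an automatic blacklist update.
    min_df is an added guard: PMI is unstable for words seen only once.
    """
    index = build_inverted_index(docs)
    n_docs = len(docs)
    seeds = [s for s in seed_keywords if s in index]
    flagged = {}
    for word, postings in index.items():
        if word in seed_keywords or len(postings) < min_df:
            continue
        best = max((pmi(index, n_docs, s, word) for s in seeds), default=float("-inf"))
        if best > threshold:
            flagged[word] = round(best, 3)
    return flagged


def constructed_corpus():
    """512 constructed short texts: 2 phishing-style, 510 benign."""
    phishing = ["verify your password to restore account access"] * 2
    benign_a = ["your account statement for this month is attached"] * 254
    benign_b = ["agenda to review for the weekly engineering meeting"] * 256
    return phishing + benign_a + benign_b


if __name__ == "__main__":
    # "password" is the only seed keyword in the base blacklist here.
    print(review_candidates(constructed_corpus(), {"password"}))
```

Because the maximum PMI for a pair is log2(N / df), a threshold of 7 can only be exceeded when the corpus holds more than 128 documents per co-occurrence, which is why the sample corpus is that large.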
As shown in Fig. 2, a preferred embodiment of the present invention is described in detail below with reference to the drawings. The flow of the phishing email detection method in the embodiment of the present invention is as follows:
Step 200: Obtain the header information of the email.
Specifically, the header information detection sub-device obtains the header information of the email.
Step 210: Based on the preset first-class dynamic blacklist, judge whether the obtained header information contains first-class phishing information specified in the first-class dynamic blacklist; if so, execute step 240; otherwise, execute step 220.
Specifically, the first-class dynamic blacklist includes at least one or any combination of an email address dynamic blacklist, an IP address dynamic blacklist and a domain name dynamic blacklist; the first-class phishing information includes at least one or any combination of a phishing email address, a phishing IP address and a phishing domain name; the second-class dynamic blacklist includes at least a keyword dynamic blacklist and/or a link address dynamic blacklist; the second-class phishing information includes at least a keyword and/or a link address.
Further, the header information detection device includes at least an email address detection sub-device. The email address detection sub-device determines the corresponding email address from the obtained header information of the email and, based on the preset email address dynamic blacklist, judges whether the email address is a phishing email address specified in the email address dynamic blacklist; if so, step 240 is executed; otherwise, detection continues with the IP address in the header information.
Further, the header information detection device may also include an IP address detection sub-device. After the email address detection sub-device cannot judge the email to be a phishing email from the email address in the header information, the IP address detection sub-device continues by inspecting the IP address in the header information: it determines the corresponding IP address from the header information and, based on the preset IP address dynamic blacklist, judges whether the IP address is a phishing IP address specified in the IP address dynamic blacklist; if so, step 240 is executed; otherwise, detection continues with the domain name in the header information.
Further, the header information detection device may also include a domain name detection sub-device. After the IP address detection sub-device cannot judge the email to be a phishing email from the IP address in the header information, the domain name detection sub-device continues by inspecting the domain name in the header information: it determines the corresponding domain name and IP address from the header information, determines the mapped domain name corresponding to the IP address, and judges whether the domain name and the mapped domain name are consistent. If the domain name is consistent with the mapped domain name, the email is sent to the body text detection device so that its body text can be inspected. If the domain name is inconsistent with the mapped domain name, the domain name is matched against the specified phishing domain names based on the preset domain name dynamic blacklist, and the resulting matching degree is taken as the first matching degree; it is then judged whether the first matching degree is greater than the preset first threshold; if so, step 240 is executed; otherwise, the email is sent to the body text detection device so that its body text can be inspected.
Step 220: Extract the body text of the email.
Specifically, the body text detection device extracts the body text of the email.
Step 230: Based on the preset second-class dynamic blacklist, judge whether the extracted body text contains second-class phishing information specified in the second-class dynamic blacklist; if so, execute step 240; otherwise, execute step 250.
Specifically, when the header information detection device cannot judge the email to be a phishing email from the header information, the keyword detection sub-device in the body text detection device judges, based on the preset keyword dynamic blacklist, whether the body text contains a phishing keyword specified in the keyword dynamic blacklist; if so, step 240 is executed; otherwise, detection of the body text continues.
Further, the body text detection device also includes a link address detection sub-device. After the keyword detection sub-device cannot judge the email to be a phishing email from the body text, the link address detection sub-device judges whether the extracted body text contains a link address. If it does, the link address is extracted and, based on the preset link address dynamic blacklist, matched against the specified phishing link addresses, and the resulting matching degree is taken as the second matching degree. When the second matching degree is determined to be greater than the preset second threshold, step 240 is executed; when the second matching degree is determined to be less than the preset third threshold, step 250 is executed; otherwise, the email is sent to the attachment detection sub-device.
Further, the body text detection device also includes an attachment detection sub-device. The attachment detection sub-device may perform attachment detection on the email when the link address detection sub-device judges that the link address is not a phishing link address specified in the link address dynamic blacklist; it may also perform attachment detection on the email when the link address detection sub-device judges that the calculated second matching degree is not greater than the second preset threshold and not less than the third preset threshold.
Further, when the attachment detection sub-device determines that the email has an attachment, it can prompt the user to download the attachment with caution; when it determines that there is no attachment, it can prompt the user that the email is a suspected email and should be clicked with caution.
Step 240: Judge the email to be a phishing email.
Specifically, when the email is judged to be a phishing email, it can be intercepted, or the user can be prompted that the email is a phishing email.
Step 250: Judge the email to be a non-phishing email.
Specifically, when the email is judged to be a non-phishing email, the user can be prompted that the email has been checked and confirmed to be free of problems.
Of course, in the embodiment of the present invention, the header information detection device may include only the email address detection sub-device; it may include the email address detection sub-device and the IP address detection sub-device; or it may include the email address detection sub-device, the IP address detection sub-device and the domain name detection sub-device.
If the header information detection device includes only the email address detection sub-device, then when the email address detection sub-device cannot judge the email to be a phishing email from the email address, the email can be sent directly to the body text detection device.
If the header information detection device includes the email address detection sub-device and the IP address detection sub-device, then when the IP address detection sub-device cannot judge the email to be a phishing email from the IP address, the email can be sent directly to the body text detection device so that the body text can be inspected.
Similarly, in the embodiment of the present invention, the body text detection device may include only the keyword detection sub-device; it may include the keyword detection sub-device and the link address detection sub-device; or it may include the keyword detection sub-device, the link address detection sub-device and the attachment detection sub-device.
If the body text detection device includes only the keyword detection sub-device, then when the keyword detection sub-device cannot judge the email to be a phishing email from keywords, the email can be judged to be a non-phishing email.
If the body text detection device includes the keyword detection sub-device and the link address detection sub-device, then when the link address detection sub-device cannot judge the email to be a phishing email from the link address, the email can be judged to be a non-phishing email.
As shown in Fig. 3, the above embodiment is described in further detail below with reference to a concrete scenario.
Step 300: Receive an email and parse the header information of the received email to obtain the corresponding email address, IP address and domain name, which are taken as the first email address, the first IP address and the first domain name respectively.
Specifically, the header information detection device parses the header information of the received email and obtains the email address, IP address and domain name of the email from the corresponding positions in the header information.
The format of existing email header information is shown in Table 1.
Table 1
Further, the email address and domain name can be obtained by extracting the From field, and the IP address can be obtained by extracting the Received field. The information recorded in the From field is defined by the sender, whereas the information recorded in the Received field is added automatically by each relay server that transmits the email.
For example, suppose the currently received email is email 1. In the header information of email 1, the From field contains "lovelily amy<amylove@gmail.com>" and the Received field contains "from mail-pz0-f53.google.com (unknown[209.85.210.53])by mx2(Coremail)with SMTP id AQAAf3DLXQP3AN9PwxkBAA--.3381S3;Mon,18Jun 2012 18:20:39+0800 (CST)". By extracting the From field and the Received field, the email address "amylove@gmail.com", the domain name "google.com" and the IP address "209.85.210.53" of email 1 can be obtained.
Step 301: Judge whether the first email address is in the preset email address dynamic blacklist; if so, execute step 314; otherwise, execute step 302.
Specifically, the email address detection sub-device in the header information detection device compares the extracted first email address one by one with each email address in the preset email address dynamic blacklist and judges whether the preset email address dynamic blacklist contains an email address identical to the first email address; if so, step 314 is executed; otherwise, step 302 is executed.
Further, because the information recorded in the From field is defined by the sender, this information is also the most easily forged; step 301 therefore first screens out the simplest class of phishing email, the forged-email-address class.
Step 302: Judge whether the first IP address is in the preset IP address dynamic blacklist; if so, execute step 314; otherwise, execute step 303.
Specifically, after the email address detection sub-device in the header information detection device has ruled out that the current email is a phishing email of the forged-email-address class, the email is passed to the IP address detection sub-device in the header information detection device. The IP address detection sub-device compares the extracted first IP address one by one with each IP address in the preset IP address dynamic blacklist and judges whether the preset IP address dynamic blacklist contains an IP address identical to the first IP address; if so, step 314 is executed; otherwise, step 303 is executed.
Further, the information recorded in the Received field is added automatically by each server the email passes through in transit and can show the transmission path of the email. In actual transmission, however, hackers or criminals can forge the IP address of the email by forging the IP addresses of the relay servers passed through in transit. Therefore, after a forged email address has been ruled out for the received email, detection continues with the first IP address extracted from the Received field of the email header information, to further judge whether the email is a phishing email and to avoid missing phishing emails of the forged-IP-address class.
Step 303: Based on the mapping relationship between IP addresses and domain names, obtain the domain name corresponding to the first IP address and take it as the second domain name.
Specifically, after the IP address detection sub-device in the header information detection device has ruled out that the current email is a phishing email of the forged-IP-address class, the email is passed to the domain name detection sub-device in the header information detection device, which inspects the domain name of the current email to judge whether the current email is a malicious-domain phishing email.
In general, there is a one-to-one mapping relationship between IP addresses and domain names. Based on this mapping relationship, the domain name mapped to the first IP address extracted from the Received field of the current email can be obtained and taken as the second domain name.
For example, suppose the first IP address of the current email is "210.93.131.250". If the domain name corresponding to "210.93.131.250" in the mapping relationship is "Barclays.Com", the mapping shows that the second domain name is "Barclays.Com".
Step 304: Judge whether the first domain name is consistent with the second domain name; if so, execute step 307; otherwise, execute step 305.
Specifically, after determining the second domain name, the domain name detection sub-device compares the first domain name with the second domain name. If the first domain name extracted from the From field is judged to be identical to the second domain name, that is, the extracted first domain name is judged not to be in the mapping table corresponding to the second domain name, step 307 is executed; otherwise, step 305 is executed.
Further, after the extracted first domain name is judged not to be in the mapping table corresponding to the second domain name, the email can be marked as a "prime risk" email before step 307 is executed.
Step 305: Using a malicious domain name detection technique based on multiple attributes, perform matching degree detection on the first domain name and take the resulting matching degree as the first matching degree.
Specifically, after the domain name detection sub-device in the header information detection device judges the current email to be a phishing email with a suspected malicious domain name, it inspects the suspicious domain name of the current email further to judge whether the current email is a malicious-domain phishing email.
Further, the domain name detection sub-device can perform matching degree detection on the first domain name using the multi-attribute malicious domain name detection technique, and the resulting matching degree is taken as the first matching degree.
Further, the domain name detection sub-device uses the multi-attribute malicious domain name detection technique to analyze the lexical features and network attributes of the domain name, where the network attributes include registration behavior, resolution behavior, usage behavior and so on.
Preferably, in the embodiment of the present invention, 16 network attributes of the domain name are preferred, and the above 20 network attributes are converted into a feature vector of the domain name that serves as the input feature values of a random forest classifier, in order to calculate the matching degree of whether the domain name of the current email is a malicious domain name; see Table 2 for details.
Table 2
Step 306: Judge whether the first matching degree is greater than the first preset threshold; if so, execute step 314; otherwise, execute step 307.
Specifically, before judging the matching degree between the domain name of the current email and malicious domain names, the domain name detection sub-device first sets a threshold, the first preset threshold, used to judge whether the domain name of the current email is a malicious domain name. The first preset threshold can of course be set by the header information detection device, by the domain name suspiciousness detection sub-device, or by another device.
Preferably, in the embodiment of the present invention, the first preset threshold is preferably 0.998: when the first matching degree obtained by the domain name suspiciousness detection sub-device is greater than 0.998, step 314 is executed; otherwise, step 307 is executed.
Step 307: Obtain the body text of the email.
Specifically, after the domain name detection sub-device in the header information detection device confirms that the domain name of the current email is not a malicious domain name, the email is sent to the body text detection device. The body text detection device obtains the data traffic of the email and then restores the data traffic according to the encoding type of the email to obtain the body text of the email.
Step 308: Judge whether the obtained body text contains a keyword in the preset keyword dynamic blacklist; if so, execute step 314; otherwise, execute step 309.
Specifically, after the body text detection device obtains the body text of the current email, the keyword detection sub-device in the body text detection device performs keyword detection on the body text to determine whether it contains a keyword in the preset keyword dynamic blacklist.
For example, the body text of a financial-fraud phishing email usually contains content such as prize winnings or bank account verification, which lures the user into entering identity information related to a bank account (e.g., bank account, bank account password, identification card number, check code) so as to steal the user's financial information. Suppose the currently preset keyword dynamic blacklist contains four keywords: bank account, bank account password, identification card number and check code. If the body text obtained by the keyword detection sub-device contains any one or more of these keywords, the email is marked as a "tertiary risk" email and step 314 is executed; otherwise, step 309 is executed.
Step 309: Judge whether the obtained body text contains a link address; if so, execute step 310; otherwise, execute step 316.
Specifically, the keyword detection sub-device in the body text detection device sends the current email to the link address detection sub-device, which inspects the obtained body text further. It first judges whether the obtained body text contains a link address; if so, step 310 is executed; otherwise, step 316 is executed.
Step 310: Perform matching degree detection on the link address based on the preset link address dynamic blacklist, and take the resulting matching degree as the second matching degree.
Specifically, fuzzy matching is performed on the link address based on the preset link address dynamic blacklist. That is, the distance difference between the link address and each link address in the preset link address dynamic blacklist is calculated first; then the ratio of each resulting distance difference to the link address is calculated, and the maximum of the resulting ratios is selected as the second matching degree.
Step 311: Judge whether the second matching degree reaches the second preset threshold; if so, execute step 314; otherwise, execute step 312.
Specifically, before judging the matching degree between the link address of the current email and phishing link addresses, the link address detection sub-device first sets thresholds, the second preset threshold and the third preset threshold, used to judge whether the link address of the current email is a phishing link address. The second preset threshold and the third preset threshold can of course be set by the body text detection device, by the link address detection sub-device, or by another device.
For example, in the embodiment of the present invention, the second preset threshold may be set to 0.95, and the third preset threshold may preferably be set to 0.75.
Further, when the second matching degree obtained by the link address detection sub-device is greater than 0.95, step 314 is executed; otherwise, step 312 is executed.
Step 312: Judge whether the second matching degree reaches the third preset threshold; if so, execute step 313; otherwise, execute step 316.
Specifically, continuing from step 311, for example, when the second matching degree obtained by the link address detection sub-device is not greater than 0.95, the second matching degree is judged further: it is judged whether the second matching degree is greater than 0.75; if so, the email is marked as a "level four risk" email and step 313 is executed; otherwise, step 316 is executed.
Step 313: Detect whether the email has an attachment; if so, execute step 317; otherwise, execute step 315.
Specifically, after the link address detection sub-device finishes inspecting the link address of the email, the current email is sent to the attachment detection sub-device, which detects whether the email carries an attachment; if so, step 317 is executed; otherwise, step 315 is executed.
Step 314: Judge the email to be a phishing email and intercept it.
Step 315: Prompt the user that the email is a suspected phishing email and should be clicked with caution.
Specifically, when the attachment detection sub-device determines that the current email has no attachment, it can push to the user that the risk level of the current email as a phishing email is "level four risk" and that it should be clicked with caution.
Step 316: Judge that the email is not a phishing email.
Specifically, when the email is judged not to be a phishing email, the user can also be prompted that it can be viewed.
Step 317: Prompt the user to download the email attachment with caution.
Specifically, when the attachment detection sub-device determines that the current email has an attachment, it can push to the user the prompt "This email has an attachment; please run a virus scan and download with caution".
Of course, in the embodiment of the present invention, the domain name detection sub-device in the header information detection device can also be subdivided by function into a domain name consistency detection sub-device and a domain name suspiciousness detection sub-device. The domain name consistency detection sub-device is mainly used to judge the consistency of the obtained first domain name and second domain name; the domain name suspiciousness detection sub-device performs further suspiciousness screening on the domain name when the domain name consistency detection sub-device judges them consistent.
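The decision order of steps 300 to 317, as an added example that is not part of the patent text. The similarity metric (difflib's `SequenceMatcher`), the IP-to-domain table, the scoring callback standing in for the random forest classifier, the choice of the top-most Received header and all sample data are assumptions.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.message import EmailMessage
from email.utils import parseaddr

T1, T2, T3 = 0.998, 0.95, 0.75  # first, second and third preset thresholds from the text
INTERCEPT = "phishing: intercept"                     # step 314
SUSPECTED = "suspected phishing: click with caution"  # step 315
CLEAN = "not phishing"                                # step 316
ATTACHMENT = "attachment: download with caution"      # step 317

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def link_match(url, blacklist):
    """Second matching degree: best similarity to any blacklisted link.
    SequenceMatcher is an assumed stand-in for the distance-based ratio in step 310."""
    return max((SequenceMatcher(None, url.lower(), bad.lower()).ratio()
                for bad in blacklist), default=0.0)


def body_text(msg):
    """Step 307: decode each text part according to its declared encoding."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text" and not part.get_filename():
            data = part.get_payload(decode=True) or b""
            chunks.append(data.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def classify(raw, lists, ip_to_domain, domain_score):
    """Walk steps 300-317 for one raw message and return the verdict."""
    msg = message_from_string(raw)
    # Step 300: first address and first domain from From, first IP from Received.
    address = parseaddr(msg.get("From", ""))[1].lower()
    domain = address.rpartition("@")[2]
    found = IP_RE.search(msg.get("Received", ""))  # top-most Received header (assumption)
    ip = found.group(1) if found else None
    # Steps 301-302: exact lookups in the address and IP blacklists.
    if address in lists["addresses"] or ip in lists["ips"]:
        return INTERCEPT
    # Steps 303-306: score the From domain only when it disagrees with the mapped one.
    if ip_to_domain.get(ip) != domain and domain_score(domain) > T1:
        return INTERCEPT
    # Steps 307-308: keyword lookup in the decoded body.
    text = body_text(msg)
    lowered = text.lower()
    if any(keyword in lowered for keyword in lists["keywords"]):
        return INTERCEPT
    # Steps 309-312: no link means clean; otherwise grade the closest link.
    urls = URL_RE.findall(text)
    if not urls:
        return CLEAN
    score = max(link_match(url, lists["links"]) for url in urls)
    if score > T2:
        return INTERCEPT
    if score <= T3:
        return CLEAN
    # Step 313: grey zone between T3 and T2, the outcome depends on attachments.
    has_attachment = any(part.get_filename() for part in msg.walk())
    return ATTACHMENT if has_attachment else SUSPECTED


# --- constructed sample data (documentation-range IPs, reserved test domains) ---
LISTS = {
    "addresses": {"prize@lottery.test"},
    "ips": {"203.0.113.9"},
    "keywords": {"bank account password", "check code"},
    "links": {"http://login.example-bank.test/verify"},
}
IP_TO_DOMAIN = {"198.51.100.7": "example.com"}


def constructed_domain_score(domain):
    """Placeholder for the random forest malicious-domain score of step 305."""
    return 0.999 if domain == "examp1e.test" else 0.10


def sample(sender, ip, body, attach=False):
    """Build a raw message; every header value here is constructed."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["Received"] = f"from relay.invalid (unknown [{ip}]) by mx.invalid with SMTP"
    msg.set_content(body)
    if attach:
        msg.add_attachment(b"constructed", maintype="application",
                           subtype="octet-stream", filename="form.bin")
    return msg.as_string()


def verdict(sender, ip, body, attach=False):
    """Classify one constructed message against the constructed lists."""
    return classify(sample(sender, ip, body, attach), LISTS, IP_TO_DOMAIN,
                    constructed_domain_score)
```

The grey-zone branch is the one most easily lost in an implementation: a link that is a near-variant of a blacklisted one is neither intercepted nor cleared, and the user prompt differs depending on whether an attachment is present.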
Based on the above embodiments, as shown in Fig. 4, in an embodiment of the present invention the phishing email detection apparatus includes at least a first processing unit 40, a second processing unit 41 and a third processing unit 42, wherein:
The first processing unit 40 is configured to obtain the header information of an email and, based on a preset first-class dynamic blacklist, judge whether the header information contains first-class phishing information specified in the first-class dynamic blacklist;
The second processing unit 41 is configured to judge the email to be a phishing email when the information is determined to be contained;
The third processing unit 42 is configured, when the information is determined not to be contained, to extract the body text of the email and, based on a preset second-class dynamic blacklist, judge whether the body text contains second-class phishing information specified in the second-class dynamic blacklist; when it is determined to be contained, the email is judged to be a phishing email; when it is determined not to be contained, the email is judged to be a non-phishing email.
Optionally, the apparatus further includes an updating unit 43, and the updating unit 43 is configured to:
When it is determined, according to a user indication, that phishing information associated with a phishing email exists, update the corresponding dynamic blacklist with the associated phishing information.
Optionally, the first-class dynamic blacklist includes at least one or any combination of an email address dynamic blacklist, an IP address dynamic blacklist and a domain name dynamic blacklist;
The first-class phishing information includes at least one or any combination of a phishing email address, a phishing IP address and a phishing domain name;
The second-class dynamic blacklist includes at least a keyword dynamic blacklist and/or a link address dynamic blacklist;
The second-class phishing information includes at least a keyword and/or a link address.
Optionally, when obtaining the header information of the email and judging, based on the preset first-class dynamic blacklist, whether the header information contains first-class phishing information specified in the first-class dynamic blacklist, the first processing unit 40 is configured to:
Obtain the header information of the email and determine the corresponding email address;
Judge, based on the preset email address dynamic blacklist, whether the email address is a phishing email address specified in the email address dynamic blacklist;
Determine that the information is contained when the email address is judged to be a phishing email address specified in the email address dynamic blacklist;
Determine that the information is not contained when the email address is judged not to be a phishing email address specified in the email address dynamic blacklist.
Optionally, after determining that the information is not contained because the email address is judged not to be a phishing email address specified in the email address dynamic blacklist, the first processing unit 40 is further configured to:
Determine the corresponding IP address based on the header information;
Judge, based on the preset IP address dynamic blacklist, whether the IP address is a phishing IP address specified in the IP address dynamic blacklist;
Determine that the information is contained when the IP address is judged to be a phishing IP address specified in the IP address dynamic blacklist;
Determine that the information is not contained when the IP address is judged not to be a phishing IP address specified in the IP address dynamic blacklist.
Optionally, after determining that the information is not contained because the IP address is judged not to be a phishing IP address specified in the IP address dynamic blacklist, the first processing unit 40 is further configured to:
Determine the corresponding domain name and IP address based on the header information;
Determine the mapped domain name corresponding to the IP address based on the IP address;
Judge whether the domain name and the mapped domain name are consistent;
When they are judged consistent, determine that the information is not contained;
When they are judged inconsistent, match the domain name against the specified phishing domain names based on the preset domain name dynamic blacklist, take the resulting matching degree as the first matching degree, and judge whether the first matching degree is greater than the preset first threshold; if so, determine that the information is contained; otherwise, determine that it is not contained.
Optionally, the text message of the mail is extracted, and is based on preset second class dynamic blacklist library, judges institute
It states when whether including the second specified class fishing information in the second class dynamic blacklist library in text message, institute
Third processing unit 42 is stated to be used for:
Extract the text message of the mail;
Based on preset keyword dynamic blacklist library, judge whether the text message is dynamic comprising the keyword is located at
The fishing keyword specified in state blacklist library;
When judging that the text message includes the fishing keyword for being located at and being specified in the keyword dynamic blacklist library, really
Surely include;
When judging that the text message does not include the fishing keyword for being located at and being specified in the keyword dynamic blacklist library,
Determination does not include.
Optionally, judge that the text message does not include the fishing for being located at and being specified in the keyword dynamic blacklist library and closes
When keyword, determine after not including, the third processing unit 42 is further used for:
Continue to judge whether the text message includes chained address;
When determining that the text message includes chained address, the chained address is extracted, and be based on preset chained address
The chained address and specified fishing chained address are carried out matching degree detection by dynamic blacklist library, and the matching degree of acquisition is made
For the second matching degree, when determining that second matching degree is more than preset second predetermined threshold value, determination includes to determine described second
When matching degree is less than preset third predetermined threshold value, determination does not include, and otherwise, attachment detection is carried out to the mail;
When determining that the text message does not include chained address, attachment detection is carried out to the mail.
Optionally, when carrying out attachment detection to the mail, the third processing unit 42 is used for:
It determines there are when attachment, user is prompted to download the attachment with caution, otherwise, it is doubtful postal to prompt mail described in user
Part is clicked with caution.
In conclusion in the embodiment of the present invention, first the header information based on mail, first kind fishing information is carried out to mail
Detection, to identify the fishing mail for including first kind fishing information, for can not be just capable of determining whether by header information
For the mail of fishing mail, the text message based on the mail carries out the detection of the second class fishing information, to identify including the
The fishing mail of two class fishing informations can prevent from failing to judge to fishing mail, carry in this way, by carrying out classification and Detection to mail
High accuracy rate no longer needs to carry out text message detection moreover, for the fishing mail that can just can determine that by header information,
The sensitive information for not only protecting user, also improves detection efficiency, reduces the consuming of resource, meanwhile, either to head
Information is still detected text message, and all kinds of dynamic blacklists library can all indicate to determine presence and fishing mail based on user
Relevant fishing information, is updated in real time, improves the accuracy rate of detection.
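The staged decision flow described above (header checks first, body text checks only for mail that passes them, then the attachment prompt, with user feedback updating the blacklists), as an added Python example that is not code from the patent. The similarity metric (`difflib` ratio), the three threshold values, the use of the topmost `Received` header, and every address, domain and blacklist entry are assumptions constructed for illustration.

```python
import re
from difflib import SequenceMatcher
from email.message import EmailMessage
from email.utils import parseaddr

# Assumed values: the patent only says the three thresholds are "preset".
T1_DOMAIN, T2_LINK_HIGH, T3_LINK_LOW = 0.80, 0.85, 0.40
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\(\[?(\d{1,3}(?:\.\d{1,3}){3})\]?\)")
URL_RE = re.compile(r"https?://[^\s<>\"']+")

class Blacklists:
    """The five dynamic blacklist libraries, seeded with constructed entries."""
    def __init__(self):
        self.addresses = {"billing@paypa1-secure.example"}
        self.ips = {"198.51.100.23"}
        self.domains = {"paypa1-secure.example"}
        self.keywords = {"verify your account immediately"}
        self.links = {"http://paypa1-secure.example/login"}

    def report(self, library, value):
        """User feedback path: add confirmed phishing information to a library."""
        getattr(self, library).add(value.lower())

def match_degree(value, entries):
    """Best similarity to any entry; SequenceMatcher is an assumed metric."""
    return max((SequenceMatcher(None, value.lower(), e).ratio() for e in entries),
               default=0.0)

def check_header(msg, bl, reverse_lookup):
    """Stage 1: sender address, then IP, then domain consistency and similarity."""
    address = parseaddr(str(msg.get("From", "")))[1].lower()
    if address in bl.addresses:
        return "address"
    hop = RECEIVED_RE.search(str(msg.get("Received", "")))
    if hop is None:
        return None  # no domain/IP pair to test; the mail falls through to stage 2
    domain, ip = hop.group(1).lower(), hop.group(2)
    if ip in bl.ips:
        return "ip"
    if reverse_lookup(ip) == domain:
        return None  # announced domain agrees with the IP's mapped domain
    if match_degree(domain, bl.domains) > T1_DOMAIN:
        return "domain"
    return None

def check_body(msg, bl):
    """Stage 2: keywords, then link similarity, then the attachment prompt."""
    part = msg.get_body(preferencelist=("plain",))
    text = part.get_content() if part is not None else ""
    if any(k in text.lower() for k in bl.keywords):
        return "phishing", "keyword"
    links = URL_RE.findall(text)
    if links:
        degree = max(match_degree(u, bl.links) for u in links)
        if degree > T2_LINK_HIGH:
            return "phishing", "link"
        if degree < T3_LINK_LOW:
            return "not phishing", "link"
    # No link, or a degree between the two thresholds: attachment detection.
    if any(True for _ in msg.iter_attachments()):
        return "suspicious", "download the attachment with caution"
    return "suspicious", "suspicious mail, click with caution"

def classify(msg, bl, reverse_lookup):
    """Run stage 1; only mail that passes it has its body text extracted."""
    hit = check_header(msg, bl, reverse_lookup)
    return ("phishing", hit) if hit else check_body(msg, bl)

def make_mail(sender, helo, ip, body, attachment=None):
    """Build a constructed sample message (IPs from the RFC 5737 test ranges)."""
    msg = EmailMessage()
    msg["Received"] = f"from {helo} ([{ip}]) by mx.corp.test"
    msg["From"] = sender
    msg["Subject"] = "Account notice"
    msg.set_content(body)
    if attachment:
        msg.add_attachment(b"%PDF-1.4", maintype="application",
                           subtype="pdf", filename=attachment)
    return msg

PTR = {"203.0.113.10": "mail.corp.test"}  # constructed IP-to-domain mapping

if __name__ == "__main__":
    bl = Blacklists()
    for args in [
        ("billing@paypa1-secure.example", "mail.corp.test", "203.0.113.10", "Hello"),
        ("support@paypa1-secure.examp1e", "paypa1-secure.examp1e", "203.0.113.50", "Hello"),
        ("news@corp.test", "mail.corp.test", "203.0.113.10",
         "Reset here: http://paypa1-secure.example/1ogin now"),
    ]:
        print(args[0], "->", classify(make_mail(*args), bl, PTR.get))
```

Followed literally, the flow sends every mail that has no blacklisted keyword and no link to the attachment prompt, so such mail is always reported as suspicious rather than clean.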
Those skilled in the art should understand that the embodiments of the present invention may be provided as a method, a system, or a computer program product. Therefore, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the present invention may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to magnetic disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.
The present invention is described with reference to flowcharts and/or block diagrams of the method, device (system), and computer program product according to the embodiments of the present invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor, or another programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce means for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to work in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means, the instruction means implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, such that a series of operational steps is performed on the computer or other programmable device to produce computer-implemented processing, so that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
Although preferred embodiments of the present invention have been described, those skilled in the art can make additional changes and modifications to these embodiments once they learn of the basic inventive concept. Therefore, the appended claims are intended to be interpreted as including the preferred embodiments and all changes and modifications that fall within the scope of the present invention.
Obviously, those skilled in the art can make various changes and variations to the embodiments of the present invention without departing from the spirit and scope of the embodiments of the present invention. Thus, if these modifications and variations of the embodiments of the present invention fall within the scope of the claims of the present invention and their equivalent technologies, the present invention is also intended to include these modifications and variations.
Claims (27)
1. A phishing mail detection system, characterized by comprising a header information detection device and a body text detection device, wherein:
the header information detection device is configured to obtain the header information of a mail and, based on a preset first-type dynamic blacklist library, judge whether the header information contains first-type phishing information specified in the first-type dynamic blacklist library; when it is determined to be contained, judge the mail to be phishing mail; otherwise, send the mail to the body text detection device;
the body text detection device is configured to receive the mail sent by the header information detection device, extract the body text of the mail and, based on a preset second-type dynamic blacklist library, judge whether the body text contains second-type phishing information specified in the second-type dynamic blacklist library; when it is determined to be contained, judge the mail to be phishing mail; otherwise, judge the mail to be non-phishing mail.
2. The system according to claim 1, characterized by further comprising:
a user information feedback device, configured to, when it is determined according to a user's indication that phishing information associated with phishing mail exists, update the corresponding dynamic blacklist library with the associated phishing information.
3. The system according to claim 1, characterized in that the first-type dynamic blacklist library comprises at least one or any combination of a mail address dynamic blacklist library, an IP address dynamic blacklist library and a domain name dynamic blacklist library;
the first-type phishing information comprises at least one or any combination of a phishing mail address, a phishing IP address and a phishing domain name;
the second-type dynamic blacklist library comprises at least a keyword dynamic blacklist library and/or a link address dynamic blacklist library;
the second-type phishing information comprises at least a keyword and/or a link address.
4. The system according to claim 1, 2 or 3, characterized in that the header information detection device comprises at least a mail address detection sub-device:
the mail address detection sub-device is configured to determine the corresponding mail address based on the obtained header information of the mail and, based on a preset mail address dynamic blacklist library, judge whether the mail address is a phishing mail address specified in the mail address dynamic blacklist library; if so, judge the mail to be phishing mail; otherwise, send the mail to the body text detection device.
5. The system according to claim 4, characterized in that the header information detection device further comprises an IP address detection sub-device:
the IP address detection sub-device is configured to, when the mail address detection sub-device judges that the mail address is not a phishing mail address specified in the mail address dynamic blacklist library, determine the corresponding IP address based on the header information and, based on a preset IP address dynamic blacklist library, judge whether the IP address is a phishing IP address specified in the IP address dynamic blacklist library; if so, judge the mail to be phishing mail; otherwise, send the mail to the body text detection device.
6. The system according to claim 5, characterized in that the header information detection device further comprises a domain name detection sub-device:
the domain name detection sub-device is configured to, when the IP address detection sub-device judges that the IP address is not a phishing IP address specified in the IP address dynamic blacklist library, determine the corresponding domain name and IP address based on the header information, determine, based on the IP address, the mapped domain name corresponding to the IP address, and judge whether the domain name and the mapped domain name are consistent;
if so, send the mail to the body text detection device;
otherwise, based on a preset domain name dynamic blacklist library, perform matching degree detection between the domain name and the specified phishing domain names, take the obtained matching degree as the first matching degree, and then judge whether the first matching degree is greater than the preset first threshold; if so, judge the mail to be phishing mail; otherwise, send the mail to the body text detection device.
7. The system according to claim 1, 2 or 3, characterized in that the body text detection device comprises at least a keyword detection sub-device:
the keyword detection sub-device is configured to receive the mail sent by the header information detection device, extract the body text of the mail and, based on a preset keyword dynamic blacklist library, judge whether the body text contains a phishing keyword specified in the keyword dynamic blacklist library; if so, judge the mail to be phishing mail; otherwise, judge the mail to be non-phishing mail.
8. The system according to claim 7, characterized in that the body text detection device further comprises a link address detection sub-device:
the link address detection sub-device is configured to, when the keyword detection sub-device judges that the keyword is not a phishing keyword specified in the keyword dynamic blacklist library, judge whether the body text contains a link address;
when it is determined not to be contained, send the mail to an attachment detection sub-device;
when it is determined to be contained, extract the link address and, based on a preset link address dynamic blacklist library, perform matching degree detection between the link address and the specified phishing link addresses, taking the obtained matching degree as the second matching degree; when the second matching degree is determined to be greater than the preset second threshold, judge the mail to be phishing mail; when the second matching degree is determined to be less than the preset third threshold, judge the mail to be non-phishing mail; otherwise, send the mail to the attachment detection sub-device.
9. The system according to claim 8, characterized in that the body text detection device further comprises an attachment detection sub-device:
the attachment detection sub-device is configured to, when the link address detection sub-device judges that the link address is not a phishing link address specified in the link address dynamic blacklist library, perform attachment detection on the mail; when an attachment is determined to exist, prompt the user to download the attachment with caution; otherwise, prompt the user that the mail is suspicious mail and should be clicked with caution; or,
the attachment detection sub-device is configured to, when the link address detection sub-device judges that the second matching degree is not greater than the second threshold and not less than the third threshold, perform attachment detection on the mail; when an attachment is determined to exist, prompt the user to download the attachment with caution; otherwise, prompt the user that the mail is suspicious mail and should be clicked with caution.
10. A phishing mail detection method, characterized by comprising:
obtaining the header information of a mail and, based on a preset first-type dynamic blacklist library, judging whether the header information contains first-type phishing information specified in the first-type dynamic blacklist library;
when it is determined to be contained, judging the mail to be phishing mail;
when it is determined not to be contained, extracting the body text of the mail and, based on a preset second-type dynamic blacklist library, judging whether the body text contains second-type phishing information specified in the second-type dynamic blacklist library; when it is determined to be contained, judging the mail to be phishing mail; when it is determined not to be contained, judging the mail to be non-phishing mail.
11. The method according to claim 10, characterized by further comprising:
when it is determined according to a user's indication that phishing information associated with phishing mail exists, updating the corresponding dynamic blacklist library with the associated phishing information.
12. The method according to claim 10, characterized in that the first-type dynamic blacklist library comprises at least one or any combination of a mail address dynamic blacklist library, an IP address dynamic blacklist library and a domain name dynamic blacklist library;
the first-type phishing information comprises at least one or any combination of a phishing mail address, a phishing IP address and a phishing domain name;
the second-type dynamic blacklist library comprises at least a keyword dynamic blacklist library and/or a link address dynamic blacklist library;
the second-type phishing information comprises at least a keyword and/or a link address.
13. The method according to claim 10, 11 or 12, characterized in that obtaining the header information of the mail and, based on the preset first-type dynamic blacklist library, judging whether the header information contains first-type phishing information specified in the first-type dynamic blacklist library comprises:
determining the corresponding mail address from the obtained header information of the mail;
based on a preset mail address dynamic blacklist library, judging whether the mail address is a phishing mail address specified in the mail address dynamic blacklist library;
when the mail address is judged to be a phishing mail address specified in the mail address dynamic blacklist library, determining that the information is contained;
when the mail address is judged not to be a phishing mail address specified in the mail address dynamic blacklist library, determining that the information is not contained.
14. The method according to claim 13, characterized in that, after judging that the mail address is not a phishing mail address specified in the mail address dynamic blacklist library and determining that the information is not contained, the method further comprises:
based on the header information, determining the corresponding IP address;
based on a preset IP address dynamic blacklist library, judging whether the IP address is a phishing IP address specified in the IP address dynamic blacklist library;
when the IP address is judged to be a phishing IP address specified in the IP address dynamic blacklist library, determining that the information is contained;
when the IP address is judged not to be a phishing IP address specified in the IP address dynamic blacklist library, determining that the information is not contained.
15. The method according to claim 14, characterized in that, after judging that the IP address is not a phishing IP address specified in the IP address dynamic blacklist library and determining that the information is not contained, the method further comprises:
based on the header information, determining the corresponding domain name and IP address;
based on the IP address, determining the mapped domain name corresponding to the IP address;
judging whether the domain name and the mapped domain name are consistent;
when they are judged to be consistent, determining that the information is not contained;
when they are judged to be inconsistent, based on a preset domain name dynamic blacklist library, performing matching degree detection between the domain name and the specified phishing domain names, taking the obtained matching degree as the first matching degree, and then judging whether the first matching degree is greater than the preset first threshold; if so, determining that the information is contained; otherwise, determining that it is not contained.
16. The method according to claim 10, 11 or 12, characterized in that extracting the body text of the mail and, based on the preset second-type dynamic blacklist library, judging whether the body text contains second-type phishing information specified in the second-type dynamic blacklist library comprises:
extracting the body text of the mail;
based on a preset keyword dynamic blacklist library, judging whether the body text contains a phishing keyword specified in the keyword dynamic blacklist library;
when the body text is judged to contain a phishing keyword specified in the keyword dynamic blacklist library, determining that the information is contained;
when the body text is judged not to contain a phishing keyword specified in the keyword dynamic blacklist library, determining that the information is not contained.
17. The method according to claim 16, characterized in that, after judging that the body text does not contain a phishing keyword specified in the keyword dynamic blacklist library and determining that the information is not contained, the method further comprises:
continuing by judging whether the body text contains a link address;
when the body text is determined to contain a link address, extracting the link address and, based on a preset link address dynamic blacklist library, performing matching degree detection between the link address and the specified phishing link addresses, taking the obtained matching degree as the second matching degree; when the second matching degree is determined to be greater than the preset second threshold, determining that the information is contained; when the second matching degree is determined to be less than the preset third threshold, determining that it is not contained; otherwise, performing attachment detection on the mail;
when the body text is determined not to contain a link address, performing attachment detection on the mail.
18. The method according to claim 17, characterized in that performing attachment detection on the mail comprises:
when an attachment is determined to exist, prompting the user to download the attachment with caution; otherwise, prompting the user that the mail is suspicious mail and should be clicked with caution.
19. A phishing mail detection device, characterized by comprising:
a first processing unit, configured to obtain the header information of a mail and, based on a preset first-type dynamic blacklist library, judge whether the header information contains first-type phishing information specified in the first-type dynamic blacklist library;
a second processing unit, configured to, when it is determined to be contained, judge the mail to be phishing mail;
a third processing unit, configured to, when it is determined not to be contained, extract the body text of the mail and, based on a preset second-type dynamic blacklist library, judge whether the body text contains second-type phishing information specified in the second-type dynamic blacklist library; when it is determined to be contained, judge the mail to be phishing mail; when it is determined not to be contained, judge the mail to be non-phishing mail.
20. The device according to claim 19, characterized by further comprising an updating unit, the updating unit being configured to:
when it is determined according to a user's indication that phishing information associated with phishing mail exists, update the corresponding dynamic blacklist library with the associated phishing information.
21. The device according to claim 19, characterized in that the first-type dynamic blacklist library comprises at least one or any combination of a mail address dynamic blacklist library, an IP address dynamic blacklist library and a domain name dynamic blacklist library;
the first-type phishing information comprises at least one or any combination of a phishing mail address, a phishing IP address and a phishing domain name;
the second-type dynamic blacklist library comprises at least a keyword dynamic blacklist library and/or a link address dynamic blacklist library;
the second-type phishing information comprises at least a keyword and/or a link address.
22. The device according to claim 19, 20 or 21, characterized in that, when obtaining the header information of the mail and judging, based on the preset first-type dynamic blacklist library, whether the header information contains first-type phishing information specified in the first-type dynamic blacklist library, the first processing unit is configured to:
obtain the header information of the mail and determine the corresponding mail address;
based on a preset mail address dynamic blacklist library, judge whether the mail address is a phishing mail address specified in the mail address dynamic blacklist library;
when the mail address is judged to be a phishing mail address specified in the mail address dynamic blacklist library, determine that the information is contained;
when the mail address is judged not to be a phishing mail address specified in the mail address dynamic blacklist library, determine that the information is not contained.
23. The device according to claim 22, characterized in that, after judging that the mail address is not a phishing mail address specified in the mail address dynamic blacklist library and determining that the information is not contained, the first processing unit is further configured to:
based on the header information, determine the corresponding IP address;
based on a preset IP address dynamic blacklist library, judge whether the IP address is a phishing IP address specified in the IP address dynamic blacklist library;
when the IP address is judged to be a phishing IP address specified in the IP address dynamic blacklist library, determine that the information is contained;
when the IP address is judged not to be a phishing IP address specified in the IP address dynamic blacklist library, determine that the information is not contained.
24. The device according to claim 23, characterized in that, after judging that the IP address is not a phishing IP address specified in the IP address dynamic blacklist library and determining that the information is not contained, the first processing unit is further configured to:
based on the header information, determine the corresponding domain name and IP address;
based on the IP address, determine the mapped domain name corresponding to the IP address;
judge whether the domain name and the mapped domain name are consistent;
when they are judged to be consistent, determine that the information is not contained;
when they are judged to be inconsistent, based on a preset domain name dynamic blacklist library, perform matching degree detection between the domain name and the specified phishing domain names, take the obtained matching degree as the first matching degree, and then judge whether the first matching degree is greater than the preset first threshold; if so, determine that the information is contained; otherwise, determine that it is not contained.
25. The device according to claim 19, 20 or 21, characterized in that, when extracting the body text of the mail and judging, based on the preset second-type dynamic blacklist library, whether the body text contains second-type phishing information specified in the second-type dynamic blacklist library, the third processing unit is configured to:
extract the body text of the mail;
based on a preset keyword dynamic blacklist library, judge whether the body text contains a phishing keyword specified in the keyword dynamic blacklist library;
when the body text is judged to contain a phishing keyword specified in the keyword dynamic blacklist library, determine that the information is contained;
when the body text is judged not to contain a phishing keyword specified in the keyword dynamic blacklist library, determine that the information is not contained.
26. The device according to claim 25, characterized in that, after judging that the body text does not contain a phishing keyword specified in the keyword dynamic blacklist library and determining that the information is not contained, the third processing unit is further configured to:
continue by judging whether the body text contains a link address;
when the body text is determined to contain a link address, extract the link address and, based on a preset link address dynamic blacklist library, perform matching degree detection between the link address and the specified phishing link addresses, taking the obtained matching degree as the second matching degree; when the second matching degree is determined to be greater than the preset second threshold, determine that the information is contained; when the second matching degree is determined to be less than the preset third threshold, determine that it is not contained; otherwise, perform attachment detection on the mail;
when the body text is determined not to contain a link address, perform attachment detection on the mail.
27. The device according to claim 26, characterized in that, when performing attachment detection on the mail, the third processing unit is configured to:
when an attachment is determined to exist, prompt the user to download the attachment with caution; otherwise, prompt the user that the mail is suspicious mail and should be clicked with caution.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710071611.9A CN108418777A (en) | 2017-02-09 | 2017-02-09 | A kind of fishing mail detection method, apparatus and system |
Publications (1)
Publication Number | Publication Date |
---|---|
CN108418777A true CN108418777A (en) | 2018-08-17 |
Family
ID=63125016
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710071611.9A Pending CN108418777A (en) | 2017-02-09 | 2017-02-09 | A kind of fishing mail detection method, apparatus and system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN108418777A (en) |
Cited By (12)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109039874A (en) * | 2018-09-17 | 2018-12-18 | 杭州安恒信息技术股份有限公司 | A kind of the mail auditing method and device of Behavior-based control analysis |
CN110648118A (en) * | 2019-09-27 | 2020-01-03 | 深信服科技股份有限公司 | Fish fork mail detection method and device, electronic equipment and readable storage medium |
CN110995576A (en) * | 2019-12-16 | 2020-04-10 | 深信服科技股份有限公司 | Mail detection method, device, equipment and storage medium |
CN111131137A (en) * | 2018-11-01 | 2020-05-08 | 财团法人资讯工业策进会 | Suspicious packet detection device and suspicious packet detection method thereof |
CN111404806A (en) * | 2020-03-16 | 2020-07-10 | 深信服科技股份有限公司 | Method, device and equipment for detecting harpoon mails and computer readable storage medium |
CN112039874A (en) * | 2020-08-28 | 2020-12-04 | 绿盟科技集团股份有限公司 | Malicious mail identification method and device |
CN113630397A (en) * | 2021-07-28 | 2021-11-09 | 上海纽盾网安科技有限公司 | E-mail security control method, client and system |
CN114004604A (en) * | 2021-12-30 | 2022-02-01 | 北京微步在线科技有限公司 | Method and device for detecting URL data in mail and electronic equipment |
CN114726603A (en) * | 2022-03-30 | 2022-07-08 | 北京明朝万达科技股份有限公司 | Mail detection method and device |
CN114760119A (en) * | 2022-04-02 | 2022-07-15 | 北京安博通金安科技有限公司 | Phishing mail attack detection method, device and system |
CN115643095A (en) * | 2022-10-27 | 2023-01-24 | 山东星维九州安全技术有限公司 | Method and system for security test of internal network of company |
CN116319654A (en) * | 2023-04-11 | 2023-06-23 | 华能信息技术有限公司 | Intelligent type junk mail scanning method |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102098235A (en) * | 2011-01-18 | 2011-06-15 | 南京邮电大学 | Fishing mail inspection method based on text characteristic analysis |
CN102223316A (en) * | 2011-06-15 | 2011-10-19 | 成都市华为赛门铁克科技有限公司 | Method and device for processing electronic mail |
US20150067833A1 (en) * | 2013-08-30 | 2015-03-05 | Narasimha Shashidhar | Automatic phishing email detection based on natural language processing techniques |
CN105072137A (en) * | 2015-09-15 | 2015-11-18 | 蔡丝英 | Spear phishing mail detection method and device |
US20160344770A1 (en) * | 2013-08-30 | 2016-11-24 | Rakesh Verma | Automatic Phishing Email Detection Based on Natural Language Processing Techniques |
- 2017-02-09 CN CN201710071611.9A patent/CN108418777A/en active Pending
Non-Patent Citations (1)
Title |
---|
GILCHAN PARK: "Text-Based Phishing Detection Using A Simulation Model", 《PURDUE UNIVERSITY PURDUE E-PUBS》 * |
Cited By (18)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109039874B (en) * | 2018-09-17 | 2021-08-20 | 杭州安恒信息技术股份有限公司 | Mail auditing method and device based on behavior analysis |
CN109039874A (en) * | 2018-09-17 | 2018-12-18 | 杭州安恒信息技术股份有限公司 | A kind of the mail auditing method and device of Behavior-based control analysis |
CN111131137A (en) * | 2018-11-01 | 2020-05-08 | 财团法人资讯工业策进会 | Suspicious packet detection device and suspicious packet detection method thereof |
CN110648118A (en) * | 2019-09-27 | 2020-01-03 | 深信服科技股份有限公司 | Fish fork mail detection method and device, electronic equipment and readable storage medium |
CN110995576A (en) * | 2019-12-16 | 2020-04-10 | 深信服科技股份有限公司 | Mail detection method, device, equipment and storage medium |
CN111404806A (en) * | 2020-03-16 | 2020-07-10 | 深信服科技股份有限公司 | Method, device and equipment for detecting harpoon mails and computer readable storage medium |
CN112039874B (en) * | 2020-08-28 | 2023-03-24 | 绿盟科技集团股份有限公司 | Malicious mail identification method and device |
CN112039874A (en) * | 2020-08-28 | 2020-12-04 | 绿盟科技集团股份有限公司 | Malicious mail identification method and device |
CN113630397A (en) * | 2021-07-28 | 2021-11-09 | 上海纽盾网安科技有限公司 | E-mail security control method, client and system |
CN114004604A (en) * | 2021-12-30 | 2022-02-01 | 北京微步在线科技有限公司 | Method and device for detecting URL data in mail and electronic equipment |
CN114726603A (en) * | 2022-03-30 | 2022-07-08 | 北京明朝万达科技股份有限公司 | Mail detection method and device |
CN114726603B (en) * | 2022-03-30 | 2023-09-01 | 北京明朝万达科技股份有限公司 | Mail detection method and device |
CN114760119A (en) * | 2022-04-02 | 2022-07-15 | 北京安博通金安科技有限公司 | Phishing mail attack detection method, device and system |
CN114760119B (en) * | 2022-04-02 | 2023-12-12 | 北京安博通金安科技有限公司 | Phishing mail attack detection method, device and system |
CN115643095A (en) * | 2022-10-27 | 2023-01-24 | 山东星维九州安全技术有限公司 | Method and system for security test of internal network of company |
CN115643095B (en) * | 2022-10-27 | 2023-08-29 | 山东星维九州安全技术有限公司 | Method and system for testing network security inside company |
CN116319654A (en) * | 2023-04-11 | 2023-06-23 | 华能信息技术有限公司 | Intelligent type junk mail scanning method |
CN116319654B (en) * | 2023-04-11 | 2024-05-28 | 华能信息技术有限公司 | Intelligent type junk mail scanning method |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN108418777A (en) | A kind of fishing mail detection method, apparatus and system | |
CN105516113B (en) | System and method for automatic network fishing detected rule evolution | |
US8769695B2 (en) | Phish probability scoring model | |
US8918466B2 (en) | System for email processing and analysis | |
JP5990284B2 (en) | Spam detection system and method using character histogram | |
CN109274632B (en) | Website identification method and device | |
RU2601190C2 (en) | System and methods for spam detection using frequency spectra of character strings | |
CN105119909B (en) | A kind of counterfeit website detection method and system based on page visual similarity | |
US7890588B2 (en) | Unwanted mail discriminating apparatus and unwanted mail discriminating method | |
CN104217160A (en) | Method and system for detecting Chinese phishing website | |
CN103685307A (en) | Method, system, client and server for detecting phishing fraud webpage based on feature library | |
CN109922065B (en) | Quick identification method for malicious website | |
CN109600362B (en) | Zombie host recognition method, device and medium based on recognition model | |
Rahim et al. | Detecting the Phishing Attack Using Collaborative Approach and Secure Login through Dynamic Virtual Passwords. | |
CN108023868A (en) | Malice resource address detection method and device | |
CN109450929A (en) | A kind of safety detection method and device | |
CN109543408A (en) | A kind of Malware recognition methods and system | |
CN113704328A (en) | User behavior big data mining method and system based on artificial intelligence | |
Sankhwar et al. | Email phishing: an enhanced classification model to detect malicious urls | |
CN106790025B (en) | Method and device for detecting link maliciousness | |
CN107018152A (en) | Message block method, device and electronic equipment | |
CN110061981A (en) | A kind of attack detection method and device | |
KR102648653B1 (en) | Mail security-based zero-day URL attack defense service providing device and method of operation | |
CN112039874B (en) | Malicious mail identification method and device | |
KR102546068B1 (en) | Device and its operation methods for providing E-mail security service using hierarchical architecture based on security level |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication | Application publication date: 20180817 |