CN108959917A - Email detection method, apparatus, device and readable storage medium - Google Patents

Email detection method, apparatus, device and readable storage medium

Info

Publication number: CN108959917A
Authority: CN (China)
Prior art keywords: attachment, program, behavior, file, email
Legal status: Pending (status as listed by Google Patents, not a legal conclusion)
Application number: CN201710378859.XA
Other languages: Chinese (zh)
Inventors: 马立伟, 蔡晨, 王森, 王月强, 李志豪
Current assignee: Tencent Technology Shenzhen Co Ltd
Original assignee: Tencent Technology Shenzhen Co Ltd
Priority application: CN201710378859.XA
Publication: CN108959917A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow
    • G06F21/53 Monitoring users, programs or devices to maintain the integrity of platforms during program execution by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities

Abstract

This application discloses an email detection method, comprising: receiving an email; when an attachment is detected in the email, transmitting the attachment to a sandbox, the sandbox providing an isolated environment for running programs; running the attachment in the sandbox and monitoring whether the attachment exhibits target concern behavior (the behavior of interest); and, when target concern behavior is observed for the attachment, determining that the attachment contains ransomware, intercepting the email, and outputting a prompt message. The email detection method provided by the embodiments of this application performs ransomware detection in advance, before the email is delivered to the recipient, and intercepts emails containing ransomware while they are in transit, which reduces the risk of computer devices being infected by ransomware and improves their security.

Description

Email detection method, apparatus, device and readable storage medium
Technical field
This application relates to the field of Internet technology, and in particular to an email detection method, an email detection apparatus, a computer device and a computer-readable storage medium.
Background technique
With the rapid development of the Internet, network attacks are becoming more and more frequent. A network attack usually consists of a hacker writing a malicious program with attack intent and spreading it over the network, for example by implanting it in videos or files; once a user clicks the video or file carrying the malicious program, the user's terminal is implanted with it, and as a result the terminal is infected or its information is stolen.
Ransomware is one of the fastest-growing and most damaging network security threats of recent years. It is malware with which criminals hijack user assets such as files or resources by encrypting files, locking the screen and similar means, and use this to extort money from the user. Ransomware, also called a ransom virus, is implanted by criminals into victim computers or servers through phishing emails and similar channels; it encrypts the documents on the hard disk or even the entire disk, and then demands ransoms of varying amounts from the affected enterprise or individual before decrypting.
Email is the hardest-hit channel for ransomware intrusion: criminals induce users to run an email attachment, which triggers the ransomware to encrypt files on the user's local machine, and then profit by demanding a ransom for the decryption key. Ransomware has evolved very quickly in recent years, while the signature-based detection of antivirus software lags behind its updates, so antivirus software often gains the ability to remove a given ransomware only after the files on the computer have already been encrypted. Files on such computers therefore face a high risk of ransomware infection.
Summary of the invention
The embodiments of this application provide an email detection method that performs ransomware detection in advance, before the email is delivered to the recipient, and intercepts emails containing ransomware while they are in transit, so as to reduce the risk of computer devices being infected by ransomware. The embodiments of this application also provide a corresponding apparatus, computer device and computer-readable storage medium.
A first aspect of this application provides an email detection method, comprising:
receiving an email;
when an attachment is detected in the email, transmitting the attachment to a sandbox, the sandbox providing an isolated environment for running programs;
running the attachment in the sandbox and monitoring whether the attachment exhibits target concern behavior;
when target concern behavior is observed for the attachment, determining that the attachment contains ransomware, intercepting the email, and outputting a prompt message.
A second aspect of this application provides an email detection apparatus, comprising:
a receiving program module, for receiving an email;
a detecting program module, for detecting whether the email received by the receiving program module contains an attachment;
a transmitting program module, for transmitting the attachment to a sandbox when the detecting program module detects that the email contains an attachment, the sandbox providing an isolated environment for running programs;
a program running module, for running, in the sandbox, the attachment transmitted by the transmitting program module;
a monitoring program module, for monitoring whether the attachment exhibits target concern behavior while the program running module runs the attachment;
a processing program module, for determining that the attachment contains ransomware when the monitoring program module observes target concern behavior for the attachment, intercepting the email, and outputting a prompt message.
A third aspect of this application provides a computer device, comprising an input/output (I/O) interface, a processor and a memory, the memory storing the instructions for the ransomware processing described in the first aspect;
the processor is configured to execute the email detection instructions stored in the memory, thereby performing the steps of the email detection method of the first aspect.
Another aspect of this application provides a computer-readable storage medium storing instructions which, when run on a computer, cause the computer to perform the method of the first aspect.
Another aspect of this application provides a computer program product comprising instructions which, when run on a computer, cause the computer to perform the method of the first aspect.
The embodiments of this application receive an email; when an attachment is detected in the email, transmit the attachment to a sandbox that provides an isolated environment for running programs; run the attachment in the sandbox and monitor whether it exhibits target concern behavior; and, when target concern behavior is observed, determine that the attachment contains ransomware, intercept the email and output a prompt message. In the prior art a user's computer device is often infected because the user runs a virus carried in an email attachment. By contrast, the email detection method provided by the embodiments performs ransomware detection in advance, before the email is delivered to the recipient, and intercepts emails containing ransomware while they are in transit, which reduces the risk of computer devices being infected by ransomware and improves their security.
Detailed description of the invention
Fig. 1 is a schematic diagram of the interface when ransomware is spread through an email attachment;
Fig. 2 is a schematic diagram of the interface of ransomware screen locking;
Fig. 3 is a schematic diagram of the interface of ransomware encryption;
Fig. 4 is a schematic diagram of an embodiment of the email detection process in the embodiments of this application;
Fig. 5 is a schematic diagram of an embodiment of the email detection method in the embodiments of this application;
Fig. 6 is a schematic diagram of another embodiment of the email detection method in the embodiments of this application;
Fig. 7 is a schematic diagram of an embodiment of the email detection apparatus in the embodiments of this application;
Fig. 8 is a schematic diagram of an embodiment of the computer device in the embodiments of this application;
Fig. 9 is a schematic diagram of an embodiment of a virtualized form of the computer device in the embodiments of this application.
Specific embodiment
The embodiments of this application are described below with reference to the accompanying drawings. Clearly, the described embodiments are only some of the embodiments of this application, not all of them. Those of ordinary skill in the art will appreciate that, as ransomware detection technology develops, the technical solutions provided by the embodiments of this application are equally applicable to similar technical problems.
In the description, the claims and the above drawings of this application, the terms "first", "second" and the like are used to distinguish similar objects, not to describe a particular order or sequence. It should be understood that data so used can be interchanged where appropriate, so that the embodiments described here can be implemented in an order other than the one illustrated or described. In addition, the terms "comprising" and "having", and any variants of them, are intended to cover a non-exclusive inclusion: a process, method, system, product or device that comprises a series of steps or modules is not necessarily limited to the steps or modules expressly listed, and may include other steps or modules that are not expressly listed or that are inherent to that process, method, product or device. The division into modules in this application is only a logical division; other divisions are possible in practice. For example, several modules may be combined or integrated into another system, some features may be omitted or not executed, and the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, which may be electrical or of another similar form; this application does not limit this. Modules or sub-modules described as separate components may or may not be physically separate, may or may not be physical modules, and may be distributed over several circuit modules; some or all of them may be selected as needed to achieve the purpose of the solution of this application.
The embodiments of this application provide an email detection method that performs ransomware detection in advance, before the email is delivered to the recipient, and intercepts emails containing ransomware while they are in transit, so as to reduce the risk of computer devices being infected by ransomware. The embodiments also provide a corresponding apparatus and device. These are described in detail below.
In the field of computer security, a sandbox is a security mechanism that provides an isolated environment for running programs. It is typically used to run, experimentally, programs whose source is untrusted, which may be destructive, or whose intent cannot be determined. All changes made inside the sandbox cause no loss to the operating system. A sandbox can therefore be used to test programs that may carry viruses or other malicious code.
The email detection method provided by the embodiments of this application can be applied to any computer device in a network that may be subject to ransomware infection. Such a device is usually a server in the network, but may also be a terminal, for example a personal computer (PC), mobile phone, phone watch, laptop, tablet or other networked terminal device. If a terminal implements the email detection of the embodiments, the email may be discarded directly once ransomware is detected, so that it is never presented in the user's mailbox.
Ransomware is also called a ransom virus. A computer device infected by ransomware may have its screen locked or its files encrypted, and payment is demanded before decryption. Email is a very common way of spreading ransomware; Fig. 1 shows the interface when ransomware is spread through an email attachment. Once the attachment shown in Fig. 1 is run, the interface shown in Fig. 2 or Fig. 3 appears.
Fig. 2 shows the interface of ransomware screen locking, and Fig. 3 shows the interface of ransomware encryption.
As shown in Fig. 2, when the screen is locked by ransomware, the lock screen displays a notification such as the one in Fig. 2, telling the user of the phone to contact the hacker who released the ransomware; usually the hacker unlocks the phone after the user pays.
As shown in Fig. 3, when the files on a computer have been encrypted by ransomware, the computer displays a notification such as the one in Fig. 3, telling the user that all files on the computer have been encrypted and that the files will be damaged unless the hacker who released the virus is paid within the stipulated time; the remaining time may also be shown.
Ransomware spread by email sometimes leaves users unable to defend themselves, and hackers may also forge contacts from the mailbox address book to send the virus, so the better way to avoid it is to intercept the malicious email in advance. Current mail systems have some interception capability, but it is usually conventional interception: only viruses whose signatures have already been analysed can be intercepted, and some new viruses still cannot be intercepted in time.
The embodiments of this application provide an email detection process, shown in Fig. 4. The modules involved in the process are the email sender, the conventional detection and interception system, the attachment existence judgment system, the sandbox and the security processing system.
Conventional detection and interception system: provides functions such as general signature detection and malicious-source detection and interception.
Attachment existence judgment system: judges whether the email has an attachment.
Sandbox: determines whether file operation behavior and/or network behavior occurs.
Security processing system: handles the security alarm triggered by the observed behavior.
The detection process includes:
S1: the email sender sends an email from a terminal.
When the email reaches the conventional detection system, that system performs conventional detection on it. The conventional detection system can filter and intercept conventional viruses and ransomware with existing signatures; some newly emerging ransomware that spreads on a large scale can be intercepted by a threshold, but ransomware that does not reach the threshold cannot be intercepted.
S2: the conventional detection system passes the emails that pass its detection.
When the email reaches the attachment existence judgment system, that system judges whether the email contains an attachment.
If the email contains no attachment, step S3 is executed; if it contains an attachment, step S4 is executed.
S3: if there is no attachment, the attachment existence judgment system passes the email, and the email is transmitted to the recipient's terminal.
S4: if there is an attachment, the attachment existence judgment system transmits the attachment to the sandbox.
The sandbox monitors the attachment.
The sandbox in the embodiments of this application can be configured in the following ways:
First, a Windows sandbox can be built with a conventional virtual machine (VM), VirtualBox or similar.
Second, a simplified Windows-like operating system can be built as the sandbox, supporting the start-up of Office programs and the operation and recording of file behavior and network behavior; this configuration maximizes the sandbox's ability to detect ransomware behavior.
The sandbox in Fig. 4 includes a file operation behavior monitoring module and a network behavior monitoring module.
The file operation behavior monitoring module can monitor file behavior in the following ways:
1. Through Windows logs, for example the file-related logs recorded by sysmon, to monitor the operations the attachment's program performs on files while the attachment runs.
These operations may include a series of actions such as opening, modifying and encrypting.
2. A file system filter driver records the program's file-touching behavior.
A file system filter driver is abbreviated FSFD.
File system filter driver: in terms of application, a file system filter driver can filter the I/O operations of one or more file systems or file system volumes. By type, file system filter drivers can be divided into logging, system monitoring, data modification and event prevention. Applications built around a file system filter driver generally include file encryption and decryption, antivirus protection, process control, file access control, post-event auditing and information security.
The file system filter driver records the operations on files while the attachment's program runs; these operations may include a series of actions such as opening, modifying and encrypting.
3. The attachment's program is injected into a target program used for monitoring, the target program including interfaces associated with file operations; by monitoring the attachment's program's use of those interfaces, the operations on files while the attachment's program runs are monitored.
Network behavior includes data transmission after the attachment's program has operated on files, for example key transmission: ransomware usually generates a corresponding key after encrypting files, and in order to use that key for decryption once the ransom is obtained, it needs to send the key back to the ransomware's control server.
The network behavior monitoring module can monitor network behavior in the following ways:
1. Through Windows logs, such as sysmon's network log or the system's own firewall log, to monitor whether network behavior occurs.
2. By capturing packets at the network layer and analysing whether network behavior occurs.
3. By injecting the attachment's program into a target program used for monitoring, the target program including interfaces associated with network operations; by monitoring the attachment's program's use of those interfaces, the network behavior while the attachment's program runs is monitored.
In the embodiments of this application, monitoring of file operation behavior and of network behavior may be used alternatively or simultaneously: it may be determined that the attachment contains ransomware when either file operation behavior or network behavior is observed, or only when both are observed.
Target concern behavior in the embodiments of this application includes at least one of file operation behavior and network behavior.
File operation behavior refers to the operations the attachment's program performs on files while it runs; these operations include encryption.
A condition may also be set on the file operation behavior, for example: when the operating frequency of the attachment's program on files exceeds a frequency threshold, it is determined that target concern behavior occurs for the attachment. This avoids the false alarm that would result from treating a single observed file operation by the attachment's program as evidence that the attachment contains ransomware.
Network behavior includes data transmission after the attachment's program has operated on files; when data transmission occurs after the program operates on files, it is determined that target concern behavior occurs for the attachment.
S4: if the sandbox determines that none of the above target concern behavior occurred while the attachment's program ran, it passes the email, and the email is transmitted to the recipient's terminal.
S5: if the sandbox determines that the above target concern behavior occurred while the attachment's program ran, it issues an alarm prompt to the security processing system.
The security officer of the security processing system can handle the alarm according to the prompt, for example by tracing the source of the email containing ransomware and then dealing with it at the source.
In the embodiments of this application, the sandbox is placed on the mail transmission chain. A complete set of Office programs is installed in the sandbox with macros enabled, and file operation behavior and network behavior are monitored. File operation behavior is, for example, a macro script encrypting files, or a macro script downloading an encryption program and starting it to encrypt files. When the observed operating frequency exceeds the frequency threshold, it is determined that the attachment contains ransomware. The operating frequency can be determined from the number of operations per unit time: when the number of files touched by the Office program per unit time is greater than N, it is determined that target concern behavior occurs. Target concern behavior can also be determined when network behavior occurs. It is then determined that the attachment contains ransomware, and the email is intercepted.
In this scheme the sandbox monitors only file operation behavior and network behavior, so the monitored parameters are few and the check is fast; it avoids delaying the user's receipt of mail, and it can intercept ransomware before the user receives it, so the user suffers zero loss.
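As an added example (not code from the patent or from Tencent), the following Python implements the sandbox verdict logic described above: a sliding-window count of distinct files touched per unit time against a threshold N, a check for outbound data transmission after file operations, and the either/both combination rule feeding the pass/intercept decision. The event format, window length, N and the sample traces are constructed assumptions.

```python
# Added illustration of the sandbox verdict logic (not the patent's own code):
# file operation frequency per unit time against a threshold N, outbound data
# transmission after file operations, and the either/both combination rule.
# Event shape, window, N and the traces below are assumptions.
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class SandboxEvent:
    ts: float      # seconds since the attachment's program was started
    kind: str      # "file" (file operation behavior) or "net" (network behavior)
    target: str    # file path touched, or remote host:port for network events
    op: str        # file: open / modify / encrypt; net: send


@dataclass(frozen=True)
class Verdict:
    file_behavior: bool     # operating frequency on files exceeded the threshold
    network_behavior: bool  # data was transmitted after a file operation
    ransomware: bool        # final decision under the chosen combination rule


def file_frequency_exceeded(events: Iterable[SandboxEvent],
                            window_seconds: float, max_files: int) -> bool:
    """True when, within any window of window_seconds, the attachment's program
    touched more than max_files distinct files (the '> N per unit time' rule).
    A sliding window over time-sorted events keeps the check linear."""
    file_events = sorted((e for e in events if e.kind == "file"), key=lambda e: e.ts)
    start = 0
    for end in range(len(file_events)):
        # shrink the window from the left until it spans at most window_seconds
        while file_events[end].ts - file_events[start].ts > window_seconds:
            start += 1
        touched = {e.target for e in file_events[start:end + 1]}
        if len(touched) > max_files:
            return True
    return False


def data_sent_after_file_ops(events: Iterable[SandboxEvent]) -> bool:
    """True when an outbound transmission follows a file operation in time
    (the key-upload pattern the description attributes to ransomware)."""
    events = list(events)
    first_file: Optional[float] = min((e.ts for e in events if e.kind == "file"), default=None)
    if first_file is None:
        return False
    return any(e.kind == "net" and e.op == "send" and e.ts >= first_file for e in events)


def judge_attachment(events: List[SandboxEvent], window_seconds: float = 1.0,
                     max_files: int = 20, require_both: bool = False) -> Verdict:
    """Combine the two monitors. require_both=False: either behavior alone counts
    as target concern behavior; require_both=True: both must be observed."""
    f = file_frequency_exceeded(events, window_seconds, max_files)
    n = data_sent_after_file_ops(events)
    hit = (f and n) if require_both else (f or n)
    return Verdict(file_behavior=f, network_behavior=n, ransomware=hit)


def mail_action(has_attachment: bool, events: List[SandboxEvent], **kw) -> str:
    """Process decision: no attachment -> pass; attachment judged clean -> pass;
    attachment showing target concern behavior -> intercept (and alarm)."""
    if not has_attachment:
        return "pass"
    return "intercept" if judge_attachment(events, **kw).ransomware else "pass"


# Constructed sample traces (not captured from real samples).
BENIGN_TRACE = [
    SandboxEvent(0.10, "file", r"C:\Users\u\Documents\invoice.docx", "open"),
    SandboxEvent(0.25, "file", r"C:\Users\u\AppData\Local\Temp\~invoice.tmp", "modify"),
]
# a macro touches 30 documents within 0.3 s, then sends data out
RANSOM_TRACE = [
    SandboxEvent(0.01 * i, "file", rf"C:\Users\u\Documents\doc{i}.docx", "encrypt")
    for i in range(30)
] + [SandboxEvent(0.50, "net", "203.0.113.5:443", "send")]
# the same 30 files but one every 2 s: the per-unit-time rule does not fire
SLOW_TRACE = [
    SandboxEvent(2.0 * i, "file", rf"C:\Users\u\Documents\doc{i}.docx", "modify")
    for i in range(30)
]

if __name__ == "__main__":
    for name, trace in (("benign", BENIGN_TRACE), ("ransom", RANSOM_TRACE), ("slow", SLOW_TRACE)):
        print(name, judge_attachment(trace), mail_action(True, trace))
```

The SLOW_TRACE case shows why the rule is a frequency rather than a plain count: the same number of files touched slowly stays below N per unit time, which is the false-alarm guard the description mentions.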
The email detection method of the embodiments of this application is now introduced with reference to the drawings.
As shown in Fig. 5, an embodiment of the email detection method provided by the embodiments of this application includes:
101. Receiving an email.
The computer device that performs email detection in the embodiments of this application may include the attachment existence judgment system and the sandbox of Fig. 4. The email is first transmitted to the attachment existence judgment system, which detects whether the email contains an attachment.
There are many ways to detect an attachment, for example directly detecting the attachment position, or examining the body content and byte size of the email to determine whether it contains an attachment. The embodiments of this application do not limit the detection method, as long as it can quickly detect whether the email contains an attachment.
102. When an attachment is detected in the email, transmitting the attachment to a sandbox, the sandbox providing an isolated environment for running programs.
For a description of the sandbox, refer to the related description above; it is not repeated here.
103. Running the attachment in the sandbox and monitoring whether the attachment exhibits target concern behavior.
Target concern behavior in the embodiments of this application includes at least one of file operation behavior and network behavior.
File operation behavior refers to the operations the attachment's program performs on files while it runs; these operations include encryption.
A condition may also be set on the file operation behavior, for example: when the operating frequency of the attachment's program on files exceeds a frequency threshold, it is determined that target concern behavior occurs for the attachment. This avoids the false alarm that would result from treating a single observed file operation by the attachment's program as evidence that the attachment contains ransomware.
Network behavior includes data transmission after the attachment's program has operated on files; when data transmission occurs after the program operates on files, it is determined that target concern behavior occurs for the attachment.
104. When target concern behavior is observed for the attachment, determining that the attachment contains ransomware, intercepting the email, and outputting a prompt message.
Optionally, refering to Fig. 6, another embodiment of the method for Email detection provided by the embodiments of the present application includes:
201, Email is received.
It may include that the attachment existence in Fig. 4 is sentenced that the computer equipment that Email detects is executed in the embodiment of the present application Disconnected system and sandbox, Email are first transmitted to attachment existence and judge system, judge that system detection should by the attachment existence It whether include attachment in Email.
The detection method of attachment can there are many, such as the position of direct detection accessory is being also possible to detecting mail just Literary content and the byte-sized of Email determine whether comprising attachment.In the embodiment of the present application not to the detection method of attachment It limits, as long as whether can quickly detect in Email comprising neighbouring.
202. When an attachment is detected in the email, pass the attachment into a sandbox, where the sandbox provides an isolated environment for the running program.
203. Run the attachment in the sandbox.
204-1. Monitor the file operation behaviour of the attachment's program while it runs, where the operation behaviour includes encryption behaviour.
In this embodiment of the present application, monitoring the file operation behaviour of the attachment's program while it runs comprises:
monitoring, through a file operation log, the file operation behaviour of the attachment's program while it runs, where the file operation log is a log recorded by the system file log or by a file system filter driver; or,
injecting the attachment's program into a target program used for monitoring, where the target program includes an interface associated with file operations, and monitoring the file operation behaviour of the attachment's program while it runs by monitoring how the attachment's program uses that interface.
The sandbox in Fig. 4 includes a file operation behaviour monitoring module and a network behaviour monitoring module.
The file operation behaviour monitoring module can monitor file behaviour in the following ways:
1. Through Windows logs, for example the file operation log recorded by Sysmon, which records the file operation behaviour of the attachment's program while it runs.
The operation behaviour may include a sequence of operations such as opening, modifying and encrypting.
2. Through a file system filter driver, which records the program's behaviour when it touches files.
A file system filter driver is also abbreviated FSFD (file system filter driver).
File system filter driver: in terms of application, a file system filter driver can filter the I/O operations of one or more file systems or file system volumes. By type, file system filter drivers can be divided into logging, system monitoring, data modification and event prevention. In general, applications built around a file system filter driver are used for file encryption and decryption, antivirus protection, process control, file access, post-hoc auditing and information security.
The file system filter driver records the file operation behaviour of the attachment's program while it runs; the operation behaviour may include a sequence of operations such as opening, modifying and encrypting.
3. Inject the attachment's program into a target program used for monitoring, where the target program includes an interface associated with file operations, and monitor the file operation behaviour of the attachment's program while it runs by monitoring how the attachment's program uses that interface.
205-1. When the frequency with which the attachment's program operates on the files exceeds a frequency threshold, determine that the attachment exhibits the target concern behaviour.
204-2. Monitor the network behaviour of the attachment's program while it runs, where the network behaviour includes data transmission behaviour that occurs after the attachment's program operates on files.
Monitoring the network behaviour of the attachment's program while it runs comprises:
monitoring the network behaviour of the attachment's program while it runs through a network log, or by capturing the data packets of the attachment's program at the network layer; or,
injecting the attachment's program into a target program used for monitoring, where the target program includes an interface associated with network operations, and monitoring the network behaviour of the attachment's program while it runs by monitoring how the attachment's program uses that interface.
The network behaviour includes data transmission behaviour after the attachment's program operates on files, for example key transmission behaviour. Ransomware usually generates a corresponding key after encrypting files; so that the key can be used for decryption once a ransom is later obtained, the key needs to be sent back to the ransomware's control terminal.
The network behaviour monitoring module can monitor network behaviour in the following ways:
1. Through Windows logs, such as the Sysmon network log or the system's own firewall log, it can be monitored whether network behaviour occurs.
2. Capture data packets at the network layer and analyse whether network behaviour occurs.
3. Inject the attachment's program into a target program used for monitoring, where the target program includes an interface associated with network operations, and monitor the network behaviour of the attachment's program while it runs by monitoring how the attachment's program uses that interface.
205-2. When data transmission behaviour occurs after the attachment's program operates on files, determine that the attachment exhibits the target concern behaviour.
206. When it is monitored that the attachment exhibits the target concern behaviour, determine that the attachment contains ransomware, intercept the email, and output alert information.
In this embodiment of the present application, file operation behaviour monitoring and network behaviour monitoring may be used selectively or simultaneously: the attachment may be determined to contain ransomware when either file operation behaviour or network behaviour alone is observed, or only when both file operation behaviour and network behaviour are observed.
The target concern behaviour in this embodiment of the present application includes at least one of file operation behaviour and network behaviour.
Optionally, in this embodiment of the present application, when it is monitored that the attachment does not exhibit the target concern behaviour, the email is released.
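The two target concern behaviours (steps 204-1/205-1 and 204-2/205-2) and the either-or-both decision rule of step 206 can be exercised on sandbox telemetry with a single piece of logic. The following is an added example written for this page, not code from the patent or its applicant. It reads constructed log records in a simplified `timestamp key=value ...` layout (an assumption, not the patent's format and not real Sysmon output), measures the peak number of file operations a process performs inside a sliding time window, checks whether a network transmission follows the file operations, and returns an intercept/release verdict per process. The process ids, paths, destination address, and the threshold of 8 operations per 2-second window are constructed values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sandbox telemetry. pid 4242 stands for the detonated attachment;
# pid 1111 is an unrelated benign process used as a control.
SAMPLE_LOG = r"""
2017-05-25T10:00:00.000 pid=4242 image=attachment.exe event=FileModify path=C:\Users\demo\Documents\report1.docx
2017-05-25T10:00:00.100 pid=4242 image=attachment.exe event=FileModify path=C:\Users\demo\Documents\report2.docx
2017-05-25T10:00:00.200 pid=4242 image=attachment.exe event=FileModify path=C:\Users\demo\Documents\report3.docx
2017-05-25T10:00:00.300 pid=1111 image=notepad.exe event=FileModify path=C:\Users\demo\notes.txt
2017-05-25T10:00:00.300 pid=4242 image=attachment.exe event=FileModify path=C:\Users\demo\Documents\report4.docx
2017-05-25T10:00:00.400 pid=4242 image=attachment.exe event=FileModify path=C:\Users\demo\Documents\report5.docx
2017-05-25T10:00:00.500 pid=4242 image=attachment.exe event=FileRename path=C:\Users\demo\Documents\report1.docx.locked
2017-05-25T10:00:00.600 pid=4242 image=attachment.exe event=FileRename path=C:\Users\demo\Documents\report2.docx.locked
2017-05-25T10:00:00.700 pid=4242 image=attachment.exe event=FileRename path=C:\Users\demo\Documents\report3.docx.locked
2017-05-25T10:00:00.800 pid=4242 image=attachment.exe event=FileRename path=C:\Users\demo\Documents\report4.docx.locked
2017-05-25T10:00:01.200 pid=4242 image=attachment.exe event=NetworkConnect dest=203.0.113.10:443 bytes=512
"""

FILE_OPS = {"FileCreate", "FileModify", "FileRename", "FileDelete"}
NET_OPS = {"NetworkConnect", "NetworkSend"}
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_log(text: str):
    """Turn the constructed records into (timestamp, pid, image, event) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts_str, _, rest = line.partition(" ")
        fields = dict(FIELD_RE.findall(rest))
        ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%S.%f")
        events.append((ts, fields["pid"], fields["image"], fields["event"]))
    return events


def max_ops_in_window(times, window: timedelta) -> int:
    """Peak number of file operations inside any span of length `window`."""
    times = sorted(times)
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def analyze(log_text: str, freq_threshold: int = 8,
            window: timedelta = timedelta(seconds=2),
            require_both: bool = False):
    """Per-process verdict following the patent's decision rule.

    file_burst:          file-operation frequency over the threshold (step 205-1)
    network_after_file:  a transmission after the first file operation (step 205-2)
    require_both=False flags on either signal; True demands both (step 206 variants).
    """
    file_times, net_times = defaultdict(list), defaultdict(list)
    for ts, pid, _image, ev in parse_log(log_text):
        if ev in FILE_OPS:
            file_times[pid].append(ts)
        elif ev in NET_OPS:
            net_times[pid].append(ts)

    report = {}
    for pid in sorted(set(file_times) | set(net_times)):
        ops = file_times.get(pid, [])
        peak = max_ops_in_window(ops, window)
        burst = peak >= freq_threshold
        net_after = bool(ops) and any(t >= min(ops) for t in net_times.get(pid, []))
        flagged = (burst and net_after) if require_both else (burst or net_after)
        report[pid] = {
            "max_ops_in_window": peak,
            "file_burst": burst,
            "network_after_file": net_after,
            "verdict": "intercept" if flagged else "release",
        }
    return report


if __name__ == "__main__":
    for pid, result in analyze(SAMPLE_LOG).items():
        print(pid, result)
```

The threshold and window are the tuning knobs the patent leaves open; a backup tool or an archiver will also touch many files quickly, so the "both signals" mode trades missed detections for fewer false interceptions. A "release" verdict is only as good as the sandbox run that produced it: a sample that sleeps or checks for virtualization before acting produces no burst and no transmission inside the observation window, which is why the release branch should be paired with a minimum run time and the usual anti-evasion measures rather than treated as proof of cleanliness.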
The above describes the email detection method; the following introduces, with reference to the drawings, the email detection device in the embodiment of the present application.
As shown in Fig. 7, an embodiment of the email detection device 30 provided by the embodiments of the present application includes:
a receiving program module 301, configured to receive an email;
a detection program module 302, configured to detect whether the email received by the receiving program module 301 contains an attachment;
a transfer program module 303, configured to, when the detection program module 302 detects that the email contains an attachment, pass the attachment into a sandbox, where the sandbox provides an isolated environment for the running program;
a program running module 304, configured to run, in the sandbox, the attachment passed by the transfer program module 303;
a monitoring program module 305, configured to monitor whether the attachment exhibits the target concern behaviour while the program running module 304 runs the attachment;
a processing program module 306, configured to, when the monitoring program module 305 monitors that the attachment exhibits the target concern behaviour, determine that the attachment contains ransomware, intercept the email, and output alert information.
The processing program module 306 may include a processor for intercepting the email, and may also include a transceiver or I/O interface for outputting the alert information.
In this embodiment of the present application, the receiving program module 301 receives an email; the detection program module 302 detects whether the email received by the receiving program module 301 contains an attachment; when the detection program module 302 detects that the email contains an attachment, the transfer program module 303 passes the attachment into a sandbox, which provides an isolated environment for the running program; the program running module 304 runs, in the sandbox, the attachment passed by the transfer program module 303; the monitoring program module 305 monitors whether the attachment exhibits the target concern behaviour while the program running module 304 runs the attachment; and when the monitoring program module 305 monitors that the attachment exhibits the target concern behaviour, the processing program module 306 determines that the attachment contains ransomware, intercepts the email, and outputs alert information. Compared with the prior art, in which a user's computer device is often infected because a virus in an email attachment is run, the email detection device provided by the embodiment of the present application performs ransomware detection in advance, before the email is transferred to the recipient, and intercepts emails containing ransomware, thereby reducing the risk of the computer device being infected by ransomware and improving the security of the computer device.
Optionally, in another embodiment of the email detection device 30 provided by the embodiments of the present application,
the monitoring program module 305 is configured to:
monitor the file operation behaviour of the attachment's program while it runs, where the operation behaviour includes encryption behaviour; and
when the frequency with which the attachment's program operates on the files exceeds a frequency threshold, determine that the attachment exhibits the target concern behaviour.
Monitoring the file operation behaviour of the attachment's program while it runs may include:
monitoring, through a file operation log, the file operation behaviour of the attachment's program while it runs, where the file operation log is a log recorded by the system file log or by a file system filter driver.
Alternatively,
injecting the attachment's program into a target program used for monitoring, where the target program includes an interface associated with file operations; and
monitoring the file operation behaviour of the attachment's program while it runs by monitoring how the attachment's program uses that interface.
Optionally, in another embodiment of the email detection device 30 provided by the embodiments of the present application,
the monitoring program module 305 is configured to:
monitor the network behaviour of the attachment's program while it runs, where the network behaviour includes data transmission behaviour that occurs after the attachment's program operates on files; and
when data transmission behaviour occurs after the attachment's program operates on files, determine that the attachment exhibits the target concern behaviour.
Monitoring the network behaviour of the attachment's program while it runs may include:
monitoring the network behaviour of the attachment's program while it runs through a network log, or by capturing the data packets of the attachment's program at the network layer.
Alternatively,
injecting the attachment's program into a target program used for monitoring, where the target program includes an interface associated with network operations; and
monitoring the network behaviour of the attachment's program while it runs by monitoring how the attachment's program uses that interface.
Optionally, the processing program module 306 is further configured to release the email when it is monitored that the attachment does not exhibit the target concern behaviour.
The above description of the email detection device 30 may be understood with reference to the method part of Fig. 1 to Fig. 6, and is not repeated here.
The computer device that performs the email detection method in this embodiment of the present application may have a server architecture or, of course, a terminal architecture. It is usually implemented on a server, so the embodiment of the present application takes the server structure as an example to introduce the computer device that performs the email detection method.
Fig. 8 is a schematic structural diagram of a computer device 40 provided in an embodiment of the present invention. The computer device 40 includes a processor 410, a memory 450 and a transceiver 430. The memory 450 may include read-only memory and random access memory, and provides operating instructions and data to the processor 410. A part of the memory 450 may also include non-volatile random access memory (NVRAM).
In some embodiments, the memory 450 stores the following elements, executable modules or data structures, or a subset or superset thereof:
In the embodiment of the present invention, by invoking the operating instructions stored in the memory 450 (the operating instructions may be stored in the operating system), the computer device 40:
receives an email through the transceiver 430;
when an attachment is detected in the email, passes the attachment into a sandbox, where the sandbox provides an isolated environment for the running program;
runs the attachment in the sandbox and monitors whether the attachment exhibits the target concern behaviour; and
when it is monitored that the attachment exhibits the target concern behaviour, determines that the attachment contains ransomware, intercepts the email, and outputs alert information.
Compared with the prior art, in which a user's computer device is often infected because a virus in an email attachment is run, the computer device provided by the embodiment of the present application performs ransomware detection in advance, before the email is transferred to the recipient, and intercepts emails containing ransomware, thereby reducing the risk of the computer device being infected by ransomware and improving the security of the computer device.
The processor 410 controls the operation of the computer device 40; the processor 410 may also be called a CPU (Central Processing Unit). The memory 450 may include read-only memory and random access memory, and provides instructions and data to the processor 410. A part of the memory 450 may also include non-volatile random access memory (NVRAM). In a specific application, the various components of the computer device 40 are coupled together by a bus system 420, where the bus system 420 may include, in addition to a data bus, a power bus, a control bus, a status signal bus and so on. For clarity of description, however, all the buses are labelled as the bus system 420 in the figure.
The method disclosed in the embodiments of the present invention may be applied in the processor 410 or implemented by the processor 410. The processor 410 may be an integrated circuit chip with signal processing capability. During implementation, each step of the above method may be completed by integrated logic circuits of hardware in the processor 410 or by instructions in the form of software. The processor 410 may be a general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component, and may implement or execute the methods, steps and logic block diagrams disclosed in the embodiments of the present invention. The general-purpose processor may be a microprocessor, or the processor may be any conventional processor. The steps of the method disclosed in the embodiments of the present invention may be directly embodied as being executed by a hardware decoding processor, or executed by a combination of hardware and software modules in a decoding processor. The software module may be located in a storage medium mature in the art, such as random access memory, flash memory, read-only memory, programmable read-only memory, electrically erasable programmable memory or a register. The storage medium is located in the memory 450; the processor 410 reads the information in the memory 450 and completes the steps of the above method in combination with its hardware.
Optionally, the processor 410 is configured to:
monitor the file operation behaviour of the attachment's program while it runs, where the operation behaviour includes encryption behaviour; and
when the frequency with which the attachment's program operates on the files exceeds a frequency threshold, determine that the attachment exhibits the target concern behaviour.
Optionally, the processor 410 is configured to:
monitor the network behaviour of the attachment's program while it runs, where the network behaviour includes data transmission behaviour that occurs after the attachment's program operates on files; and
when data transmission behaviour occurs after the attachment's program operates on files, determine that the attachment exhibits the target concern behaviour.
Optionally, the processor 410 is further configured to:
monitor, through a file operation log, the file operation behaviour of the attachment's program while it runs, where the file operation log is a log recorded by the system file log or by a file system filter driver.
Optionally, the processor 410 is configured to:
inject the attachment's program into a target program used for monitoring, where the target program includes an interface associated with file operations; and
monitor the file operation behaviour of the attachment's program while it runs by monitoring how the attachment's program uses that interface.
Optionally, the processor 410 is configured to:
monitor the network behaviour of the attachment's program while it runs through a network log, or by capturing the data packets of the attachment's program at the network layer.
Optionally, the processor 410 is configured to:
inject the attachment's program into a target program used for monitoring, where the target program includes an interface associated with network operations; and
monitor the network behaviour of the attachment's program while it runs by monitoring how the attachment's program uses that interface.
Optionally, the transceiver 430 is further configured to release the email when it is monitored that the attachment does not exhibit the target concern behaviour.
The above description of the computer device 60 may be understood with reference to the description of Fig. 1 to Fig. 7, and is not repeated here.
The above computer device may also be a virtualized system; the form of the computer device in a virtualization scenario is shown in Fig. 9. The computer device in the virtualization scenario includes a hardware layer, a virtual machine monitor (VMM) 1001 running on the hardware layer, and a plurality of virtual machines 1002. One or more virtual machines may be selected as master control nodes, and a plurality of virtual machines as working nodes.
Specifically, a virtual machine 1002 is one or more virtual computers simulated on common hardware resources by virtual machine software. These virtual machines work like real computers: an operating system and application programs can be installed on a virtual machine, and a virtual machine can also access network resources. To an application program running in a virtual machine, the virtual machine appears to be working on a real computer.
Hardware layer: the hardware platform on which the virtualized environment runs, which may be abstracted from the hardware resources of one or more physical hosts. The hardware layer may include multiple pieces of hardware, for example a processor 1004 (such as a CPU) and a memory 1005, and may also include a network interface card 1003 (such as an RDMA network interface card), high-speed/low-speed input/output (I/O) devices, and other devices with specific processing functions.
In addition, the distributed system in the virtualization scenario may also include a host (Host). As the management layer, the host manages and allocates hardware resources, presents a virtual hardware platform to the virtual machines, and implements the scheduling and isolation of the virtual machines. The host may be a virtual machine monitor (VMM); sometimes the VMM cooperates with one privileged virtual machine, and together they constitute the host. The virtual hardware platform provides various hardware resources to each virtual machine running on it, for example a virtual processor (such as a VCPU), virtual memory, virtual disks, virtual network adapters and so on. The virtual disk may correspond to a file or a logical block device of the host. A virtual machine runs on the virtual hardware platform prepared for it by the host, and one or more virtual machines run on the host.
Privileged virtual machine: a special virtual machine, also called the driver domain; for example, on the Xen Hypervisor platform this special virtual machine is called Dom0. Drivers for real physical devices such as network interface cards and SCSI disks are installed in this virtual machine, which can detect and directly access those real physical devices. Other virtual machines access the real physical devices through the privileged virtual machine, using the corresponding mechanisms provided by the Hypervisor.
The above embodiments may be implemented in whole or in part by software, hardware, firmware or any combination thereof. When implemented in software, they may be implemented in whole or in part in the form of a computer program product.
The computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on a computer, the processes or functions described in the embodiments of the present invention are generated in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a computer network or another programmable device. The computer instructions may be stored in a computer-readable storage medium, or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from one website, computer, server or data centre to another website, computer, server or data centre by wired means (such as coaxial cable, optical fibre or digital subscriber line (DSL)) or wireless means (such as infrared, radio or microwave). The computer-readable storage medium may be any usable medium that a computer can store, or a data storage device such as a server or data centre that integrates one or more usable media. The usable medium may be a magnetic medium (for example a floppy disk, hard disk or tape), an optical medium (for example a DVD), or a semiconductor medium (for example a solid state disk (SSD)).
Those of ordinary skill in the art will appreciate that all or some of the steps of the methods in the above embodiments may be completed by a program instructing the relevant hardware. The program may be stored in a computer-readable storage medium, and the storage medium may include a ROM, a RAM, a magnetic disk, an optical disc or the like.
The email detection method, device, equipment and computer-readable storage medium provided by the embodiments of the present application have been described in detail above. Specific examples have been used herein to explain the principles and embodiments of the present application; the description of the above embodiments is only intended to help understand the method of the present application and its core idea. Meanwhile, a person skilled in the art may, following the idea of the present application, make changes in the specific implementation and the scope of application. In summary, the contents of this specification should not be construed as limiting the present application.

Claims (13)

1. An email detection method, characterized by comprising:
receiving an email;
when an attachment is detected in the email, passing the attachment into a sandbox, where the sandbox provides an isolated environment for the running program;
running the attachment in the sandbox, and monitoring whether the attachment exhibits a target concern behaviour; and
when it is monitored that the attachment exhibits the target concern behaviour, determining that the attachment contains ransomware, intercepting the email, and outputting alert information.
2. The method according to claim 1, characterized in that monitoring whether the attachment exhibits a target concern behaviour comprises:
monitoring the file operation behaviour of the attachment's program while it runs, where the operation behaviour includes encryption behaviour; and
when the frequency with which the attachment's program operates on the files exceeds a frequency threshold, determining that the attachment exhibits the target concern behaviour.
3. The method according to claim 1, characterized in that monitoring whether the attachment exhibits a target concern behaviour comprises:
monitoring the network behaviour of the attachment's program while it runs, where the network behaviour includes data transmission behaviour that occurs after the attachment's program operates on files; and
when data transmission behaviour occurs after the attachment's program operates on files, determining that the attachment exhibits the target concern behaviour.
4. The method according to claim 2, characterized in that monitoring the file operation behaviour of the attachment's program while it runs comprises:
monitoring, through a file operation log, the file operation behaviour of the attachment's program while it runs, where the file operation log is a log recorded by the system file log or by a file system filter driver.
5. The method according to claim 2, characterized in that monitoring the file operation behaviour of the attachment's program while it runs comprises:
injecting the attachment's program into a target program used for monitoring, where the target program includes an interface associated with file operations; and
monitoring the file operation behaviour of the attachment's program while it runs by monitoring how the attachment's program uses that interface.
6. The method according to claim 3, characterized in that monitoring the network behaviour of the attachment's program while it runs comprises:
monitoring the network behaviour of the attachment's program while it runs through a network log, or by capturing the data packets of the attachment's program at the network layer.
7. The method according to claim 3, characterized in that monitoring the network behaviour of the attachment's program while it runs comprises:
injecting the attachment's program into a target program used for monitoring, where the target program includes an interface associated with network operations; and
monitoring the network behaviour of the attachment's program while it runs by monitoring how the attachment's program uses that interface.
8. The method according to any one of claims 1 to 7, characterized in that when it is monitored that the attachment does not exhibit the target concern behaviour, the email is released.
9. An email detection device, characterized by comprising:
a receiving program module, configured to receive an email;
a detection program module, configured to detect whether the email received by the receiving program module contains an attachment;
a transfer program module, configured to, when the detection program module detects that the email contains an attachment, pass the attachment into a sandbox, where the sandbox provides an isolated environment for the running program;
a program running module, configured to run, in the sandbox, the attachment passed by the transfer program module;
a monitoring program module, configured to monitor whether the attachment exhibits a target concern behaviour while the program running module runs the attachment; and
a processing program module, configured to, when the monitoring program module monitors that the attachment exhibits the target concern behaviour, determine that the attachment contains ransomware, intercept the email, and output alert information.
10. The device according to claim 9, characterized in that
the monitoring program module is configured to:
monitor the file operation behaviour of the attachment's program while it runs, where the operation behaviour includes encryption behaviour; and
when the frequency with which the attachment's program operates on the files exceeds a frequency threshold, determine that the attachment exhibits the target concern behaviour.
11. The device according to claim 9, characterized in that
the monitoring program module is configured to:
monitor the network behaviour of the attachment's program while it runs, where the network behaviour includes data transmission behaviour that occurs after the attachment's program operates on files; and
when data transmission behaviour occurs after the attachment's program operates on files, determine that the attachment exhibits the target concern behaviour.
12. A computer device, characterized by comprising: an input/output (I/O) interface, a processor and a memory, where the memory stores instructions for the email detection of any one of claims 1 to 8; and
the processor is configured to execute the instructions for processing ransomware stored in the memory, performing the steps of the email detection method of any one of claims 1 to 8.
13. A computer-readable storage medium, characterized in that instructions are stored in the computer-readable storage medium, and when run on a computer, they cause the computer to perform the method of any one of claims 1 to 8.
CN201710378859.XA 2017-05-25 2017-05-25 A kind of method, apparatus, equipment and the readable storage medium storing program for executing of Email detection Pending CN108959917A (en)


Publications (1)

Publication Number Publication Date
CN108959917A true CN108959917A (en) 2018-12-07

Family

ID=64494054



Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1236451A (en) * 1996-09-05 1999-11-24 切尼软件国际销售公司 Anti-virus agent for use with database and mail servers
JP2003256342A (en) * 2002-02-14 2003-09-12 Aanrabu Inc System for blocking malicious code spreading by e-mail
US6901519B1 (en) * 2000-06-22 2005-05-31 Infobahn, Inc. E-mail virus protection system and method
US20050262566A1 (en) * 2004-05-19 2005-11-24 Computer Associates Think, Inc Systems and methods for computer security
US7093135B1 (en) * 2000-05-11 2006-08-15 Cybersoft, Inc. Software virus detection methods and apparatus
CN102833240A (en) * 2012-08-17 2012-12-19 中国科学院信息工程研究所 Malicious code capturing method and system
CN104852910A (en) * 2015-04-24 2015-08-19 杭州华三通信技术有限公司 Attack detection method and apparatus
CN105227570A (en) * 2015-10-19 2016-01-06 成都卫士通信息产业股份有限公司 A kind of safe e-mail system of integrated campaign
US20160314298A1 (en) * 2015-04-27 2016-10-27 Iboss, Inc. Malicious program identification based on program behavior
CN106650451A (en) * 2016-12-30 2017-05-10 北京启明星辰信息安全技术有限公司 Detection method and device
CN106650337A (en) * 2016-12-29 2017-05-10 北京奇虎科技有限公司 Method and device for processing script file in installation package

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
马汉: "勒索邮件来袭 靠谱邮件云网关如何防范", 《计算机与网络》, no. 06, 26 March 2016 (2016-03-26), pages 53 *

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109614797A (en) * 2018-12-14 2019-04-12 北京车和家信息技术有限公司 Method, device and equipment for detecting and removing screen-locking ransomware on an in-vehicle infotainment system
CN111262831A (en) * 2020-01-07 2020-06-09 深信服科技股份有限公司 Phishing mail detection method, device, equipment and computer readable storage medium
CN116663001A (en) * 2023-06-02 2023-08-29 北京永信至诚科技股份有限公司 Security analysis method and device for mail, electronic equipment and medium
CN117150486A (en) * 2023-07-27 2023-12-01 安徽启慧信息科技有限公司 Information safety protection system based on internet
CN117150486B (en) * 2023-07-27 2024-04-26 河南中信科大数据科技有限公司 Information safety protection system based on internet

Similar Documents

Publication Publication Date Title
US10887328B1 (en) System and method for detecting interpreter-based exploit attacks
US10454950B1 (en) Centralized aggregation technique for detecting lateral movement of stealthy cyber-attacks
EP3391274B1 (en) Dual memory introspection for securing multiple network endpoints
US10311235B2 (en) Systems and methods for malware evasion management
US11979428B1 (en) Technique for verifying exploit/malware at malware detection appliance through correlation with endpoints
US9697356B2 (en) Detection and mitigation of side-channel attacks
US9934376B1 (en) Malware detection appliance architecture
KR101737726B1 (en) Rootkit detection by using hardware resources to detect inconsistencies in network traffic
US9954872B2 (en) System and method for identifying unauthorized activities on a computer system using a data structure model
US10075455B2 (en) Zero-day rotating guest image profile
US9794270B2 (en) Data security and integrity by remote attestation
US9251343B1 (en) Detecting bootkits resident on compromised computers
KR20210096687A (en) Systems and Methods for Cloud-Based Control-Plane Event Monitors
US20170111388A1 (en) Centralized and Automated Recovery
CN108959917A (en) A kind of method, apparatus, equipment and the readable storage medium storing program for executing of Email detection
US11924235B2 (en) Leveraging user-behavior analytics for improved security event classification
Anand et al. Comparative study of ransomwares
US11496284B2 (en) Detection of unauthorized encryption using key length evaluation
Hu et al. Detecting unknown massive mailing viruses using proactive methods
WO2023173102A2 (en) Zero trust endpoint device
CN116702128A (en) Host protection system, method, device and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination