CN110519150A - Mail-detection method, apparatus, equipment, system and computer readable storage medium - Google Patents


Info

Publication number: CN110519150A
Authority: CN (China)
Prior art keywords: mail, killing, identification, exception, type
Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN201810497358.8A
Other languages: Chinese (zh)
Other versions: CN110519150B (en)
Inventors: 陈瑞钦, 郭开
Current Assignee: Sangfor Technologies Co Ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Sangfor Technologies Co Ltd
Application filed by Sangfor Technologies Co Ltd; priority to CN201810497358.8A; published as CN110519150A; granted and published as CN110519150B; current legal status: Active.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L51/00 User-to-user messaging in packet-switching networks, transmitted according to store-and-forward or real-time protocols, e.g. e-mail
        • H04L51/21 Monitoring or handling of messages
            • H04L51/23 Reliability checks, e.g. acknowledgments or fault reporting
        • H04L51/42 Mailbox-related aspects, e.g. synchronisation of mailboxes
    • H04L63/00 Network architectures or network communication protocols for network security
        • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
            • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
                • H04L63/1416 Event detection, e.g. attack signature detection
            • H04L63/1433 Vulnerability analysis


Abstract

The invention discloses a mail detection method comprising: identifying the mail type of each mail, the mail types comprising a safe mail type, a dangerous mail type and a potentially dangerous mail type; obtaining the behavioral data of target mails according to the mail type of each mail; and performing analysis on the behavioral data with a preset behavior analysis model to identify the abnormal mails among the target mails. Thus, after the type of a mail has been identified, behavioral analysis can be performed on it with the preset analysis model, so that abnormal mails are identified from the mail's behavioral data. Identifying abnormal mails from several angles in this way detects more potential security risks and further improves mail security. The invention also discloses a mail detection apparatus, equipment, system and computer readable storage medium that achieve the same technical effect.

Description

Mail-detection method, apparatus, equipment, system and computer readable storage medium
Technical field
The present invention relates to the field of mail security detection, and more specifically to a mail detection method, apparatus, equipment, system and computer readable storage medium.
Background art
At present a large volume of e-mail is sent and received in daily business activity, and mail is an important medium of person-to-person communication. At the same time, mail is also an important channel for spreading viruses and phishing content: on the one hand the mail protocols themselves have certain security flaws, and on the other hand mail is used so frequently that it is easily watched closely by attackers and becomes a carrier of attacks. A large number of phishing and virus-laden fraud mails exist on the current network. According to statistics, more than half of ransomware is spread through mail, and phishing and fraud mails easily cause direct economic loss to enterprises and users, so mail security is a serious problem currently faced.
Therefore, how to detect mail and improve its security is a problem that those skilled in the art need to solve.
Summary of the invention
The purpose of the present invention is to provide a mail detection method, apparatus, equipment, system and computer readable storage medium that detect mail and thereby improve mail security.
To achieve the above object, embodiments of the invention provide the following technical solutions:
A mail detection method, comprising:
identifying the mail type of each mail, the mail types comprising a safe mail type, a dangerous mail type and a potentially dangerous mail type;
obtaining the behavioral data of target mails according to the mail type of each mail;
performing analysis on the behavioral data with a preset behavior analysis model to identify the abnormal mails among the target mails.
Wherein performing analysis on the behavioral data with the preset behavior analysis model to identify the abnormal mails among the target mails comprises:
identifying account brute-force behavior from the login records of the target mails, and determining the mails among the target mails that correspond to the account brute-force behavior as abnormal mails; and/or
identifying mass-mailing behavior from the sending records of the target mails, and determining the mails among the target mails that correspond to the mass-mailing behavior as abnormal mails.
Wherein, after identifying the mail type of each mail, the method further comprises:
determining the mails to be scanned that correspond to the potentially dangerous mail type;
sending the detection object information corresponding to the mails to be scanned to a cloud scanning system, so that the cloud scanning system identifies the abnormal mails among the mails to be scanned.
Wherein sending the detection object information corresponding to the mails to be scanned to the cloud scanning system, so that the cloud scanning system identifies the abnormal mails among the mails to be scanned, comprises:
sending at least one of the account information, URL information, attachment information and body text information corresponding to the mails to be scanned to the cloud scanning system, so that the cloud scanning system identifies the abnormal mails among the mails to be scanned.
Wherein the cloud scanning system identifying the abnormal mails among the mails to be scanned comprises:
identifying whether the source address and/or destination address in the account information is a forged address, to obtain an account information recognition result; and/or identifying whether the URL information contains URL content of a malicious type, to obtain a URL recognition result; and/or identifying whether the attachment information contains an attachment of a malicious type, to obtain an attachment recognition result; and/or identifying whether the body text information contains malicious body content, to obtain a body text recognition result;
identifying abnormal mails according to at least one of the account information recognition result, the URL recognition result, the attachment recognition result and the body text recognition result.
A mail detection apparatus, comprising:
a mail type identification module for identifying the mail type of each mail, the mail types comprising a safe mail type, a dangerous mail type and a potentially dangerous mail type;
a behavioral data obtaining module for obtaining the behavioral data of target mails according to the mail type of each mail;
an abnormal mail identification module for performing analysis on the behavioral data with a preset behavior analysis model to identify the abnormal mails among the target mails.
Wherein the abnormal mail identification module comprises a first recognition unit and/or a second recognition unit;
the first recognition unit is for identifying account brute-force behavior from the login records of the target mails and determining the mails among the target mails that correspond to the account brute-force behavior as abnormal mails;
the second recognition unit is for identifying mass-mailing behavior from the sending records of the target mails and determining the mails among the target mails that correspond to the mass-mailing behavior as abnormal mails.
Wherein the apparatus further comprises:
a mails-to-be-scanned determining module for determining the mails to be scanned that correspond to the potentially dangerous mail type;
a detection object sending module for sending the detection object information corresponding to the mails to be scanned to a cloud scanning system, so that the cloud scanning system identifies the abnormal mails among the mails to be scanned.
Wherein the detection object sending module is specifically for sending at least one of the account information, URL information, attachment information and body text information corresponding to the mails to be scanned to the cloud scanning system, so that the cloud scanning system identifies the abnormal mails among the mails to be scanned.
A computer readable storage medium storing a computer program which, when executed by a processor, implements the steps of the mail detection method described above.
Mail detection equipment, comprising:
a memory for storing a computer program; and a processor which, when executing the computer program, implements the steps of the mail detection method described above.
A mail detection system, comprising a target host and a cloud scanning server, wherein the target host comprises the mail detection apparatus described above;
the cloud scanning server is for identifying the abnormal mails among the mails to be scanned, corresponding to the potentially dangerous mail type, that are sent by the target host.
Wherein the cloud scanning server is specifically for:
identifying whether the source address and/or destination address in the account information is a forged address, to obtain an account information recognition result; and/or identifying whether the URL information contains URL content of a malicious type, to obtain a URL recognition result; and/or identifying whether the attachment information contains an attachment of a malicious type, to obtain an attachment recognition result; and/or identifying whether the body text information contains malicious body content, to obtain a body text recognition result; and identifying abnormal mails according to at least one of the account information recognition result, the URL recognition result, the attachment recognition result and the body text recognition result.
It can be seen from the above that the mail detection method provided by an embodiment of the invention comprises: identifying the mail type of each mail, the mail types comprising a safe mail type, a dangerous mail type and a potentially dangerous mail type; obtaining the behavioral data of target mails according to the mail type of each mail; and performing analysis on the behavioral data with a preset behavior analysis model to identify the abnormal mails among the target mails. Thus, after the type of a mail has been identified, behavioral analysis can be performed on it with the preset analysis model, so that abnormal mails are identified from the mail's behavioral data. Identifying abnormal mails from several angles in this way detects more potential security risks and further improves mail security. The invention also discloses a mail detection apparatus, equipment, system and computer readable storage medium that achieve the same technical effect.
Detailed description of the invention
In order to explain the technical solutions in the embodiments of the invention or in the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. Clearly, the drawings in the following description are only some embodiments of the invention; those of ordinary skill in the art can obtain other drawings from these drawings without creative effort.
Fig. 1 is a schematic flow chart of a mail detection method disclosed by an embodiment of the invention;
Fig. 2 is a schematic diagram of the division of mail detection objects disclosed by an embodiment of the invention;
Fig. 3 is a schematic flow chart of another mail detection method disclosed by an embodiment of the invention;
Fig. 4 is a schematic diagram of cloud scanning disclosed by an embodiment of the invention;
Fig. 5 is a schematic structural diagram of a mail detection apparatus disclosed by an embodiment of the invention.
Specific embodiment
The technical solutions in the embodiments of the invention are described clearly and completely below with reference to the drawings. Clearly, the described embodiments are only some, not all, of the embodiments of the invention. All other embodiments obtained by those of ordinary skill in the art based on the embodiments of the invention without creative effort fall within the protection scope of the invention.
The embodiments of the invention disclose a mail detection method, apparatus, equipment, system and computer readable storage medium that detect mail and thereby improve mail security.
Referring to Fig. 1, a mail detection method provided by an embodiment of the invention comprises:
S101: identifying the mail type of each mail, the mail types comprising a safe mail type, a dangerous mail type and a potentially dangerous mail type;
Specifically, identifying the mail type of each mail in this embodiment refers to detecting mail with methods such as rules, a blacklist/whitelist database and built-in antivirus software. Identifying the mail type yields the specific type of a mail, and this type roughly classifies the mail: the safe mail type is safe mail that matches a whitelist rule; the dangerous mail type is abnormal mail that matches a blacklist rule; and the potentially dangerous mail type comprises a suspicious mail type and an unknown mail type, where suspicious mail is mail that may carry a security risk but does not belong to the dangerous mail type, and unknown mail is mail of an unknown type outside the types above.
The detection methods above can quickly identify the general type of each mail, but they are limited by the manually extracted rule content, the updating of the blacklist/whitelist database and the updating of the antivirus software's built-in virus database, so they cannot detect and respond to most emerging threats, and their ability to detect spear phishing mail and mail carrying the newest virus types in particular is clearly lacking. Therefore, in this application, abnormal mail is identified from mail behavior data through S102-S103.
It should be noted that the basic information of each mail must be obtained before this solution identifies the mail type. Specifically, the field information of each mail is extracted first; the audited fields fall into 4 classes: connection information, protocol command information, mail header information, and mail body and attachment.
The audited fields are mainly:
1) connection information: source IP, destination IP, protocol type, software version, port number of the mail, etc.;
2) protocol command information: account login command requests and responses, sender/recipient command requests and responses, mail operation command requests and responses, etc.;
3) mail header information: sending date, subject, sender and recipients, body type, etc.;
4) mail body and attachment: the body content is extracted, and the attachment is stored separately.
Further, this solution divides a mail into 5 detection objects. As shown in Fig. 2, a mail is divided into 5 classes of detection objects: mail account, URL information, mail attachment, mail body content and mail sending/receiving behavior. They correspond to the audited mail fields as follows:
1) mail account: the source IP and destination IP in the connection information, the sender/recipient and login account in the SMTP, POP3 and IMAP protocols, and fields such as the sender/recipient in the mail header;
2) URL information: URLs extracted from the mail body, or potential URLs extracted from the mail body;
3) mail attachment: the mail attachment;
4) mail body content: the mail body content;
5) mail sending/receiving behavior: the source IP and destination IP in the connection information, the operations in the command information (such as a mail send being refused, or mail being deleted or moved), and the subject and sender/recipient information in the mail header, etc.
Dividing mail into detection objects markedly improves the scalability and maintainability of the detection device: detection capability can be developed for each detection object individually and detection results can be responded to quickly. Because detection capability is tied to a specific detection object, such a detection framework is more flexible.
Once each detection object has been obtained, the mail can be detected with methods such as rules, a blacklist/whitelist database and built-in antivirus software. This detection is similar to a traditional mail security detection device, so it filters mail quickly: while detecting the problems that a conventional mail security device can detect, it also excludes most normal mail, which improves the efficiency of the subsequent detection.
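As an added illustration of the field audit, the division into the five detection objects of Fig. 2 and the first-layer rule/list detection of S101 (this is example code written for this page, not code from the patent or from Sangfor; the record layout, the whitelist and blacklist entries, the stand-in attachment signature and the URL patterns are all constructed):

```python
"""Added example: field audit -> five detection objects -> first-layer mail type.
Not the patent's or Sangfor's code; all lists and sample records are constructed."""
import re
from dataclasses import dataclass

SAFE, DANGEROUS, POTENTIAL = "safe", "dangerous", "potentially_dangerous"

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# "potential URLs": host-like tokens written without a scheme (constructed TLD list)
POTENTIAL_URL_RE = re.compile(r"\b[\w.-]+\.(?:com|net|org|test)(?:/[^\s]*)?", re.IGNORECASE)

@dataclass
class MailSession:
    """The four audited field classes of one mail, in a flat constructed form."""
    src_ip: str
    dst_ip: str
    protocol: str
    port: int
    login_account: str
    commands: list      # (command, response) pairs from the protocol exchange
    headers: dict
    body: str
    attachments: list   # (filename, sha256 hex digest) pairs; files stored separately

@dataclass
class DetectionObjects:
    account: dict
    urls: list
    attachments: list
    body: str
    behavior: dict

def split_detection_objects(s: MailSession) -> DetectionObjects:
    """Divide one audited mail into the five detection objects of Fig. 2."""
    urls = URL_RE.findall(s.body)
    # search for scheme-less "potential" URLs only in the text left after removing full URLs
    potential = POTENTIAL_URL_RE.findall(URL_RE.sub(" ", s.body))
    account = {"src_ip": s.src_ip, "dst_ip": s.dst_ip, "login": s.login_account,
               "from": s.headers.get("From", ""), "to": s.headers.get("To", "")}
    behavior = {"src_ip": s.src_ip, "dst_ip": s.dst_ip,
                "operations": [c for c, _ in s.commands],
                "subject": s.headers.get("Subject", ""), "from": account["from"], "to": account["to"]}
    return DetectionObjects(account, urls + potential, list(s.attachments), s.body, behavior)

# constructed first-layer reference data (whitelist rule, blacklist rule, AV-style hash hit)
WHITELIST_SENDERS = {"hr@corp.example"}
BLACKLIST_SENDERS = {"lottery@spam.example"}
BLACKLIST_ATTACHMENT_HASHES = {"ab" * 32}
SUSPICIOUS_EXTENSIONS = (".exe", ".js", ".scr")

def classify(obj: DetectionObjects) -> tuple:
    """First-layer type: blacklist hit -> dangerous, whitelist -> safe,
    everything else -> potentially dangerous (suspicious or unknown subtype)."""
    sender = obj.account["from"]
    hashes = {h for _, h in obj.attachments}
    if sender in BLACKLIST_SENDERS or hashes & BLACKLIST_ATTACHMENT_HASHES:
        return DANGEROUS, "blacklist"
    if sender in WHITELIST_SENDERS:
        return SAFE, "whitelist"
    risky = bool(obj.urls) or any(n.lower().endswith(SUSPICIOUS_EXTENSIONS) for n, _ in obj.attachments)
    return POTENTIAL, ("suspicious" if risky else "unknown")

def sample_sessions() -> list:
    """Constructed sample sessions, not captured traffic."""
    date = "Mon, 1 Jan 2024 09:00:00 +0000"
    return [
        MailSession("10.0.0.5", "10.0.0.25", "SMTP", 25, "alice",
                    [("AUTH LOGIN", "235 OK"), ("MAIL FROM", "250 OK"), ("RCPT TO", "250 OK"), ("DATA", "250 Queued")],
                    {"From": "hr@corp.example", "To": "alice@corp.example", "Subject": "Holiday schedule", "Date": date},
                    "See the attached schedule.", []),
        MailSession("203.0.113.9", "10.0.0.25", "SMTP", 25, "bob",
                    [("MAIL FROM", "250 OK"), ("RCPT TO", "250 OK"), ("DATA", "250 Queued")],
                    {"From": "it-support@corp-example.test", "To": "bob@corp.example", "Subject": "Password expiry", "Date": date},
                    "Reset at https://corp-example.test/reset or portal.corp-example.test/login today.",
                    [("reset_tool.exe", "cd" * 32)]),
        MailSession("198.51.100.7", "10.0.0.25", "SMTP", 25, "carol",
                    [("MAIL FROM", "250 OK"), ("RCPT TO", "550 Rejected")],
                    {"From": "lottery@spam.example", "To": "carol@corp.example", "Subject": "You won", "Date": date},
                    "Claim your prize.", []),
    ]

def first_layer(sessions=None) -> list:
    """Run the audit split and first-layer classification; returns (login, type, subtype)."""
    out = []
    for s in sessions if sessions is not None else sample_sessions():
        t, sub = classify(split_detection_objects(s))
        out.append((s.login_account, t, sub))
    return out
```

Only the potentially dangerous mails from `first_layer` continue to the behavioral and cloud layers; the blacklist hit on the attachment hash is checked before the whitelist so that a whitelisted sender cannot carry a known-bad file through.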
S102: obtaining the behavioral data of target mails according to the mail type of each mail;
Specifically, S102-S103 in this solution can be executed at a set interval; for example, if the interval is set to 3 days, the behavioral data of those three days is obtained once three days have elapsed. When obtaining behavioral data it must be decided which mails' behavioral data is to be obtained, so in this embodiment the target mails are selected according to the mail type of each mail; the selection method is not specifically limited here. For example, when detecting account brute-force behavior with only a high login failure count as the sole criterion, the mail of the whitelist type can be regarded as safe and the mail of the blacklist type has already been identified as abnormal, so mails of both types carry no security risk; in that case it can be configured that only the behavioral data of mails of the potentially dangerous mail type is obtained when identifying account brute-force behavior, i.e. only the mails of the potentially dangerous type are examined for abnormal mails. If the login failure rate is used as the criterion instead, the mails of the safe and dangerous mail types must also be obtained.
S103: performing analysis on the behavioral data with a preset behavior analysis model to identify the abnormal mails among the target mails.
Specifically, the analysis model in this solution is built from the behavioral data generated by users using their mailboxes under normal circumstances; that is, the multidimensional behavioral analysis data in the model is the user's normal behavioral data, for example the mailbox login times, the frequency of sending and receiving mail, the usual login addresses of the mailbox, etc. By comparing the behavioral data of the target mails against the behavioral data in the analysis model, the abnormal mails among the target mails can be identified from their behavioral data. Compared with the mail type identification in S101, identifying mail through its behavioral data allows abnormal mail to be identified from multiple angles, which increases mail security.
Based on the embodiment of the mail detection method above, in this embodiment, performing analysis on the behavioral data with the preset behavior analysis model to identify the abnormal mails among the target mails specifically comprises:
identifying account brute-force behavior from the login records of the target mails, and determining the mails among the target mails that correspond to the account brute-force behavior as abnormal mails; and/or
identifying mass-mailing behavior from the sending records of the target mails, and determining the mails among the target mails that correspond to the mass-mailing behavior as abnormal mails.
It should be noted that the analysis model can detect many kinds of abnormal behavior, such as account brute-force behavior, mass-mailing behavior, abnormal login time behavior and abnormal login location behavior; this embodiment describes only the detection of account brute-force behavior and mass-mailing behavior. Specifically, when identifying account brute-force behavior from the login records of the target mails, the number of login failures, the number of successes, the passwords attempted and similar information for the mail account over a past period are obtained and analyzed with the analysis model. If the account has been logged into with a large number of weak passwords and the failure ratio is high, it can be identified as account brute-force behavior, and all mails belonging to the account brute-force behavior are determined as abnormal mails.
When identifying mass-mailing behavior from the sending records of the target mails, the sending records of each account over a past period, including the successful and failed sending records and the mail subjects, are statistically analyzed to identify abnormal behavior such as mass mailing from a single account or mass mailing from multiple accounts. It will be understood that the abnormal behavior may be determined as the number of mails sent with the same subject exceeding a predetermined threshold, as the failure rate of sending the same subject exceeding a predetermined threshold, or merely as the sending failure rate exceeding a predetermined threshold; this is not specifically limited here. It should be noted that identifying mass mailing from multiple accounts requires the same subject as a necessary condition.
Compared with performing anomaly identification on a single mail, this embodiment identifies the abnormal mails of a user/host over a past period by modeling from the angle of abnormal behavior, so that mass spam, account brute-forcing and similar behavior can be found accurately, further improving mail security.
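As an added illustration of the second layer (S102-S103): selecting the target mails by type and interval, then running the two analyses the embodiment describes, account brute-force over login records and single/multi-account mass mailing over sending records. This is example code written for this page, not the patent's or Sangfor's; the record fields (including a constructed `weak_password` flag standing in for the "passwords attempted" information), the thresholds and the sample records are all constructed.

```python
"""Added example: behavioral analysis layer (S102-S103) over constructed records.
Not the patent's or Sangfor's code; thresholds and data are constructed."""
from collections import Counter, defaultdict
from dataclasses import dataclass

SAFE, DANGEROUS, POTENTIAL = "safe", "dangerous", "potentially_dangerous"

@dataclass(frozen=True)
class LoginRecord:
    account: str
    day: int             # constructed: day index instead of a timestamp
    success: bool
    weak_password: bool  # constructed flag: the attempted password was on a weak-password list

@dataclass(frozen=True)
class SendRecord:
    mail_id: str
    account: str
    day: int
    subject: str
    success: bool
    mail_type: str       # result of the first-layer type identification (S101)

def select_targets(sends, criterion):
    """S102 target selection: a pure failure-count criterion only needs the
    potentially dangerous mails; a failure-rate criterion needs all three types."""
    wanted = {POTENTIAL} if criterion == "failure_count" else {SAFE, DANGEROUS, POTENTIAL}
    return [r for r in sends if r.mail_type in wanted]

def in_window(records, now_day, window_days):
    """Keep only the records of the last `window_days` days (the S102 interval)."""
    return [r for r in records if now_day - window_days < r.day <= now_day]

def detect_brute_force(logins, min_attempts=10, min_weak_ratio=0.5, min_failure_ratio=0.8):
    """Account brute-force: many attempts, mostly failed, mostly with weak passwords."""
    by_acct = defaultdict(list)
    for r in logins:
        by_acct[r.account].append(r)
    flagged = {}
    for acct, recs in by_acct.items():
        n, failures = len(recs), sum(not r.success for r in recs)
        weak = sum(r.weak_password for r in recs)
        if n >= min_attempts and failures / n >= min_failure_ratio and weak / n >= min_weak_ratio:
            flagged[acct] = {"attempts": n, "failures": failures, "weak": weak}
    return flagged

def detect_mass_mailing(sends, subject_threshold=20, failure_rate_threshold=0.5, min_sends=5):
    """Same subject over threshold from one account, high send failure rate, and
    same subject over threshold across several accounts (same subject required)."""
    findings = []
    for (acct, subj), n in Counter((r.account, r.subject) for r in sends).items():
        if n >= subject_threshold:
            findings.append(("single_account_mass_mail", acct, subj))
    per_acct = defaultdict(list)
    for r in sends:
        per_acct[r.account].append(r)
    for acct, recs in per_acct.items():
        if len(recs) >= min_sends and sum(not r.success for r in recs) / len(recs) >= failure_rate_threshold:
            findings.append(("high_send_failure_rate", acct, None))
    subj_accts, subj_total = defaultdict(set), Counter()
    for r in sends:
        subj_accts[r.subject].add(r.account)
        subj_total[r.subject] += 1
    for subj, accts in subj_accts.items():
        if len(accts) >= 2 and subj_total[subj] >= subject_threshold:
            findings.append(("multi_account_mass_mail", tuple(sorted(accts)), subj))
    return findings

def abnormal_mail_ids(sends, brute, findings):
    """Every mail of a brute-forced account and every mail of a flagged
    account/subject combination is determined as abnormal."""
    bad_accts, bad_pairs = set(brute), set()
    for kind, who, subj in findings:
        if kind == "high_send_failure_rate":
            bad_accts.add(who)
        elif kind == "single_account_mass_mail":
            bad_pairs.add((who, subj))
        else:
            bad_pairs.update((a, subj) for a in who)
    return {r.mail_id for r in sends if r.account in bad_accts or (r.account, r.subject) in bad_pairs}

def sample_data():
    """Constructed records, not captured traffic."""
    sends, logins, n = [], [], 0
    def send(acct, day, subj, ok, mtype):
        nonlocal n
        n += 1
        sends.append(SendRecord(f"m{n}", acct, day, subj, ok, mtype))
    for i in range(30):                      # carol: 30 mails, one subject, 12 send failures
        send("carol", 8 + i % 2, "Invoice #2291", i >= 12, POTENTIAL)
    for acct in ("dave", "erin"):            # 12 each with the same subject: 24 in total
        for _ in range(12):
            send(acct, 9, "Urgent: verify your account", True, POTENTIAL)
    for _ in range(3):
        send("alice", 9, "Lunch?", True, SAFE)
    for _ in range(25):                      # frank: mass mail, but outside the 3-day window
        send("frank", 2, "Big sale", True, POTENTIAL)
    logins += [LoginRecord("carol", 8, i >= 23, i < 20) for i in range(25)]  # 23 failures, 20 weak
    logins += [LoginRecord("alice", 9, True, False) for _ in range(5)]
    return sends, logins

def analyze(criterion="failure_rate", now_day=10, window_days=3):
    """Select targets by type and interval, then run both detections."""
    sends, logins = sample_data()
    targets = in_window(select_targets(sends, criterion), now_day, window_days)
    accts = {r.account for r in targets}
    logins = [r for r in in_window(logins, now_day, window_days) if r.account in accts]
    brute = detect_brute_force(logins)
    findings = detect_mass_mailing(targets)
    return brute, findings, abnormal_mail_ids(targets, brute, findings)
```

With the constructed data, carol is flagged for brute-force (23 of 25 logins failed, 20 with weak passwords) and for single-account mass mail, while dave and erin are caught only by the multi-account rule, since neither reaches the per-account subject threshold on their own; frank's burst is ignored because it lies outside the interval.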
Referring to Fig. 3, another mail detection method provided by an embodiment of the invention comprises:
S201: identifying the mail type of each mail, the mail types comprising a safe mail type, a dangerous mail type and a potentially dangerous mail type;
S202: obtaining the behavioral data of target mails according to the mail type of each mail;
S203: performing analysis on the behavioral data with a preset behavior analysis model to identify the abnormal mails among the target mails;
It should be noted that S201-S203 in this embodiment have the same content as S101-S103 in the method embodiment above; for the related content refer to that embodiment, which is not repeated here.
S204: determining the mails to be scanned that correspond to the potentially dangerous mail type;
S205: sending the detection object information corresponding to the mails to be scanned to a cloud scanning system, so that the cloud scanning system identifies the abnormal mails among the mails to be scanned.
Specifically, because identifying mail only locally leaves security gaps when the recognition rules are not updated, this embodiment uses cloud scanning: the mails corresponding to the potentially dangerous mail type are uploaded to the cloud, which scans them with the powerful computing capacity of the cloud server and the newest and richest detection criteria, so as to identify abnormal mails as far as possible.
It should be noted that S204-S205 and S202-S203 are two parallel detection modes: S202-S203 identifies abnormal mails from the user's behavioral data, and S204-S205 identifies abnormal mails through cloud scanning. Of course, the two can also be performed together; that is, in this embodiment, on the basis of S201 as the first layer of detection identifying the mail type, S202-S203 serves as the second layer identifying abnormal mails from behavioral data, and S204-S205 serves as the third layer identifying abnormal mails through cloud scanning. Filtering through these three layers of detection maximizes detection capability.
In this embodiment, sending the detection object information corresponding to the mails to be scanned to the cloud scanning system specifically comprises: sending at least one of the account information, URL information, attachment information and body text information corresponding to the mails to be scanned to the cloud scanning system;
and the cloud scanning system identifying the abnormal mails among the mails to be scanned comprises:
identifying whether the source address and/or destination address in the account information is a forged address, to obtain an account information recognition result; and/or identifying whether the URL information contains URL content of a malicious type, to obtain a URL recognition result; and/or identifying whether the attachment information contains an attachment of a malicious type, to obtain an attachment recognition result; and/or identifying whether the body text information contains malicious body content, to obtain a body text recognition result;
identifying abnormal mails according to at least one of the account information recognition result, the URL recognition result, the attachment recognition result and the body text recognition result.
Specifically, 5 classes of detection objects were determined before the mail is detected: mail account, URL information, mail attachment, mail body content and mail sending/receiving behavior. The mail sending/receiving behavior is the behavioral data used in S102-S103/S202-S203, and the other 4 classes of detection objects are the detection object information, corresponding to the mails to be scanned, that needs cloud scanning in this embodiment. Of course, not all 4 classes of detection object information need to be cloud-scanned; this depends on the information contained in the mail itself. For example, not every mail contains an attachment and body content.
Referring to Fig. 4, the schematic diagram of cloud scanning provided in this embodiment, this solution can perform identification on at least one of the mail account, the URLs in the mail body, the mail attachment and the mail body content, and determine whether the mail is abnormal according to the final result of each. Specifically:
Account cloud scanning: mainly provides legitimacy detection, judging whether the source IP and destination IP are legitimate and identifying whether there is forgery;
URL cloud scanning: mainly obtains the URL content, analyzes the URL and categorizes it, the specific categories including phishing, extortion, advertising and so on;
Attachment cloud scanning: performs multi-engine scanning of the attachment and outputs the file classification;
Body text cloud scanning: for suspicious body text, further performs semantic and sentiment analysis with a model and outputs the topic and malice type of the text.
In summary, this embodiment mainly comprises three layers of detection. The first layer is traditional detection by rules, blacklist/whitelist and built-in antivirus software, which identifies the type information of the mail. The second layer is behavioral analysis detection, which analyzes the sending/receiving behavior of each account, extracts features, analyzes them with an algorithm and further analyzes the detection results for identification. The third layer is cloud scanning detection, which mainly uploads the suspicious objects in the mail to the cloud for analysis. With this three-layer filtering detection, the detection capability of each layer is independent of the others, and mail security detection capability is markedly improved. At the same time, this solution divides mail by detection object, which facilitates developing and extending detection capability for different detection objects, rapidly releasing new detection capability and responding to security incidents; it has the advantages of strong detection capability, good scalability and easy maintenance.
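As an added illustration of the third layer (S204-S205 and Fig. 4): building the submission for a potentially dangerous mail from only the detection objects it actually contains, and combining the four per-object recognition results into one verdict. This is example code written for this page, not the patent's or Sangfor's. The cloud side is a local stand-in with constructed reference data (a forged-source list, a host-to-category map, a hash-keyed attachment signature and body phrases); a real cloud scanning system would use multi-engine scanners and analysis models, as the text describes, but the submission shape and the result aggregation are what this example shows.

```python
"""Added example: cloud scanning submission and verdict aggregation (S204-S205).
Not the patent's or Sangfor's code; the cloud side here is a constructed stand-in."""
import hashlib
from dataclasses import dataclass

@dataclass
class Mail:
    mail_id: str
    mail_type: str
    src_ip: str
    dst_ip: str
    sender: str
    recipient: str
    urls: list
    attachments: list   # (filename, raw bytes) pairs
    body: str

def build_submission(m: Mail) -> dict:
    """Send only the detection objects the mail actually carries; the account
    object is always present, URLs/attachments/body only when non-empty.
    Attachments are referenced by SHA-256 in the submission."""
    sub = {"mail_id": m.mail_id,
           "account": {"src_ip": m.src_ip, "dst_ip": m.dst_ip, "from": m.sender, "to": m.recipient}}
    if m.urls:
        sub["urls"] = list(m.urls)
    if m.attachments:
        sub["attachments"] = [{"name": n, "sha256": hashlib.sha256(b).hexdigest()} for n, b in m.attachments]
    if m.body.strip():
        sub["body"] = m.body
    return sub

# --- constructed stand-in for the cloud scanning system's reference data ---
KNOWN_FORGED_SOURCES = {"203.0.113.66"}
URL_CATEGORIES = {"corp-example.test": "phishing", "ads.example": "advertising"}   # keyed by host
ATTACHMENT_SIGNATURES = {hashlib.sha256(b"constructed malicious sample").hexdigest(): "trojan.downloader"}
MALICIOUS_BODY_PHRASES = ("verify your account", "wire the payment today")
MALICIOUS_URL_TYPES = {"phishing", "extortion"}

def cloud_scan(sub: dict) -> dict:
    """Return one recognition result per submitted detection object (Fig. 4)."""
    result = {"account": {"forged": sub["account"]["src_ip"] in KNOWN_FORGED_SOURCES}}
    if "urls" in sub:
        result["urls"] = {u: URL_CATEGORIES.get(u.split("//", 1)[-1].split("/", 1)[0].lower(), "unknown")
                          for u in sub["urls"]}
    if "attachments" in sub:
        result["attachments"] = {a["name"]: ATTACHMENT_SIGNATURES.get(a["sha256"], "clean")
                                 for a in sub["attachments"]}
    if "body" in sub:
        hits = [p for p in MALICIOUS_BODY_PHRASES if p in sub["body"].lower()]
        result["body"] = {"malicious": bool(hits), "topic": "credential_lure" if hits else "benign"}
    return result

def is_abnormal(result: dict) -> tuple:
    """Any single malicious per-object result marks the mail abnormal."""
    reasons = []
    if result["account"]["forged"]:
        reasons.append("forged source address")
    reasons += [f"url {u}: {c}" for u, c in result.get("urls", {}).items() if c in MALICIOUS_URL_TYPES]
    reasons += [f"attachment {n}: {v}" for n, v in result.get("attachments", {}).items() if v != "clean"]
    if result.get("body", {}).get("malicious"):
        reasons.append("malicious body text")
    return bool(reasons), reasons

def scan_potentially_dangerous(mails) -> dict:
    """S204-S205: only the potentially dangerous mails are submitted."""
    return {m.mail_id: is_abnormal(cloud_scan(build_submission(m)))
            for m in mails if m.mail_type == "potentially_dangerous"}

def sample_mails() -> list:
    """Constructed sample mails."""
    return [
        Mail("m1", "safe", "10.0.0.5", "10.0.0.25", "hr@corp.example", "alice@corp.example",
             [], [], "Holiday schedule attached."),
        Mail("m2", "potentially_dangerous", "203.0.113.9", "10.0.0.25", "it@corp-example.test", "bob@corp.example",
             ["https://corp-example.test/reset"], [], "Please verify your account before noon."),
        Mail("m3", "potentially_dangerous", "198.51.100.4", "10.0.0.25", "vendor@example.net", "carol@corp.example",
             [], [("invoice.pdf", b"%PDF-1.4 constructed benign content")], ""),
        Mail("m4", "potentially_dangerous", "203.0.113.66", "10.0.0.25", "ceo@corp.example", "dave@corp.example",
             [], [("update.exe", b"constructed malicious sample")], "Run the attached update."),
    ]
```

Mail m3 has no URLs and an empty body, so its submission carries only the account and attachment objects, matching the note that not every mail contains all four classes; m2 is flagged by two independent results (URL category and body text), so the verdict survives even if one cloud engine misses.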
The mail detection device provided in an embodiment of the present invention is introduced below; the mail detection device described below and the mail detection method described above may be cross-referenced.
Referring to Fig. 5, a mail detection device provided in an embodiment of the present invention comprises:
an email type identification module 100, for identifying the email type of each mail, the email type including a safe email type, a dangerous email type and a potentially dangerous email type;
a behavioral data obtaining module 200, for obtaining the behavioral data of the targeted mails according to the email type of each mail;
an exception mail identification module 300, for performing analysis detection on the behavioral data using a preset behavior analysis model to identify the exception mail among the targeted mails.
Wherein the exception mail identification module comprises a first recognition unit and/or a second recognition unit;
the first recognition unit, for identifying account brute-force behavior according to the login records of the targeted mails, and determining the mails among the targeted mails that correspond to the account brute-force behavior as exception mail;
the second recognition unit, for identifying mass-mailing behavior according to the mail sending records of the targeted mails, and determining the mails among the targeted mails that correspond to the mass-mailing behavior as exception mail.
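The two recognition units above, as an added example that is not part of the patent or any Sangfor product: a minimal behavior analysis model that flags account brute-force from login records and mass-mailing from sending records, then marks the corresponding mails as exception mail. The record formats, thresholds, the reading that a brute-forced account's mails are the "corresponding" mails, and the sample data are all assumptions made here.

```python
# Added example, not the patent's own code: a minimal behavior analysis model for
# the second detection layer. Login records feed the first recognition unit
# (account brute-force), mail sending records feed the second (mass-mailing), and
# mails tied to a flagged account or burst are returned as exception mail. Record
# formats, thresholds and sample data are constructed for illustration.
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class LoginRecord:
    account: str
    source_ip: str
    time: datetime
    success: bool

@dataclass(frozen=True)
class SendRecord:
    mail_id: str
    account: str
    time: datetime
    recipients: int

def detect_brute_force(logins, max_failures=5, window=timedelta(minutes=10)):
    """First recognition unit: {account: {source_ip}} for every source IP with more
    than max_failures failed logins on one account inside a sliding time window."""
    failures = defaultdict(list)
    for rec in logins:
        if not rec.success:
            failures[(rec.account, rec.source_ip)].append(rec.time)
    flagged = defaultdict(set)
    for (account, ip), times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # drop failures outside window
                start += 1
            if end - start + 1 > max_failures:
                flagged[account].add(ip)
                break
    return dict(flagged)

def detect_mass_mailing(sends, max_recipients=50, window=timedelta(hours=1)):
    """Second recognition unit: {account: [mail_id, ...]} for accounts whose recipients
    summed over a sliding window exceed max_recipients; the mails in the window are hits."""
    by_account = defaultdict(list)
    for rec in sends:
        by_account[rec.account].append(rec)
    flagged = {}
    for account, recs in by_account.items():
        recs.sort(key=lambda r: r.time)
        start, total = 0, 0
        for end, rec in enumerate(recs):
            total += rec.recipients
            while rec.time - recs[start].time > window:  # slide the window forward
                total -= recs[start].recipients
                start += 1
            if total > max_recipients:
                flagged[account] = [r.mail_id for r in recs[start:end + 1]]
                break
    return flagged

def identify_exception_mail(mails, logins, sends):
    """mails maps mail_id -> sending account. A mail is exception mail when its
    account shows brute-force logins (assumed reading of "corresponding mail")
    or when it belongs to a mass-mailing burst."""
    brute_forced = detect_brute_force(logins)
    mass_ids = {mid for ids in detect_mass_mailing(sends).values() for mid in ids}
    return sorted(m for m, acct in mails.items() if acct in brute_forced or m in mass_ids)

# Constructed sample data: 8 failed logins on "alice" from one IP within ~2.5 min,
# then one success; "carol" sends 6 mails of 12 recipients each within 5 minutes.
T0 = datetime(2024, 1, 1, 9, 0)
SAMPLE_LOGINS = [LoginRecord("alice", "198.51.100.7", T0 + timedelta(seconds=20 * i), False)
                 for i in range(8)]
SAMPLE_LOGINS += [LoginRecord("alice", "198.51.100.7", T0 + timedelta(minutes=3), True),
                  LoginRecord("bob", "203.0.113.5", T0, True)]
SAMPLE_SENDS = [SendRecord(f"m{i}", "carol", T0 + timedelta(minutes=i), 12) for i in range(6)]
SAMPLE_SENDS += [SendRecord("m9", "bob", T0, 2)]
SAMPLE_MAILS = {**{f"m{i}": "carol" for i in range(6)}, "m9": "bob", "a1": "alice"}
```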
Wherein this scheme further comprises:
a to-be-killed mail determining module, for determining the to-be-killed mail corresponding to the potentially dangerous email type;
a test object sending module, for sending the test object information corresponding to the to-be-killed mail to a cloud killing system, so that the cloud killing system identifies the exception mail among the to-be-killed mail.
Wherein the test object sending module is specifically for sending at least one of the account information, URL information, attachment information and body information corresponding to the to-be-killed mail to the cloud killing system, so that the cloud killing system identifies the exception mail among the to-be-killed mail.
The present embodiment also provides a computer readable storage medium on which a computer program is stored; when executed by a processor, the computer program implements the steps of the mail detection method described above.
Wherein the storage medium may include various media capable of storing program code, such as a USB flash disk, a mobile hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disk.
The present embodiment also provides a mail detection equipment, comprising: a memory, for storing a computer program; and a processor, for implementing the steps of the mail detection method described above when executing the computer program.
The present embodiment also provides a mail detection system, comprising a destination host and a cloud killing server; the destination host comprises the mail detection equipment described above;
the cloud killing server is for identifying the exception mail among the to-be-killed mail, corresponding to the potentially dangerous email type, sent by the destination host.
Wherein the cloud killing server is specifically for: identifying whether the source address and/or destination address in the account information is a forged address, obtaining an account information recognition result; and/or identifying whether URL content of a malicious type exists in the URL information, obtaining a URL recognition result; and/or identifying whether an attachment of a malicious type exists in the attachment information, obtaining an attachment recognition result; and/or identifying whether malicious body content exists in the body information, obtaining a body recognition result; and identifying the exception mail according to at least one of the account information recognition result, the URL recognition result, the attachment recognition result and the body recognition result.
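The cloud killing server described above, as an added example that is not the patent's or any vendor's code: the test object information of one mail is split into account, URL, attachment and body objects, each object is checked by its own recognizer, and the per-object results are combined into the exception-mail verdict. The forged-address rule (source IP outside the networks the From domain is known to send from), the URL classes, the multi-engine voting rule, the body phrases and all sample data are stand-ins constructed here, not the patent's algorithms.

```python
# Added example, not the patent's own code: the cloud killing server side of the
# third layer. A potentially dangerous mail is split into test objects (account,
# URL, attachment, body); each object goes to an independent recognizer and the
# per-object results are combined into the exception-mail verdict. Recognizer
# internals (forged-address rule, URL classes, engine verdicts, body phrases)
# are constructed stand-ins, not the patent's algorithms.
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class TestObjects:
    account: Optional[dict] = None   # {"source_ip": ..., "from_domain": ...}
    urls: List[str] = field(default_factory=list)
    attachments: List[str] = field(default_factory=list)  # attachment identifiers
    body: str = ""

# Constructed reference data standing in for the cloud's intelligence.
SENDER_NETWORKS = {"example.com": [ipaddress.ip_network("203.0.113.0/24")]}
URL_CLASSES = {"http://login-update.example.net/verify": "phishing",
               "http://pay.example.net/unlock": "extortion",
               "http://shop.example.org/sale": "advertising"}
MALICIOUS_URL_CLASSES = {"phishing", "extortion"}
ENGINE_VERDICTS = {  # multi-engine results keyed by a constructed attachment id
    "att:CONSTRUCTED-CLEAN": {"engine-a": "clean", "engine-b": "clean", "engine-c": "clean"},
    "att:CONSTRUCTED-MALICIOUS": {"engine-a": "Trojan.Constructed", "engine-b": "clean", "engine-c": "Ransom.Constructed"},
}
MALICIOUS_BODY_PHRASES = ("verify your password", "pay the ransom", "account suspended")

def recognize_account(info):
    """Account cloud killing. Assumed rule: a source IP outside the networks the
    From domain is known to send from is treated as a forged address."""
    ip = ipaddress.ip_address(info["source_ip"])
    nets = SENDER_NETWORKS.get(info["from_domain"], [])
    return {"forged": not any(ip in net for net in nets)}

def recognize_urls(urls):
    """URL cloud killing: classify each URL; phishing and extortion are malicious."""
    classes = {u: URL_CLASSES.get(u, "unknown") for u in urls}
    return {"classes": classes,
            "malicious": any(c in MALICIOUS_URL_CLASSES for c in classes.values())}

def recognize_attachments(ids, min_engines=2):
    """Attachment cloud killing: multi-engine vote; malicious when at least
    min_engines engines report a detection (assumed voting rule)."""
    hits = {}
    for att in ids:
        names = [v for v in ENGINE_VERDICTS.get(att, {}).values() if v != "clean"]
        if len(names) >= min_engines:
            hits[att] = names
    return {"hits": hits, "malicious": bool(hits)}

def recognize_body(body):
    """Body cloud killing: phrase matching stands in for the semantic model."""
    found = [p for p in MALICIOUS_BODY_PHRASES if p in body.lower()]
    return {"phrases": found, "malicious": bool(found)}

def cloud_kill(objs):
    """Run each recognizer whose test object is present; the mail is exception
    mail when any present object is forged or malicious."""
    results = {}
    if objs.account is not None:
        results["account"] = recognize_account(objs.account)
    if objs.urls:
        results["url"] = recognize_urls(objs.urls)
    if objs.attachments:
        results["attachment"] = recognize_attachments(objs.attachments)
    if objs.body:
        results["body"] = recognize_body(objs.body)
    flags = [r.get("forged", False) or r.get("malicious", False) for r in results.values()]
    return {"results": results, "exception_mail": any(flags)}

# Constructed samples: one mail whose every object is bad, one clean newsletter.
SUSPICIOUS = TestObjects(account={"source_ip": "198.51.100.9", "from_domain": "example.com"},
                         urls=["http://login-update.example.net/verify"],
                         attachments=["att:CONSTRUCTED-MALICIOUS"],
                         body="Please verify your password within 24 hours.")
CLEAN = TestObjects(account={"source_ip": "203.0.113.10", "from_domain": "example.com"},
                    urls=["http://shop.example.org/sale"],
                    attachments=["att:CONSTRUCTED-CLEAN"], body="Weekly newsletter")
```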
Each embodiment in this specification is described in a progressive manner; each embodiment highlights its differences from the other embodiments, and the same or similar parts of the embodiments may refer to each other.
The foregoing description of the disclosed embodiments enables those skilled in the art to implement or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the general principles defined herein can be realized in other embodiments without departing from the spirit or scope of the present invention. Therefore, the present invention is not intended to be limited to the embodiments shown herein, but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (13)

1. A mail detection method, characterized by comprising:
identifying the email type of each mail, the email type including a safe email type, a dangerous email type and a potentially dangerous email type;
obtaining the behavioral data of targeted mails according to the email type of each mail;
performing analysis detection on the behavioral data using a preset behavior analysis model to identify the exception mail among the targeted mails.
2. The mail detection method according to claim 1, characterized in that performing analysis detection on the behavioral data using the preset behavior analysis model to identify the exception mail among the targeted mails comprises:
identifying account brute-force behavior according to the login records of the targeted mails, and determining the mails among the targeted mails that correspond to the account brute-force behavior as exception mail; and/or
identifying mass-mailing behavior according to the mail sending records of the targeted mails, and determining the mails among the targeted mails that correspond to the mass-mailing behavior as exception mail.
3. The mail detection method according to claim 1, characterized in that, after identifying the email type of each mail, the method further comprises:
determining the to-be-killed mail corresponding to the potentially dangerous email type;
sending the test object information corresponding to the to-be-killed mail to a cloud killing system, so that the cloud killing system identifies the exception mail among the to-be-killed mail.
4. The mail detection method according to claim 3, characterized in that sending the test object information corresponding to the to-be-killed mail to the cloud killing system, so that the cloud killing system identifies the exception mail among the to-be-killed mail, comprises:
sending at least one of the account information, URL information, attachment information and body information corresponding to the to-be-killed mail to the cloud killing system, so that the cloud killing system identifies the exception mail among the to-be-killed mail.
5. The mail detection method according to claim 4, characterized in that the cloud killing system identifying the exception mail among the to-be-killed mail comprises:
identifying whether the source address and/or destination address in the account information is a forged address, obtaining an account information recognition result; and/or identifying whether URL content of a malicious type exists in the URL information, obtaining a URL recognition result; and/or identifying whether an attachment of a malicious type exists in the attachment information, obtaining an attachment recognition result; and/or identifying whether malicious body content exists in the body information, obtaining a body recognition result;
identifying the exception mail according to at least one of the account information recognition result, the URL recognition result, the attachment recognition result and the body recognition result.
6. A mail detection device, characterized by comprising:
an email type identification module, for identifying the email type of each mail, the email type including a safe email type, a dangerous email type and a potentially dangerous email type;
a behavioral data obtaining module, for obtaining the behavioral data of targeted mails according to the email type of each mail;
an exception mail identification module, for performing analysis detection on the behavioral data using a preset behavior analysis model to identify the exception mail among the targeted mails.
7. The mail detection device according to claim 6, characterized in that the exception mail identification module comprises a first recognition unit and/or a second recognition unit;
the first recognition unit, for identifying account brute-force behavior according to the login records of the targeted mails, and determining the mails among the targeted mails that correspond to the account brute-force behavior as exception mail;
the second recognition unit, for identifying mass-mailing behavior according to the mail sending records of the targeted mails, and determining the mails among the targeted mails that correspond to the mass-mailing behavior as exception mail.
8. The mail detection device according to claim 6, characterized by further comprising:
a to-be-killed mail determining module, for determining the to-be-killed mail corresponding to the potentially dangerous email type;
a test object sending module, for sending the test object information corresponding to the to-be-killed mail to a cloud killing system, so that the cloud killing system identifies the exception mail among the to-be-killed mail.
9. The mail detection device according to claim 8, characterized in that the test object sending module is specifically for sending at least one of the account information, URL information, attachment information and body information corresponding to the to-be-killed mail to the cloud killing system, so that the cloud killing system identifies the exception mail among the to-be-killed mail.
10. A computer readable storage medium, characterized in that a computer program is stored on the computer readable storage medium, and the computer program, when executed by a processor, implements the steps of the mail detection method according to any one of claims 1 to 5.
11. A mail detection equipment, characterized by comprising:
a memory, for storing a computer program;
a processor, for implementing the steps of the mail detection method according to any one of claims 1 to 5 when executing the computer program.
12. A mail detection system, characterized by comprising a destination host and a cloud killing server; the destination host comprises the mail detection equipment according to claim 11;
the cloud killing server is for identifying the exception mail among the to-be-killed mail, corresponding to the potentially dangerous email type, sent by the destination host.
13. The mail detection system according to claim 12, characterized in that the cloud killing server is specifically for:
identifying whether the source address and/or destination address in the account information is a forged address, obtaining an account information recognition result; and/or identifying whether URL content of a malicious type exists in the URL information, obtaining a URL recognition result; and/or identifying whether an attachment of a malicious type exists in the attachment information, obtaining an attachment recognition result; and/or identifying whether malicious body content exists in the body information, obtaining a body recognition result; and identifying the exception mail according to at least one of the account information recognition result, the URL recognition result, the attachment recognition result and the body recognition result.
CN201810497358.8A 2018-05-22 2018-05-22 Mail detection method, device, equipment, system and computer readable storage medium Active CN110519150B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810497358.8A CN110519150B (en) 2018-05-22 2018-05-22 Mail detection method, device, equipment, system and computer readable storage medium

Publications (2)

Publication Number Publication Date
CN110519150A true CN110519150A (en) 2019-11-29
CN110519150B CN110519150B (en) 2022-09-30

Family

ID=68622363


Country Status (1)

Country Link
CN (1) CN110519150B (en)

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110995576A (en) * 2019-12-16 2020-04-10 深信服科技股份有限公司 Mail detection method, device, equipment and storage medium
CN111614543A (en) * 2020-04-10 2020-09-01 中国科学院信息工程研究所 URL-based spear phishing mail detection method and system
CN112039874A (en) * 2020-08-28 2020-12-04 绿盟科技集团股份有限公司 Malicious mail identification method and device
CN112163215A (en) * 2020-10-14 2021-01-01 杭州安恒信息技术股份有限公司 Weak password detection method and device and computer equipment
CN112511517A (en) * 2020-11-20 2021-03-16 深信服科技股份有限公司 Mail detection method, device, equipment and medium
CN113282921A (en) * 2021-06-11 2021-08-20 深信服科技股份有限公司 File detection method, device, equipment and storage medium
CN113381983A (en) * 2021-05-19 2021-09-10 清华大学 Method and device for identifying counterfeit e-mail
CN113595994A (en) * 2021-07-12 2021-11-02 深信服科技股份有限公司 Abnormal mail detection method and device, electronic equipment and storage medium
CN114006721A (en) * 2021-09-14 2022-02-01 北京纽盾网安信息技术有限公司 E-mail risk detection method and system
CN117061198A (en) * 2023-08-30 2023-11-14 广东励通信息技术有限公司 Network security early warning system and method based on big data

Citations (20)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050015626A1 (en) * 2003-07-15 2005-01-20 Chasin C. Scott System and method for identifying and filtering junk e-mail messages or spam based on URL content
CN101001244A (en) * 2006-01-13 2007-07-18 腾讯科技(深圳)有限公司 Method and system for removing misdicision of garbage E-mail
CN101188580A (en) * 2007-12-05 2008-05-28 中国联合通信有限公司 A real time spam filtering method and system
CN101540773A (en) * 2009-04-22 2009-09-23 成都市华为赛门铁克科技有限公司 Junk mail detection method and device thereof
CN102223316A (en) * 2011-06-15 2011-10-19 成都市华为赛门铁克科技有限公司 Method and device for processing electronic mail
US20120023182A1 (en) * 2006-10-13 2012-01-26 Pulfer Charles E Security classification of e-mail in a web e-mail access client
CN102413076A (en) * 2011-12-22 2012-04-11 网易(杭州)网络有限公司 Spam mail judging system based on behavior analysis
US8417715B1 (en) * 2007-12-19 2013-04-09 Tilmann Bruckhaus Platform independent plug-in methods and systems for data mining and analytics
US20140006129A1 (en) * 2011-09-15 2014-01-02 Stephan HEATH Systems and methods for mobile and online payment systems for purchases related to mobile and online promotions or offers provided using impressions tracking and analysis, location information, 2d and 3d mapping, mobile mapping, social media, and user behavior and information for generating mobile and internet posted promotions or offers for, and/or sales of, products and/or services in a social network, online or via a mobile device
CN103841094A (en) * 2012-11-27 2014-06-04 阿里巴巴集团控股有限公司 Method and device for judging mail types
US20150172233A1 (en) * 2013-12-16 2015-06-18 Alibaba Group Holding Limited Method, sending terminal, receiving terminal, and system for classifying emails
CN105049334A (en) * 2015-08-04 2015-11-11 新浪网技术(中国)有限公司 E-mail filtering method and device
CN105743876A (en) * 2015-08-28 2016-07-06 哈尔滨安天科技股份有限公司 Method and system for discovering targeted attack based on email source data
CN106027505A (en) * 2016-05-10 2016-10-12 国家电网公司 Anti-accident exercise inspecting and learning system
CN107196844A (en) * 2016-11-28 2017-09-22 北京神州泰岳信息安全技术有限公司 Exception mail recognition methods and device
CN107707462A (en) * 2017-10-31 2018-02-16 下代互联网重大应用技术(北京)工程研究中心有限公司 Spam emergency processing method based on cloud computing
CN107743087A (en) * 2016-10-27 2018-02-27 腾讯科技(深圳)有限公司 The detection method and system of a kind of e-mail attack
US20180124081A1 (en) * 2001-08-16 2018-05-03 The Trustees Of Columbia University In The City Of New York System and methods for detecting malicious email transmission
CN108011809A (en) * 2017-12-04 2018-05-08 北京明朝万达科技股份有限公司 Anti-data-leakage analysis method and system based on user behavior and document content
CN108694202A (en) * 2017-04-10 2018-10-23 上海交通大学 Configurable Spam Filtering System based on sorting algorithm and filter method


Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
ADMIN: "Graylog-based log security audit" (《基于Graylog日志安全审计时间》), http://www.jinglingshu.org/?p=11251 *
VEENA H BHAT et al.: "Classification of email using BeaKS: Behavior and keyword stemming", IEEE *
廖明涛 et al.: "A two-stage spam filtering method based on naive Bayes and hierarchical clustering", 《微电子学与计算机》 (Microelectronics & Computer) *



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant