CN110519150A - Mail-detection method, apparatus, equipment, system and computer readable storage medium - Google Patents
- Publication number: CN110519150A
- Application number: CN201810497358.8A
- Authority: CN (China)
- Prior art keywords: killing, identification, exception, type
- Legal status: Granted (status as listed by Google Patents, not a legal conclusion)
Classifications
- H—ELECTRICITY › H04—ELECTRIC COMMUNICATION TECHNIQUE › H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  - H04L51/00—User-to-user messaging in packet-switching networks, transmitted according to store-and-forward or real-time protocols, e.g. e-mail › H04L51/21—Monitoring or handling of messages › H04L51/23—Reliability checks, e.g. acknowledgments or fault reporting
  - H04L51/00—User-to-user messaging in packet-switching networks, e.g. e-mail › H04L51/42—Mailbox-related aspects, e.g. synchronisation of mailboxes
  - H04L63/00—Network architectures or network communication protocols for network security › H04L63/14—Detecting or protecting against malicious traffic › H04L63/1408—By monitoring network traffic › H04L63/1416—Event detection, e.g. attack signature detection
  - H04L63/00—Network architectures or network communication protocols for network security › H04L63/14—Detecting or protecting against malicious traffic › H04L63/1433—Vulnerability analysis
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Information Transfer Between Computers (AREA)
Abstract
The invention discloses a mail detection method comprising: identifying the mail type of each mail, where the mail types are secure mail, dangerous mail and potentially dangerous mail; obtaining, according to the mail type of each mail, the behavioural data of target mails; and analysing that behavioural data with a preset behaviour-analysis model to identify the abnormal mails among the target mails. Thus, after the type of a mail has been identified, the mail is further subjected to behaviour analysis by the preset model, so that abnormal mails are also identified from the behavioural data of the mail. Identifying abnormal mails from several angles in this way detects more potential security problems and further improves mail security. The invention also discloses a mail detection apparatus, device, system and computer-readable storage medium that achieve the same technical effect.
Description
Technical field
The present invention relates to the field of mail security detection, and more specifically to a mail detection method, apparatus, device, system and computer-readable storage medium.
Background technique
At present, a large volume of e-mail is sent and received in everyday business activity, and mail is an important medium of person-to-person communication. On the other hand, mail is also an important means of spreading viruses and phishing content: the mail protocols themselves have certain security flaws, and because mail is used so frequently it is an obvious target for attackers and easily becomes an attack carrier. Current networks carry a large amount of phishing, fraud and virus-laden business mail. According to statistics, more than half of all ransomware spreads through mail, and phishing and fraud mail can directly cause economic loss to enterprises and users, so mail security is a serious problem today.
Therefore, how to detect mail and improve its security is a problem that those skilled in the art need to solve.
Summary of the invention
The purpose of the present invention is to provide a mail detection method, apparatus, device, system and computer-readable storage medium for detecting mail and thereby improving mail security.
To achieve the above object, the embodiments of the invention provide the following technical solutions:
A mail detection method, comprising:
identifying the mail type of each mail, the mail types comprising secure mail, dangerous mail and potentially dangerous mail;
obtaining, according to the mail type of each mail, the behavioural data of target mails;
analysing the behavioural data with a preset behaviour-analysis model to identify the abnormal mails among the target mails.
Wherein analysing the behavioural data with the preset behaviour-analysis model to identify the abnormal mails among the target mails comprises:
identifying account brute-force behaviour from the login records of the target mails, and determining the target mails associated with that brute-force behaviour to be abnormal mails; and/or
identifying mass-mailing behaviour from the send records of the target mails, and determining the target mails associated with that mass-mailing behaviour to be abnormal mails.
Wherein, after identifying the mail type of each mail, the method further comprises:
determining the mails to be scanned, namely the mails of the potentially dangerous type;
sending the detection-object information of the mails to be scanned to a cloud scanning system (rendered as "cloud killing" in the original), so that the cloud scanning system identifies the abnormal mails among the mails to be scanned.
Wherein sending the detection-object information of the mails to be scanned to the cloud scanning system, so that the cloud scanning system identifies the abnormal mails among them, comprises:
sending at least one of the account information, URL information, attachment information and body-text information of the mails to be scanned to the cloud scanning system, so that the cloud scanning system identifies the abnormal mails among the mails to be scanned.
Wherein the cloud scanning system identifying the abnormal mails among the mails to be scanned comprises:
identifying whether the source address and/or destination address in the account information is forged, obtaining an account-information recognition result; and/or identifying whether the URL information contains URL content of a malicious type, obtaining a URL recognition result; and/or identifying whether the attachment information contains an attachment of a malicious type, obtaining an attachment recognition result; and/or identifying whether the body-text information contains malicious body content, obtaining a text recognition result;
identifying abnormal mails according to at least one of the account-information recognition result, the URL recognition result, the attachment recognition result and the text recognition result.
A mail detection apparatus, comprising:
a mail-type identification module for identifying the mail type of each mail, the mail types comprising secure mail, dangerous mail and potentially dangerous mail;
a behavioural-data acquisition module for obtaining, according to the mail type of each mail, the behavioural data of target mails;
an abnormal-mail identification module for analysing the behavioural data with a preset behaviour-analysis model to identify the abnormal mails among the target mails.
Wherein the abnormal-mail identification module comprises a first recognition unit and/or a second recognition unit:
the first recognition unit identifies account brute-force behaviour from the login records of the target mails and determines the target mails associated with that behaviour to be abnormal mails;
the second recognition unit identifies mass-mailing behaviour from the send records of the target mails and determines the target mails associated with that behaviour to be abnormal mails.
Wherein the apparatus further comprises:
a to-be-scanned mail determination module for determining the mails to be scanned, namely the mails of the potentially dangerous type;
a detection-object sending module for sending the detection-object information of the mails to be scanned to a cloud scanning system, so that the cloud scanning system identifies the abnormal mails among them.
Wherein the detection-object sending module is specifically configured to send at least one of the account information, URL information, attachment information and body-text information of the mails to be scanned to the cloud scanning system, so that the cloud scanning system identifies the abnormal mails among the mails to be scanned.
A computer-readable storage medium on which a computer program is stored; when the computer program is executed by a processor, it implements the steps of the above mail detection method.
A mail detection device, characterised by comprising: a memory for storing a computer program; and a processor which, when executing the computer program, implements the steps of the above mail detection method.
A mail detection system, comprising a target host and a cloud scanning server; the target host comprises the above mail detection apparatus, and the cloud scanning server identifies the abnormal mails among the potentially dangerous mails to be scanned that the target host sends to it.
Wherein the cloud scanning server is specifically configured to: identify whether the source address and/or destination address in the account information is forged, obtaining an account-information recognition result; and/or identify whether the URL information contains URL content of a malicious type, obtaining a URL recognition result; and/or identify whether the attachment information contains an attachment of a malicious type, obtaining an attachment recognition result; and/or identify whether the body-text information contains malicious body content, obtaining a text recognition result; and identify abnormal mails according to at least one of the account-information, URL, attachment and text recognition results.
As the above scheme shows, the mail detection method provided in an embodiment of the invention comprises: identifying the mail type of each mail, the mail types comprising secure mail, dangerous mail and potentially dangerous mail; obtaining, according to the mail type of each mail, the behavioural data of target mails; and analysing the behavioural data with a preset behaviour-analysis model to identify the abnormal mails among the target mails. Thus, after the type of a mail has been identified, the mail is further subjected to behaviour analysis by the preset model, so that abnormal mails are also identified from the behavioural data of the mail. Identifying abnormal mails from several angles in this way detects more potential security problems and further improves mail security. The invention also discloses a mail detection apparatus, device, system and computer-readable storage medium that achieve the same technical effect.
Detailed description of the invention
In order to explain the embodiments of the invention or the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. The drawings described below show only some embodiments of the invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow diagram of a mail detection method disclosed in an embodiment of the invention;
Fig. 2 is a diagram of the division of mail detection objects disclosed in an embodiment of the invention;
Fig. 3 is a flow diagram of another mail detection method disclosed in an embodiment of the invention;
Fig. 4 is a diagram of cloud scanning disclosed in an embodiment of the invention;
Fig. 5 is a structural diagram of a mail detection apparatus disclosed in an embodiment of the invention.
Specific embodiment
The technical solutions in the embodiments of the invention are described clearly and completely below with reference to the drawings of those embodiments. Clearly, the described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments that those of ordinary skill in the art obtain from the embodiments of the invention without creative effort fall within the protection scope of the invention.
The embodiments of the invention disclose a mail detection method, apparatus, device, system and computer-readable storage medium for detecting mail and thereby improving mail security.
Referring to Fig. 1, a mail detection method provided in an embodiment of the invention comprises:
S101: identify the mail type of each mail; the mail types comprise secure mail, dangerous mail and potentially dangerous mail.
Specifically, identifying the mail type of each mail in this embodiment means detecting the mail by methods such as rules, a blacklist/whitelist database and a built-in antivirus engine. Type identification determines the concrete type of a mail and classifies mails coarsely: a secure mail is a safe mail that matches a whitelist rule; a dangerous mail is an abnormal mail that matches a blacklist rule; and the potentially dangerous type covers suspicious mails and unknown mails, where a suspicious mail is one that may carry a security risk but does not belong to the dangerous type, and an unknown mail is one whose type is not covered by the types above.
The above detection methods quickly identify the general type of each mail, but they are limited by the manually extracted rule content, by the updates of the blacklist/whitelist database and by the updates of the antivirus engine's built-in virus database, so most emerging threats can be neither detected nor responded to, and the ability to detect spear-phishing mail and the newest virus-carrying mail in particular is clearly lacking. Therefore, in this application, abnormal mails are further identified from mail behavioural data in S102-S103.
It should be noted that the basic information of each mail must be obtained before this scheme identifies the mail type. Specifically, the fields of each mail are extracted first; the audited fields fall into four classes: connection information, protocol command information, mail header information, and mail body and attachments.
The audited fields are mainly:
1) connection information: source IP, destination IP, protocol type, mail software version, port number, etc.;
2) protocol command information: account login command requests and responses, sender/recipient command requests and responses, mail operation command requests and responses, etc.;
3) mail header information: send date, subject, sender and recipients, body type, etc.;
4) mail body and attachments: the body content is extracted, and mail attachments are stored separately.
Further, this scheme divides a mail into five detection objects, as shown in Fig. 2: mail account, URL information, mail attachment, mail body content and mail send/receive behaviour. They correspond to the audited fields as follows:
1) mail account: the source IP and destination IP in the connection information; the sender, recipients and login account in the SMTP, POP3 and IMAP protocols; and header fields such as sender and recipients;
2) URL information: URLs extracted from the mail body, or potential URL information extracted from the mail body;
3) mail attachment: the mail attachment;
4) mail body content: the mail body content;
5) mail send/receive behaviour: the source IP and destination IP in the connection information; the operations in the command information, such as send rejected, mail deleted and mail moved; and the subject and sender/recipient information in the mail header.
Dividing mails into detection objects noticeably improves the scalability and maintainability of the detection device: detection capability can be developed and improved per detection object, and detection results can be responded to quickly. Because detection capability is tied to a specific detection object, such a detection framework is more flexible.
Once each detection object has been obtained, the mail can be detected with rules, a blacklist/whitelist database and a built-in antivirus engine, much as a traditional mail security device does. This filters mail quickly: while detecting the problems a conventional mail security device can detect, it excludes most normal mail and so improves the efficiency of the subsequent detection.
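The field extraction and five-way split described above, as an added example that is not part of the patent: one constructed mail and a constructed session record (source/destination IP, protocol commands, login account, which a gateway would capture but which are not in the message itself) are mapped onto the five detection objects using only the Python standard library.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Explicit URLs, plus "potential" URLs: bare www. hosts written without a scheme.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
POTENTIAL_URL_RE = re.compile(
    r"(?<![\w/])www\.[\w.-]+\.[a-z]{2,}(?:/[^\s<>\"']*)?", re.IGNORECASE)

# Constructed sample: one multipart mail with a text body and a small attachment.
RAW_MAIL = b"""From: Alice <alice@example.org>
To: bob@example.com
Subject: Invoice attached
Date: Mon, 21 May 2018 10:00:00 +0000
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset="utf-8"

Please see the invoice at http://pay.example.org/inv/42 or visit www.example.net/help
--XYZ
Content-Type: application/octet-stream; name="invoice.zip"
Content-Disposition: attachment; filename="invoice.zip"
Content-Transfer-Encoding: base64

UEsDBBQAAAAIAA==
--XYZ--
"""

# Constructed connection and protocol-command fields, as a gateway would record them.
SESSION = {
    "source_ip": "203.0.113.7", "dest_ip": "198.51.100.25",
    "protocol": "SMTP", "port": 25, "software": "example-mta/1.0 (constructed)",
    "login_account": "alice@example.org",
    "commands": [("MAIL FROM", "250 2.1.0 Ok"), ("RCPT TO", "250 2.1.5 Ok"),
                 ("DATA", "250 2.0.0 Ok")],
}


def split_detection_objects(raw: bytes, session: dict) -> dict:
    """Parse one mail and map its audited fields onto the five detection objects."""
    msg: EmailMessage = email.message_from_bytes(raw, policy=policy.default)
    senders = [a.addr_spec for a in (msg["From"].addresses if msg["From"] else ())]
    recipients = [a.addr_spec for a in (msg["To"].addresses if msg["To"] else ())]

    body_part = msg.get_body(preferencelist=("plain", "html"))
    body_text = body_part.get_content() if body_part is not None else ""

    # Attachments are kept apart from the body; only their metadata is recorded here.
    attachments = [
        {"filename": part.get_filename(), "content_type": part.get_content_type(),
         "size": len(part.get_payload(decode=True) or b"")}
        for part in msg.iter_attachments()
    ]

    urls = URL_RE.findall(body_text)
    potential = [u for u in POTENTIAL_URL_RE.findall(body_text)
                 if not any(u in full for full in urls)]

    return {
        "mail_account": {
            "source_ip": session["source_ip"], "dest_ip": session["dest_ip"],
            "login_account": session["login_account"],
            "senders": senders, "recipients": recipients,
        },
        "url_info": {"urls": urls, "potential_urls": potential},
        "attachments": attachments,
        "body_content": body_text,
        "send_receive_behavior": {
            "source_ip": session["source_ip"], "dest_ip": session["dest_ip"],
            "protocol": session["protocol"], "port": session["port"],
            "commands": list(session["commands"]),
            "subject": str(msg["Subject"]), "date": str(msg["Date"]),
            "senders": senders, "recipients": recipients,
        },
    }


if __name__ == "__main__":
    for name, value in split_detection_objects(RAW_MAIL, SESSION).items():
        print(name, "->", value)
```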
S102: obtain, according to the mail type of each mail, the behavioural data of the target mails.
Specifically, S102-S103 in this scheme can be executed at a set interval; for example, if the interval is set to 3 days, the behavioural data of those three days is obtained once the three days have elapsed. When obtaining behavioural data it must be decided which mails' data to obtain, so in this embodiment the target mails are selected according to the mail type of each mail; the selection rule is not limited here. For example, when detecting account brute-force behaviour with a high number of login failures as the only criterion, whitelisted mails can be understood as safe and blacklisted mails have already been identified as abnormal, so neither type carries a further security risk; the scheme may then be configured to obtain only the behavioural data of the potentially dangerous mails when identifying brute-force behaviour, i.e. to look for abnormal mails only among the potentially dangerous mails. If the login failure rate is taken as the criterion instead, the secure and dangerous mails must be obtained as well.
S103: analyse the behavioural data with the preset behaviour-analysis model to identify the abnormal mails among the target mails.
Specifically, the analysis model in this scheme is built from the behavioural data that users generate when using their mailboxes under normal circumstances; that is, the multi-dimensional behaviour data in the model is the users' normal behaviour, for example the mailbox login times, the frequency with which mail is sent and received, and the usual login addresses. Comparing the behavioural data of the target mails against the behavioural data in the model identifies the abnormal mails among the target mails from their behaviour. Compared with the mail-type identification in S101, identification from behavioural data examines abnormal mails from additional angles and thus improves mail security.
Based on the above embodiment of the mail detection method, in this embodiment analysing the behavioural data with the preset behaviour-analysis model to identify the abnormal mails among the target mails specifically comprises:
identifying account brute-force behaviour from the login records of the target mails, and determining the target mails associated with that brute-force behaviour to be abnormal mails; and/or
identifying mass-mailing behaviour from the send records of the target mails, and determining the target mails associated with that mass-mailing behaviour to be abnormal mails.
It should be noted that the analysis model can detect many kinds of abnormal behaviour, such as account brute-forcing, mass mailing, abnormal login times and abnormal login locations; this embodiment describes only account brute-forcing and mass mailing. Specifically, to identify account brute-force behaviour from login records, the number of failed logins, the number of successful logins, the passwords attempted and similar information for the mail account to be examined over the past period are obtained and analysed with the model; if the account was logged into with a large number of weak passwords and the failure ratio is high, the behaviour is identified as account brute-forcing, and all mails belonging to that behaviour are determined to be abnormal mails.
To identify mass-mailing behaviour from send records, the send records of each account over the past period, including successful and failed sends and the mail subjects, are statistically analysed to identify abnormal behaviour such as mass mailing from a single account or from multiple accounts. For example, sending more mails with the same subject than a predetermined threshold may be judged abnormal; a send failure rate for the same subject above a predetermined threshold may be judged abnormal; or a send failure rate above a predetermined threshold alone may be judged abnormal. This is not limited here, but it should be understood that for mass mailing across multiple accounts the same subject is a necessary condition.
It can be seen that, compared with anomaly identification of single mails, this embodiment identifies the abnormal mails of a user or host over a past period by modelling from the angle of abnormal behaviour, which accurately finds behaviour such as mass spam and account brute-forcing and further improves mail security.
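The two behaviour-analysis checks described above, as an added example that is not the patent's model: login and send records for one detection window are constructed inline, the thresholds standing in for the model's "normal behaviour" baseline are assumptions, and every mail belonging to a flagged (account, subject) pair is reported as abnormal.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginRecord:
    account: str
    success: bool
    weak_password: bool  # the attempted password matched a weak-password list


@dataclass(frozen=True)
class SendRecord:
    account: str
    mail_id: str
    subject: str
    success: bool


# Thresholds standing in for the model's "normal behaviour" baseline (constructed).
BASELINE = {
    "min_weak_attempts": 3,    # weak-password logins before brute force is considered
    "max_login_failures": 5,   # absolute failed-login count tolerated in the window
    "max_fail_ratio": 0.5,     # failed / all login attempts
    "mass_subject_count": 20,  # same-subject sends tolerated in the window
    "mass_fail_rate": 0.6,     # failed / all sends of one subject
    "min_sends": 5,            # ignore failure rates computed from very few sends
}


def detect_account_brute_force(logins, baseline=BASELINE) -> set:
    """Accounts logged into with many weak passwords and a high failure ratio."""
    per_account = defaultdict(list)
    for rec in logins:
        per_account[rec.account].append(rec)
    flagged = set()
    for account, recs in per_account.items():
        failures = sum(1 for r in recs if not r.success)
        weak = sum(1 for r in recs if r.weak_password)
        if (weak >= baseline["min_weak_attempts"]
                and failures > baseline["max_login_failures"]
                and failures / len(recs) > baseline["max_fail_ratio"]):
            flagged.add(account)
    return flagged


def detect_mass_mailing(sends, baseline=BASELINE) -> dict:
    """Map (accounts, subject) -> reason for every mass-mailing anomaly.

    Single account: same-subject count above threshold, or failure rate for
    that subject above threshold. Multiple accounts: counted jointly, with the
    same subject as the necessary condition.
    """
    by_subject = defaultdict(lambda: defaultdict(list))
    for rec in sends:
        by_subject[rec.subject][rec.account].append(rec.success)
    anomalies = {}
    for subject, accounts in by_subject.items():
        joint = [ok for results in accounts.values() for ok in results]
        if len(accounts) > 1 and len(joint) > baseline["mass_subject_count"]:
            anomalies[(tuple(sorted(accounts)), subject)] = "multi-account mass mailing"
        for account, results in accounts.items():
            fail_rate = results.count(False) / len(results)
            if len(results) > baseline["mass_subject_count"]:
                anomalies[((account,), subject)] = "subject count above threshold"
            elif len(results) >= baseline["min_sends"] and fail_rate > baseline["mass_fail_rate"]:
                anomalies[((account,), subject)] = "send failure rate above threshold"
    return anomalies


def abnormal_mail_ids(sends, anomalies) -> set:
    """Every mail that belongs to a flagged (account, subject) pair is abnormal."""
    flagged = {(acc, subject) for accounts, subject in anomalies for acc in accounts}
    return {rec.mail_id for rec in sends if (rec.account, rec.subject) in flagged}


# Constructed records for one detection window.
LOGINS = (
    [LoginRecord("u1", False, True)] * 8 + [LoginRecord("u1", True, False)]
    + [LoginRecord("u2", False, False)] * 2 + [LoginRecord("u2", True, False)] * 5
    + [LoginRecord("u3", False, False)] * 6   # failures, but no weak passwords
)


def _sends(account, subject, n_ok, n_fail):
    return [SendRecord(account, f"{account}-{subject}-{i}", subject, i < n_ok)
            for i in range(n_ok + n_fail)]


SENDS = (_sends("u2", "Invoice", 25, 0)        # one account, 25 x same subject
         + _sends("u4", "Win a prize", 1, 5)   # mostly rejected sends
         + _sends("u5", "Promo", 8, 0) + _sends("u6", "Promo", 8, 0)
         + _sends("u7", "Promo", 8, 0)         # three accounts, same subject
         + _sends("u8", "Hello", 3, 0))        # normal


if __name__ == "__main__":
    print("brute-forced accounts:", detect_account_brute_force(LOGINS))
    found = detect_mass_mailing(SENDS)
    for key, reason in found.items():
        print(key, "->", reason)
    print("abnormal mails:", len(abnormal_mail_ids(SENDS, found)))
```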
Referring to Fig. 3, another mail detection method provided in an embodiment of the invention comprises:
S201: identify the mail type of each mail; the mail types comprise secure mail, dangerous mail and potentially dangerous mail;
S202: obtain, according to the mail type of each mail, the behavioural data of the target mails;
S203: analyse the behavioural data with the preset behaviour-analysis model to identify the abnormal mails among the target mails;
It should be noted that S201-S203 in this embodiment are identical to S101-S103 of the above method embodiment; refer to that embodiment for the details, which are not repeated here.
S204: determine the mails to be scanned, namely the mails of the potentially dangerous type;
S205: send the detection-object information of the mails to be scanned to the cloud scanning system, so that the cloud scanning system identifies the abnormal mails among the mails to be scanned.
Specifically, identifying mail only locally can leave security gaps because the recognition rules are not kept up to date. This embodiment therefore uses cloud scanning: the mails of the potentially dangerous type are uploaded to the cloud and scanned using the strong computing capability and the newest and richest detection criteria of the cloud server, so that abnormal mails are identified as far as possible.
It should be noted that S204-S205 and S202-S203 are two parallel detection modes: S202-S203 identifies abnormal mails from the users' behavioural data, while S204-S205 identifies abnormal mails by cloud scanning. The two can also be performed together. That is, in this embodiment, on the basis of the first layer of detection in S201, which identifies the mail type, S202-S203 serves as a second layer that identifies abnormal mails from behavioural data, and S204-S205 serves as a third layer that identifies abnormal mails by cloud scanning; filtering through these three layers of detection maximises detection capability.
In this embodiment, sending the detection-object information of the mails to be scanned to the cloud scanning system specifically comprises: sending at least one of the account information, URL information, attachment information and body-text information of the mails to be scanned to the cloud scanning system;
and the cloud scanning system identifying the abnormal mails among the mails to be scanned comprises:
identifying whether the source address and/or destination address in the account information is forged, obtaining an account-information recognition result; and/or identifying whether the URL information contains URL content of a malicious type, obtaining a URL recognition result; and/or identifying whether the attachment information contains an attachment of a malicious type, obtaining an attachment recognition result; and/or identifying whether the body-text information contains malicious body content, obtaining a text recognition result;
identifying abnormal mails according to at least one of the account-information recognition result, the URL recognition result, the attachment recognition result and the text recognition result.
Specifically, it was determined before detection that the five detection-object classes are mail account, URL information, mail attachment, mail body content and mail send/receive behaviour. The send/receive behaviour is the behavioural data of S102-S103 and S202-S203; the other four classes are the detection-object information of the mails to be scanned that this embodiment sends for cloud scanning. Not all four classes need to be sent for every mail: this depends on the information the mail itself contains, since for example not every mail has an attachment or body content.
Referring to Fig. 4, the cloud scanning diagram provided in this embodiment, the scheme can perform recognition on at least one of the mail account, the URLs in the mail body, the mail attachment and the mail body content, and determines from the individual results whether the mail is abnormal. Specifically:
account cloud scanning: mainly legitimacy checking; judges whether the source IP and destination IP are legitimate and identifies forgery;
URL cloud scanning: mainly fetches the URL content, analyses the URL and classifies it, the categories including phishing, ransom and advertising;
attachment cloud scanning: multi-engine scanning of the attachment, outputting the file's classification;
text cloud scanning: for suspicious body text, further semantic and sentiment analysis with a model, outputting the topic and malice type of the text.
In summary, this embodiment mainly comprises three layers of detection. The first layer is traditional rule-based, blacklist/whitelist and built-in antivirus detection, which identifies the type of the mail. The second layer is behaviour-analysis detection, which analyses the send/receive behaviour of each account, extracts features, analyses them with an algorithm, and further analyses the results to identify abnormal mails. The third layer is cloud scanning detection, which mainly uploads the suspicious objects in the mail to the cloud for analysis. The detection capability of each layer is independent of the others, so this three-layer filtering noticeably improves mail security detection capability. At the same time, the scheme divides mails by detection object, which makes it easy to develop and extend detection capability for different detection objects, to release new detection capability quickly and to respond to security incidents; it has the advantages of strong detection capability, good scalability and easy maintenance.
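The routing between the three layers, as an added example that is not the patent's code: layer-1 typing from constructed whitelist/blacklist tables, the S102 rule for which mails feed the behaviour layer, the per-mail choice of detection objects to upload, and the combination of the four cloud results into one verdict. The cloud system itself is not implemented; `VERDICTS` stands in for its responses, and the rule tables, hash placeholders and the treatment of the "advertisement" category as non-malicious are assumptions.

```python
from enum import Enum


class MailType(Enum):
    SECURE = "secure"                # matches a whitelist rule
    DANGEROUS = "dangerous"          # matches a blacklist rule or an antivirus hit
    POTENTIAL = "potential_danger"   # suspicious or unknown


# Layer 1 rule tables (constructed placeholders, not real indicators).
WHITELIST_DOMAINS = {"corp.example"}
BLACKLIST_DOMAINS = {"evil.example"}
BLACKLIST_ATTACHMENT_HASHES = {"PLACEHOLDER_BAD_SHA256"}
# URL categories the cloud may return; "advertisement" is assumed not to be malicious.
MALICIOUS_URL_CATEGORIES = {"phishing", "ransom"}


def classify(mail: dict) -> MailType:
    """Layer 1: rule / whitelist / blacklist / built-in antivirus typing."""
    domain = mail["sender"].rsplit("@", 1)[-1].lower()
    hashes = {a["sha256"] for a in mail.get("attachments", [])}
    if domain in BLACKLIST_DOMAINS or hashes & BLACKLIST_ATTACHMENT_HASHES or mail.get("av_hit"):
        return MailType.DANGEROUS
    if domain in WHITELIST_DOMAINS:
        return MailType.SECURE
    return MailType.POTENTIAL


def select_targets(mails, criterion: str) -> list:
    """S102: with the absolute failure count as the only criterion, secure and
    dangerous mails add nothing, so only potential-danger mails are taken; a
    failure *rate* needs the whole population as its denominator."""
    if criterion == "failure_count":
        return [m for m in mails if classify(m) is MailType.POTENTIAL]
    if criterion == "failure_rate":
        return list(mails)
    raise ValueError(f"unknown criterion: {criterion}")


def cloud_request(mail: dict) -> dict:
    """Layer 3 upload for a potential-danger mail: only the objects it actually has."""
    req = {"account": {"source_ip": mail["source_ip"], "dest_ip": mail["dest_ip"],
                       "sender": mail["sender"], "recipients": mail["recipients"]}}
    if mail.get("urls"):
        req["urls"] = list(mail["urls"])
    if mail.get("attachments"):
        req["attachments"] = [a["sha256"] for a in mail["attachments"]]
    if mail.get("body"):
        req["text"] = mail["body"]
    return req


def judge_cloud_verdict(verdict: dict) -> list:
    """Combine the four per-object results: any positive result is a reason."""
    reasons = []
    acct = verdict.get("account", {})
    if acct.get("source_forged") or acct.get("dest_forged"):
        reasons.append("forged address")
    reasons += [f"url:{cat}" for cat in verdict.get("urls", {}).values()
                if cat in MALICIOUS_URL_CATEGORIES]
    reasons += [f"attachment:{name}" for name, engines in verdict.get("attachments", {}).items()
                if any(engines.values())]   # any engine of the multi-engine scan
    if verdict.get("text", {}).get("malice_type"):
        reasons.append(f"text:{verdict['text']['malice_type']}")
    return reasons


def run_pipeline(mails, verdicts: dict) -> dict:
    """Layer 1 typing, then cloud scanning of the potential-danger mails only."""
    result = {}
    for mail in mails:
        mtype = classify(mail)
        if mtype is MailType.DANGEROUS:
            result[mail["id"]] = ("abnormal", ["layer1:blacklist"])
        elif mtype is MailType.SECURE:
            result[mail["id"]] = ("secure", [])
        else:
            cloud_request(mail)   # the objects that would be uploaded
            reasons = judge_cloud_verdict(verdicts.get(mail["id"], {}))
            result[mail["id"]] = ("abnormal" if reasons else "normal", reasons)
    return result


# Constructed mails (already reduced to detection objects) and cloud responses.
MAILS = [
    {"id": "a", "sender": "alice@corp.example", "recipients": ["bob@corp.example"],
     "source_ip": "192.0.2.10", "dest_ip": "192.0.2.25", "body": "weekly report"},
    {"id": "b", "sender": "x@evil.example", "recipients": ["bob@corp.example"],
     "source_ip": "203.0.113.9", "dest_ip": "192.0.2.25", "body": "open now"},
    {"id": "c", "sender": "pay@unknown.example", "recipients": ["bob@corp.example"],
     "source_ip": "203.0.113.5", "dest_ip": "192.0.2.25",
     "urls": ["http://pay.unknown.example/login"], "body": "verify your account"},
    {"id": "d", "sender": "carol@other.example", "recipients": ["bob@corp.example"],
     "source_ip": "198.51.100.3", "dest_ip": "192.0.2.25",
     "attachments": [{"name": "notes.zip", "sha256": "PLACEHOLDER_SHA256_1"}], "body": "notes"},
]
VERDICTS = {
    "c": {"account": {"source_forged": False, "dest_forged": False},
          "urls": {"http://pay.unknown.example/login": "phishing"},
          "text": {"topic": "account verification", "malice_type": None}},
    "d": {"account": {"source_forged": False, "dest_forged": False},
          "attachments": {"notes.zip": {"engine_a": False, "engine_b": False}},
          "text": {"topic": "notes", "malice_type": None}},
}
```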
Mail-detection device provided in an embodiment of the present invention is introduced below, mail-detection device described below with
Above-described mail-detection method can be cross-referenced.
Referring to Fig. 5, a kind of mail-detection device provided in an embodiment of the present invention, comprising:
an email type identification module 100, for identifying the email type of each mail, the email type including a safe email type, a dangerous email type and a potentially dangerous email type;
a behavioural data obtaining module 200, for obtaining the behavioural data of target mails according to the email type of each mail;
an exception mail identification module 300, for performing analysis detection on the behavioural data using a preset behavioural analysis model and identifying the exception mail among the target mails.
Wherein the exception mail identification module includes a first recognition unit and/or a second recognition unit:
the first recognition unit is for identifying account brute-forcing behaviour according to the login records of the target mails, and determining the mail in the target mails corresponding to the account brute-forcing behaviour as exception mail;
the second recognition unit is for identifying bulk-mailing behaviour according to the sending records of the target mails, and determining the mail in the target mails corresponding to the bulk-mailing behaviour as exception mail.
Wherein this scheme further includes:
a mail-to-be-scanned determining module, for determining the mail to be scanned that corresponds to the potentially dangerous email type;
a detection object sending module, for sending the detection object information corresponding to the mail to be scanned to a cloud scanning system, so that the cloud scanning system identifies the exception mail among the mail to be scanned.
Wherein the detection object sending module is specifically for sending at least one of the account information, URL information, attachment information and text information corresponding to the mail to be scanned to the cloud scanning system, so that the cloud scanning system identifies the exception mail among the mail to be scanned.
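As an added example (not the patent's own code) of the first two layers and the device modules described above, in Python: first-layer typing from black/white lists and an antivirus verdict, then the two recognition units of the second layer run over constructed login and sending records, with potentially dangerous mail routed on to cloud scanning. The thresholds, the shapes of the login and sending records, the sample data and the rule that target mails are all non-safe mails are assumptions; claims 1 to 4 restate the same steps.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Thresholds are assumptions for this example; the patent states no numbers.
BRUTE_FORCE_FAILURES, BRUTE_FORCE_WINDOW = 5, timedelta(minutes=10)
BULK_SEND_COUNT, BULK_SEND_WINDOW = 10, timedelta(minutes=5)
SAFE, DANGEROUS, POTENTIAL = "safe", "dangerous", "potentially_dangerous"

@dataclass
class Mail:
    mail_id: str
    account: str          # mailbox account the mail was sent from
    sender_domain: str
    sent_at: datetime
    av_hit: bool = False  # built-in antivirus flagged the mail

def identify_type(mail, whitelist, blacklist):
    """First layer: black/white lists plus the built-in antivirus verdict."""
    if mail.av_hit or mail.sender_domain in blacklist:
        return DANGEROUS
    return SAFE if mail.sender_domain in whitelist else POTENTIAL

def dense_indices(times, window, threshold):
    """Indices of a time-sorted list lying in some window that holds >= threshold events."""
    flagged, start = set(), 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        if end - start + 1 >= threshold:
            flagged.update(range(start, end + 1))
    return flagged

def brute_forced_accounts(logins):
    """First recognition unit. logins are (account, time, success) tuples (assumed shape);
    returns account -> time its burst of failed logins began."""
    fails = defaultdict(list)
    for account, at, success in logins:
        if not success:
            fails[account].append(at)
    hits = {}
    for account, times in fails.items():
        times.sort()
        idx = dense_indices(times, BRUTE_FORCE_WINDOW, BRUTE_FORCE_FAILURES)
        if idx:
            hits[account] = times[min(idx)]
    return hits

def bulk_mail_ids(mails):
    """Second recognition unit: ids of mails inside a per-account sending burst."""
    by_account = defaultdict(list)
    for m in mails:
        by_account[m.account].append(m)
    flagged = set()
    for ms in by_account.values():
        ms.sort(key=lambda m: m.sent_at)
        idx = dense_indices([m.sent_at for m in ms], BULK_SEND_WINDOW, BULK_SEND_COUNT)
        flagged.update(ms[i].mail_id for i in idx)
    return flagged

def detect(mails, logins, whitelist, blacklist):
    """Returns (exception id -> reason, ids for cloud scanning); assumed: targets are all non-safe mails."""
    types = {m.mail_id: identify_type(m, whitelist, blacklist) for m in mails}
    targets = [m for m in mails if types[m.mail_id] != SAFE]
    bursts, bulk = brute_forced_accounts(logins), bulk_mail_ids(targets)
    exceptions = {}
    for m in targets:
        if m.account in bursts and m.sent_at >= bursts[m.account]:
            exceptions[m.mail_id] = "account_brute_force"  # sent after the burst began
        elif m.mail_id in bulk:
            exceptions[m.mail_id] = "bulk_mail"
    to_scan = {m.mail_id for m in targets if types[m.mail_id] == POTENTIAL}
    return exceptions, to_scan

# Constructed sample: alice's account is brute-forced and then sends; bob sends 12 mails in two minutes.
T0 = datetime(2018, 5, 22, 9, 0)
SAMPLE_LOGINS = [("alice", T0 + timedelta(seconds=20 * i), False) for i in range(6)]
SAMPLE_MAILS = [Mail("a1", "alice", "partner.example", T0 + timedelta(minutes=15)),
                Mail("c1", "carol", "trusted.example", T0), Mail("d1", "dave", "partner.example", T0, av_hit=True)]
SAMPLE_MAILS += [Mail(f"b{i}", "bob", "partner.example", T0 + timedelta(seconds=10 * i)) for i in range(12)]
WHITELIST, BLACKLIST = {"trusted.example"}, {"evil.example"}
```

Running `detect(SAMPLE_MAILS, SAMPLE_LOGINS, WHITELIST, BLACKLIST)` flags a1 as sent from a brute-forced account and b0 to b11 as bulk mail, keeps the safe mail c1 out of the target set entirely, and hands the potentially dangerous mails on to the cloud while d1 (antivirus hit) is already typed dangerous.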
The present embodiment also provides a computer readable storage medium on which a computer program is stored; when the computer program is executed by a processor, the steps of the above mail detection method are realized.
Wherein the storage medium may include: a USB flash disk, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or any other medium that can store program code.
The present embodiment also provides mail detection equipment, comprising a memory for storing a computer program, and a processor for realizing the steps of the above mail detection method when executing the computer program.
The present embodiment also provides a mail detection system, including a target host and a cloud scanning server; the target host includes the above mail detection equipment;
the cloud scanning server is for identifying the exception mail among the mail to be scanned, corresponding to the potentially dangerous email type, that the target host sends.
Wherein the cloud scanning server is specifically for: identifying whether the source address and/or destination address in the account information is a forged address, obtaining an account information recognition result; and/or identifying whether URL content of a malicious type exists in the URL information, obtaining a URL recognition result; and/or identifying whether an attachment of a malicious type exists in the attachment information, obtaining an attachment recognition result; and/or identifying whether malicious body content exists in the text information, obtaining a text recognition result; and identifying exception mail according to at least one of the account information recognition result, the URL recognition result, the attachment recognition result and the text recognition result.
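As an added example (not the patent's or any product's code) of the cloud scanning server's four recognition results and how they combine into a verdict, in Python. The concrete forgery, URL, attachment and text heuristics, the indicator lists, the shape of the uploaded detection object and the sample object are constructed assumptions, since the patent names none; claims 5 and 13 restate the same checks.

```python
import re
from urllib.parse import urlsplit

# Indicator lists and heuristics are constructed for this example; the patent names none.
MALICIOUS_DOMAINS = {"bad.example", "phish.example"}
DANGEROUS_EXTENSIONS = {"exe", "scr", "js", "vbs", "hta", "bat"}
MAGIC = {b"MZ": "exe", b"%PDF": "pdf", b"PK\x03\x04": "zip"}  # real content type by leading bytes
PHISHING_PHRASES = ("verify your account", "password will expire", "urgent", "click here")

def check_account(account):
    """Forged-address check: the From domain must match the envelope sender and any Reply-To."""
    def dom(addr):
        return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    src, env = dom(account["from"]), dom(account["envelope_from"])
    reply = dom(account.get("reply_to", account["from"]))
    return {"forged": src != env or reply != src}

def check_urls(urls):
    """Malicious URL types: listed domain, raw-IP host, credentials in the authority part."""
    hits = []
    for u in urls:
        parts = urlsplit(u)
        host = (parts.hostname or "").lower()
        if host in MALICIOUS_DOMAINS or any(host.endswith("." + d) for d in MALICIOUS_DOMAINS):
            hits.append((u, "listed_domain"))
        elif re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            hits.append((u, "ip_literal_host"))
        elif parts.username is not None:
            hits.append((u, "userinfo_in_url"))
    return hits

def check_attachments(attachments):
    """Malicious attachment types: executable extension, double extension, content/extension mismatch.
    attachments are (filename, leading bytes) pairs (assumed shape)."""
    hits = []
    for name, head in attachments:
        parts = name.lower().split(".")
        ext = parts[-1] if len(parts) > 1 else ""
        real = next((t for magic, t in MAGIC.items() if head.startswith(magic)), None)
        if ext in DANGEROUS_EXTENSIONS:
            hits.append((name, "executable_type"))
        elif len(parts) > 2 and parts[-2] in {"pdf", "doc", "jpg", "txt"}:
            hits.append((name, "double_extension"))
        elif real and real != ext and not (real == "zip" and ext in {"docx", "xlsx"}):
            hits.append((name, f"content_is_{real}"))  # e.g. a PE file named .pdf
    return hits

def check_text(text):
    """Malicious body text: count phishing phrases; a score of 2 or more is treated as malicious."""
    score = sum(p in text.lower() for p in PHISHING_PHRASES)
    return {"score": score, "malicious": score >= 2}

def cloud_scan(obj):
    """Combine the four recognition results; any positive verdict marks the mail as an exception."""
    results = {"account": check_account(obj["account"]),
               "urls": check_urls(obj.get("urls", [])),
               "attachments": check_attachments(obj.get("attachments", [])),
               "text": check_text(obj.get("text", ""))}
    reasons = ["forged_address"] if results["account"]["forged"] else []
    reasons += [f"url:{why}" for _, why in results["urls"]]
    reasons += [f"attachment:{why}" for _, why in results["attachments"]]
    if results["text"]["malicious"]:
        reasons.append("malicious_text")
    return {"exception": bool(reasons), "reasons": reasons, "results": results}

# Constructed detection object, as the target host would upload it for a potentially dangerous mail.
SAMPLE_OBJECT = {
    "account": {"from": "it-support@corp.example", "envelope_from": "bounce@phish.example",
                "reply_to": "helpdesk@phish.example"},
    "urls": ["https://login.phish.example/reset", "http://203.0.113.5/portal"],
    "attachments": [("invoice.pdf.exe", b"MZ\x90\x00"), ("report.pdf", b"MZ\x90\x00"),
                    ("notes.docx", b"PK\x03\x04")],
    "text": "URGENT: your password will expire today, click here to verify your account.",
}
```

`cloud_scan(SAMPLE_OBJECT)` returns an exception verdict with one reason per positive check, while the legitimate `notes.docx` (a ZIP container, as Office files are) produces no hit.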
Each embodiment in this specification is described in a progressive manner; each embodiment highlights its differences from the other embodiments, and the same or similar parts of the embodiments may refer to each other.
The foregoing description of the disclosed embodiments enables those skilled in the art to implement or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the general principles defined herein can be realized in other embodiments without departing from the spirit or scope of the present invention. Therefore, the present invention is not intended to be limited to the embodiments shown herein, but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
Claims (13)
1. A mail detection method, characterized by comprising:
identifying the email type of each mail, the email type including a safe email type, a dangerous email type and a potentially dangerous email type;
obtaining the behavioural data of target mails according to the email type of each mail;
performing analysis detection on the behavioural data using a preset behavioural analysis model, and identifying the exception mail among the target mails.
2. The mail detection method according to claim 1, characterized in that performing analysis detection on the behavioural data using a preset behavioural analysis model and identifying the exception mail among the target mails comprises:
identifying account brute-forcing behaviour according to the login records of the target mails, and determining the mail in the target mails corresponding to the account brute-forcing behaviour as exception mail; and/or
identifying bulk-mailing behaviour according to the sending records of the target mails, and determining the mail in the target mails corresponding to the bulk-mailing behaviour as exception mail.
3. The mail detection method according to claim 1, characterized in that, after identifying the email type of each mail, the method further comprises:
determining the mail to be scanned that corresponds to the potentially dangerous email type;
sending the detection object information corresponding to the mail to be scanned to a cloud scanning system, so that the cloud scanning system identifies the exception mail among the mail to be scanned.
4. The mail detection method according to claim 3, characterized in that sending the detection object information corresponding to the mail to be scanned to a cloud scanning system, so that the cloud scanning system identifies the exception mail among the mail to be scanned, comprises:
sending at least one of the account information, URL information, attachment information and text information corresponding to the mail to be scanned to the cloud scanning system, so that the cloud scanning system identifies the exception mail among the mail to be scanned.
5. The mail detection method according to claim 4, characterized in that the cloud scanning system identifying the exception mail among the mail to be scanned comprises:
identifying whether the source address and/or destination address in the account information is a forged address, obtaining an account information recognition result; and/or identifying whether URL content of a malicious type exists in the URL information, obtaining a URL recognition result; and/or identifying whether an attachment of a malicious type exists in the attachment information, obtaining an attachment recognition result; and/or identifying whether malicious body content exists in the text information, obtaining a text recognition result;
identifying exception mail according to at least one of the account information recognition result, the URL recognition result, the attachment recognition result and the text recognition result.
6. A mail detection device, characterized by comprising:
an email type identification module, for identifying the email type of each mail, the email type including a safe email type, a dangerous email type and a potentially dangerous email type;
a behavioural data obtaining module, for obtaining the behavioural data of target mails according to the email type of each mail;
an exception mail identification module, for performing analysis detection on the behavioural data using a preset behavioural analysis model and identifying the exception mail among the target mails.
7. The mail detection device according to claim 6, characterized in that the exception mail identification module includes a first recognition unit and/or a second recognition unit;
the first recognition unit is for identifying account brute-forcing behaviour according to the login records of the target mails, and determining the mail in the target mails corresponding to the account brute-forcing behaviour as exception mail;
the second recognition unit is for identifying bulk-mailing behaviour according to the sending records of the target mails, and determining the mail in the target mails corresponding to the bulk-mailing behaviour as exception mail.
8. The mail detection device according to claim 6, characterized by further comprising:
a mail-to-be-scanned determining module, for determining the mail to be scanned that corresponds to the potentially dangerous email type;
a detection object sending module, for sending the detection object information corresponding to the mail to be scanned to a cloud scanning system, so that the cloud scanning system identifies the exception mail among the mail to be scanned.
9. The mail detection device according to claim 8, characterized in that the detection object sending module is specifically for sending at least one of the account information, URL information, attachment information and text information corresponding to the mail to be scanned to the cloud scanning system, so that the cloud scanning system identifies the exception mail among the mail to be scanned.
10. A computer readable storage medium, characterized in that a computer program is stored on the computer readable storage medium, and the computer program, when executed by a processor, realizes the steps of the mail detection method according to any one of claims 1 to 5.
11. Mail detection equipment, characterized by comprising:
a memory, for storing a computer program;
a processor, for realizing the steps of the mail detection method according to any one of claims 1 to 5 when executing the computer program.
12. A mail detection system, characterized by including a target host and a cloud scanning server; the target host includes the mail detection equipment according to claim 11;
the cloud scanning server is for identifying the exception mail among the mail to be scanned, corresponding to the potentially dangerous email type, that the target host sends.
13. The mail detection system according to claim 12, characterized in that the cloud scanning server is specifically for: identifying whether the source address and/or destination address in the account information is a forged address, obtaining an account information recognition result; and/or identifying whether URL content of a malicious type exists in the URL information, obtaining a URL recognition result; and/or identifying whether an attachment of a malicious type exists in the attachment information, obtaining an attachment recognition result; and/or identifying whether malicious body content exists in the text information, obtaining a text recognition result; and identifying exception mail according to at least one of the account information recognition result, the URL recognition result, the attachment recognition result and the text recognition result.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810497358.8A CN110519150B (en) | 2018-05-22 | 2018-05-22 | Mail detection method, device, equipment, system and computer readable storage medium |
Publications (2)
Publication Number | Publication Date |
---|---|
CN110519150A true CN110519150A (en) | 2019-11-29 |
CN110519150B CN110519150B (en) | 2022-09-30 |
Family
ID=68622363
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||