CN113726806A - BEC mail detection method, device and system and readable storage medium - Google Patents

Info

Publication number
CN113726806A
Authority
CN
China
Prior art keywords
abnormal
mailbox account
mail
bec
mailbox
Legal status
Withdrawn
Application number
CN202111031344.5A
Other languages
Chinese (zh)
Inventor
丁雄
范渊
刘博�
Current Assignee
DBAPPSecurity Co Ltd
Original Assignee
DBAPPSecurity Co Ltd
Application filed by DBAPPSecurity Co Ltd
Priority to CN202111031344.5A
Publication of CN113726806A

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic > H04L 63/1441 Countermeasures against malicious traffic > H04L 63/1483 Countermeasures against malicious traffic: service impersonation, e.g. phishing, pharming or web spoofing
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 51/00 User-to-user messaging in packet-switching networks, transmitted according to store-and-forward or real-time protocols, e.g. e-mail > H04L 51/42 Mailbox-related aspects, e.g. synchronisation of mailboxes
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic > H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic > H04L 63/1425 Traffic logging, e.g. anomaly detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

The invention discloses a BEC mail detection method, device, system and computer-readable storage medium. The method comprises: for each mailbox account, acquiring various current behavior characteristics of the mailbox account; analyzing the various current behavior characteristics of the mailbox account against the corresponding historical behavior characteristics to obtain the comprehensive abnormal condition of the mailbox account; determining abnormal mailbox accounts according to the comprehensive abnormal condition of each mailbox account; and performing BEC mail detection on the abnormal mailbox accounts. The invention can improve the accuracy of BEC mail detection and the security of mailbox accounts in use.

Description

BEC mail detection method, device and system and readable storage medium
Technical Field
The invention relates to the technical field of information security, in particular to a BEC mail detection method, a BEC mail detection device, a BEC mail detection system and a computer readable storage medium.
Background
Phishing mail is an attack that relies on social engineering. BEC (Business Email Compromise, i.e. business e-mail fraud) is an advanced form of phishing mail and a type of spear-phishing mail. Compared with ordinary phishing mail, BEC mail is extremely targeted: it is directed phishing aimed specifically at the senior management of an enterprise, and its harm is far greater than that of ordinary phishing mail.
BEC mail generally contains no attachments or links; the attack is carried out purely by social engineering. The attacker typically impersonates a leader or business partner, adopts that person's manner of speaking, and uses urgent wording to ask the recipient to transfer money or to continue the conversation. Under time pressure or out of trust, recipients often transfer funds directly to the given account or take the further action they are instructed to take. The success rate of this attack is high, the losses are huge, and in recent years BEC attacks against the senior management of enterprises have become more and more frequent.
Because BEC mail contains no links or attachments, the traditional attachment-based or link-based detection used for phishing mail, and even for spear-phishing mail, is ineffective. NLP methods based purely on grammatical and lexical analysis also perform poorly, because BEC mails are scarce and highly targeted, leaving little data to learn from.
In view of this, how to provide a BEC mail detection method, device, system and computer-readable storage medium with high detection accuracy is a problem to be solved by those skilled in the art.
Disclosure of Invention
The embodiments of the invention aim to provide a BEC mail detection method, device, system and computer-readable storage medium that can improve the accuracy of BEC mail detection and the security of mailbox accounts in use.
In order to solve the above technical problem, an embodiment of the present invention provides a BEC mail detection method, comprising:
for each mailbox account, acquiring various current behavior characteristics of the mailbox account;
analyzing the various current behavior characteristics of the mailbox account against the corresponding historical behavior characteristics to obtain the comprehensive abnormal condition of the mailbox account;
determining abnormal mailbox accounts according to the comprehensive abnormal condition of each mailbox account;
and performing BEC mail detection on the abnormal mailbox accounts.
Optionally, the process of analyzing the various current behavior characteristics of the mailbox account and the corresponding historical behavior characteristics to obtain the comprehensive abnormal condition of the mailbox account is:
acquiring the normal historical behavior baseline corresponding to each behavior characteristic, established in advance from the historical behavior characteristics of the mailbox account;
comparing the characteristic value of each current behavior characteristic of the mailbox account with the corresponding normal historical behavior baseline to obtain a first abnormal score for each type of current behavior characteristic;
calculating a comprehensive abnormal score of the mailbox account from the first abnormal scores of the types of current behavior characteristics;
and the determining of abnormal mailbox accounts according to the comprehensive abnormal condition of each mailbox account is:
analyzing the comprehensive abnormal score of each mailbox account to determine the abnormal mailbox accounts.
Optionally, the process of establishing in advance the normal historical behavior baselines corresponding to the various behavior characteristics from the historical behavior characteristics of the mailbox account comprises:
for each mailbox account, acquiring in advance the historical audit log and historical mail data of the mailbox account;
extracting each type of historical behavior characteristic from the historical audit log and historical mail data of the mailbox account;
and establishing, for each type of historical behavior characteristic, a normal historical behavior baseline corresponding to that characteristic, so as to obtain a normal historical behavior baseline for each type of behavior characteristic of each mailbox account.
Optionally, the analyzing of the comprehensive abnormal score of each mailbox account to determine the abnormal mailbox accounts comprises:
sorting the comprehensive abnormal scores of the mailbox accounts from largest to smallest;
and taking the mailbox accounts whose comprehensive abnormal score is greater than a first preset value, or the mailbox accounts ranked within a preset top number, as the abnormal mailbox accounts.
Optionally, the process of performing BEC mail detection on the abnormal mailbox account includes:
acquiring all mails of the abnormal mailbox account in a preset time period;
deleting, from all the mails, those containing attachments or links or containing no digits, to obtain the remaining abnormal mails;
carrying out anomaly scoring on each abnormal mail to obtain respective comprehensive anomaly score of each abnormal mail;
and analyzing the comprehensive abnormal score of each abnormal mail to obtain the suspicious BEC mail.
Optionally, the process of performing anomaly scoring on each abnormal mail to obtain the respective comprehensive anomaly score of each abnormal mail comprises:
for each abnormal mail, extracting various mail content characteristics of the abnormal mail;
acquiring the pre-established historical normal content baseline corresponding to each type of mail content characteristic of the abnormal mail;
comparing the characteristic value of each type of mail content characteristic with the corresponding historical normal content baseline to obtain a second abnormal score for each type of mail content characteristic;
and calculating the comprehensive abnormal score of the abnormal mail from the second abnormal scores of the types of mail content characteristics.
Optionally, the method further includes:
acquiring a behavior list of the suspicious BEC mails;
and feeding back the suspicious BEC mails and the corresponding behavior lists as detection results.
An embodiment of the present invention further provides a BEC mail detection apparatus, including:
the acquisition module, for acquiring, for each mailbox account, various current behavior characteristics of the mailbox account;
the analysis module is used for analyzing various current behavior characteristics of the mailbox account and various corresponding historical behavior characteristics to obtain the comprehensive abnormal condition of the mailbox account;
the determining module is used for determining an abnormal mailbox account according to the comprehensive abnormal condition of each mailbox account;
and the detection module is used for carrying out BEC mail detection on the abnormal mailbox account.
The embodiment of the invention also provides a BEC mail detection system, which comprises:
a memory for storing a computer program;
a processor for implementing the steps of the BEC mail detection method as described above when executing the computer program.
An embodiment of the present invention further provides a computer-readable storage medium, where a computer program is stored on the computer-readable storage medium, and when the computer program is executed by a processor, the steps of the BEC mail detection method are implemented as described above.
The embodiment of the present invention provides a BEC mail detection method, device, system and computer-readable storage medium. The method comprises: for each mailbox account, acquiring various current behavior characteristics of the mailbox account; analyzing the various current behavior characteristics against the corresponding historical behavior characteristics to obtain the comprehensive abnormal condition of the mailbox account; determining abnormal mailbox accounts according to the comprehensive abnormal condition of each mailbox account; and performing BEC mail detection on the abnormal mailbox accounts.
Therefore, the embodiment of the present invention analyzes each mailbox account from the perspective of behavior analysis: it acquires the various current behavior characteristics of each mailbox account, analyzes them against the corresponding historical behavior characteristics to obtain the comprehensive abnormal condition of each account, determines the abnormal mailbox accounts from those comprehensive abnormal conditions, and then performs BEC mail detection on the abnormal mailbox accounts.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings needed in the prior art and the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings without creative efforts.
Fig. 1 is a schematic flow chart of a BEC mail detection method according to an embodiment of the present invention;
fig. 2 is a schematic flowchart of a process for analyzing a comprehensive abnormal situation of a mailbox account according to an embodiment of the present invention;
fig. 3 is a schematic flowchart of a process of performing BEC mail detection on an abnormal mailbox account according to an embodiment of the present invention;
fig. 4 is a schematic structural diagram of a BEC mail detection apparatus according to an embodiment of the present invention.
Detailed Description
The embodiments of the present invention provide a BEC mail detection method, device, system and computer-readable storage medium that can improve the accuracy of BEC mail detection and the security of mailbox accounts in use.
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Referring to fig. 1, fig. 1 is a flowchart illustrating a BEC mail detection method according to an embodiment of the present invention. The method comprises the following steps:
S110: for each mailbox account, acquiring various current behavior characteristics of the mailbox account;
Specifically, while each mailbox account is monitored, its various current behavior characteristics can be obtained. For one mailbox account, its current audit log is obtained (specifically, the current audit log of each operation), and the various current behavior characteristics are extracted from it; that is, the behavior characteristics extracted from the current audit log of a mailbox account are called current behavior characteristics in the embodiment of the present invention.
S120: analyzing various current behavior characteristics of the mailbox account and various corresponding historical behavior characteristics to obtain the comprehensive abnormal condition of the mailbox account;
Referring to fig. 2, S120 in the embodiment of the present invention may specifically comprise:
S210: establishing in advance a normal historical behavior baseline corresponding to each type of behavior characteristic from the various historical behavior characteristics of the mailbox account;
Specifically, for each mailbox account, the historical audit log and historical mail data of the mailbox account are acquired in advance; each type of historical behavior characteristic is extracted from them; and for each type of historical behavior characteristic a normal historical behavior baseline corresponding to that characteristic is established, so that each type of behavior characteristic of each mailbox account has a corresponding normal historical behavior baseline.
It should be noted that the various historical behavior features of each monitored mailbox account may be obtained in advance: the historical audit log and historical mail data of each mailbox account are acquired beforehand, and the various historical behavior features are extracted from them. For a mailbox account, the behavior features may be UEBA (User and Entity Behavior Analytics) behavior features, and may be divided into different types.
Specifically, the audit log in the embodiment of the present invention may include the logs of the various operations on the mailbox account, such as logging in and out, modifying configuration, deleting a mail, reading a mail and sending a mail; the mail data comprises all mails of the mailbox account, including sent mails, received mails, drafts, mails in the trash, and so on. After the audit log (current or historical) and the mail data (historical) of a mailbox account are acquired, they are parsed to obtain the important fields of the different operations, including but not limited to: start time, login IP, mailbox account name, sender, recipient, mail operation, mail subject and mail body. The various behavior features (current or historical) are then extracted from these fields.
It should be noted that the behavior features in the embodiment of the present invention include, but are not limited to: mailbox account login and logout behavior, personal-information modification behavior, mailbox configuration behavior, contact modification behavior, mail writing and sending behavior, mail pulling and viewing behavior, and so on. Wherein:
Login and logout behavior concerns the logging in and out of the mailbox account; the main indicators include but are not limited to: login time, login location, login IP, login client, whether the login succeeded, and so on.
Personal-information modification behavior concerns changes the mailbox account makes to its own personal information; the main indicators include but are not limited to: modification of the name, nickname, remarks, mobile phone number, contact address, mailbox password, avatar, and so on.
Mailbox configuration behavior concerns changes to the configuration of the mailbox account; the main indicators include but are not limited to: modification of the black and white lists, of the secure-login settings, of automatic forwarding, of the download path, of new-mail notification, of the signature, and so on.
Contact modification behavior concerns changes to the contacts of the mailbox account; the main indicators include but are not limited to: deleting a contact, adding a contact, modifying a contact, creating a group, deleting a group, and so on.
Mail writing and sending behavior concerns the mails the mailbox account composes and sends; the main indicators include but are not limited to: the number of recipients, whether the mail contains attachments, whether it contains links, whether it contains telephone numbers, whether it contains bank card numbers, the number of paragraphs, the number of punctuation marks, whether it contains pause words, and so on.
Mail pulling and viewing behavior concerns how the mailbox account fetches and reads mail; the main indicators include but are not limited to: whether new mail is pulled, whether a mail is opened, whether a link is clicked, whether an attachment is downloaded, whether an attachment is opened directly, the number of recipients, the number of paragraphs, the number of punctuation marks, and so on.
It should be further noted that after obtaining each type of historical behavior feature of the mailbox account, a normal historical behavior baseline corresponding to the behavior feature is established for each type of historical behavior feature, so as to obtain a normal historical behavior baseline corresponding to each type of behavior feature of each mailbox account, specifically:
for mailbox account login logout behavior, a normal historical behavior baseline for mailbox account login can be constructed including but not limited to: the time distribution of logging in the mailbox in one day, the time distribution of logging in the mailbox in one week, common client software, frequently-logged IP addresses, the probability of login failure, the probability of click logout and the like.
For mailbox account modified personal information behavior, a normal historical behavior baseline for mailbox account modified personal information can be constructed including but not limited to: the probability of modifying the password, the probability of modifying the mobile phone number, the probability of modifying the nickname, the probability of modifying the head portrait, the probability of modifying the remarks and the like.
For mailbox configuration behavior, a normal historical behavior baseline for configuration changes of the mailbox account may be constructed, including but not limited to: the probability of a blacklist change, the probability of an automatic-forwarding modification, the probability of a download-path modification, the probability of a new-mail-notification modification, the probability of a signature modification, and so on.
For mailbox account modification contact behavior, a normal historical behavior baseline for mailbox account modification contacts may be constructed including, but not limited to: probability of deleting a contact, probability of increasing a grouping, probability of modifying a grouping, etc.
For mailbox writing email sending behavior, a normal historical behavior baseline for mailbox account writing email sending can be constructed, including but not limited to: the distribution of the number of the mail text paragraphs, the distribution of the mail text punctuation, the distribution of the number of text words, the distribution of the number of recipients, the probability of containing telephone numbers, the probability of containing bank cards, the probability of containing links, the probability of containing attachments, and the like.
For mailbox pull view mail behavior, normal historical behavior baselines for mailbox account pull view mail behavior may be constructed including, but not limited to: the probability of actively pulling the mail, the probability of opening the mail, the probability of clicking a link, the probability of opening an attachment, the probability of downloading the attachment, the distribution of recipients, the distribution of the number of attachments and the like.
The probability in the embodiment of the present invention refers to a result calculated under the data support of the historical behavior characteristics, and is used as a baseline reference of the normal historical behavior.
S220: comparing the characteristic values of various current behavior characteristics of the mailbox account with corresponding normal historical behavior baselines to obtain first abnormal scores corresponding to the various current behavior characteristics;
specifically, in the embodiment of the present invention, after various current behavior features of a mailbox account are acquired, a feature value of each current behavior feature may be compared with a normal historical behavior baseline of a corresponding behavior feature in the mailbox account, and specifically, algorithms such as a gaussian distribution 3sigma criterion, an isolated forest, a boxplot method, a K neighbor, an automatic encoder, and the like may be adopted to determine an abnormal degree, so as to obtain a first abnormal score of the current behavior feature, obtain a respective first abnormal score of each current behavior feature for one mailbox account, and obtain a respective first abnormal score of each current behavior feature of each mailbox account for different mailbox accounts.
S230: and calculating the comprehensive abnormal score of the mailbox account according to the first abnormal score corresponding to each type of current behavior characteristics.
Specifically, for each mailbox account, after the first abnormal score of each current behavior feature is obtained, the first abnormal scores of the same feature across all mailbox accounts are taken together and normalized, so that the scores of different features are mapped onto the same order of magnitude; this yields a normalized first abnormal score for each current behavior feature of each mailbox account. Then, for one mailbox account, the normalized first abnormal scores of its features are combined: a weight may be preset for each behavior feature, and the normalized scores are summed according to those weights to obtain the total abnormal score of the mailbox account, so that every mailbox account receives a total abnormal score. Finally, the total abnormal scores of all mailbox accounts are normalized across accounts, and the normalized total is taken as the comprehensive abnormal score of each mailbox account.
S130: determining an abnormal mailbox account according to the comprehensive abnormal condition of each mailbox account;
It should be noted that the comprehensive abnormal score of each mailbox account may be analyzed to determine the abnormal mailbox accounts: for example, the comprehensive abnormal scores of the mailbox accounts are sorted in descending order, and the mailbox accounts whose score exceeds a first preset value, or the mailbox accounts ranked within a preset top number, are taken as abnormal mailbox accounts.
That is, in the embodiment of the present invention, the comprehensive abnormal scores of the mailbox accounts may be sorted in descending order, and either the mailbox accounts whose comprehensive abnormal score is greater than the first preset value (for example, 70 points) or the mailbox accounts ranked highest (for example, the top 5 or top 10) are taken as abnormal mailbox accounts.
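The account-level stage S110 to S130, worked through on constructed data as an added example (this is not code from the patent or from DBAPPSecurity): per-account baselines are built from historical audit-log records, the current day's records are scored feature by feature with the Gaussian 3-sigma rule for the login hour and a frequency test for the source IP and for forwarding-rule changes, the first scores are combined with preset weights, and accounts are selected by threshold or by rank. The account names, IP addresses, event names and weights are assumptions; the patent leaves the concrete features, algorithms and weights to the implementer.

```python
"""Account-level stage (S110-S130) of the patent's pipeline on constructed data.

Historical audit-log records give each account a normal historical behaviour
baseline; the current day's records are scored against it feature by feature,
combined with preset weights, and accounts are picked by threshold or rank."""
import math
from collections import Counter, defaultdict

# Constructed audit-log records: (account, event, hour_of_day, source_ip).
# Accounts, event names and IPs are invented for illustration.
HISTORY = []
for hour in range(8, 18):  # one login per working hour, 08:00-17:00, per account
    HISTORY.append(("cfo@corp.example", "login", hour, "10.0.0.5"))
    HISTORY.append(("hr@corp.example", "login", hour, "10.0.0.9"))
    HISTORY.append(("sales@corp.example", "login", hour, "10.0.0.12"))
HISTORY += [  # sales occasionally edits its own forwarding rules
    ("sales@corp.example", "forward_rule_change", 10, "10.0.0.12"),
    ("sales@corp.example", "forward_rule_change", 15, "10.0.0.12"),
]
CURRENT = [  # constructed records for the day under analysis
    ("cfo@corp.example", "login", 3, "203.0.113.7"),  # 03:00 from a never-seen IP
    ("cfo@corp.example", "forward_rule_change", 3, "203.0.113.7"),
    ("hr@corp.example", "login", 12, "10.0.0.9"),
    ("sales@corp.example", "login", 19, "10.0.0.12"),
    ("sales@corp.example", "forward_rule_change", 19, "10.0.0.12"),
]
# Preset per-feature weights (assumed values; the patent leaves them to the operator).
WEIGHTS = {"login_hour": 0.3, "login_ip": 0.4, "forward_rule_change": 0.3}


def build_baselines(records):
    """S210: normal historical behaviour baseline for each account."""
    by_account = defaultdict(list)
    for rec in records:
        by_account[rec[0]].append(rec)
    baselines = {}
    for account, recs in by_account.items():
        logins = [r for r in recs if r[1] == "login"]
        hours = [r[2] for r in logins]
        mean = sum(hours) / len(hours)
        std = math.sqrt(sum((h - mean) ** 2 for h in hours) / len(hours))
        ip_counts = Counter(r[3] for r in logins)
        baselines[account] = {
            "hour_mean": mean,
            "hour_std": std,
            # frequency of each source IP among the account's own logins
            "ip_freq": {ip: n / len(logins) for ip, n in ip_counts.items()},
            # probability that an audited action is a forwarding-rule change
            "p_forward": sum(r[1] == "forward_rule_change" for r in recs) / len(recs),
        }
    return baselines


def first_scores(current_recs, baseline):
    """S220: one anomaly score in [0, 1] per behaviour feature."""
    scores = {"login_hour": 0.0, "login_ip": 0.0, "forward_rule_change": 0.0}
    logins = [r for r in current_recs if r[1] == "login"]
    if logins:
        # Gaussian 3-sigma rule: |z| >= 3 counts as fully anomalous.
        std = baseline["hour_std"] or 1.0  # floor for accounts with constant hours
        z = max(abs(r[2] - baseline["hour_mean"]) / std for r in logins)
        scores["login_hour"] = min(z / 3.0, 1.0)
        # Rarity of the source IP under this account's own history (unseen -> 1).
        scores["login_ip"] = max(1.0 - baseline["ip_freq"].get(r[3], 0.0) for r in logins)
    if any(r[1] == "forward_rule_change" for r in current_recs):
        scores["forward_rule_change"] = 1.0 - baseline["p_forward"]
    return scores


def comprehensive_scores(current_recs, baselines, weights=WEIGHTS):
    """S230: weighted sum of the first scores, reported on a 0-100 scale.

    Every first score is already on a common [0, 1] scale, so the cross-account
    normalisation the patent describes reduces here to scaling to 0..100."""
    by_account = defaultdict(list)
    for rec in current_recs:
        by_account[rec[0]].append(rec)
    result = {}
    for account, recs in by_account.items():
        if account not in baselines:
            continue  # no history: cannot be baselined, needs a cold-start rule
        fs = first_scores(recs, baselines[account])
        result[account] = 100.0 * sum(weights[k] * fs[k] for k in weights)
    return result


def select_abnormal_accounts(scores, threshold=70.0, top_n=None):
    """S130: rank descending; keep scores above the preset value, or the top N."""
    ranked = sorted(scores.items(), key=lambda kv: kv[1], reverse=True)
    if top_n is not None:
        return [account for account, _ in ranked[:top_n]]
    return [account for account, score in ranked if score > threshold]


def run_example():
    scores = comprehensive_scores(CURRENT, build_baselines(HISTORY))
    return scores, select_abnormal_accounts(scores), select_abnormal_accounts(scores, top_n=2)


if __name__ == "__main__":
    scores, by_threshold, by_rank = run_example()
    for account, score in sorted(scores.items(), key=lambda kv: -kv[1]):
        print(f"{account:22s} {score:6.1f}")
    print("above 70:", by_threshold)
    print("top 2:   ", by_rank)
```

The login-hour score saturates at |z| = 3, so a 03:00 login against a 08:00 to 17:00 history is fully anomalous, and the same weighted sum puts the sales account at about 48: above hr, but below the 70-point threshold, which is why the threshold and the top-N selection disagree on it. Real audit logs need the field-parsing step described above (time, IP, client, operation) before records look like these tuples, and an account with no history cannot be baselined at all and needs a separate cold-start rule.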
S140: and performing BEC mail detection on the abnormal mailbox account.
Specifically, after the abnormal mailbox account is screened out, BEC mail detection is performed on the abnormal mailbox account, specifically, a suspicious BEC mail is detected from the mail of the abnormal mailbox account, and as shown in fig. 3, the detection process may specifically be:
S310: acquiring all mails of the abnormal mailbox account within a preset time period;
Specifically, all mails of the abnormal mailbox account within the last 7 days may be acquired.
S320: deleting, from all the mails, those containing attachments or links or containing no digits, to obtain the remaining abnormal mails;
Specifically, since BEC mail contains neither attachments nor links, mails containing attachments or links are deleted from all the mails, and mails containing no digits (such as a telephone number or other numbers) are also deleted; each of the remaining mails is regarded as an abnormal mail.
S330: carrying out anomaly scoring on each abnormal mail to obtain respective comprehensive anomaly score of each abnormal mail;
specifically, after each abnormal mail is determined, various mail content characteristics of the abnormal mail can be extracted for each abnormal mail, then a pre-established historical normal content baseline corresponding to each mail content characteristic of the abnormal mail is obtained, the characteristic value of each mail content characteristic is compared with the corresponding historical normal content baseline, and a second abnormal score corresponding to each mail content characteristic is obtained; and calculating the comprehensive abnormal score of the corresponding abnormal mail according to the second abnormal score of the content characteristics of each type of mail.
It should be noted that the audit logs and mail data of all mails of the abnormal mailbox account within a certain period may also be obtained, the historical mail content features of each mail extracted, and a historical normal content baseline established for each mail content feature from those historical values. When an abnormal mail is then evaluated, its mail content features are extracted, including but not limited to: the number of paragraphs in the body, the number of punctuation marks in the body, the number of words in the body, the number of recipients, whether the sender is a usual correspondent, and whether the login client is a usual one. Each mail content feature is compared with the corresponding historical normal content baseline, the degree of abnormality is judged with the Gaussian 3-sigma rule, isolation forest, the boxplot method or a similar algorithm, and the resulting abnormal scores of the different content features of the mail are normalized to give the second abnormal score of each mail content feature. For one abnormal mail, the second abnormal scores of its content features are then combined, in particular as a weighted sum with preset weights, to obtain the comprehensive abnormal score of that abnormal mail; doing this for every abnormal mail gives each of them a comprehensive abnormal score.
S340: and analyzing the comprehensive abnormal score of each abnormal mail to obtain the suspicious BEC mail.
Specifically, in the embodiment of the present invention, the comprehensive abnormal scores of the abnormal mails may be sorted from high to low, and the abnormal mails whose score is greater than a second preset value (for example, 70) or which are ranked in the top N (for example, the top 5 or top 10) are taken as suspicious BEC mails.
Further, after the suspicious BEC mails are determined, a behavior list of each suspicious BEC mail can be obtained, and the suspicious BEC mails together with their corresponding behavior lists are fed back as the detection result. Specifically, they can be fed back to a security analyst, who checks and confirms the suspicious BEC mails on the basis of the detection result; because the number of mails finally submitted to the analyst is very small, labor cost is reduced. In addition, a security warning can be sent to the corresponding abnormal mailbox account to prompt the user to avoid any related dangerous operation as far as possible, so that loss is avoided.
It should be further noted that, in the embodiment of the present invention, the UEBA behavior-analysis perspective allows various abnormal behaviors of a mailbox account to be discovered more reliably. Compared with traditional detection based on attachments, links or lexical features, a behavior-analysis method does not depend on the specific content of a mail and is not defeated by a change in the attacker's technique; an abnormality can be discovered from a slight behavioral difference, so the security of the mailbox account is improved.
Therefore, the embodiment of the invention analyzes the behavior of each mailbox account from the aspect of behavior analysis, obtains the comprehensive abnormal condition of each mailbox account by acquiring various current behavior characteristics of each mailbox account and analyzing various current behavior characteristics and various historical behavior characteristics corresponding to each mailbox account, and determines the abnormal mailbox account according to the comprehensive abnormal condition of each mailbox account, thereby carrying out the BEC mail detection on the abnormal mailbox account.
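The scoring pipeline described above, from baseline construction through weighted scoring to ranking, as an added worked example in Python (illustrative code written for this page, not the patent's implementation). It follows the shape used both for the mailbox-account behavior baselines (the first abnormal scores) and for the mail content baselines (the second abnormal scores): a per-feature historical baseline, deviation measured by the Gaussian 3σ criterion or the box-plot (1.5·IQR) fence, normalization to a 0-100 score, a weighted composite, and selection by threshold or top-N. The isolation-forest option mentioned in the description is not implemented here. The feature names, the weights, the sample mailbox history and the new mails are all constructed for illustration; the pre-filter that drops mails carrying attachments or links mirrors the step in claim 5.

```python
"""Two-stage baseline scoring (added example, not the patent's code).
Feature names, weights and sample mails below are constructed for illustration."""
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List, Optional, Sequence, Tuple


@dataclass
class Baseline:
    mean: float
    std: float
    q1: float
    q3: float


def _quantile(sorted_vals: Sequence[float], q: float) -> float:
    """Linear-interpolated quantile of an already sorted sample."""
    if len(sorted_vals) == 1:
        return float(sorted_vals[0])
    pos = q * (len(sorted_vals) - 1)
    lo = int(pos)
    hi = min(lo + 1, len(sorted_vals) - 1)
    return sorted_vals[lo] + (sorted_vals[hi] - sorted_vals[lo]) * (pos - lo)


def build_baseline(history: Sequence[float]) -> Baseline:
    """Historical normal baseline for one feature: mean/std for 3σ, quartiles for box plot."""
    vals = sorted(float(v) for v in history)
    return Baseline(mean(vals), pstdev(vals), _quantile(vals, 0.25), _quantile(vals, 0.75))


def deviation_score(value: float, bl: Baseline, method: str = "3sigma") -> float:
    """Normalised score: 0 at the baseline centre, 100 at the outlier boundary
    (3 standard deviations, or the 1.5*IQR box-plot fence), clipped at 100 beyond it."""
    if method == "3sigma":
        if bl.std == 0.0:  # constant history: any change at all is fully anomalous
            return 0.0 if value == bl.mean else 100.0
        ratio = abs(value - bl.mean) / (3.0 * bl.std)
    elif method == "boxplot":
        iqr = bl.q3 - bl.q1
        if iqr == 0.0:
            return 0.0 if bl.q1 <= value <= bl.q3 else 100.0
        if value > bl.q3:
            ratio = (value - bl.q3) / (1.5 * iqr)
        elif value < bl.q1:
            ratio = (bl.q1 - value) / (1.5 * iqr)
        else:
            ratio = 0.0  # inside the box
    else:
        raise ValueError(f"unknown method {method!r}")
    return min(100.0, 100.0 * ratio)


def composite_score(features: Dict[str, float], baselines: Dict[str, Baseline],
                    weights: Dict[str, float], method: str = "3sigma") -> float:
    """Weighted mean of the per-feature scores (the 'preset weights' of the description)."""
    total = sum(weights[name] for name in features)
    return sum(weights[name] * deviation_score(val, baselines[name], method)
               for name, val in features.items()) / total


def rank_suspicious(scores: Dict[str, float], threshold: Optional[float] = None,
                    top_n: Optional[int] = None) -> List[Tuple[str, float]]:
    """Sort high to low and keep entries above the threshold and/or within the top N."""
    ranked = sorted(scores.items(), key=lambda kv: kv[1], reverse=True)
    return [(mid, s) for i, (mid, s) in enumerate(ranked)
            if (threshold is not None and s > threshold) or (top_n is not None and i < top_n)]


def candidate_mails(mails: Sequence[dict]) -> List[dict]:
    """Pre-filter: mails with attachments or links go to other detectors; only the
    plain-text remainder is scored for BEC."""
    return [m for m in mails if not m["has_attachment"] and not m["has_link"]]


# Constructed history of one mailbox account (20 ordinary mails) and three new mails.
HISTORY = {
    "paragraphs": [3, 4, 3, 5, 4, 3, 4, 5, 3, 4, 4, 3, 5, 4, 3, 4, 3, 4, 5, 4],
    "word_count": [120, 140, 110, 160, 130, 150, 125, 135, 145, 115,
                   155, 140, 130, 120, 150, 135, 125, 145, 140, 130],
    "recipients": [1, 1, 2, 1, 1, 2, 1, 1, 1, 2, 1, 1, 1, 2, 1, 1, 1, 1, 2, 1],
    "unusual_location": [0] * 20,
    "unusual_client": [0] * 19 + [1],
}
WEIGHTS = {"paragraphs": 1, "word_count": 1, "recipients": 1,
           "unusual_location": 2, "unusual_client": 2}
NEW_MAILS = [
    {"id": "mail-21", "has_attachment": False, "has_link": False,
     "features": {"paragraphs": 1, "word_count": 40, "recipients": 1,
                  "unusual_location": 1, "unusual_client": 1}},
    {"id": "mail-22", "has_attachment": False, "has_link": False,
     "features": {"paragraphs": 4, "word_count": 135, "recipients": 1,
                  "unusual_location": 0, "unusual_client": 0}},
    {"id": "mail-23", "has_attachment": True, "has_link": False,
     "features": {"paragraphs": 2, "word_count": 60, "recipients": 1,
                  "unusual_location": 1, "unusual_client": 1}},
]


def score_mailbox(history=HISTORY, mails=NEW_MAILS, weights=WEIGHTS, threshold=70.0):
    """Pipeline: baselines -> pre-filter -> per-mail composite score -> threshold ranking."""
    baselines = {name: build_baseline(vals) for name, vals in history.items()}
    scores = {m["id"]: composite_score(m["features"], baselines, weights)
              for m in candidate_mails(mails)}
    return scores, rank_suspicious(scores, threshold=threshold)


if __name__ == "__main__":
    all_scores, flagged = score_mailbox()
    for mid, s in sorted(all_scores.items(), key=lambda kv: -kv[1]):
        print(f"{mid}: {s:.1f}")
    print("suspicious BEC mails:", flagged)
```

Because the 3σ boundary is mapped to 100, a single feature reaches the 70 cut at roughly 2.1σ, and a weighted composite above 70 needs several features at or beyond their boundaries; in the constructed data the short, single-paragraph mail sent from an unusual location and client scores well above 70 while the ordinary mail stays in single digits, and the mail with an attachment is never scored because the pre-filter removes it. Binary features with a constant history (std 0) jump straight to 100 on any change, which is the intended behavior for "always logged in from the usual client" style baselines.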
On the basis of the above embodiments, an embodiment of the present invention further provides a BEC mail detection apparatus, which is specifically shown in fig. 4. The device includes:
the obtaining module 21 is configured to obtain, for each mailbox account, various current behavior characteristics of the mailbox account;
the analysis module 22 is configured to analyze various current behavior characteristics of the mailbox account and various corresponding historical behavior characteristics to obtain a comprehensive abnormal condition of the mailbox account;
the determining module 23 is configured to determine an abnormal mailbox account according to the comprehensive abnormal condition of each mailbox account;
and the detection module 24 is used for performing BEC mail detection on the abnormal mailbox account.
It should be noted that the BEC e-mail detection apparatus in the embodiment of the present invention has the same beneficial effects as the BEC e-mail detection method provided in the foregoing embodiment, and for the specific description of the BEC e-mail detection method related in the embodiment of the present invention, please refer to the foregoing embodiment, which is not described herein again.
On the basis of the above embodiment, an embodiment of the present invention further provides a BEC mail detection system, including:
a memory for storing a computer program;
a processor for implementing the steps of the above BEC mail detection method when executing the computer program.
For example, the processor in the embodiment of the present invention may be specifically configured to obtain, for each mailbox account, various current behavior characteristics of the mailbox account; analyzing various current behavior characteristics of the mailbox account and various corresponding historical behavior characteristics to obtain the comprehensive abnormal condition of the mailbox account; determining an abnormal mailbox account according to the comprehensive abnormal condition of each mailbox account; and performing BEC mail detection on the abnormal mailbox account.
On the basis of the foregoing embodiments, the present invention further provides a computer-readable storage medium, on which a computer program is stored, and the computer program, when executed by a processor, implements the steps of the BEC mail detection method as described above.
The computer-readable storage medium may include any medium capable of storing program code, such as a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
The embodiments in the present description are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other. The device disclosed by the embodiment corresponds to the method disclosed by the embodiment, so that the description is simple, and the relevant points can be referred to the method part for description.
It is further noted that, in the present specification, relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (10)

1. A BEC mail detection method, comprising:
for each mailbox account, acquiring various current behavior characteristics of the mailbox account;
analyzing various current behavior characteristics and corresponding various historical behavior characteristics of the mailbox account to obtain a comprehensive abnormal condition of the mailbox account;
determining an abnormal mailbox account according to the comprehensive abnormal condition of each mailbox account;
and performing BEC mail detection on the abnormal mailbox account.
2. The BEC e-mail detection method of claim 1, wherein the analyzing of the various types of current behavior features and the corresponding various types of historical behavior features of the mailbox account to obtain the comprehensive abnormal condition of the mailbox account comprises:
establishing in advance, according to the various historical behavior characteristics of the mailbox account, a normal historical behavior baseline corresponding to each type of behavior characteristic;
comparing the characteristic values of various current behavior characteristics of the mailbox account with corresponding normal historical behavior baselines to obtain first abnormal scores corresponding to the current behavior characteristics of each class;
calculating a comprehensive abnormal score of the mailbox account according to the first abnormal score corresponding to each type of the current behavior characteristics;
and the determining an abnormal mailbox account according to the comprehensive abnormal condition of each mailbox account comprises:
and analyzing the respective comprehensive abnormal score of each mailbox account to determine an abnormal mailbox account.
3. The BEC e-mail detection method of claim 2, wherein the process of establishing in advance normal historical behavior baselines corresponding to various types of behavior characteristics according to the various types of historical behavior characteristics of the mailbox account is as follows:
for each mailbox account, acquiring a historical audit log and historical mail data of the mailbox account in advance;
extracting each type of historical behavior characteristics from the historical audit log and the historical mail data of the mailbox account;
and establishing a normal historical behavior baseline corresponding to the behavior characteristics aiming at each type of historical behavior characteristics so as to obtain a normal historical behavior baseline corresponding to each type of behavior characteristics of each mailbox account.
4. The BEC mail detection method of claim 2, wherein the analyzing the respective composite anomaly score for each mailbox account to determine an anomalous mailbox account comprises:
sorting the respective comprehensive abnormal scores of the mailbox accounts from large to small;
and taking the mailbox accounts whose comprehensive abnormal score is greater than a first preset value, or the top preset number of mailbox accounts in the sorted order, as the abnormal mailbox accounts.
5. The BEC mail detection method of claim 1, wherein the BEC mail detection for the abnormal mailbox account is performed by:
acquiring all mails of the abnormal mailbox account in a preset time period;
deleting, from all the mails, the mails containing attachments and/or links and/or no numbers, to obtain the remaining abnormal mails;
carrying out anomaly scoring on each abnormal mail to obtain respective comprehensive anomaly score of each abnormal mail;
and analyzing the comprehensive abnormal score of each abnormal mail to obtain the suspicious BEC mail.
6. The BEC e-mail detection method of claim 5, wherein the process of scoring each abnormal e-mail for anomalies to obtain a respective composite anomaly score for each abnormal e-mail comprises:
for each abnormal mail, extracting various mail content characteristics of the abnormal mail;
acquiring a pre-established historical normal content baseline which corresponds to each type of mail content characteristics of the abnormal mails;
comparing the characteristic value of each type of the mail content characteristics with the corresponding historical normal content baseline to obtain a second abnormal score corresponding to each type of the mail content characteristics;
and calculating the comprehensive abnormal score of the corresponding abnormal mail according to the second abnormal score of the content characteristics of each type of mail.
7. The BEC mail detection method of claim 5, further comprising:
acquiring a behavior list of the suspicious BEC mails;
and feeding back the suspicious BEC mails and the corresponding behavior lists as detection results.
8. A BEC mail detection apparatus, comprising:
the acquisition module is used for acquiring, for each mailbox account, various current behavior characteristics of the mailbox account;
the analysis module is used for analyzing various current behavior characteristics of the mailbox account and various corresponding historical behavior characteristics to obtain the comprehensive abnormal condition of the mailbox account;
the determining module is used for determining an abnormal mailbox account according to the comprehensive abnormal condition of each mailbox account;
and the detection module is used for carrying out BEC mail detection on the abnormal mailbox account.
9. A BEC mail detection system, comprising:
a memory for storing a computer program;
a processor for implementing the steps of the BEC mail detection method as claimed in any one of claims 1 to 7 when executing said computer program.
10. A computer-readable storage medium, characterized in that a computer program is stored on the computer-readable storage medium, which computer program, when being executed by a processor, carries out the steps of the BEC mail detection method according to any one of claims 1 to 7.
CN202111031344.5A 2021-09-03 2021-09-03 BEC mail detection method, device and system and readable storage medium Withdrawn CN113726806A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111031344.5A CN113726806A (en) 2021-09-03 2021-09-03 BEC mail detection method, device and system and readable storage medium

Publications (1)

Publication Number Publication Date
CN113726806A true CN113726806A (en) 2021-11-30

Family

ID=78681387

Country Status (1)

Country Link
CN (1) CN113726806A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115037542A (en) * 2022-06-09 2022-09-09 北京天融信网络安全技术有限公司 Abnormal mail detection method and device

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109040103A (en) * 2018-08-27 2018-12-18 深信服科技股份有限公司 Mail account compromise detection method, device, equipment and readable storage medium
CN111614543A (en) * 2020-04-10 2020-09-01 中国科学院信息工程研究所 URL-based spear phishing mail detection method and system
CN112688926A (en) * 2020-12-18 2021-04-20 杭州安恒信息技术股份有限公司 Method, system and device for detecting spear type phishing mails based on attachments
CN113240297A (en) * 2021-05-19 2021-08-10 清华大学 Phishing mail detection method and system
US20210273976A1 (en) * 2020-03-02 2021-09-02 Abnormal Security Corporation Abuse mailbox for facilitating discovery, investigation, and analysis of email-based threats

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication
Application publication date: 20211130