CN114006721B - E-mail risk detection method and system - Google Patents

E-mail risk detection method and system

Publication number: CN114006721B
Application number: CN202111072481.3A
Authority: CN (China)
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN114006721A
Inventors: 杨腾霄, 马宇尘, 崔政强, 严涛
Current assignee: Beijing Newdun Wangan Information Technology Co ltd
Original assignee: Beijing Newdun Wangan Information Technology Co ltd
Prosecution history: application filed by Beijing Newdun Wangan Information Technology Co ltd; priority to CN202111072481.3A; publication of CN114006721A; application granted; publication of CN114006721B; legal status active.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1425 Traffic logging, e.g. anomaly detection
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow
    • G06F 21/53 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine

Abstract

The invention discloses a risk detection method and a risk detection system for email, and relates to the technical field of network security. The method comprises the steps of: collecting the login operation of a user logging in to an email box on a first terminal; acquiring the mailbox login verification information of the successful login, sending it to an associated security terminal, and having the associated security terminal log in to the same mailbox account with that information; monitoring operation information of the user checking mails in the email box on the first terminal, and opening the target mail through the associated security terminal after acquiring the target mail information that the user expects to open; and carrying out security risk detection on the mail content of the target mail through the associated security terminal, and setting security risk warning information for the target mail in the first terminal when the mail content is judged to contain security risk information. The invention occupies few resources on the terminal the user is working on and can be used to detect various security risks.

Description

E-mail risk detection method and system
Technical Field
The invention relates to the technical field of network security, in particular to a risk detection method and system for an email.
Background
Computer viruses are malicious programs (code) that their author inserts into a computer program to destroy computer functions or data; they can affect the use of the computer, spread across a network, and are one of the main modes of current network attacks. A common attack scenario is that an attacker implants a computer virus into a video, file or mail; once the user clicks the corresponding video, file or mail carrying the malicious program, the virus is implanted in the user's terminal, so that the terminal is infected or its information is stolen or tampered with.
With the diversification of cyber attack means and channels, cyber threats are evolving rapidly. Taking ransomware as an example: ransomware is one of the fastest-growing and most damaging network security threats of recent years. The attacker induces the user to click a link object carrying the ransomware, implants it into the user's computer or server, encrypts documents or the whole hard disk, and then demands a ransom from the user before the documents or disk are decrypted. After sending a mail to the user, the attacker induces the user to operate an attachment in the mail to trigger the ransomware, encrypts files on the user's local terminal, and then profits by extorting payment for the decryption password.
At present, the prior art generally performs security filtering on emails as a precaution: received emails are screened for dangerous mails such as junk mail, phishing mail and virus mail to prevent security threats. Current methods for screening risky mail fall roughly into three types: detection based on a black-and-white list mechanism, detection based on an anti-virus mail gateway, and detection based on an attachment sandbox, which provides an isolated environment in which the attachment file is run and its dynamic behaviour during execution is analysed. However, when the user terminal itself screens risky mail, its memory and processor resources are inevitably occupied; for mobile terminals such as mobile phones, whose storage capacity and data processing capacity are limited, this can affect the user's normal use. On the other hand, the development of novel attacks such as ransomware and targeted threat attacks poses a great challenge to traditional detection methods, and how to better discover and cope with these novel threats is also a problem to be solved.
In summary, how to provide a risk detection method for email that occupies few resources on the terminal the user is working on and has wide applicability is a technical problem that currently needs to be solved.
Disclosure of Invention
The invention aims to provide a risk detection method and system for email. According to the invention, when a user logs in to an email box through the first terminal, the associated security terminal is triggered to log in to the same email account; security risk detection is then carried out on the content of the target mail through the associated security terminal, and security risk warning information is set in the first terminal when the mail content contains security risk information. The technical solution provided by the invention occupies few resources on the terminal the user is working on and can be used to detect various security risks.
In order to achieve the above object, the present invention provides the following technical solutions:
a risk detection method for an email, comprising the steps of:
collecting login operation of a user to login an email box on a first terminal, wherein an associated security terminal is arranged corresponding to the first terminal;
acquiring mailbox login verification information which is successfully logged in, sending the mailbox login verification information to the associated security terminal, and using the mailbox login verification information to log in the same mailbox account by the associated security terminal;
monitoring operation information of the user checking mails in the email box on the first terminal, and opening the target mail through the associated security terminal after acquiring the target mail information that the user expects to open;
and carrying out security risk detection on the mail content of the target mail through the associated security terminal, and setting security risk warning information for the target mail in the first terminal when the mail content is judged to contain security risk information.
Further, the mailbox login verification information comprises a login mailbox account name, a mailbox password and mailbox type identification information, and the step of using the mailbox login verification information to log in the same mailbox account by the associated security terminal is as follows:
the associated security terminal calls a corresponding email service program according to the email type identifier, and sends login request information to a corresponding email server through the email service program, wherein the login request information comprises the email account name and the email password;
and the email server receives the login request information, verifies the mailbox account name and mailbox password, and on success sends a login verification passing message to the associated security terminal, which then logs in to the corresponding mailbox account.
Further, the operation information of the user for checking the mail in the email box is monitored by performing screen recording operation on the display window of the first terminal, and at this time, the step of obtaining the target mail information which the user desires to open is as follows:
Starting a screen recording program, and carrying out image scanning on a display window of the first terminal at regular time or in real time through the screen recording program to acquire a scanned image;
performing image recognition on the scanned image to identify a mail list display area and a mouse pointer display area in the image;
judging whether the mouse pointer is positioned in a mail list display area;
when the mouse pointer is judged to be in the mail list display area, the mail currently under the mouse pointer is taken as the target mail, and the list display information of the target mail is recognised to obtain its sender information, subject information and time information.
Further, monitoring operation information of a user for viewing the mail in the email box by performing a monitoring operation on the movement of the mouse pointer on the display window of the first terminal, and at this time, obtaining the target mail information that the user desires to open includes:
generating a mouse moving event according to the operation of a user for moving the mouse, and acquiring the coordinate position of the window after the mouse moves as the current position of the mouse;
acquiring display position information of each trigger item in an email box window according to the display content information of the email box window;
traversing all trigger items, and judging whether the current mouse position lies within the display position of the trigger item of a corresponding mail;
when the current mouse position is judged to lie within the display position of a mail's trigger item, the mail corresponding to that trigger item is taken as the target mail, and the sender information, subject information and time information of the target mail are obtained.
Further, the operation information of the user for checking the mail in the email box is monitored by monitoring the shape of the mouse pointer on the display window of the first terminal, and at this time, the step of obtaining the target mail information which the user desires to open is as follows:
the method comprises the steps that image acquisition is carried out on a display window of a first terminal through an image acquisition device;
performing image recognition on the acquired image, and judging whether the shape presented by a mouse pointer in the image is changed or not;
when the shape presented by the mouse pointer changes from the default shape to the link-indicating shape, the mail currently under the mouse pointer is taken as the target mail, and the list display information of the target mail is recognised to obtain its sender information, subject information and time information.
Further, the step of security risk detection for the mail content in the target mail includes:
Detecting whether the target mail contains an attachment;
when an attachment is contained, the attachment is transferred into a sandbox, which provides an isolated environment for running a program;
running the attachment in the sandbox, monitoring the dynamic parameters generated while the attachment runs, and judging whether the dynamic parameters contain an operation behaviour of encrypting or tampering with files;
when such an operation behaviour of encrypting or tampering with files is included, the mail content is judged to contain security risk information.
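As an added illustration of the sandbox judgement described in the steps above (example code, not code from the patent), the following Go program applies the stated rule to a constructed trace of file operations recorded while an attachment runs: a user file that the program first read and then overwrote with high-entropy data, renamed to a different extension, or deleted is counted as encryption or tampering behaviour, and the attachment is flagged once enough files are affected. The event schema, the entropy threshold and the minimum file count are assumptions of this example; a real sandbox would emit its own dynamic parameters.

```go
package main

import (
	"fmt"
	"math"
	"path"
	"sort"
)

// FileEvent is one dynamic parameter recorded while the attachment runs (assumed schema).
type FileEvent struct {
	Op      string // "read", "write", "rename" or "delete"
	Path    string
	NewPath string // set for "rename"
	Data    []byte // set for "write"
}

// shannonEntropy in bits per byte; encrypted output sits close to 8, documents far below.
func shannonEntropy(b []byte) float64 {
	if len(b) == 0 {
		return 0
	}
	var counts [256]int
	for _, c := range b {
		counts[c]++
	}
	h := 0.0
	for _, n := range counts {
		if n > 0 {
			p := float64(n) / float64(len(b))
			h -= p * math.Log2(p)
		}
	}
	return h
}

// Verdict lists, per file, why the trace looked like encryption or tampering.
type Verdict struct {
	Risky   bool
	Reasons []string
}

// JudgeTrace applies the rule from the text: the attachment is judged to carry security risk
// information when its run shows behaviour that encrypts or tampers with files. Here that is a
// user file the program first read and then overwrote with high-entropy bytes, renamed to a new
// extension, or deleted; minFiles and the 7.0-bit entropy threshold are assumed tuning values.
func JudgeTrace(events []FileEvent, minFiles int) Verdict {
	read := map[string]bool{}
	hit := map[string]string{}
	for _, e := range events {
		switch e.Op {
		case "read":
			read[e.Path] = true
		case "write":
			if read[e.Path] && len(e.Data) >= 256 && shannonEntropy(e.Data) > 7.0 {
				hit[e.Path] = "overwritten with high-entropy data"
			}
		case "rename":
			if read[e.Path] && path.Ext(e.NewPath) != path.Ext(e.Path) {
				hit[e.Path] = "renamed to " + path.Ext(e.NewPath)
			}
		case "delete":
			if read[e.Path] {
				hit[e.Path] = "deleted after being read"
			}
		}
	}
	v := Verdict{Risky: len(hit) >= minFiles}
	for p, why := range hit {
		v.Reasons = append(v.Reasons, p+": "+why)
	}
	sort.Strings(v.Reasons)
	return v
}

// SampleTraces builds two constructed traces: an encrypting attachment and a harmless viewer.
func SampleTraces() (risky, benign []FileEvent) {
	highEntropy := make([]byte, 4096)
	for i := range highEntropy {
		highEntropy[i] = byte(i) // every byte value equally often: entropy is exactly 8 bits
	}
	for _, f := range []string{"/home/u/docs/a.docx", "/home/u/docs/b.xlsx", "/home/u/docs/c.pdf"} {
		risky = append(risky,
			FileEvent{Op: "read", Path: f},
			FileEvent{Op: "write", Path: f, Data: highEntropy},
			FileEvent{Op: "rename", Path: f, NewPath: f + ".locked"})
	}
	benign = []FileEvent{
		{Op: "read", Path: "/home/u/docs/a.docx"},
		{Op: "write", Path: "/home/u/.cache/viewer.log", Data: []byte("opened a.docx\n")},
	}
	return risky, benign
}

func main() {
	risky, benign := SampleTraces()
	fmt.Printf("risky: %+v\n", JudgeTrace(risky, 3))
	fmt.Printf("benign: %+v\n", JudgeTrace(benign, 3))
}
```

The "read first" condition matters: a program that writes high-entropy data to files it created itself (a download, a compressed archive) is not tampering with the user's documents, so only files the attachment read before modifying them count toward the verdict.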
Further, the security risk warning information is set in such a way that in the first terminal, a danger warning identifier is output corresponding to the target mail, and the danger warning identifier is a text warning, a color warning, a picture warning, a sound warning and/or an animation warning.
Further, the security risk warning information is set in a manner that a forbidden opening permission is set for the target mail in the first terminal, and one of the following manners is adopted:
in a first mode, when the associated security terminal judges that the target mail contains security risk information, sending request information for prohibiting opening of the target mail to a corresponding email server, wherein the request information for prohibiting opening comprises security risk evidence information of the target mail; after the email server acquires the request information for prohibiting the opening, the email server examines the security risk evidence information, and when the examination passes, the email server sets the permission for prohibiting the opening of the target email;
in a second mode, performing a screen capture of the mailbox display interface currently displayed by the first terminal, and using the screenshot as a shielding picture covering the mailbox display interface, so that the user cannot open the target mail through the shielding picture.
Further, a user feedback information collection field is provided corresponding to the opening-prohibition permission; it collects the user's feedback on the prohibition, and whether the prohibition needs to be released is judged from that feedback. When it is judged that the prohibition needs to be released, an isolation sandbox is set for the target mail and the opening permission of the target mail in the first terminal is then restored, the isolation sandbox providing an isolated environment for running programs;
and the user's triggering operation on an executable file in the target mail is collected in the first terminal, and the executable file is transmitted to the isolation sandbox to be run there.
The invention also provides an email risk detection system comprising a mail server, a first terminal and a second terminal, the first and second terminals having an association relationship;
the first terminal is used for collecting the user's login operation for logging in to an email box and outputting the mailbox display interface after successful login;
the mail server is used for acquiring mailbox login verification information which is successfully logged in according to the login operation and sending the mailbox login verification information to the second terminal;
the second terminal is used for logging in the same mailbox account by using the mailbox login verification information and outputting a mailbox display interface after successful login;
the mail server is further configured to: monitoring operation information of mails in an email box checked by a user on a first terminal, controlling the second terminal to open the target mails after acquiring target mail information which the user expects to open, and carrying out security risk detection on mail content in the target mails, and setting security risk warning information of the target mails in the first terminal when judging that the mail content contains the security risk information.
Compared with the prior art, the technical solution of the invention has the following advantages and positive effects: when a user logs in to an email box through the first terminal, the associated security terminal is triggered to log in to the same email account; security risk detection is then carried out on the content of the target mail through the associated security terminal, and security risk warning information is set in the first terminal when the mail content contains security risk information. The technical solution provided by the invention occupies few resources on the terminal the user is working on and can be used to detect various security risks.
Drawings
Fig. 1 is a flowchart of a risk detection method for email provided in an embodiment of the present invention.
Fig. 2 is a diagram illustrating a display interface of a mail list according to an embodiment of the present invention.
Fig. 3 is a diagram illustrating an exemplary interface with the mouse pointer on a target mail according to an embodiment of the present invention.
Fig. 4 is a schematic structural diagram of a system according to an embodiment of the present invention.
Reference numerals illustrate:
email main interface 100, email list 110, mouse pointer 120, target email 130.
Detailed Description
The method and system for risk detection of email disclosed in the present invention are described in further detail below with reference to the accompanying drawings and specific embodiments. It should be noted that the technical features or combinations of technical features described in the following embodiments should not be regarded as being isolated, and they may be combined with each other to achieve a better technical effect. In the drawings of the embodiments described below, like reference numerals appearing in the various drawings represent like features or components and are applicable to the various embodiments. Thus, once an item is defined in one drawing, no further discussion thereof is required in subsequent drawings.
It should be noted that the structures, proportions, sizes and so on shown in the drawings are used only in conjunction with the disclosure of this specification and are not intended to limit the scope of the present invention. The scope of the preferred embodiments of the present invention includes additional implementations in which functions may be performed out of the order described or discussed, including in a substantially simultaneous manner or in the reverse order, depending on the function involved, as would be understood by those of skill in the art to which embodiments of the present invention pertain.
Techniques, methods, and apparatus known to one of ordinary skill in the relevant art may not be discussed in detail, but are intended to be part of the specification where appropriate. In all examples shown and discussed herein, any specific values should be construed as merely illustrative, and not a limitation. Thus, other examples of the exemplary embodiments may have different values.
Examples
Referring to fig. 1, a risk detection method for an email according to an embodiment of the present invention is shown. The method comprises the following steps:
S100, collecting the login operation of a user logging in to an email box on a first terminal, wherein an associated security terminal is arranged corresponding to the first terminal.
The first terminal is preferably a portable terminal, such as a notebook computer, a netbook or a tablet computer. The association relationship between the first terminal and the associated security terminal is preferably set by the user. By way of example and not limitation, a user may have his/her own cell phone or notebook as the first terminal and his/her own desktop computer or a purchased server host as the associated security terminal.
S200, acquiring mailbox login verification information which is successfully logged in, sending the mailbox login verification information to the associated security terminal, and using the mailbox login verification information to log in the same mailbox account by the associated security terminal.
In this embodiment, the mailbox login verification information may specifically include a mailbox account name, a mailbox password, and mailbox type identification information that are logged in. At this time, the step of the associated security terminal using the mailbox login verification information to log in the same mailbox account includes:
The associated security terminal calls a corresponding email service program according to the email type identifier, and sends login request information to a corresponding email server through the email service program, wherein the login request information comprises the email account name and the email password;
and the email server receives the login request information, verifies the mailbox account name and mailbox password, and on success sends a login verification passing message to the associated security terminal, which then logs in to the corresponding mailbox account.
Preferably, before the mailbox login verification information is sent to the associated security terminal, the method may further include: encrypting the mailbox login verification information with a preset encryption algorithm; after the associated security terminal receives the encrypted mailbox login verification information, decrypting it with the corresponding decryption algorithm to obtain the mailbox account name, the mailbox password and the mailbox type identification information.
Encryption thus prevents leakage while the information is in transit. The information may be encrypted with an existing symmetric or asymmetric encryption algorithm.
Preferably, to further improve the security of the encrypted data, multiple encryption and decryption steps are adopted, specifically as follows:
first, the mailbox login verification information is encrypted with the AES symmetric encryption algorithm to obtain first encrypted data; the first encrypted data is then asymmetrically encrypted with RSA to obtain second encrypted data, which is stored under a preset storage path. The second encrypted data comprises signature data information consisting of a file header, the code to be executed and signature information: the file header stores the length of the data and the offset of the data from the file header, and the signature information comprises an RSA public key and the ciphertext of a hash value of the data. The EFUSE memory stores the AES key (namely the 128-bit encryption and decryption key of the AES algorithm) and the hash value of the RSA public key (namely the hash value of the public key of the RSA algorithm).
The second encrypted data is then sent to the associated security terminal. After receiving it, the associated security terminal can perform RSA asymmetric decryption to authenticate it. For authentication, the signature information (the RSA public key and the data hash value) is first located from the offset and data length in the file header; then the hash value of the RSA public key in the signature information is calculated with an SHA algorithm to obtain a second hash value, which is compared with the hash value of the RSA public key pre-stored in the EFUSE memory to judge whether the two are identical. If they are identical, the hash value computed over the RSA public key and the ciphertext in the signature information is taken as a third hash value and compared with the second hash value; if these are identical, the data is determined to be trustworthy and the signature check passes; otherwise the data is judged to have been modified and authentication fails.
Then, after authentication passes, AES decryption is performed to obtain the mailbox login verification information.
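The following Go program is an added example of the layered protection just described, not code from the patent. It keeps the structure the text gives: a file header holding the data length and offset, the AES-encrypted login information, and signature information carrying the RSA public key and a signed hash of the data; the receiver locates the signature information through the header, checks the hash of the embedded RSA public key against the value provisioned in its fuse store, verifies the signed hash, and only then decrypts the AES layer. Two choices are assumptions of this example rather than statements of the patent: the second layer is an RSA-PSS signature over the AES ciphertext (which is what the described authentication steps check) rather than a separate RSA encryption of the whole first layer, and AES-128-GCM is used for the first layer. The fuse store is modelled as a value passed to the receiver, and all function names are invented here.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/binary"
	"errors"
	"fmt"
)

// Envelope layout: file header [dataLen uint32][dataOffset uint32], AES ciphertext, then
// signature info [pubLen uint32][DER RSA public key][RSA-PSS signature over SHA-256(ciphertext)].
const headerLen = 8

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // AES-128 when the key is 16 bytes, as in the text
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// BuildEnvelope: AES-GCM first layer (random nonce prefixed), then a signature over its hash.
func BuildEnvelope(aesKey []byte, priv *rsa.PrivateKey, loginInfo []byte) ([]byte, error) {
	gcm, err := gcmFor(aesKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	data := gcm.Seal(nonce, nonce, loginInfo, nil) // nonce || ciphertext || tag
	digest := sha256.Sum256(data)
	sig, err := rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	pub, _ := x509.MarshalPKIXPublicKey(&priv.PublicKey) // DER form; cannot fail for a valid RSA key
	out := binary.BigEndian.AppendUint32(nil, uint32(len(data)))
	out = binary.BigEndian.AppendUint32(out, headerLen)
	out = append(out, data...)
	out = binary.BigEndian.AppendUint32(out, uint32(len(pub)))
	return append(append(out, pub...), sig...), nil
}

// OpenEnvelope is the receiver: header -> signature info -> fuse hash check -> signature -> AES.
func OpenEnvelope(aesKey []byte, fuseHash [32]byte, env []byte) ([]byte, error) {
	if len(env) < headerLen {
		return nil, errors.New("envelope too short")
	}
	dataOff := uint64(binary.BigEndian.Uint32(env[4:8]))
	sigOff := dataOff + uint64(binary.BigEndian.Uint32(env[0:4]))
	if dataOff < headerLen || sigOff+4 > uint64(len(env)) {
		return nil, errors.New("bad file header")
	}
	pubEnd := sigOff + 4 + uint64(binary.BigEndian.Uint32(env[sigOff:sigOff+4]))
	if pubEnd > uint64(len(env)) {
		return nil, errors.New("bad signature info")
	}
	data, pubDER, sig := env[dataOff:sigOff], env[sigOff+4:pubEnd], env[pubEnd:]
	if sha256.Sum256(pubDER) != fuseHash { // the "second hash value" against the fuse-stored hash
		return nil, errors.New("RSA public key does not match the fuse hash")
	}
	parsed, err := x509.ParsePKIXPublicKey(pubDER)
	pub, ok := parsed.(*rsa.PublicKey)
	if err != nil || !ok {
		return nil, errors.New("signature info does not carry an RSA public key")
	}
	digest := sha256.Sum256(data)
	if err := rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil); err != nil {
		return nil, fmt.Errorf("data modified, authentication fails: %w", err)
	}
	gcm, err := gcmFor(aesKey)
	if err != nil || len(data) < gcm.NonceSize() {
		return nil, errors.New("bad AES layer")
	}
	return gcm.Open(nil, data[:gcm.NonceSize()], data[gcm.NonceSize():], nil)
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	aesKey := []byte("0123456789abcdef") // constructed 128-bit key standing in for the fuse-stored one
	der, _ := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	fuseHash := sha256.Sum256(der) // what the security terminal would have provisioned
	env, _ := BuildEnvelope(aesKey, priv, []byte("user@example.com\x00password\x00imap"))
	info, err := OpenEnvelope(aesKey, fuseHash, env)
	fmt.Printf("%q %v\n", info, err)
}
```

The order of checks is the point: the public key carried inside the envelope is trusted only after its hash matches the provisioned value, so an envelope signed with some other key is rejected before any signature arithmetic, and the AES layer is never opened for data whose signature failed.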
By way of example and not limitation, suppose the user's notebook is the first terminal and the user logs in to a NetEase mailbox from it. Specifically, the user first starts the NetEase mailbox client installed on the first terminal and enters his or her mailbox account name and password; the client then initiates a login to the NetEase mail server with that account name and password, and when the mail server verifies the login request it sends a verification passing message to the first terminal, which performs mail service processing accordingly. At the same time, the mail server acquires the mailbox login verification information of the successful login and sends it to the user's desktop computer (that is, the preset associated security terminal), which initiates a login with the mailbox account name, the password and the mailbox service identifier. The login may proceed as follows: the desktop computer sends a second login request for the service to the mail server with the mailbox account name and password; when the mail server verifies the second login request it sends a verification passing message to the desktop computer, which then carries out service processing accordingly.
S300, monitoring operation information of the user checking mails in the email box on the first terminal, and opening the target mail through the associated security terminal after obtaining the target mail information that the user expects to open.
At this time, the first terminal and the associated secure terminal log in the same mailbox account. And monitoring operation information of the mail in the electronic mailbox checked by the user on the first terminal, so as to acquire target mail information which the user expects to open.
In one embodiment, the operation information of the user for viewing the mail in the email box is monitored by performing a screen recording operation on the display window of the first terminal.
Specifically, the target mail information that the user desires to open may be acquired as follows: starting a screen recording program and, through it, scanning the display window of the first terminal periodically or in real time to acquire a scanned image; performing image recognition on the scanned image to identify the mail list display area and the mouse pointer display area; judging whether the mouse pointer lies in the mail list display area; and, when it does, taking the mail currently under the mouse pointer as the target mail and recognising its list display information to obtain its sender information, subject information and time information.
On any terminal device, the displayed content is produced by the operating system managing and drawing the current application window in a memory buffer, after which driver middleware transmits the buffer content to the display over a medium such as an AV, HDMI or VGA cable. The terminal can therefore monitor the content drawn in its memory buffer for the application window, including the specific content and its display position, the content information being set corresponding to the display position (that is, what content is displayed at what position of the window). Thus the display content corresponding to a trigger item can be obtained from the trigger item's display position, and the mail-related information can be obtained from the display position of the mail's trigger item. Once the positional relationship between the mouse pointer and the mail trigger items is known, for example that the mouse pointer lies on the trigger item of a certain mail (when a user wants to view a target mail, the user moves the mouse cursor to the area where that mail is located), that mail can be judged to be the target mail the user wants to open, and the display content at that position can be read from the trigger item position, giving the basic content of the target mail such as its sender, subject and time.
The triggering item refers to an operable option in the page, and specifically can be a click button (represented as a control), or a click region.
In this embodiment, the step of obtaining the window coordinate position after the mouse movement may be: the external Input device receives a mouse movement event, and inputs the mouse movement event to an Input system (Input system); an Input system (Input system) transmits the mouse movement event as an Input event to a Window Manager (Window Manager); after receiving the mouse moving event, the window manager determines the coordinate position of the window after the mouse moves according to the mouse moving event.
In another embodiment, the operation information of the user for viewing the mail in the email box is monitored by performing a monitoring operation on the movement of the mouse pointer on the display window of the first terminal.
Specifically, the step of acquiring the target mail information that the user desires to open may be as follows: generating a mouse movement event from the user's operation of moving the mouse, and acquiring the window coordinate position after the movement as the current mouse position; acquiring the display position information of each trigger item in the email box window from the display content information of the email box window; traversing all trigger items and judging whether the current mouse position lies within the display position of the trigger item of a corresponding mail; when it lies within the display position of the trigger item of a corresponding mail, taking the mail corresponding to that trigger item as the target mail and obtaining the sender information, subject information and time information of the target mail.
In this embodiment, mouse movement may be monitored by installing a mouse hook function, which belongs to the prior art and is not described here.
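As an added example (not the patent's own code), the following Python hit-tests the current mouse position against the trigger items of the mail list, as in the step above. The drawn text items and their window positions, the header labels used to derive the columns, and the sample mail list are all constructed assumptions standing in for the window's display content information.

```python
"""Hit-test the mouse position against the mail-list trigger items of a mailbox window.

Added example, not the patent's code. The window's display content information is
modelled as text items drawn at known positions (an assumption); mail rows are rebuilt
from items that share a vertical band, columns are derived from the header labels, and
the cursor is then tested against each row's trigger rectangle.
"""
from dataclasses import dataclass
from typing import Optional

# Header labels assumed to be drawn above the list; they define the column x-ranges.
HEADER_LABELS = {"Sender": "sender", "Subject": "subject", "Time": "time"}


@dataclass(frozen=True)
class DrawnItem:
    """One piece of text the window manager drew, with its rectangle in window coordinates."""
    text: str
    x: int
    y: int
    w: int
    h: int


@dataclass(frozen=True)
class MailRow:
    """A mail's trigger item: the full row rectangle plus the basic content drawn in it."""
    sender: str
    subject: str
    time: str
    x: int
    y: int
    w: int
    h: int

    def contains(self, px: int, py: int) -> bool:
        return self.x <= px < self.x + self.w and self.y <= py < self.y + self.h


def column_ranges(items):
    """Return ([(role, left, right)], header_y): column bounds derived from the header row."""
    headers = [it for it in items if it.text in HEADER_LABELS]
    if not headers:
        raise ValueError("mail list header not found in window content")
    top = min(it.y for it in headers)
    headers = sorted((it for it in headers if it.y == top), key=lambda it: it.x)
    ranges = []
    for i, it in enumerate(headers):
        right = headers[i + 1].x if i + 1 < len(headers) else float("inf")
        ranges.append((HEADER_LABELS[it.text], it.x, right))
    return ranges, top


def build_rows(items):
    """Group the drawn items below the header into mail rows, one per vertical band."""
    ranges, header_y = column_ranges(items)
    bands = {}
    for it in items:
        if it.y > header_y:
            bands.setdefault(it.y, []).append(it)
    rows = []
    for y, band in sorted(bands.items()):
        fields = {}
        for it in band:
            for role, left, right in ranges:
                if left <= it.x < right:
                    fields[role] = it.text
        if set(fields) != set(HEADER_LABELS.values()):
            continue  # a band without all three columns is not a mail row
        x0 = min(it.x for it in band)
        x1 = max(it.x + it.w for it in band)
        rows.append(MailRow(fields["sender"], fields["subject"], fields["time"],
                            x0, y, x1 - x0, max(it.h for it in band)))
    return rows


def find_target_mail(items, cursor) -> Optional[MailRow]:
    """Return the mail whose trigger item contains the cursor, or None if no item is hit."""
    px, py = cursor
    for row in build_rows(items):
        if row.contains(px, py):
            return row
    return None


# Constructed sample window content: a header at y=80 and three mail rows 24 px high.
SAMPLE_WINDOW = [
    DrawnItem("Sender", 20, 80, 120, 24), DrawnItem("Subject", 160, 80, 400, 24),
    DrawnItem("Time", 580, 80, 100, 24),
    DrawnItem("alice@example.com", 20, 110, 120, 24),
    DrawnItem("Q3 budget review", 160, 110, 400, 24), DrawnItem("09:14", 580, 110, 100, 24),
    DrawnItem("billing@example.net", 20, 134, 120, 24),
    DrawnItem("Invoice #4471 attached", 160, 134, 400, 24),
    DrawnItem("Yesterday", 580, 134, 100, 24),
    DrawnItem("team@example.org", 20, 158, 120, 24),
    DrawnItem("Weekly sync notes", 160, 158, 400, 24), DrawnItem("Mon", 580, 158, 100, 24),
]

if __name__ == "__main__":
    # The row under the cursor is the mail to pre-open on the associated security terminal.
    print(find_target_mail(SAMPLE_WINDOW, (300, 140)))
```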
In another embodiment, the operation information of the user for viewing the mail in the email box is monitored by performing a listening operation on the shape of the mouse pointer on the display window of the first terminal.
Specifically, the step of acquiring the target mail information that the user desires to open may be as follows: capturing images of the display window of the first terminal with an image acquisition device; performing image recognition on the captured image and judging whether the shape presented by the mouse pointer in the image has changed; when the shape presented by the mouse pointer changes from the default shape to the shape indicating a link, for example the default arrow changes to a small hand, acquiring the mail at which the mouse pointer is currently located as the target mail, and recognizing the list display information of the target mail to obtain its sender information, subject information and time information.
This embodiment is described in detail with reference to fig. 2 and 3.
In the prior art, the mouse pointer may be configured with different shapes in different states. As a typical example, the mouse pointer is in a default shape in the waiting state, typically the arrow shape shown in fig. 2. When the mouse pointer is moved to a trigger item carrying a link (such as the line of a certain mail in the mail list 110), the shape presented by the mouse pointer 120 changes from the default arrow to a shape indicating a link, such as the small hand shape in fig. 3, because the mail line carries a mail link. That is, by monitoring the change in the shape of the mouse pointer on the display window, the user's operation information for viewing mail in the electronic mailbox can be monitored. Specifically, referring to fig. 3, when the mouse pointer is detected to have changed to the small hand shape, the mail at which the mouse pointer is currently located (shown as a mail line in the mail list) may be acquired as the target mail 130. The list display information of the target mail can then be recognized with image recognition technology to acquire the basic content of the target mail, such as its sender information, subject information and time information.
After the target mail information which is expected to be opened by the user but not opened yet is obtained, the target mail can be opened through the associated security terminal.
S400, carrying out security risk detection on mail content in the target mail through the associated security terminal, and setting security risk warning information of the target mail in the first terminal when the mail content is judged to contain the security risk information.
Thus, risk pre-judging of the received mails is realized.
In this embodiment, preferably, the step of performing security risk detection on the mail content of the target mail may be as follows: detecting whether the target mail contains an attachment; when an attachment is contained, transferring the attachment into a sandbox, the sandbox providing an isolated environment for running programs; running the attachment in the sandbox, monitoring the dynamic parameters generated while the attachment runs, and judging whether the dynamic parameters contain operation behavior that encrypts or tampers with files; when such encrypting or tampering behavior is included, judging that the mail content contains security risk information.
Specifically, the manner of setting the security risk warning information may be as follows: and outputting a dangerous reminding identifier corresponding to the target mail in the first terminal, wherein the dangerous reminding identifier is a text reminding, a color reminding, a picture reminding, a sound reminding and/or an animation reminding.
Preferably, for an attachment of a target mail with a security risk, the dynamic parameters generated while the attachment runs in the sandbox are monitored, and after the monitoring process and/or monitoring result is rendered as image data, the image data is displayed on the line of the target mail in the mail list.
In this embodiment, the security risk warning information may also be set by setting a prohibited opening permission for the target mail in the first terminal.
Specifically, in one embodiment, when the associated security terminal determines that the target mail includes security risk information, the request information for prohibiting the opening of the target mail may be sent to the corresponding email server, where the request information for prohibiting the opening includes security risk evidence information of the target mail. After the email server acquires the request information for prohibiting the opening, the email server carries out auditing on the security risk evidence information, and when the auditing passes, the email server sets the permission for prohibiting the opening on the target email.
The opening prohibition permission may be set, for example, by setting an opening password, so that the user must enter the password to open the risk mail and cannot open it without knowing the password, thereby achieving prohibition of opening. Alternatively, an opening time may be set, so that the user can open the risk mail only within the specified opening time range. When an opening time is set, it may be set to a point long after the current time, for example 100 years later, so that the user cannot open the risk mail.
In another embodiment, a screen capture can be further performed on a mailbox display interface currently displayed by the first terminal, the screenshot obtained by the screen capture is used as a shielding picture for covering the mailbox display interface, and the user cannot perform opening operation on the target mail through the shielding picture.
Preferably, an annotation information field is provided corresponding to the shielding picture, and is used for collecting information input by a user in the annotation information field, and displaying the information corresponding to the shielding picture as annotation information. Thus, the user can annotate the related information of the target mail through the annotation information column, such as specific risk content, risk type and the like of the annotated mail.
In this embodiment, a user feedback information acquisition column is further provided corresponding to the opening prohibition permission, and the user feedback information acquisition column is used to acquire feedback information of the user about the opening prohibition permission, and determine whether the user needs to release the opening prohibition permission according to the feedback information; when the forbidden opening authority is judged to be released, setting an isolation sandbox for the target mail, and then recovering the opening authority of the target mail in the first terminal, wherein the isolation sandbox can provide an isolation environment for a running program.
And then, acquiring triggering operation of a user on the executable file in the target mail in the first terminal, and transmitting the executable file to the isolation sandbox for operation.
Preferably, the operation information of the executable file in the isolation sandbox is obtained, and after the operation information is generated into an image, the image is displayed corresponding to the content display area of the target mail. The images are preferably animated images by which the running process and the running result are displayed.
In this embodiment, extracting the attachment information first requires detecting whether the mail to be detected contains an attachment. In practice, this can be done by checking whether the attachment field of the mail is empty: if the attachment field is empty, no attachment is contained; if the attachment field is not empty, the mail is judged to contain an attachment.
The sandbox in the embodiment of the application may be configured in either of the following ways. In the first way, a Windows sandbox is built with a conventional virtual machine (VM), VirtualBox or the like.
In the second way, a single-function Windows-like operating system is constructed as the sandbox; it supports starting an office program and supports running and recording file behavior and network behavior.
Taking ransomware as an example, the file operation behavior monitoring module can monitor file behavior in several ways:
1. Monitor the program's operation behavior on files while the attachment runs through Windows logs, such as the file event log of Sysmon. The operation behavior may include a series of operations such as opening, modifying and encrypting.
2. Record the behavior of the program accessing files through a file system filter driver. A file system filter driver can filter the I/O operations of one or more file systems or file system volumes. By type, file system filter drivers can be divided into log recording, system monitoring, data modification and event prevention; applications built around a file system filter driver are commonly used for file encryption and decryption, virus protection, process control, file access control, post-hoc auditing and information security. The file filter driver records the operation behavior of the attachment program on files while it runs, which may include a series of operations such as opening, modifying and encrypting.
3. Inject the attachment program into a target program for monitoring, where the target program contains the interfaces associated with file operations; the attachment program's operation behavior on files at runtime is then monitored by monitoring its use of those interfaces.
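As an added example (not the patent's code) for the sandbox detection step above and the Sysmon-style file log of method 1, the following Python scores the file events recorded while an attachment runs and flags encrypt/tamper behavior. The event shape, the process names, the document extensions and the thresholds are constructed assumptions; a deployment would map real Sysmon file events onto the FileEvent fields.

```python
"""Flag encrypt/tamper behaviour in file events recorded while an attachment runs in a sandbox.

Added example, not the patent's code. Events are constructed in a simplified Sysmon-style
shape (timestamp, process image, operation, path, optional new path); the document
extensions, process names and thresholds are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional

# Extensions treated as user documents; encryptors typically rename or overwrite these.
USER_DOC_EXTS = {".docx", ".xlsx", ".pptx", ".pdf", ".jpg", ".txt"}


@dataclass(frozen=True)
class FileEvent:
    ts: float                       # seconds since the sandbox run started
    image: str                      # process image performing the operation
    op: str                         # "open" | "create" | "modify" | "rename" | "delete"
    path: str
    new_path: Optional[str] = None  # destination path for "rename"


@dataclass
class Verdict:
    risky: bool
    reasons: List[str]


def _ext(path: str) -> str:
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name[name.rfind("."):].lower() if "." in name else ""


def _stem(path: str) -> str:
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.split(".", 1)[0].lower()


def _burst(touched, window_s: float, min_files: int) -> bool:
    """True when at least min_files distinct files are changed within any window_s span."""
    evs = sorted(touched)
    lo = 0
    for hi in range(len(evs)):
        while evs[hi][0] - evs[lo][0] > window_s:
            lo += 1
        if len({p for _, p in evs[lo:hi + 1]}) >= min_files:
            return True
    return False


def detect_encrypt_or_tamper(events, image, window_s=10.0, min_files=5) -> Verdict:
    """Judge whether `image` showed file-encrypting or file-tampering behaviour.

    Signals: documents modified in place (tampering), documents renamed to a non-document
    extension, or documents deleted after a same-name file with a new extension was created
    (both typical of encryptors). The verdict is risky only when a signal coincides with a
    burst of changes, so a single legitimate save by an office program is not flagged.
    """
    modified, renamed, replaced = set(), set(), set()
    created = {}   # stem -> paths created by the process, paired with later deletes
    touched = []   # (ts, path) of document changes, used for burst detection
    for ev in events:
        if ev.image != image:
            continue
        if ev.op == "create":
            created.setdefault(_stem(ev.path), set()).add(ev.path)
            continue
        if _ext(ev.path) not in USER_DOC_EXTS or ev.op == "open":
            continue   # opens are in the log but are not scored here
        if ev.op == "modify":
            modified.add(ev.path)
        elif ev.op == "rename" and ev.new_path and _ext(ev.new_path) not in USER_DOC_EXTS:
            renamed.add(ev.path)
        elif ev.op == "delete":
            if any(_ext(p) != _ext(ev.path) for p in created.get(_stem(ev.path), ())):
                replaced.add(ev.path)
        else:
            continue
        touched.append((ev.ts, ev.path))
    reasons = []
    if renamed:
        reasons.append(f"{len(renamed)} document(s) renamed to a non-document extension")
    if replaced:
        reasons.append(f"{len(replaced)} document(s) deleted after a renamed copy was created")
    if modified:
        reasons.append(f"{len(modified)} document(s) modified in place")
    burst = _burst(touched, window_s, min_files)
    if burst:
        reasons.append(f"at least {min_files} documents changed within {window_s:g}s")
    return Verdict(burst and bool(renamed or replaced or modified), reasons)


# Constructed sample run: an office program saves one file, then the attachment renames
# six documents to ".locked" within two seconds and drops a note.
ATTACHMENT = r"C:\Sandbox\Invoice_4471.exe"
WORD = r"C:\Program Files\Office\WINWORD.EXE"
_DOCS = [rf"C:\Users\u\Documents\file{i}.{e}"
         for i, e in enumerate(["docx", "xlsx", "pdf", "jpg", "pptx", "txt"])]
SAMPLE_EVENTS = (
    [FileEvent(0.5, WORD, "open", r"C:\Users\u\Documents\report.docx"),
     FileEvent(0.9, WORD, "modify", r"C:\Users\u\Documents\report.docx")]
    + [FileEvent(2.0 + 0.3 * i, ATTACHMENT, "open", p) for i, p in enumerate(_DOCS)]
    + [FileEvent(2.1 + 0.3 * i, ATTACHMENT, "rename", p, p + ".locked") for i, p in enumerate(_DOCS)]
    + [FileEvent(4.0, ATTACHMENT, "create", r"C:\Users\u\Documents\README_DECRYPT.txt")]
)

if __name__ == "__main__":
    for img in (ATTACHMENT, WORD):
        print(img, detect_encrypt_or_tamper(SAMPLE_EVENTS, img))
```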
In this embodiment, an anti-virus friend group may also be provided: when the associated security terminal performs security risk detection on the mail content of the target mail and determines that the mail content does not contain security risk information, the mail content is sent to the anti-virus friend group for a second risk evaluation. After the evaluation result is obtained, if the re-evaluation finds that security risk information is contained, the security risk warning information of the target mail is set in the first terminal.
Specifically, the associated contact setting information of the mailbox where the target mail is located can be obtained; judging whether the mailbox is provided with an anti-virus friend group or not according to the related contact person setting information; when judging that the anti-virus friend group exists, sending the mail content to the anti-virus friend group for evaluation; when judging that the anti-virus friend group does not exist, acquiring instant messaging account information of a preset anti-virus associated contact person, triggering and establishing the anti-virus friend group based on the anti-virus associated contact person, and then sending the mail content to the anti-virus friend group for evaluation.
The anti-virus friend group and the anti-virus associated contacts are set up on an instant messaging tool, and the anti-virus friend group and the anti-virus associated contact information corresponding to the associated contact (usually the user) can be obtained from the associated contact's instant messaging account information. The instant messaging account information of the associated contact can be obtained from settings the user actively makes in the electronic mailbox, such as the associated contact information of the mailbox set by the user, which includes the associated contact's instant messaging account. After the instant messaging account information of the associated contact is obtained, whether the mailbox has an anti-virus friend group can be judged from it. The anti-virus associated contact information is preset and can be set by the user or by the system. In this embodiment, the anti-virus associated contacts are preferably set automatically by the system, which selects them based on the work or occupation information in the user's remarks.
Referring to fig. 4, in another embodiment of the present invention, a risk detection system for email is provided.
The system comprises a mail server, and a first terminal and a second terminal which are provided with association relations.
The first terminal is used for collecting login operation of a user for logging in an email box and outputting an email box display interface after successful login.
The mail server is used for acquiring mailbox login verification information which is successfully logged in according to the login operation and sending the mailbox login verification information to the second terminal.
The second terminal is used as an associated safety terminal of the first terminal, and is used for logging in the same mailbox account by using the mailbox login verification information and outputting a mailbox display interface after the login is successful.
The mail server is further configured to: monitoring operation information of mails in an email box checked by a user on a first terminal, controlling the second terminal to open the target mails after acquiring target mail information which the user expects to open, and carrying out security risk detection on mail content in the target mails, and setting security risk warning information of the target mails in the first terminal when judging that the mail content contains the security risk information.
In this embodiment, the mailbox login verification information includes a login mailbox account name, a mailbox password and mailbox type identification information. At this time, the step of the associated security terminal using the mailbox login verification information to log in the same mailbox account includes: the associated security terminal calls a corresponding email service program according to the email type identifier, and sends login request information to a corresponding email server through the email service program, wherein the login request information comprises the email account name and the email password; and the email server receives the login request information, verifies that the mailbox account name and the mailbox password pass, and then sends a login verification passing message to the associated security terminal, and the associated security terminal logs in the corresponding mailbox account.
In this embodiment, the manner of setting the security risk warning information may be: and outputting a dangerous reminding identifier corresponding to the target mail in the first terminal, wherein the dangerous reminding identifier is a text reminding, a color reminding, a picture reminding, a sound reminding and/or an animation reminding.
Preferably, the security risk warning information may be set in such a way that a forbidden opening authority is set for the target mail in the first terminal.
Specifically, when the associated security terminal determines that the target mail contains security risk information, sending request information for prohibiting opening of the target mail to a corresponding email server, wherein the request information for prohibiting opening comprises security risk evidence information of the target mail; after the email server acquires the request information for prohibiting the opening, the email server carries out auditing on the security risk evidence information, and when the auditing passes, the email server sets the permission for prohibiting the opening on the target email.
Or, performing screen capturing on a mailbox display interface currently displayed by the first terminal, taking a screenshot obtained by the screen capturing as a shielding picture covering the mailbox display interface, and enabling a user to be unable to perform opening operation on the target mail through the shielding picture.
Preferably, a user feedback information acquisition column is arranged corresponding to the opening prohibition permission, and the user feedback information acquisition column is used for acquiring feedback information of the user on the opening prohibition permission, and judging whether the user needs to release the opening prohibition permission according to the feedback information; when the forbidden opening authority is judged to be released, setting an isolation sandbox for the target mail, and then recovering the opening authority of the target mail in the first terminal, wherein the isolation sandbox can provide an isolation environment for a running program.
And acquiring triggering operation of a user on the executable file in the target mail in the first terminal, and transmitting the executable file to the isolation sandbox for operation.
Other technical features are referred to the previous embodiments and will not be described here again.
In the above description, the disclosure of the present invention is not intended to limit itself to these aspects. Rather, the components may be selectively and operatively combined in any number within the scope of the present disclosure. In addition, terms like "comprising," "including," and "having" should be construed by default as inclusive or open-ended, rather than exclusive or closed-ended, unless expressly defined to the contrary. All technical, scientific, or other terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. Common terms found in dictionaries should not be too idealized or too unrealistically interpreted in the context of the relevant technical document unless the present disclosure explicitly defines them as such. Any alterations and modifications of the present invention, which are made by those of ordinary skill in the art based on the above disclosure, are intended to be within the scope of the appended claims.

Claims (7)

1. A risk detection method for an email, comprising the steps of:
collecting login operation of a user to login an email box on a first terminal, wherein an associated security terminal is arranged corresponding to the first terminal;
acquiring mailbox login verification information which is successfully logged in, sending the mailbox login verification information to the associated security terminal, and using the mailbox login verification information to log in the same mailbox account by the associated security terminal;
monitoring operation information of a user for checking mails in an email box on a first terminal, and opening the target mails through the associated safety terminal after acquiring target mail information which the user expects to open;
performing security risk detection on mail content in the target mail through the associated security terminal, and, when the mail content is judged to contain security risk information, setting security risk warning information of the target mail in the first terminal;
wherein,
the operation information of the user for checking the mail in the electronic mailbox is monitored by performing a screen recording operation on the display window of the first terminal, and in this case the step of acquiring the target mail information which the user expects to open is as follows: starting a screen recording program, and scanning the display window of the first terminal at regular intervals or in real time through the screen recording program to acquire a scanned image; performing image recognition on the scanned image to identify the mail list display area and the mouse pointer display area in the image; judging whether the mouse pointer is located in the mail list display area; when the mouse pointer is judged to be located in the mail list display area, obtaining the mail at which the mouse pointer is currently located as the target mail, and recognizing the list display information of the target mail to obtain sender information, subject information and time information of the target mail;
or the operation information of the user for checking the mail in the electronic mailbox is monitored by monitoring the movement of the mouse pointer on the display window of the first terminal, and in this case the step of acquiring the target mail information which the user expects to open comprises: generating a mouse movement event from the user's operation of moving the mouse, and acquiring the window coordinate position after the mouse moves as the current mouse position; acquiring the display position information of each trigger item in the email box window from the display content information of the email box window; traversing all trigger items and judging whether the current mouse position lies within the display position of the trigger item of a corresponding mail; when it lies within the display position of the trigger item of a corresponding mail, taking the mail corresponding to that trigger item as the target mail, and acquiring sender information, subject information and time information of the target mail;
or the operation information of the user for checking the mail in the electronic mailbox is monitored by monitoring the shape of the mouse pointer on the display window of the first terminal, and in this case the step of acquiring the target mail information which the user expects to open is as follows: capturing images of the display window of the first terminal with an image acquisition device; performing image recognition on the captured image and judging whether the shape presented by the mouse pointer in the image has changed; when the shape presented by the mouse pointer changes from the default shape to the shape indicating a link, acquiring the mail at which the mouse pointer is currently located as the target mail, and recognizing the list display information of the target mail to acquire sender information, subject information and time information of the target mail.
2. The method according to claim 1, characterized in that: the mailbox login verification information comprises a login mailbox account name, a mailbox password and mailbox type identification information, and the steps of using the mailbox login verification information to log in the same mailbox account by the associated security terminal are as follows:
the associated security terminal calls a corresponding email service program according to the email type identifier, and sends login request information to a corresponding email server through the email service program, wherein the login request information comprises the email account name and the email password;
and the email server receives the login request information, verifies that the mailbox account name and the mailbox password pass, and then sends a login verification passing message to the associated security terminal, and the associated security terminal logs in the corresponding mailbox account.
3. The method according to claim 1, characterized in that: the step of carrying out security risk detection on mail content in the target mail comprises the following steps:
detecting whether the target mail contains an attachment;
when an attachment is contained, transferring the attachment into a sandbox, the sandbox providing an isolated environment for running programs;
running the attachment in the sandbox, monitoring the dynamic parameters generated while the attachment runs, and judging whether the dynamic parameters contain operation behavior that encrypts or tampers with files;
when such encrypting or tampering behavior is included, judging that the mail content contains security risk information.
4. A method according to any one of claims 1-3, characterized in that: the mode of setting the safety risk warning information is that in the first terminal, a danger reminding identifier is output corresponding to the target mail, and the danger reminding identifier is a text reminding, a color reminding, a picture reminding, a sound reminding and/or an animation reminding.
5. A method according to any one of claims 1-3, characterized in that: the security risk warning information is set in a mode that a forbidden opening permission is set for the target mail in the first terminal, and one of the following modes is adopted:
in a first mode, when the associated security terminal judges that the target mail contains security risk information, sending request information for prohibiting opening of the target mail to a corresponding email server, wherein the request information for prohibiting opening comprises security risk evidence information of the target mail; after the email server acquires the request information for prohibiting the opening, the email server examines the security risk evidence information, and when the examination passes, the email server sets the permission for prohibiting the opening of the target email;
And secondly, performing screen capturing on a mailbox display interface currently displayed by the first terminal, taking a screenshot obtained by the screen capturing as a shielding picture covering the mailbox display interface, and enabling a user to be incapable of opening a target mail through the shielding picture.
6. The method according to claim 5, wherein: a user feedback information acquisition column is arranged corresponding to the opening prohibition permission, and the user feedback information acquisition column is used for acquiring feedback information of the user on the opening prohibition permission, and judging whether the user needs to release the opening prohibition permission according to the feedback information; when judging that the forbidden opening authority needs to be released, setting an isolation sandbox for the target mail, and then recovering the opening authority of the target mail in the first terminal, wherein the isolation sandbox can provide an isolation environment for a running program;
and acquiring triggering operation of a user on the executable file in the target mail in the first terminal, and transmitting the executable file to the isolation sandbox for operation.
7. A risk detection system for emails according to the method of claim 1, characterized by comprising: a mail server, a first terminal and a second terminal which are provided with association relations;
The first terminal is used for collecting login operation of a user for logging in an email box and outputting an email box display interface after successful login;
the mail server is used for acquiring mailbox login verification information which is successfully logged in according to the login operation and sending the mailbox login verification information to the second terminal;
the second terminal is used for logging in the same mailbox account by using the mailbox login verification information and outputting a mailbox display interface after successful login;
the mail server is further configured to: monitoring operation information of mails in an email box checked by a user on a first terminal, controlling the second terminal to open the target mails after acquiring target mail information which the user expects to open, and carrying out security risk detection on mail content in the target mails, and setting security risk warning information of the target mails in the first terminal when judging that the mail content contains the security risk information.
Application CN202111072481.3A (granted as CN114006721B), priority date 2021-09-14, filing date 2021-09-14, "E-mail risk detection method and system", status: Active.

Publications (2)

Publication Number Publication Date
CN114006721A CN114006721A (en) 2022-02-01
CN114006721B true CN114006721B (en) 2023-05-19

Family

ID=79921328

Country Status (1)

Country Link
CN (1) CN114006721B (en)

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109474510A (en) * 2017-12-25 2019-03-15 北京安天网络安全技术有限公司 A kind of E mail safety intersects auditing method, system and storage medium

Family Cites Families (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CA2428648A1 (en) * 2003-01-12 2004-07-12 Yaron Mayer System and method for secure communications
US8443447B1 (en) * 2009-08-06 2013-05-14 Trend Micro Incorporated Apparatus and method for detecting malware-infected electronic mail
CN103929411B (en) * 2013-01-16 2017-05-24 深圳市腾讯计算机系统有限公司 Information displaying method, terminal, safety server and system
CN108337153B (en) * 2018-01-19 2020-10-23 论客科技(广州)有限公司 Method, system and device for monitoring mails
CN110519150B (en) * 2018-05-22 2022-09-30 深信服科技股份有限公司 Mail detection method, device, equipment, system and computer readable storage medium
CN109040103B (en) * 2018-08-27 2021-09-17 深信服科技股份有限公司 Mail account number defect detection method, device, equipment and readable storage medium
CN109672607A (en) * 2018-12-20 2019-04-23 东软集团股份有限公司 A kind of email processing method, device and storage equipment, program product
CN112995143B (en) * 2021-02-04 2022-06-03 海尔数字科技(青岛)有限公司 Safety reporting method, device, equipment and medium based on mail system

Also Published As

Publication number Publication date
CN114006721A (en) 2022-02-01

Similar Documents

Publication Publication Date Title
US9846776B1 (en) System and method for detecting file altering behaviors pertaining to a malicious attack
US9317701B2 (en) Security methods and systems
US9712565B2 (en) System and method to provide server control for access to mobile client data
US9832225B2 (en) Identity theft countermeasures
US8141159B2 (en) Method and system for protecting confidential information
US8042178B1 (en) Alert message control of security mechanisms in data processing systems
CN117171743A (en) Real-time detection and protection of steganography in kernel mode
Jang et al. Gyrus: A Framework for User-Intent Monitoring of Text-based Networked Applications.
Petracca et al. AWare: Preventing Abuse of Privacy-Sensitive Sensors via Operation Bindings
US20110225652A1 (en) Identity theft countermeasures
US11929992B2 (en) Encrypted cache protection
US11539742B2 (en) Application security through multi-factor fingerprinting
US20150172310A1 (en) Method and system to identify key logging activities
CN114006721B (en) E-mail risk detection method and system
US20220376919A1 (en) Blockchain-enabled secure messaging system, device, and method using blockchain validation and biometric authentication
WO2022208045A1 (en) Encrypted cache protection
CN113965349B (en) Network safety protection system and method with safety detection function
KR101825699B1 (en) Method for improving security in program using CNG(cryptography API next generation) and apparatus for using the same
Parikh et al. Multimodal data security framework using steganography approaches
CN116204880A (en) Computer virus defense system
US20180285581A1 (en) System and Method for Protecting Information from Unauthorized Access
CN115426192A (en) Network security defense method and device, self-service terminal equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant