CN116663001A - Security analysis method and device for mail, electronic equipment and medium


Publication number: CN116663001A
Authority: CN (China)
Prior art keywords: data, mail, primary, search, analyzed
Legal status: Pending
Application number: CN202310648613.5A
Other languages: Chinese (zh)
Inventors: 蔡晶晶, 陈俊, 洪荣灿, 骆国华, 施艳萍, 张剑奇, 李宇涵, 郑祖荣, 陈鸿, 危文涛
Current Assignee: Beijing Yongxin Zhicheng Technology Co Ltd
Original Assignee: Beijing Yongxin Zhicheng Technology Co Ltd


Classifications

    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02: TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D: CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D10/00: Energy efficient computing, e.g. low power processors, power management or thermal management

Abstract

The application relates to a method, a device, electronic equipment and a medium for security analysis of mail. The method comprises: acquiring mail data and parsing the mail data to obtain five-tuple data; performing primary retrieval on the five-tuple data to obtain a primary retrieval result, which is used to determine whether the primary retrieval content is safe; and performing in-depth secondary retrieval on the five-tuple data found safe in the primary retrieval result to obtain a secondary retrieval result, which is used to determine whether the secondary retrieval content is safe. With this method, mail can be detected and analyzed in layers, and mail containing sensitive information can be filtered out.

Description

Security analysis method and device for mail, electronic equipment and medium
Technical Field
The application belongs to the technical field of mail management, and particularly relates to a method, a device, electronic equipment and a medium for security analysis of mail.
Background
Email is a means of exchanging information electronically and is the most widely used service on the Internet. Through a networked email system, a user can contact network users anywhere in the world at very low cost (wherever the mail is sent, only the network fee is paid) and very quickly (mail can reach any designated destination in the world within a few seconds).
Email may take many forms, such as text and images. Users can also receive a large amount of free news and topical mail, and can search for information easily. Email greatly facilitates communication and exchange among people and promotes the development of society.
Because mail is so popular and versatile, there is a growing need to authenticate and analyze it. The prior art filters spam and files containing sensitive information by analyzing information such as the subject, sender and recipient of the mail.
The prior art has at least the following problems:
1. The prior art lacks analysis of body text data and attachment data, so the analysis result is incomplete.
2. The prior art lacks security analysis of mail and cannot prevent files with potential threats from damaging the user terminal.
Disclosure of Invention
The application aims to solve at least one of the above technical problems by providing a method, a device, equipment and a medium for security analysis of mail.
The technical scheme for solving the above technical problems is as follows: a security analysis method for mail, the method comprising:
acquiring mail data and parsing the mail data to obtain five-tuple data, and dividing the five-tuple data into primary retrieval content and secondary retrieval content;
performing primary retrieval on the primary retrieval content to obtain a primary retrieval result, wherein the primary retrieval result is used to determine whether the primary retrieval content is safe;
and acquiring the secondary retrieval content of mail found safe in the primary retrieval result, and performing secondary retrieval to obtain a secondary retrieval result, wherein the secondary retrieval result is used to determine whether the secondary retrieval content is safe.
The beneficial effects of the application are as follows: after the five-tuple data of the mail is parsed, primary retrieval is performed on it to determine whether the mail is safe. If the mail is not safe, it is filtered out; if it is judged safe, in-depth secondary retrieval is performed on its five-tuple data so that the data is searched more comprehensively, and the secondary retrieval again determines whether the mail is safe, filtering it out if it is not. The two retrievals together achieve a complete search of the mail data and ensure mail security.
On the basis of the technical scheme, the application can be improved as follows.
Further, the five-tuple data includes a subject, a body, a sender, a recipient and an attachment, and the primary retrieval process is as follows: after the primary retrieval content is obtained, sensitive keyword retrieval is performed on the body, sentiment analysis retrieval is performed on the subject, the recipient and the sender are then retrieved, and finally the primary retrieval result is obtained.
The beneficial effects of adopting the further scheme are as follows: performing sensitive keyword retrieval on the body reveals whether sensitive keyword information is present in the body, from which the safety of the body is judged.
Further, the sensitive keyword retrieval on the body is performed as follows:
constructing a keyword database containing sensitive keywords;
obtaining the text data of the body and, based on a natural language processing (NLP) analyzer, decomposing the text data by a natural language processing method to obtain the text data to be analyzed, wherein the natural language processing method comprises: dependency parsing, word embedding, named entity recognition, part-of-speech tagging and semantic disambiguation;
and matching the text data to be analyzed against the keyword database and determining whether sensitive keywords are present in it, to obtain a primary matching result, wherein the primary matching result is used to determine whether sensitive keywords are present in the body.
The beneficial effects of adopting the further scheme are as follows: performing word segmentation on the text data of the body by a natural language processing method makes the word segmentation more accurate.
Further, the text content of the subject is parsed by the natural language processing method to obtain subject data to be analyzed, and sentiment analysis is performed on the subject data to be analyzed using a sentiment analysis model to obtain the corresponding sentiment analysis result, which indicates whether the subject is a positive description or a negative description.
The beneficial effects of adopting the further scheme are as follows: the sentiment analysis model yields a more accurate description of the sentiment of the subject.
Further, the secondary retrieval content is the attachment, and the secondary retrieval process is as follows: obtaining the attachment, performing safe-operation detection on the attachment, obtaining the image and text data of the attachment on the premise that the attachment can run safely, and performing recognition and analysis on the image and text data to obtain a safety index for the analyzed image and text data.
The beneficial effects of adopting the further scheme are as follows: on the premise that the primary retrieval has found the body content safe, the attachment data of the mail is retrieved in a second pass, and this hierarchical retrieval makes retrieval more efficient.
Further, the safe-operation detection process comprises the following steps:
acquiring the executable code present in the attachment;
emulating execution of the executable code in a sandbox system, and using the Hook API module in the sandbox system to detect whether a call to a system application programming interface (API) function occurs during the emulated execution;
if a call to a system API function occurs, determining that the attachment is a potential threat file and issuing alarm information.
The beneficial effects of adopting the further scheme are as follows: sandbox technology detects in advance whether a potential threat file is present in the attachment, which prevents the server from being damaged by potential threat files.
Further, the specific process of secondary retrieval on the attachment is as follows:
constructing a keyword database containing sensitive keywords;
recognizing the picture files in the attachment with the OCR module to obtain picture text data, and combining the picture text data with the text data in the attachment to form the attachment data to be analyzed;
based on the NLP analyzer, decomposing the attachment data to be analyzed by the natural language processing method, and matching the decomposed data against the keyword database to obtain a secondary matching result, wherein the secondary matching result is used to determine whether sensitive keywords are present in the decomposed data.
The beneficial effects of adopting the further scheme are as follows: the OCR module recognizes the content of pictures, so that both pictures and text are checked and the detection data is more comprehensive.
In a second aspect, to solve the above technical problem, the present application further provides a security analysis device for mail, including:
an analysis module: acquiring mail data and parsing the mail data to obtain five-tuple data, and dividing the five-tuple data into primary retrieval content and secondary retrieval content;
a primary retrieval module: performing primary retrieval on the primary retrieval content to obtain a primary retrieval result, wherein the primary retrieval result is used to determine whether the primary retrieval content is safe;
and a secondary retrieval module: acquiring the secondary retrieval content of mail found safe in the primary retrieval result, and performing secondary retrieval to obtain a secondary retrieval result, wherein the secondary retrieval result is used to determine whether the secondary retrieval content is safe.
In a third aspect, the present application further provides an electronic device, which includes a memory, a processor, and a computer program stored on the memory and capable of running on the processor, wherein the processor implements the mail security analysis method of the present application when executing the computer program.
In a fourth aspect, the present application further provides a computer-readable storage medium on which a computer program is stored, wherein the computer program, when executed by a processor, implements the mail security analysis method of the present application.
Additional aspects and advantages of the application will be set forth in part in the description which follows, and in part will be obvious from the description, or may be learned by practice of the application.
Drawings
Fig. 1 is a schematic flow chart of a method for security analysis of mail according to an embodiment of the present application;
Fig. 2 is a schematic structural diagram of a security analysis device for mail according to an embodiment of the present application;
Fig. 3 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
The principles and features of the present application are described below with examples given for the purpose of illustration only and are not intended to limit the scope of the application.
The following describes the technical scheme of the present application and how the technical scheme of the present application solves the above technical problems in detail with specific embodiments. The following embodiments may be combined with each other, and the same or similar concepts or processes may not be described in detail in some embodiments. Embodiments of the present application will be described below with reference to the accompanying drawings.
The scheme provided by the embodiment of the application can be applied to any application scenario requiring data storage. It can be executed by any electronic equipment, for example a user's terminal device, including at least one of the following: smartphone, tablet computer, notebook computer, desktop computer, smart speaker, smart watch, smart television, smart in-vehicle device.
The embodiment of the application provides a possible implementation. Fig. 1 shows a flow diagram of a method for security analysis of mail; the method can be executed by any electronic device, for example a terminal device, or by a terminal device and a server together. For convenience of description, the method provided by the embodiment is described below with a server as the executing body, and, as shown in the flowchart in Fig. 1, it may include the following steps:
acquiring mail data and parsing the mail data to obtain five-tuple data, and dividing the five-tuple data into primary retrieval content and secondary retrieval content;
performing primary retrieval on the primary retrieval content to obtain a primary retrieval result, wherein the primary retrieval result is used to determine whether the primary retrieval content is safe;
and acquiring the secondary retrieval content of mail found safe in the primary retrieval result, and performing secondary retrieval to obtain a secondary retrieval result, wherein the secondary retrieval result is used to determine whether the secondary retrieval content is safe.
With this method, after the five-tuple data of the mail is parsed, primary retrieval is performed on it to determine whether the mail is safe. If the mail is not safe, it is filtered out; if it is judged safe, in-depth secondary retrieval is performed on its five-tuple data so that the data is searched more comprehensively, and the secondary retrieval again determines whether the mail is safe, filtering it out if it is not. The two retrievals together achieve a complete search of the mail data and ensure mail security.
The scheme of the application is further described below with a specific example, in which the mail security analysis method includes the following steps:
acquiring mail data and parsing the mail data to obtain five-tuple data, wherein the five-tuple data includes: subject, body, sender, recipient and attachment;
performing primary retrieval on the five-tuple data to obtain a primary retrieval result, wherein the primary retrieval content comprises the subject, body, sender and recipient, and the safety of the mail is judged by retrieving the primary retrieval content;
and performing in-depth secondary retrieval on the five-tuple data found safe in the primary retrieval result to obtain a secondary retrieval result, wherein the secondary retrieval content is the attachment, and the secondary retrieval determines whether the attachment in the mail is safe.
Optionally, the obtained mail of different types is normalized into a unified format: first, a compressed package file containing a large number of mails is obtained; the mail formats, such as msg, pst and eml, are identified; and normalization is performed to convert mail in other formats into eml format.
Optionally, sensitive keyword retrieval is performed on the text data of the body, with the following steps:
constructing a keyword database containing sensitive keywords;
obtaining the text data of the body and, based on a natural language processing (NLP) analyzer, decomposing the text data by a natural language processing method to obtain the text data to be analyzed, wherein the natural language processing method comprises: dependency parsing, word embedding, named entity recognition, part-of-speech tagging and semantic disambiguation;
and matching the text data to be analyzed against the keyword database and determining whether sensitive keywords are present in it, to obtain a primary matching result, wherein the primary matching result is used to determine whether sensitive keywords are present in the body.
Optionally, the text content of the subject is parsed by a natural language processing method to obtain subject data to be analyzed, and sentiment analysis is performed on the subject data to be analyzed using a sentiment analysis model to obtain the corresponding sentiment analysis result, which indicates whether the subject is a positive description or a negative description.
Optionally, the sender and the recipient specified in the five-tuple data are matched using regular expressions.
The primary retrieval result obtained includes: an evaluation report of the primary matching result, an evaluation report of the sentiment analysis result, and the recipient and sender information.
Optionally, when the evaluation report of the primary matching result is unsafe or the evaluation report of the sentiment analysis result is negative, the corresponding mail is designated as dangerous mail; otherwise, secondary retrieval is performed on the attachment of the mail to obtain a secondary retrieval result. Before the secondary retrieval, safe-operation detection is performed on the attachment.
The safe-operation detection process comprises the following steps: acquiring the executable code present in the attachment; emulating execution of the executable code in a sandbox system, and using the Hook API module in the sandbox system to detect whether a call to a system application programming interface (API) function occurs during the emulated execution; if a call to a system API function occurs, determining that the attachment is a potential threat file, issuing alarm information, and designating the mail as dangerous mail.
Optionally, when the attachment can run safely, secondary retrieval is performed on the attachment, and the process is as follows:
constructing a keyword database containing sensitive keywords;
recognizing the picture files in the attachment with the OCR module to obtain picture text data, and combining the picture text data with the text data in the attachment to form the attachment data to be analyzed;
based on the NLP analyzer, decomposing the attachment data to be analyzed by a natural language processing method, and matching the decomposed data against the keyword database to obtain a secondary matching result, wherein the secondary matching result is used to determine whether sensitive keywords are present in the decomposed data.
After the secondary matching result is obtained, if sensitive keywords are present in the secondary matching result, the mail is designated as dangerous mail; if not, the mail is designated as safe mail. The sensitive word database used for the primary retrieval and the secondary retrieval is the same database.
Optionally, after the text data of the body and the attachment is obtained, this data is preprocessed to obtain preprocessed text data, where the preprocessing includes at least one of data cleaning, data format unification and data completion.
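The layered flow described above, sketched in Python as an added example (not code from the patent or its applicant): an eml message is parsed into the five-tuple, the primary stage decides on body keywords and subject sentiment, and attachments are examined only if that stage passes. The keyword set, the negative-word list standing in for the sentiment model, the token regex standing in for the NLP analyzer, and the extra "unscanned" verdict are assumptions of this example; the sandbox and OCR steps are not modelled, so only text attachments are matched.

```python
import re
from dataclasses import dataclass
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed values for illustration; the patent lists none of them.
SENSITIVE_KEYWORDS = {"confidential", "payroll", "passport"}
NEGATIVE_SUBJECT_WORDS = {"overdue", "penalty", "suspended"}  # stand-in for a sentiment model
TOKEN_RE = re.compile(r"[a-z0-9]+")  # stand-in for the NLP analyzer's segmentation
ADDRESS_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


@dataclass
class FiveTuple:
    subject: str
    body: str
    sender: list
    recipients: list
    attachments: list  # (filename, content type, decoded payload bytes)


def parse_five_tuple(raw: bytes) -> FiveTuple:
    """Split one eml-format message into the five fields the method works on."""
    msg = message_from_bytes(raw, policy=policy.default)

    def addresses(*headers):
        values = [str(v) for h in headers for v in msg.get_all(h, [])]
        return [addr for _, addr in getaddresses(values)]

    body_part = msg.get_body(preferencelist=("plain",))
    attachments = [(p.get_filename() or "(unnamed)", p.get_content_type(),
                    p.get_payload(decode=True) or b"")
                   for p in msg.iter_attachments()]
    return FiveTuple(subject=str(msg.get("Subject", "")),
                     body=body_part.get_content() if body_part else "",
                     sender=addresses("From"),
                     recipients=addresses("To", "Cc"),
                     attachments=attachments)


def tokens(text: str) -> set:
    return set(TOKEN_RE.findall(text.lower()))


def primary_retrieval(ft: FiveTuple) -> dict:
    """Body keyword match, subject sentiment, regex match of sender and recipients."""
    return {
        "keywords": sorted(tokens(ft.body) & SENSITIVE_KEYWORDS),
        "subject_negative": bool(tokens(ft.subject) & NEGATIVE_SUBJECT_WORDS),
        "parties": [a for a in ft.sender + ft.recipients if ADDRESS_RE.fullmatch(a)],
    }


def secondary_retrieval(ft: FiveTuple) -> dict:
    """Keyword match over text attachments only (sandbox and OCR are not modelled)."""
    hits, unscanned = {}, []
    for name, ctype, payload in ft.attachments:
        if not ctype.startswith("text/"):
            unscanned.append(name)  # would need the sandbox / OCR steps first
            continue
        found = sorted(tokens(payload.decode("utf-8", "replace")) & SENSITIVE_KEYWORDS)
        if found:
            hits[name] = found
    return {"keywords": hits, "unscanned": unscanned}


def analyze(raw: bytes) -> dict:
    """Layered decision: attachments are only examined if the primary stage passes."""
    ft = parse_five_tuple(raw)
    first = primary_retrieval(ft)
    if first["keywords"] or first["subject_negative"]:
        return {"verdict": "dangerous", "stage": "primary", "detail": first}
    second = secondary_retrieval(ft)
    if second["keywords"]:
        verdict = "dangerous"
    elif second["unscanned"]:
        verdict = "unscanned"  # assumption of this example: unseen content is never "safe"
    else:
        verdict = "safe"
    return {"verdict": verdict, "stage": "secondary", "detail": second}


def build_sample(subject: str, body: str, attachment=None) -> bytes:
    """Construct a sample message; attachment is (filename, str or bytes)."""
    m = EmailMessage()
    m["From"] = "Alice <alice@example.com>"
    m["To"] = "bob@example.org"
    m["Subject"] = subject
    m.set_content(body)
    if attachment:
        name, data = attachment
        if isinstance(data, bytes):
            m.add_attachment(data, maintype="application",
                             subtype="octet-stream", filename=name)
        else:
            m.add_attachment(data, filename=name)
    return m.as_bytes()


if __name__ == "__main__":
    clean = build_sample("Team lunch", "Lunch at noon on Friday?", ("menu.txt", "Soup and salad"))
    leak = build_sample("Team lunch", "See attached.", ("notes.txt", "Passport scan, confidential"))
    for raw in (clean, leak):
        result = analyze(raw)
        print(result["verdict"], result["stage"], result["detail"])
```

Because the primary stage returns early, a message flagged on its body or subject never has its attachments opened, which is the efficiency argument the description makes for hierarchical retrieval.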
Based on the same principle as the method shown in Fig. 1, the embodiment of the application also provides a security analysis device for mail. As shown in Fig. 2, the device may include an analysis module, a primary retrieval module and a secondary retrieval module, where:
an analysis module: acquiring mail data and parsing the mail data to obtain five-tuple data, and dividing the five-tuple data into primary retrieval content and secondary retrieval content;
a primary retrieval module: performing primary retrieval on the primary retrieval content to obtain a primary retrieval result, wherein the primary retrieval result is used to determine whether the primary retrieval content is safe;
and a secondary retrieval module: acquiring the secondary retrieval content of mail found safe in the primary retrieval result, and performing secondary retrieval to obtain a secondary retrieval result, wherein the secondary retrieval result is used to determine whether the secondary retrieval content is safe.
Optionally, the five-tuple data includes a subject, a body, a sender, a recipient and an attachment, and the primary retrieval process is as follows: after the primary retrieval content is obtained, sensitive keyword retrieval is performed on the body, sentiment analysis retrieval is performed on the subject, the recipient and the sender are then retrieved, and finally the primary retrieval result is obtained.
Optionally, the sensitive keyword retrieval on the body is performed as follows:
constructing a keyword database containing sensitive keywords;
obtaining the text data of the body and, based on a natural language processing (NLP) analyzer, decomposing the text data by a natural language processing method to obtain the text data to be analyzed, wherein the natural language processing method comprises: dependency parsing, word embedding, named entity recognition, part-of-speech tagging and semantic disambiguation;
and matching the text data to be analyzed against the keyword database and determining whether sensitive keywords are present in it, to obtain a primary matching result, wherein the primary matching result is used to determine whether sensitive keywords are present in the body.
Optionally, the sentiment analysis retrieval on the subject is specifically: parsing the text content of the subject by a natural language processing method to obtain subject data to be analyzed, and performing sentiment analysis on the subject data to be analyzed using a sentiment analysis model to obtain the corresponding sentiment analysis result, which indicates whether the subject is a positive description or a negative description.
Optionally, the secondary retrieval content is the attachment, and the secondary retrieval process is as follows: obtaining the attachment, performing safe-operation detection on the attachment, obtaining the image and text data of the attachment on the premise that the attachment can run safely, and performing recognition and analysis on the image and text data to obtain a safety index for the analyzed image and text data.
Optionally, the safe-operation detection process is as follows:
acquiring the executable code present in the attachment;
emulating execution of the executable code in a sandbox system, and using the Hook API module in the sandbox system to detect whether a call to a system application programming interface (API) function occurs during the emulated execution;
if a call to a system API function occurs, determining that the attachment is a potential threat file and issuing alarm information.
Optionally, the specific process of secondary retrieval on the attachment is as follows:
constructing a keyword database containing sensitive keywords;
recognizing the picture files in the attachment with the OCR module to obtain picture text data, and combining the picture text data with the text data in the attachment to form the attachment data to be analyzed;
based on the NLP analyzer, decomposing the attachment data to be analyzed by a natural language processing method, and matching the decomposed data against the keyword database to obtain a secondary matching result, wherein the secondary matching result is used to determine whether sensitive keywords are present in the decomposed data.
The mail security analysis device of the embodiments of the present application can execute the mail security analysis method of the embodiments, and its implementation principle is similar. The actions executed by each module and unit of the device correspond to the steps of the method in the respective embodiments; for a detailed functional description of each module, refer to the description of the corresponding method above, which is not repeated here.
The mail security analysis device may be a computer program (including program code) running in a computer device; for example, the mail security analysis device is application software. The device can be used to execute the corresponding steps of the method provided by the embodiment of the application.
In some embodiments, the mail security analysis device provided by the embodiments of the present application may be implemented by a combination of software and hardware. By way of example, it may be a processor in the form of a hardware decoding processor programmed to perform the mail security analysis method provided by the embodiments of the present application; for example, the processor in the form of a hardware decoding processor may employ one or more application-specific integrated circuits (ASIC, Application Specific Integrated Circuit), DSPs, programmable logic devices (PLD, Programmable Logic Device), complex programmable logic devices (CPLD, Complex Programmable Logic Device), field-programmable gate arrays (FPGA, Field-Programmable Gate Array), or other electronic components.
In other embodiments, the mail security analysis device provided in the embodiments of the present application may be implemented in software. Fig. 2 shows the mail security analysis device stored in the memory, which may be software in the form of a program, a plug-in or the like, and which includes a series of modules, namely an analysis module, a primary retrieval module and a secondary retrieval module, for implementing the method provided in the embodiments of the present application.
The modules involved in the embodiments of the present application may be implemented in software or in hardware. The name of a module does not in some cases define the module itself.
Based on the same principles as the methods shown in the embodiments of the present application, there is also provided in the embodiments of the present application an electronic device, which may include, but is not limited to: a processor and a memory; a memory for storing a computer program; a processor for executing the method according to any of the embodiments of the application by invoking a computer program.
In an alternative embodiment, an electronic device is provided. As shown in Fig. 3, the electronic device includes a processor and a memory, where the processor is coupled to the memory, for example via a bus. Optionally, the electronic device may further comprise a transceiver, which may be used for data interaction between the electronic device and other electronic devices, such as sending and/or receiving data. It should be noted that, in practical applications, the transceiver is not limited to one, and the structure of the electronic device does not limit the embodiments of the present application.
The processor may be a CPU (Central Processing Unit), general-purpose processor, DSP (Digital Signal Processor), ASIC (Application Specific Integrated Circuit), FPGA (Field Programmable Gate Array) or other programmable logic device, transistor logic device, hardware component, or any combination thereof. It may implement or perform the various exemplary logic blocks, modules and circuits described in connection with this disclosure. The processor 4001 may also be a combination that implements computing functionality, e.g., a combination of one or more microprocessors, a combination of a DSP and a microprocessor, etc.
A bus may include a path that communicates information between the components. The bus may be a PCI (Peripheral Component Interconnect) bus, an EISA (Extended Industry Standard Architecture) bus, or the like. Buses may be divided into address buses, data buses, control buses, etc. For ease of illustration, only one thick line is shown in Fig. 3, but this does not mean that there is only one bus or one type of bus.
The memory may be, but is not limited to, ROM (Read Only Memory) or another type of static storage device that can store static information and instructions, RAM (Random Access Memory) or another type of dynamic storage device that can store information and instructions, EEPROM (Electrically Erasable Programmable Read Only Memory), CD-ROM (Compact Disc Read Only Memory) or other optical disk storage, optical disc storage (including compact discs, laser discs, optical discs, digital versatile discs, Blu-ray discs, etc.), magnetic disk storage media or other magnetic storage devices, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer.
The memory is used for storing application program codes (computer programs) for executing the scheme of the application, and the execution is controlled by the processor. The processor is configured to execute the application code stored in the memory to implement what is shown in the foregoing method embodiments.
The electronic device shown in fig. 3 is only an example, and should not impose any limitation on the functions and application scope of the embodiment of the present application.
Embodiments of the present application provide a computer-readable storage medium having a computer program stored thereon, which when run on a computer, causes the computer to perform the corresponding method embodiments described above.
According to another aspect of the present application, there is also provided a computer program product or computer program comprising computer instructions stored in a computer readable storage medium. The processor of the computer device reads the computer instructions from the computer-readable storage medium, and the processor executes the computer instructions, so that the computer device performs the methods provided in the implementation of the various embodiments described above.
Computer program code for carrying out operations of the present application may be written in any combination of one or more programming languages, including object-oriented programming languages such as Java, Smalltalk and C++, and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computer (for example, through the Internet using an Internet service provider).
It should be appreciated that the flow charts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The computer readable storage medium according to embodiments of the present application may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples of the computer-readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this document, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
The computer-readable storage medium carries one or more programs which, when executed by the electronic device, cause the electronic device to perform the methods shown in the above-described embodiments.
The above description is only illustrative of the preferred embodiments of the present application and of the principles of the technology employed. It will be appreciated by persons skilled in the art that the scope of the disclosure referred to in the present application is not limited to the specific combinations of technical features described above, but also covers other technical solutions formed by any combination of the technical features described above or their equivalents without departing from the spirit of the disclosure, for example, technical solutions formed by replacing the above-mentioned features with technical features having similar functions disclosed in (but not limited to) the present application.

Claims (10)

1. A security analysis method for mail, comprising:
acquiring mail data and analyzing the mail data to obtain five-tuple data, and dividing the five-tuple data into primary search content and secondary search content;
performing a primary search on the primary search content to obtain a primary search result, wherein the primary search result is used for analyzing whether the primary search content is safe;
and acquiring the secondary search content of mail found to be safe in the primary search result, and performing a secondary search to obtain a secondary search result, wherein the secondary search result is used for judging whether the secondary search content is safe.
2. The method for securely analyzing mail according to claim 1, wherein said five-tuple data comprises: the primary search content comprises a subject, a text, a sender, a recipient and an attachment, wherein the primary search process comprises the following steps: after the primary search content is obtained, a sensitive keyword information search is carried out on the text, an emotion analysis search is carried out on the subject, then a search is carried out on the recipient and the sender, and finally a primary search result is obtained.
3. The method for securely analyzing mail according to claim 2, wherein the sensitive keyword information retrieval of the text is:
constructing a keyword database containing sensitive keywords;
obtaining text data of the text, and decomposing the text data through a natural language processing method based on an NLP (natural language processing) analyzer to obtain text data to be analyzed, wherein the natural language processing method comprises: dependency grammar parsing, word embedding, named entity recognition, part-of-speech tagging and semantic disambiguation;
and matching the text data to be analyzed with the keyword database, and judging whether sensitive keywords exist in the text data to be analyzed to obtain a primary matching result, wherein the primary matching result is used for judging whether sensitive keywords exist in the text.
4. The method for securely analyzing mail according to claim 2, wherein the emotion analysis search for the subject is specifically: analyzing the text content of the subject by a natural language processing method to obtain subject data to be analyzed, and carrying out emotion analysis on the subject data to be analyzed by adopting an emotion analysis model to obtain an emotion analysis result corresponding to the subject data to be analyzed, wherein the emotion analysis result is used for representing whether the subject is described positively or negatively.
5. The method for securely analyzing mail according to claim 1, wherein the secondary search content is an attachment, and the secondary search process is as follows: obtaining the attachment, carrying out safe operation detection on the attachment, obtaining image-text data of the attachment on the premise that the attachment supports safe operation, carrying out identification analysis on the image-text data, and obtaining a safety index of the analyzed image-text data.
6. The method for securely analyzing mail according to claim 5, wherein the security operation detection process is:
acquiring executable code existing in the attachment;
simulating and executing the executable code by adopting a sandbox system, and detecting whether a call to a system Application Programming Interface (API) function exists in the process of simulating and executing the executable code by utilizing a Hook API module in the sandbox system;
if there is a call to the system application programming interface API function, determining that the attachment is a potential threat file and issuing alarm information.
7. The method for securely analyzing mail according to claim 5, wherein the specific process of performing the secondary search for the attachment is:
constructing a keyword database containing sensitive keywords;
identifying the picture file in the attachment through the OCR module to obtain picture text data, and combining the picture file data with text data in the attachment to form attachment data to be analyzed;
based on an NLP analyzer, decomposing the attachment data to be analyzed through a natural language processing method, and matching the decomposed data to be analyzed with the keyword database to obtain a secondary matching result, wherein the secondary matching result is used for judging whether sensitive keywords exist in the decomposed data to be analyzed.
8. A security analysis device for mail, comprising:
an analysis module: acquiring mail data and analyzing the mail data to obtain five-tuple data, and dividing the five-tuple data into primary search content and secondary search content;
a primary search module: performing a primary search on the primary search content to obtain a primary search result, wherein the primary search result is used for analyzing whether the primary search content is safe;
and a secondary search module: acquiring the secondary search content of mail found to be safe in the primary search result, and performing a secondary search to obtain a secondary search result, wherein the secondary search result is used for judging whether the secondary search content is safe.
9. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, the processor implementing the method of any one of claims 1-7 when the computer program is executed.
10. A computer readable storage medium, characterized in that the computer readable storage medium has stored thereon a computer program which, when executed by a processor, implements the method of any of claims 1-7.
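The two-stage gating described in claims 1, 3 and 7, as an added Python sketch that is not code from the patent or its applicant: mail is split into primary content and attachments, and attachments are searched only when the primary search passes. The keyword set, the `blocked_senders` check, the sample message and all function names are assumptions; plain substring matching stands in for the NLP analyzer, and the emotion analysis, sandbox and OCR steps are omitted.

```python
import email
from email import policy
from email.message import EmailMessage

# Constructed keyword database; the claims do not list actual keywords.
SENSITIVE_KEYWORDS = {"password", "wire transfer", "confidential"}

def build_sample_mail(body, attachment_text, sender="alice@example.com"):
    """Build a constructed message with one text attachment (test input)."""
    msg = EmailMessage()
    msg["Subject"] = "Quarterly report"
    msg["From"] = sender
    msg["To"] = "bob@example.com"
    msg.set_content(body)
    msg.add_attachment(attachment_text, filename="notes.txt")
    return msg.as_bytes()

def parse_five_tuple(raw):
    """Split raw mail into primary content and secondary content (attachments)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    primary = {
        "subject": str(msg["Subject"] or ""),
        "body": body.get_content() if body else "",
        "sender": str(msg["From"] or ""),
        "recipient": str(msg["To"] or ""),
    }
    attachments = [(p.get_filename(), p.get_content()) for p in msg.iter_attachments()]
    return primary, attachments

def find_keywords(text):
    """Case-insensitive substring match against the keyword database."""
    lowered = text.lower()
    return sorted(k for k in SENSITIVE_KEYWORDS if k in lowered)

def analyze_mail(raw, blocked_senders=frozenset()):
    """Primary search first; attachments are searched only if it passes."""
    primary, attachments = parse_five_tuple(raw)
    result = {
        "primary_hits": find_keywords(primary["body"]),
        "sender_blocked": primary["sender"].lower() in blocked_senders,
        "secondary_ran": False,
        "secondary_hits": {},
    }
    if result["primary_hits"] or result["sender_blocked"]:
        result["verdict"] = "unsafe_primary"
        return result
    result["secondary_ran"] = True
    for name, content in attachments:
        # Binary attachments would need the OCR/sandbox steps; skipped here.
        found = find_keywords(content) if isinstance(content, str) else []
        if found:
            result["secondary_hits"][name] = found
    result["verdict"] = "unsafe_secondary" if result["secondary_hits"] else "safe"
    return result
```

Because the secondary search runs only on mail that passed the primary search, a message rejected at the first stage never has its attachments opened, which is the ordering claim 1 specifies.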

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310648613.5A CN116663001A (en) 2023-06-02 2023-06-02 Security analysis method and device for mail, electronic equipment and medium

Publications (1)

Publication Number Publication Date
CN116663001A true CN116663001A (en) 2023-08-29

Family

ID=87716741

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310648613.5A Pending CN116663001A (en) 2023-06-02 2023-06-02 Security analysis method and device for mail, electronic equipment and medium

Country Status (1)

Country Link
CN (1) CN116663001A (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR101535503B1 (en) * 2014-02-25 2015-07-09 한국인터넷진흥원 Method for detecting malware infected terminal based on commercial e-mail
CN108959917A (en) * 2017-05-25 2018-12-07 腾讯科技(深圳)有限公司 A kind of method, apparatus, equipment and the readable storage medium storing program for executing of Email detection
CN109450929A (en) * 2018-12-13 2019-03-08 成都亚信网络安全产业技术研究院有限公司 A kind of safety detection method and device
WO2020060505A1 (en) * 2018-09-20 2020-03-26 Ucar Ozan Incident detecting and responding method on email services
CN111985896A (en) * 2020-08-19 2020-11-24 中国银行股份有限公司 Mail filtering method and device
CN113692597A (en) * 2019-04-18 2021-11-23 微软技术许可有限责任公司 E-mail content modification system
CN114298684A (en) * 2021-12-27 2022-04-08 北京安天网络安全技术有限公司 E-mail security detection method and device, electronic equipment and storage medium

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
牛淑珍: "《数据金融与数据商科》", 复旦大学出版社, pages: 242 - 243 *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 100094 103, building 6, yard 9, FengHao East Road, Haidian District, Beijing

Applicant after: Yongxin Zhicheng Technology Group Co.,Ltd.

Address before: 100094 103, building 6, yard 9, FengHao East Road, Haidian District, Beijing

Applicant before: BEIJING YONGXIN ZHICHENG TECHNOLOGY CO.,LTD.
