Internet-based information security protection system
Technical Field
The invention relates to the technical field of information security, and in particular to an Internet-based information security protection system.
Background
Information security means that the hardware, software and data of an information network system are protected from damage, alteration and leakage, whether accidental or malicious, so that the system keeps operating continuously, reliably and normally.
Electronic mail, a means of exchanging information electronically, is the most widely used service on the Internet. It is also the main channel through which criminals spread viruses in order to steal information and damage computers. Given the high frequency of information leakage incidents caused by mail-borne viruses that steal user information, the current situation has the following problems:
1. Users know too little about mail viruses and are easily induced by the mail content to open attachments or third-party links, so that the computer is infected and personal information leaks. When a criminal sends a virus-carrying mail under an account that appears in the user's address book, the user finds it hard to tell whether the sender is genuine.
2. When antivirus software misjudges a virus, the virus not only infects the user's computer but can use it as a springboard to infect neighbouring computers over the network, stealing more information and causing losses to people and machines that cannot be recovered.
Disclosure of Invention
The present invention aims to provide an Internet-based information security protection system that solves the problems set out in the background section.
The aim of the invention is achieved by the following technical scheme. The Internet-based information security protection system comprises a mail information acquisition module, a prompt module, a mail viewing module, an abnormal mail detection module, a content judgment module, a virus detection module and a trap module;
the mail information acquisition module is used for acquiring the sender name, the sender address and the sending time of a mail;
the abnormal mail detection module is used for acquiring the sender name and sending address of the mail, comparing the sender name with the contacts in the user's address book to check whether the sender is in the address book, and analysing the abnormality index of the mail to classify it as abnormal or normal; the abnormality index comprises an address-book mail abnormality index and a strange-mail abnormality index; abnormal mail is sent to the content judgment module and normal mail to the mail viewing module;
the content judgment module is used for judging whether an abnormal mail contains an attachment or a third-party link; when it does, the abnormal mail is sent to the virus detection module, otherwise it is sent to the trap module, where the mail itself is still previewed in the isolated virtual machine;
the virus detection module is used for detecting the attachments or third-party links of the abnormal mail and comprises a virus scanning unit and a virus feature library; the virus scanning unit scans the attachments and third-party links of the abnormal mail, extracts feature codes and matches them against the virus feature library, generating a virus signal when a match succeeds; the virus feature library stores the virus feature codes;
the trap module is used for analysing the virus characteristic index of a mail and comprises a network isolation unit and a virtual operation unit; the network isolation unit isolates the virtual machine's network, and the virtual operation unit opens the third-party links or attachments of the abnormal mail inside the virtual machine;
the prompt module is used for receiving the signals sent by the trap module and the virus detection module and issuing an early-warning prompt to the user;
the mail viewing module is used for viewing mails that have passed detection and normal mails.
Preferably, the abnormality index of a mail is analysed as follows:
S1: query the historical mails by the sender name of the current mail, and convert each historical mail and the current mail with a mail transcoding tool to obtain the original text (raw source) of each;
S2: acquire the basic information of the mail and the user's current address-book contacts, extract the names of all contacts and compare them with the sender name of the mail; if the sender name matches an address-book contact, mark the current mail as an address-book mail and go to step S3, otherwise mark it as a strange mail and go to step S4;
S3: analyse the communication addresses of the historical mails between the sender of the address-book mail and the user to obtain the address-book mail abnormality index, as follows:
S31: parse the mail header of each historical mail's original text to obtain its IP address, query the attribution (geographic region) of that IP, and mark it as GS_i, where i is the number of the historical mail, i = 1, 2, ..., n, n a positive integer;
S32: collect the IP attributions of the historical mails into an attribution list [GS_1, GS_2, ..., GS_n], sort the list by frequency of occurrence from high to low, and take the first three entries as the common communication addresses, marked CY_1, CY_2 and CY_3 respectively;
S33: parse the mail header of the address-book mail's original text to obtain its IP address and query its attribution, marked gs; compare gs with the sender's common communication addresses to generate an address identifier DZ: DZ = 1 when gs ∈ {CY_1, CY_2, CY_3}, and DZ = 3 when gs ∉ {CY_1, CY_2, CY_3};
S34: acquire the sending time of each historical mail, marked T_i, and analyse it together with the above to obtain the address-book mail abnormality index KY_1; compare KY_1 with a preset abnormality-index threshold; when KY_1 is smaller than the threshold, mark the address-book mail as normal and send it to the mail viewing module; when KY_1 is larger than the threshold, mark it as abnormal and send it to the content judgment module;
S4: analyse the sender server address and the IP address of the strange mail to obtain the strange-mail abnormality index, as follows:
S41: parse the mail header of the strange mail's original text (the strange mail header), obtain the sender server address and the IP address from it, resolve the IP address by reverse DNS and compare the result with the sender server address to generate an identity identifier SF: SF = 1 when the two are consistent and SF = 2 when they are not;
S42: compare the sending address in the strange mail header with the reply address to generate a send/reply address identifier sf: sf = 2 when the sending address is consistent with the reply address and sf = 4 when it is not;
S43: obtain the strange-mail abnormality index KY_2 by analysis and compare it with the preset abnormality-index threshold; when KY_2 is smaller than the threshold, mark the strange mail as normal and send it to the mail viewing module; when KY_2 is larger than the threshold, mark it as abnormal and send it to the content judgment module.
Preferably, whether an abnormal mail contains an attachment or a third-party link is determined as follows:
SS1: judge whether the abnormal mail contains an attachment, in the following way:
acquire the source code of the abnormal mail and query its Content-Type field; when the Content-Type field is "multipart/mixed", judge that the abnormal mail contains an attachment, and when it is of another type, that it does not;
SS2: judge whether the abnormal mail contains a third-party link, in the following way:
connect to the mail server, acquire the body text of the abnormal mail and analyse it as follows: match the body text with a regular expression; when the regular expression matches, judge that the abnormal mail contains a third-party link and send the link to the virus detection module; otherwise convert the body into web page code, query whether the tags of that code contain a link tag and whether a third-party link is embedded in the code; if they do, judge that the abnormal mail contains a third-party link and send it to the virus detection module, otherwise send the abnormal mail to the trap module.
Preferably, the detection of the attachment or third-party link of the abnormal mail comprises:
the virus scanning unit scans the mail containing the attachment or third-party link, extracts feature codes from the attachment and the third-party link, and matches them against the virus feature library; when the match succeeds, a virus exists in the mail, a virus signal is generated and sent to the prompt module; when the match fails, no known virus was found in the mail, and the mail is sent to the trap module for further analysis.
Preferably, the virus characteristic index of the mail is analysed as follows:
set up a virtual machine on the user machine, fetch the attachment or third-party link of the abnormal mail from the user machine into the virtual machine, and enable network isolation for the virtual machine network;
acquire the start-up memory NC of the virtual machine, the initial feature code MD_j of each file and the operating speed V, where j numbers the files before the virtual machine runs the attachment or third-party link, j = 1, 2, ..., k; then run the attachment or third-party link of the mail;
after the third-party link or attachment of the abnormal mail has been opened, let the virtual machine run for a preset time, record its running memory as NC', and obtain the final feature code LA_p of each file and the operating speed V', where p numbers the files after the virtual machine has run the attachment or third-party link, p = 1, 2, ...;
compare the original feature code and the final feature code of each file to generate a feature identifier TZ_j: TZ_j = 1 when the original and final feature codes of the file match, and TZ_j = 0 when they do not;
monitor the state of the virtual machine operating system to generate a system identifier XT: XT = 1 when the operating system shows an abnormal condition and XT = 0 when it does not;
calculate the virus characteristic index by analysis and compare it with a preset virus-characteristic-index threshold; when the index of the abnormal mail is smaller than the threshold, generate a safety signal, send it to the prompt module and switch off the virtual machine's network isolation; when the index is larger than the threshold, generate a virus signal, send it to the prompt module, and submit the attachment or third-party link of the mail to the virus scanning unit, which extracts the virus feature code and stores it in the virus feature library.
Preferably, the early-warning prompt is given to the user in the following way:
when a virus signal is received, early-warning information is sent to the user, warning that the current mail contains a virus and deleting the mail, so as to avoid the chain of losses that follows a virus infection; when a safety signal is received, a prompt is sent to the user that the current mail has passed detection and can be viewed, the mail is marked as a detection-passed mail and sent to the mail viewing module.
The beneficial effects of the invention are:
1. By distinguishing the identity of the sender, the invention analyses the abnormality index of a mail differently for different sender identities, preventing the user from being induced to click an attachment or third-party link that implants a virus on the user's computer, and thereby avoiding the information leakage and economic loss that virus implantation causes.
2. By analysing the virus characteristic index of a mail, the invention avoids infection of the user's computer when antivirus software misses a virus; by isolating the virtual machine's network it prevents the virus from reaching the user's computer over the network, further reducing the chance of the virus spreading and giving the user's information security a strong guarantee.
Drawings
The invention is further described below with reference to the accompanying drawings.
Fig. 1 is a system block diagram of the present invention.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
Referring to Fig. 1, the invention discloses an Internet-based information security protection system comprising a mail information acquisition module, a prompt module, a mail viewing module, an abnormal mail detection module, a content judgment module, a virus detection module and a trap module;
the mail information acquisition module acquires the basic information of a mail over the Internet, the basic information comprising the sender name, the sender's mail address and the sending time;
the abnormal mail detection module obtains the sender name and sending address, matches the sender name against the contacts in the user's address book to check whether the sender is in it, and analyses the abnormality index of the mail according to the result, as follows:
S1: query the historical mails by the sender name and convert each historical mail and the current mail with a mail transcoding tool to obtain the original text of each.
S2: acquire the basic information of the mail and the user's current address-book contacts, extract the names of all contacts and compare them with the sender name; if the sender name matches an address-book contact, mark the current mail as an address-book mail and go to step S3, otherwise mark it as a strange mail and go to step S4.
S3: the method comprises the following steps of analyzing communication addresses corresponding to each historical mail of a sender and a user of the address book mail to obtain an address book mail abnormality index, wherein the specific analysis process is as follows:
analyzing mail heads corresponding to the original texts of the historical mails to obtain IP addresses corresponding to the historical mails, inquiring attributions to obtain IP attributions corresponding to the historical mails, and marking the IP attributions as GS i I is the number of each history mail, i=1, 2,..n, n is a positive integer.
Summarizing IP attribution corresponding to each historical mail into an attribution list [ GS ] 1 ,GS 2 ,...,GS i ]Sorting the home location list from big to small according to the occurrence frequency of the home location, selecting the first three digits of the list as common communication addresses, and respectively marking as CY 1 、CY 2 、CY 3 。
Analyzing the mail header corresponding to the address book mail text to obtain the IP address of the address book mail, inquiring the attribution of the IP address of the address book mail to obtain the attribution of the IP address of the address book mail and marking the attribution as gs, and comparing the attribution of the IP address book mail with the corresponding address book mailThe communication addresses commonly used by the sender are compared to generate an address identifier DZ, and when gs e (CY 1 、CY 2 、CY 3 ) The address identifier is assigned 1 whenWhen the address identifier is assigned 3.
Acquiring the corresponding sending time of each historical mail and marking as T i By the formulaCalculating to obtain address book mail abnormality index KY 1 T' is a preset communication interval duration threshold, < >>The method comprises the steps of respectively obtaining a preset number of times of communication, a communication interval duration weight coefficient and an IP attribution weight coefficient, wherein e is a natural constant, m is a constant, comparing an abnormality index of the address book mail with a preset abnormality index threshold, marking the address book mail as a normal mail and sending the normal mail to a mail checking module when the abnormality index of the address book mail is smaller than the preset abnormality index threshold, and marking the address book mail as an abnormal mail and sending the abnormal mail to a content detecting module when the abnormality index of the address book mail is larger than the preset abnormality index threshold.
When the sender of the mail belongs to the address book of the user, the abnormal index of the mail is analyzed according to the number of times of mail passing, the IP attribution and the communication interval duration, so that the information leakage and economic loss of the user caused by the transmission of viruses by the contact person in the address book are avoided, and the information safety of the user is further ensured.
S4: analyzing the server address and the IP address of the sender of the strange mail to obtain the strange mail abnormality index, wherein the specific analysis process is as follows:
analyzing mail heads corresponding to the strange mail texts, marking the mail heads corresponding to the strange mail texts as strange mail heads, acquiring sender server addresses and IP addresses in the strange mail heads, reversely analyzing the IP addresses in the strange mail heads by using DNS, comparing the IP addresses with the sender server addresses, generating an identity identifier SF, when the IP addresses are consistent with the sender server addresses, assigning the identity identifier as 1, and when the IP addresses are inconsistent with the sender server addresses, assigning the identity identifier as 2.
Comparing the mail sending address in the strange mail header with the mail reply address to generate a receiving and transmitting address identifier sf, when the sending address of the strange mail is consistent with the strange mail reply address, assigning the receiving and transmitting address identifier as 2, and when the sending address of the strange mail is inconsistent with the strange mail reply address, assigning the receiving and transmitting address identifier as 4.
According to the formulaCalculating to obtain abnormal index KY of strange mail 2 ,/>And->Comparing the abnormal index of the strange mail with a preset abnormal index threshold, marking the strange mail as a normal mail and sending the normal mail to a mail checking module when the abnormal index of the strange mail is smaller than the preset abnormal index threshold, and marking the strange mail as an abnormal mail and sending the abnormal mail to a content detecting module when the abnormal index of the strange mail is larger than the preset abnormal index threshold.
Further, when the sender of the mail does not belong to the user address book, the mail header of the mail is analyzed to judge whether the mail is tampered and forged or not, and the abnormal index of the mail is analyzed, and based on the analysis, the normal mail with compliance is filtered, virus detection is carried out on the mail with the tampered and forged condition, so that the condition that the user is induced to click an accessory or a third party link to cause the virus to be implanted into a user machine is prevented, and the user information leakage and economic loss caused by virus implantation are effectively avoided.
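A worked version of steps S31 to S33 and S41 to S42, added here as an illustration and not part of the original disclosure. It uses only Python's standard email module; the IP-attribution table, the reverse-DNS table, the host names, addresses and messages are all constructed for the example. The combining formulas for KY_1 and KY_2 are not reproduced on this page, so the example stops at the identifiers DZ, SF and sf that feed them. Two caveats a practitioner would add: the disclosure matches the sender by display name, which any sender sets freely, so the code also returns the address for comparison; and the originating IP is read from the bottom-most Received header, which a sender can pre-forge, so in production only the hop written by the user's own mail exchanger should be trusted.

```python
import email
import re
from collections import Counter
from email import policy
from email.utils import parseaddr

# Constructed stand-ins for an IP-attribution (geolocation) service and for
# reverse DNS, so the example runs offline. IPs are from documentation ranges
# and the host names are invented.
IP_ATTRIBUTION = {
    "203.0.113.7": "Shenzhen",
    "203.0.113.9": "Shenzhen",
    "198.51.100.4": "Beijing",
    "192.0.2.77": "Hangzhou",
    "192.0.2.200": "Lagos",
}
REVERSE_DNS = {
    "203.0.113.7": "mail.example-corp.test",
    "203.0.113.9": "mail.example-corp.test",
    "192.0.2.200": "vps-200.cheaphost.test",
}

RECEIVED_HELO = re.compile(r"^from\s+([\w.-]+)", re.IGNORECASE)
RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse(raw):
    return email.message_from_string(raw, policy=policy.default)


def first_hop(msg):
    """Bottom-most Received header: the hop at which the sending server handed the
    mail over. Headers below the one written by the user's own MX can be forged."""
    hops = msg.get_all("Received") or []
    return hops[-1].strip() if hops else ""


def originating_ip(msg):
    m = RECEIVED_IP.search(first_hop(msg))
    return m.group(1) if m else None


def sender_server(msg):
    """Server name the sender announced in the 'from <name>' clause."""
    m = RECEIVED_HELO.search(first_hop(msg))
    return m.group(1) if m else None


def common_attributions(history, top=3):
    """S31/S32: attribution of every historical mail, ranked by frequency (CY_1..CY_3)."""
    counts = Counter(IP_ATTRIBUTION.get(originating_ip(m), "unknown") for m in history)
    return [place for place, _ in counts.most_common(top)]


def address_identifier(current, history):
    """S33: DZ = 1 if the current mail's attribution is a common one, else 3."""
    gs = IP_ATTRIBUTION.get(originating_ip(current), "unknown")
    return 1 if gs in common_attributions(history) else 3


def identity_identifier(msg):
    """S41: SF = 1 if reverse DNS of the source IP agrees with the announced server, else 2."""
    return 1 if REVERSE_DNS.get(originating_ip(msg)) == sender_server(msg) else 2


def reply_identifier(msg):
    """S42: sf = 2 if the From address equals the Reply-To address, else 4.
    Assumption: a missing Reply-To counts as consistent (replies go to From)."""
    sender = parseaddr(msg.get("From", ""))[1].lower()
    reply = parseaddr(msg.get("Reply-To", msg.get("From", "")))[1].lower()
    return 2 if sender == reply else 4


def sender_identity(msg, address_book):
    """S2 as the disclosure states it (display-name match). The address is returned
    as well because the display name is attacker-controlled."""
    name, addr = parseaddr(msg.get("From", ""))
    return ("address_book" if name in address_book else "strange"), addr


def history_mail(ip, i):
    return parse(
        f"Received: from mail.example-corp.test (mail.example-corp.test [{ip}]) by mx.user.test\n"
        f"From: Li Wei <li.wei@example-corp.test>\nTo: user@user.test\nSubject: report {i}\n\nbody\n"
    )


# Constructed history: five earlier mails from the contact, mostly from Shenzhen.
HISTORY = [history_mail(ip, i) for i, ip in enumerate(
    ["203.0.113.7", "203.0.113.9", "203.0.113.7", "198.51.100.4", "192.0.2.77"])]
LEGIT = history_mail("203.0.113.9", 6)
# Constructed spoof: same display name, sent from an unrelated host, foreign Reply-To.
SPOOF = parse(
    "Received: from mail.example-corp.test (unknown [192.0.2.200]) by mx.user.test\n"
    "From: Li Wei <li.wei@example-corp.test>\nReply-To: support@cheaphost.test\n"
    "To: user@user.test\nSubject: urgent invoice\n\nbody\n"
)

if __name__ == "__main__":
    print(common_attributions(HISTORY))                                   # ['Shenzhen', 'Beijing', 'Hangzhou']
    print(address_identifier(LEGIT, HISTORY), address_identifier(SPOOF, HISTORY))  # 1 3
    print(identity_identifier(SPOOF), reply_identifier(SPOOF))            # 2 4
```

The spoofed mail passes the disclosure's name check (its display name is in the address book) but scores DZ = 3, SF = 2 and sf = 4, which is exactly the signal the address-book and strange-mail indices are meant to pick up; the genuine mail scores 1, 1 and 2.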
The content judgment module analyses whether the abnormal mail contains an attachment or a third-party link, as follows:
acquire the source code of the abnormal mail and query its Content-Type field; when the Content-Type field is "multipart/mixed", judge that the abnormal mail contains an attachment;
connect to the mail server, acquire the body text of the abnormal mail and analyse it as follows: match the body with a regular expression; when it matches, judge that the abnormal mail contains a third-party link and send the link to the virus detection module; when it does not match, convert the body into web page code, query whether the page's tags contain a link tag and whether the page's style code embeds a third-party link; if either holds, judge that the mail contains a third-party link and send the abnormal mail to the virus detection module; if neither holds, send the abnormal mail to the trap module.
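A worked version of the content judgment module (SS1 and SS2), added as an illustration and not part of the original disclosure. It uses Python's standard email and html.parser modules; the three messages are constructed. Besides the disclosure's own Content-Type test it includes the check a practitioner would rely on instead: "multipart/mixed" is neither necessary nor sufficient for an attachment (a single-part message can be an executable, a multipart/related mail can carry one, and a multipart/mixed mail can hold only text), so each part's Content-Disposition and filename are inspected as well. The routing of a mail with neither attachment nor link to the trap module follows the description above.

```python
import email
import re
from email import policy
from html.parser import HTMLParser

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)
CSS_URL_RE = re.compile(r"url\(\s*['\"]?(https?://[^'\")\s]+)", re.IGNORECASE)


def parse(raw):
    return email.message_from_string(raw, policy=policy.default)


def has_attachment_by_content_type(msg):
    """SS1 exactly as stated: the top-level Content-Type is multipart/mixed."""
    return msg.get_content_type() == "multipart/mixed"


def attachment_parts(msg):
    """Stricter than SS1: any part declared as an attachment or carrying a filename."""
    return [p for p in msg.walk()
            if p.get_content_disposition() == "attachment" or p.get_filename()]


class LinkCollector(HTMLParser):
    """Collects link tags (the 'link label') and resources embedded via src or CSS url()."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag in ("img", "iframe", "script") and a.get("src"):
            self.links.append(a["src"])

    def handle_data(self, data):
        # Text inside <style> reaches handle_data, so url(...) in style code is caught here.
        self.links.extend(CSS_URL_RE.findall(data))


def third_party_links(msg):
    """SS2: regular expression over text bodies, then the tag/style scan over HTML bodies."""
    found = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/plain":
            found += URL_RE.findall(part.get_content())
        elif ctype == "text/html":
            html = part.get_content()
            found += URL_RE.findall(html)
            collector = LinkCollector()
            collector.feed(html)
            found += [u for u in collector.links if u.lower().startswith(("http://", "https://"))]
    return list(dict.fromkeys(found))  # de-duplicate, keep first-seen order


def route(msg):
    """Attachment or link -> virus detection module; otherwise -> trap module."""
    if has_attachment_by_content_type(msg) or attachment_parts(msg) or third_party_links(msg):
        return "virus_detection"
    return "trap"


# Constructed sample messages.
WITH_ATTACHMENT = parse(
    "From: billing@vendor.test\nTo: user@user.test\nSubject: invoice\nMIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="B1"\n\n'
    "--B1\nContent-Type: text/plain; charset=utf-8\n\nPlease open the attached invoice.\n"
    '--B1\nContent-Type: application/octet-stream; name="invoice.exe"\n'
    'Content-Disposition: attachment; filename="invoice.exe"\n'
    "Content-Transfer-Encoding: base64\n\nTVqQAAMAAAAEAAAA//8AAA==\n--B1--\n"
)
HTML_ONLY = parse(
    "From: alerts@example-bank.test\nTo: user@user.test\nSubject: verify\nMIME-Version: 1.0\n"
    "Content-Type: text/html; charset=utf-8\n\n"
    '<html><body><a href="https://login.example-bank.test/verify">Verify now</a>'
    '<img src="https://cdn.tracker.test/pixel.gif">'
    '<style>body{background:url("https://cdn.tracker.test/bg.png")}</style>'
    "</body></html>\n"
)
PLAIN_NO_LINK = parse(
    "From: colleague@example-corp.test\nTo: user@user.test\nSubject: lunch\n\nSee you at 12.\n"
)

if __name__ == "__main__":
    print([p.get_filename() for p in attachment_parts(WITH_ATTACHMENT)])  # ['invoice.exe']
    print(third_party_links(HTML_ONLY))
    print(route(WITH_ATTACHMENT), route(HTML_ONLY), route(PLAIN_NO_LINK))  # virus_detection virus_detection trap
```

The HTML-only mail has no attachment under either test, but the link scan finds the credential-harvesting link, the tracking pixel and the background image, so it is routed to virus detection rather than the trap.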
The virus detection module detects the attachment or third-party link of the abnormal mail in the following way:
the virus scanning unit scans the mail containing the attachment or third-party link, extracts feature codes and matches them against the virus feature library; when the match succeeds it generates a virus signal and sends it to the prompt module; when the match fails it sends the mail to the trap module.
Judging whether the abnormal mail contains an attachment or a link, and then scanning those attachments and links for viruses, markedly improves the virus identification rate.
The trap module analyses the virus characteristic index of the abnormal mail, as follows:
set up a virtual machine on the user machine (the user machine being the user's computer), fetch the attachment or third-party link of the mail from the user machine into the virtual machine, and enable network isolation for the virtual machine network;
acquire the start-up memory NC of the virtual machine, the initial feature code MD_j of each file and the operating speed V, where j numbers the files before the virtual machine runs the attachment or third-party link, j = 1, 2, ..., k; then preview the mail and open its attachment or third-party link;
while the mail is previewed and its attachment or third-party link opened, let the virtual machine run for a preset time, record its running memory as NC', and obtain the final feature code LA_p of each file and the operating speed V', where p numbers the files after the run, p = 1, 2, ...;
compare the original and final feature codes of each file to generate a feature identifier TZ_j: TZ_j = 1 when they match and TZ_j = 0 when they do not;
monitor the state of the virtual machine operating system to generate a system identifier XT: XT = 1 when an abnormal condition occurs and XT = 0 when it does not;
calculate the virus characteristic index by a formula whose parameters are: nc, a preset memory threshold; λ_1, λ_2, λ_3 and λ_4, preset weight coefficients for memory, feature code, operating speed and operating-system state respectively; and v, a preset operating-speed threshold. Compare the index with a preset virus-characteristic-index threshold: when the index of the abnormal mail is smaller than the threshold, generate a safety signal and send it to the prompt module; when it is larger, generate a virus signal, send it to the prompt module, and submit the attachment or third-party link of the mail to the virus scanning unit, which extracts the virus feature code and stores it in the virus feature library.
The trap module comprises a network isolation unit and a virtual operation unit: the network isolation unit isolates the virtual machine network, and the virtual operation unit opens the third-party link or attachment of the abnormal mail.
By analysing the virus characteristic index of the abnormal mail in the trap module, the embodiment makes up for the cases the virus scanning unit fails to judge, improves the identification rate of new viruses and effectively reduces the user's risk of information leakage.
Further, the virtual operation unit establishes the virtual machine environment in which the abnormal mail is previewed and its attachment or third-party link opened, so that opening the attachment or link cannot infect the user machine; the network isolation unit isolates the virtual machine's network, so that a virtual machine that does become infected cannot infect the user machine over the network, and the virus cannot spread further using the user machine as a springboard.
Further, when the virus characteristic index of a mail is larger than the threshold, the abnormal mail is judged to carry a virus, its feature code is extracted and sent to the virus scanning unit; the virus feature library is thereby continuously improved and the scanning unit's rates of misjudgment and missed judgment are reduced.
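A worked version of the trap module's before/after comparison (MD_j against LA_p, TZ_j and XT) and its scoring step, added as an illustration and not part of the original disclosure. The page does not reproduce its virus-characteristic-index formula, so the weighted sum below is an assumption that keeps only the page's parameters (nc, v, λ_1 to λ_4, XT); the files, the "dropper", the memory and speed readings and the decision threshold are all constructed. A temporary directory stands in for the virtual machine's file system; network isolation, sampling of real guest memory and the guest OS state monitor are outside what the example shows. One caveat for practitioners: a payload that detects the virtual machine or simply sleeps past the preset run time leaves every TZ_j at 1, so the run time and the VM's fingerprint matter as much as the scoring.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """MD_j (before) or LA_p (after): SHA-256 of every file under root, keyed by relative path."""
    root = Path(root)
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def feature_identifiers(before, after):
    """TZ_j per pre-existing file: 1 if its hash is unchanged, 0 if changed or deleted.
    Files that exist only after the run (dropped payloads) are returned separately,
    since the page's j/p numbering pairs them with nothing."""
    tz = {path: int(after.get(path) == digest) for path, digest in before.items()}
    created = sorted(set(after) - set(before))
    return tz, created


def virus_feature_index(tz, created, nc_delta, nc, speed_ratio, v, xt,
                        lambdas=(1.0, 1.0, 1.0, 1.0)):
    """Assumed combination of the page's four terms (the page's own formula is not
    reproduced there): nc is the memory threshold, v the speed threshold,
    lambdas are lambda_1..lambda_4, xt is the system identifier XT."""
    l1, l2, l3, l4 = lambdas
    memory_term = 1 if nc_delta > nc else 0            # running memory grew by more than nc
    total = len(tz) + len(created)
    changed = sum(1 for flag in tz.values() if flag == 0) + len(created)
    feature_term = changed / total if total else 0     # share of files modified or dropped
    speed_term = 1 if speed_ratio < v else 0           # VM slowed to below v of its old speed
    return l1 * memory_term + l2 * feature_term + l3 * speed_term + l4 * xt


def analyse_in_sandbox(root, open_payload, nc_before, nc_after, nc,
                       speed_before, speed_after, v, xt, threshold=2.0):
    """Trap-module flow: snapshot, open the attachment/link, snapshot again, score.
    The threshold value is an assumption."""
    before = snapshot(root)
    open_payload(root)                 # in a real trap this runs inside the isolated VM
    after = snapshot(root)
    tz, created = feature_identifiers(before, after)
    index = virus_feature_index(tz, created, nc_after - nc_before, nc,
                                speed_after / speed_before, v, xt)
    return {"tz": tz, "created": created, "index": index,
            "verdict": "virus" if index > threshold else "safe"}


def constructed_dropper(root):
    """Constructed stand-in for a malicious attachment: rewrites a system file, drops a binary."""
    root = Path(root)
    (root / "hosts").write_text("127.0.0.1 localhost\n203.0.113.5 update.vendor.test\n")
    (root / "svc.exe").write_bytes(b"MZ\x90\x00")


def constructed_benign(root):
    """Constructed stand-in for a harmless attachment: touches nothing."""


def run_demo(payload, nc_after, speed_after, xt):
    """Builds a two-file guest file system and runs one payload against it.
    Memory and speed readings are passed in as constructed values."""
    with tempfile.TemporaryDirectory() as root:
        (Path(root) / "hosts").write_text("127.0.0.1 localhost\n")
        (Path(root) / "notes.txt").write_text("meeting at 10\n")
        return analyse_in_sandbox(root, payload, nc_before=900, nc_after=nc_after, nc=400,
                                  speed_before=1.0, speed_after=speed_after, v=0.8, xt=xt)


if __name__ == "__main__":
    print(run_demo(constructed_dropper, nc_after=1500, speed_after=0.6, xt=1))
    # tz {'hosts': 0, 'notes.txt': 1}, created ['svc.exe'], index 3.6667, verdict 'virus'
    print(run_demo(constructed_benign, nc_after=920, speed_after=0.98, xt=0))
    # all TZ_j = 1, nothing created, index 0.0, verdict 'safe'
```

The dropper run trips all four terms (memory growth above nc, two of three files touched, speed below v, XT = 1), which is what should send the attachment on to the virus scanning unit for feature extraction; the benign run leaves every TZ_j at 1 and scores zero.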
The prompt module receives the signals sent by the trap module and gives the user an early-warning prompt, as follows:
when a virus signal is received, early-warning information is sent to the user, warning that the current mail contains a virus and deleting the mail, so as to avoid the chain of losses that follows a virus infection; when a safety signal is received, a prompt is sent that the current mail has passed detection and can be viewed, the mail is marked as detection-passed and sent to the mail viewing module.
The mail viewing module is used for viewing detection-passed mails and normal mails.
The foregoing is merely illustrative and explanatory of the invention, as it is apparent to those skilled in the art that various modifications and additions can be made to the specific embodiments described or in a similar manner without departing from the structure of the invention or beyond the scope of the invention as defined in the appended claims.