CN117150486A - Information safety protection system based on internet - Google Patents

Info

Publication number
CN117150486A
CN117150486A
Authority
CN
China
Prior art keywords
mail
abnormal
virus
module
address
Prior art date
Legal status
Granted
Application number
CN202310926518.7A
Other languages
Chinese (zh)
Other versions
CN117150486B (en)
Inventor
田飞
王志婷
Current Assignee
Henan Citic Big Data Technology Co ltd
Original Assignee
Anhui Qihui Information Technology Co ltd
Priority date
Filing date
Publication date
Application filed by Anhui Qihui Information Technology Co ltd
Priority to CN202310926518.7A
Publication of CN117150486A
Application granted
Publication of CN117150486B
Legal status: Active
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L51/00 User-to-user messaging in packet-switching networks, transmitted according to store-and-forward or real-time protocols, e.g. e-mail
    • H04L51/07 User-to-user messaging in packet-switching networks, transmitted according to store-and-forward or real-time protocols, e.g. e-mail characterised by the inclusion of specific contents
    • H04L51/08 Annexed information, e.g. attachments
    • H04L51/42 Mailbox-related aspects, e.g. synchronisation of mailboxes
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/145 Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms

Abstract

The invention relates to the technical field of information security, in particular to an Internet-based information security protection system comprising a mail information acquisition module, a prompting module, a mail checking module, an abnormal mail detection module, a content judgment module, a virus detection module and a trap module. By analysing the abnormality index of a mail and the virus characteristic index of an abnormal mail, the system prevents a user from being induced to click an attachment or third-party link that would implant a virus on the user's computer; this both avoids the user information leakage caused by virus implantation and avoids infection of the user's computer when antivirus software misjudges a virus. Network isolation of the virtual machine further prevents the virus from infecting the user's computer over the network, reducing the possibility of the virus propagating and spreading through the network and providing a strong guarantee for user information security.

Description

Information safety protection system based on internet
Technical Field
The invention relates to the technical field of information security, in particular to an information security protection system based on the Internet.
Background
Information security means that the hardware, software and data of an information network system are protected from damage, alteration and leakage, whether accidental or malicious, so that the system operates continuously, reliably and normally.
Electronic mail, as a means of exchanging information electronically, is the most widely used Internet service. It is also a main channel by which lawbreakers spread viruses in order to steal information and damage computers, and information leakage events caused by mail viruses occur frequently. With respect to mail viruses stealing user information, the following problems exist at the current stage:
1. Users have insufficient knowledge of mail viruses and are easily induced by mail content to open attachments or third-party links, so that the computer is infected and personal information leaks; and when lawbreakers use an address book contact's account to send virus-carrying mail to the user, the user finds it hard to tell whether the sender is genuine;
2. When antivirus software misjudges a virus, the virus infects the user's computer and can use it as a springboard to infect surrounding computers over the network, so that more computer information is stolen and the losses to people and machines cannot be recovered.
Disclosure of Invention
The present invention is directed to an internet-based information security system, which solves the problems set forth in the background art.
The aim of the invention is achieved by the following technical scheme: the Internet-based information security protection system comprises a mail information acquisition module, a prompt module, a mail viewing module, an abnormal mail detection module, a content judgment module, a virus detection module and a trap module;
the mail information acquisition module is used for acquiring the name, address and sending time of a mail;
the abnormal mail detection module is used for acquiring the name and sending address of the sender of the mail, comparing the sender name with the contacts in the user's address book to check whether the sender is in the address book, and analysing the abnormality index of the mail to classify it as an abnormal mail or a normal mail, where the abnormality index comprises an address book mail abnormality index and a strange mail abnormality index; abnormal mail is sent to the content judgment module and normal mail to the mail checking module;
the content judgment module is used for judging whether the abnormal mail contains an attachment or a third-party link; when it does, the mail is sent to the virus detection module, otherwise it is sent to the trap module;
the virus detection module is used for detecting the attachments or third-party links of the abnormal mail and comprises a virus scanning unit and a virus feature library; the virus scanning unit scans the attachments and third-party links of the abnormal mail, extracts feature codes and matches them against the virus feature library, generating a virus signal when matching succeeds; the virus feature library stores the virus feature codes;
the trap module is used for analysing the virus characteristic index of mails and comprises a network isolation unit and a virtual operation unit; the network isolation unit isolates the virtual machine network, and the virtual operation unit runs the third-party links or attachments in abnormal mails;
the prompting module receives the signal sent by the trap module and gives the user an early-warning prompt;
the mail viewing module is used for viewing mails that have passed detection and normal mails.
Preferably, the analysis of the abnormality index of the mail is performed as follows:
S1: query the historical mails according to the sender name of the mail, and convert each historical mail and the current mail with a mail transcoding and conversion tool to obtain the original text of each historical mail and of the current mail;
S2: obtain the basic information of the mail and the user's current address book contact information, extract the names of all contacts and compare them with the sender name of the mail; if the sender name matches an address book contact, mark the current mail as an address book mail and go to step S3, otherwise mark it as a strange mail and go to step S4;
S3: analyse the communication addresses of each historical mail between the sender of the address book mail and the user to obtain the address book mail abnormality index, as follows:
S31: parse the mail header of each historical mail's original text to obtain its IP address, query the attribution to obtain the IP attribution (home location) of each historical mail, and mark it GS_i, where i is the number of the historical mail, i = 1, 2, ..., n, n a positive integer;
S32: summarise the IP attributions of the historical mails into an attribution list [GS_1, GS_2, ..., GS_i], sort the list in descending order of how often each home location occurs, and take the first three entries as the common communication addresses, marked CY_1, CY_2 and CY_3 respectively;
S33: parse the mail header of the address book mail text to obtain its IP address, query the attribution of that IP address and mark it gs, and compare gs with the sender's common communication addresses to generate an address identifier DZ: when gs ∈ {CY_1, CY_2, CY_3} the address identifier is assigned 1, otherwise it is assigned 3;
S34: obtain the sending time of each historical mail, marked T_i, obtain the address book mail abnormality index KY_1 through analysis, and compare it with the preset abnormality index threshold; when KY_1 is smaller than the threshold, mark the address book mail as normal mail and send it to the mail checking module; when KY_1 is larger than the threshold, mark it as abnormal mail and send it to the content detection module;
S4: analyse the server address and the IP address of the sender of the strange mail to obtain the strange mail abnormality index, as follows:
S41: parse the mail header of the strange mail's original text and mark it as the strange mail header; obtain the sender server address and the IP address from the strange mail header, reverse-resolve the IP address with DNS and compare the result with the sender server address to generate an identity identifier SF: when they are consistent the identity identifier is assigned 1, and when they are inconsistent it is assigned 2;
S42: compare the sending address in the strange mail header with the reply address to generate a receiving and transmitting address identifier sf: when the sending address of the strange mail is consistent with its reply address the identifier is assigned 2, and when they are inconsistent it is assigned 4;
S43: obtain the strange mail abnormality index KY_2 through analysis and compare it with the preset abnormality index threshold; when KY_2 is smaller than the threshold, mark the strange mail as normal mail and send it to the mail checking module; when KY_2 is larger than the threshold, mark it as abnormal mail and send it to the content detection module.
Preferably, the analysis process for determining whether the abnormal mail contains an attachment or a third party link is as follows:
SS1: judging whether the abnormal mail contains an attachment, in the following way:
obtain the source code of the abnormal mail and query its Content-Type field; when the Content-Type of the abnormal mail is 'multipart/mixed' the mail is judged to contain an attachment, and any other type indicates that it does not;
SS2: judging whether the abnormal mail contains a third-party link, in the following way:
connect to the mail server, obtain the body text of the abnormal mail and analyse it as follows: match the body text with a regular expression; when the match succeeds, judge that the abnormal mail contains a third-party link and send the link to the virus detection module; otherwise convert the body text into web page code and query whether its tags contain a link tag or the page code embeds a third-party link; if so, judge that the abnormal mail contains a third-party link and send the link to the virus detection module, otherwise send the abnormal mail to the mail checking module.
Preferably, the detecting the attachment or the third party link of the abnormal mail includes:
the virus scanning unit scans mails containing attachments or third-party links, extracts feature codes from the attachments and links and matches them against the virus feature library; a successful match indicates that the mail contains a virus, so a virus signal is generated and sent to the prompt module; an unsuccessful match indicates that no virus is present, and the mail is forwarded to the mail viewing module.
Preferably, the analysis is performed on the virus characteristic index of the mail, and the specific analysis process is as follows:
set up a virtual machine on the user machine, fetch the attachment or third-party link of the abnormal mail from the user machine into the virtual machine, and enable network isolation of the virtual machine network;
obtain the initial feature code MD_j of each file in the virtual machine's start-up memory NC and the running speed V, where j is the number of each file before the virtual machine runs the attachment or third-party link of the mail, j = 1, 2, ..., k; then run the attachment or third-party link of the mail;
once the third-party link or attachment of the abnormal mail is opened, run the virtual machine for a preset time, record the running memory of the virtual machine as NC', and obtain the final feature code LA_p of each file and the running speed V', where p is the number of each file after the virtual machine has run the attachment or link, p = 1, 2, ...;
compare the original and final feature codes of each file and generate a feature identifier TZ_j: when the comparison succeeds the feature identifier is assigned 1, and when it fails it is assigned 0;
monitor the state of the virtual machine's operating system and generate a system identifier XT: when an abnormal condition occurs in the operating system the system identifier is assigned 1, otherwise it is assigned 0;
analyse and calculate the virus characteristic index and compare it with the preset virus characteristic index threshold; when the virus characteristic index of the abnormal mail is smaller than the threshold, generate a safety signal, send it to the prompt module and close the network isolation of the virtual machine; when it is larger than the threshold, generate a virus signal, send it to the prompt module and submit the attachment or third-party link of the mail to the virus scanning unit, which extracts the virus feature code and stores it in the virus feature library.
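Added example, written for this page and not taken from the patent: a file-level form of the trap module's before/after comparison in Python. A temporary directory stands in for the virtual machine's file set, SHA-256 is an assumed feature code, and the payload and operating-system monitor are constructed stand-ins; since the virus characteristic index formula is not on the page, the block returns the identifiers TZ_j and XT and the lists of changed and new files from which it would be computed.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Callable, Dict


def feature_code(path: Path) -> str:
    """Feature code of one file. SHA-256 is an assumed choice; the patent does not name the algorithm."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: Path) -> Dict[str, str]:
    """Feature code of every regular file under root, keyed by relative path (MD_j before, LA_p after)."""
    return {str(p.relative_to(root)): feature_code(p) for p in sorted(root.rglob("*")) if p.is_file()}


def feature_identifiers(initial: Dict[str, str], final: Dict[str, str]) -> Dict[str, int]:
    """TZ_j = 1 when a file's feature code is unchanged, 0 when it changed or disappeared."""
    return {name: int(final.get(name) == code) for name, code in initial.items()}


def system_identifier(os_abnormal: bool) -> int:
    """XT = 1 when the virtual machine's operating system showed an abnormal condition, else 0."""
    return 1 if os_abnormal else 0


def trap_run(root: Path, open_payload: Callable[[Path], None], os_abnormal: Callable[[], bool]) -> Dict:
    """Before/after comparison of the trap module. The virus characteristic index formula itself
    is not given on the page, so this returns the identifiers it would be computed from."""
    initial = snapshot(root)
    open_payload(root)  # stands in for opening the attachment or link inside the isolated VM
    final = snapshot(root)
    tz = feature_identifiers(initial, final)
    return {
        "TZ": tz,
        "changed": sorted(name for name, flag in tz.items() if flag == 0),
        "new": sorted(set(final) - set(initial)),
        "XT": system_identifier(os_abnormal()),
    }


def demo() -> Dict:
    """Constructed scenario: three files, of which the payload rewrites one and drops a new one."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "notes.txt").write_text("quarterly numbers\n")
        (root / "app.ini").write_text("autostart=0\n")

        def simulated_payload(r: Path) -> None:
            # Constructed stand-in for the attachment: edits one file and drops another.
            (r / "hosts").write_text("127.0.0.1 localhost\n203.0.113.9 update.example.com\n")
            (r / "dropped.bin").write_bytes(b"\x00" * 16)

        # The OS monitor is simulated as having observed an abnormal condition.
        return trap_run(root, simulated_payload, lambda: True)
```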
Preferably, the early warning prompt is made for the user, and the specific early warning mode is as follows:
when a virus signal is received, early warning information is sent to a user, the user is warned that the current mail contains virus, the mail is deleted, and a series of losses caused by virus infection of a computer are avoided; when the safety signal is received, a prompt message is sent to the user to prompt the user that the current mail passes the detection, the mail can be checked, the mail is marked as the detection passing mail, and the detection passing mail is sent to the mail checking module.
The invention has the beneficial effects that:
1. By distinguishing the identity of the sender of a mail and analysing the abnormality index of the mail differently according to that identity, the invention prevents a user from being induced to click an attachment or third-party link that would implant a virus on the user's computer, avoiding the user information leakage and economic loss caused by virus implantation.
2. By analysing the virus characteristic index of a mail, the invention avoids infection of the user's computer when antivirus software misses a virus, and by applying network isolation to the virtual machine it prevents the virus from infecting the user's computer over the network, further reducing the possibility of the virus spreading through the network and providing a strong guarantee for the user's information security.
Drawings
The invention is further described below with reference to the accompanying drawings.
Fig. 1 is a system block diagram of the present invention.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
Referring to fig. 1, the invention discloses an information security protection system based on internet, which comprises a mail information acquisition module, a prompting module, a mail viewing module, an abnormal mail detection module, a content judgment module, a virus detection module and a trap module;
the mail information acquisition module acquires basic information of a mail through the Internet, wherein the basic information of the mail comprises a name of a sender of the mail, a mail address of the sender and mail sending time;
the abnormal mail detection module obtains the name and the sending address of the sender of the mail, matches the name of the sender of the mail with the contact person in the address book of the user, checks whether the sender of the mail is in the address book of the user, and analyzes the abnormal index of the mail according to the result, wherein the analysis process is as follows:
according to the names of senders of the mails, inquiring the historical mails, and converting each historical mail and the current mail by using a mail transcoding and converting tool to obtain the original text of each historical mail and the original text of the current mail.
Acquiring basic information of the mail and current address book contact person information of a user, extracting names of all contacts in the address book contact person information, comparing the names of all contacts with the names of senders of the mail, if the names of the senders of the mail and the names of the address book contact person are successfully compared, marking the current mail as the address book mail and entering step S3, otherwise, marking the current mail as strange mail and entering step S4.
S3: the method comprises the following steps of analyzing communication addresses corresponding to each historical mail of a sender and a user of the address book mail to obtain an address book mail abnormality index, wherein the specific analysis process is as follows:
Parse the mail header of the original text of each historical mail to obtain its IP address, query the attribution to obtain the IP attribution (home location) of each historical mail, and mark it GS_i, where i is the number of the historical mail, i = 1, 2, ..., n, n a positive integer.
Summarise the IP attributions of the historical mails into an attribution list [GS_1, GS_2, ..., GS_i], sort the list in descending order of how often each home location occurs, and take the first three entries as the common communication addresses, marked CY_1, CY_2 and CY_3 respectively.
Parse the mail header of the address book mail text to obtain its IP address, query the attribution of that IP address and mark it gs, and compare gs with the common communication addresses of the corresponding address book sender to generate an address identifier DZ: when gs ∈ {CY_1, CY_2, CY_3} the address identifier is assigned 1, otherwise it is assigned 3.
Obtain the sending time of each historical mail, marked T_i, and calculate the address book mail abnormality index KY_1 by the formula set out in the patent, in which T' is a preset communication interval duration threshold and the other parameters are a preset number of communications, a communication interval duration weight coefficient and an IP attribution weight coefficient; e is the natural constant and m is a constant. Compare KY_1 with the preset abnormality index threshold: when it is smaller, mark the address book mail as normal mail and send it to the mail checking module; when it is larger, mark it as abnormal mail and send it to the content detection module.
When the sender of the mail belongs to the user's address book, the abnormality index of the mail is thus analysed from the number of mail exchanges, the IP attribution and the communication interval duration, so that the information leakage and economic loss caused by a contact in the address book transmitting viruses are avoided and the user's information security is further ensured.
S4: analyzing the server address and the IP address of the sender of the strange mail to obtain the strange mail abnormality index, wherein the specific analysis process is as follows:
analyzing mail heads corresponding to the strange mail texts, marking the mail heads corresponding to the strange mail texts as strange mail heads, acquiring sender server addresses and IP addresses in the strange mail heads, reversely analyzing the IP addresses in the strange mail heads by using DNS, comparing the IP addresses with the sender server addresses, generating an identity identifier SF, when the IP addresses are consistent with the sender server addresses, assigning the identity identifier as 1, and when the IP addresses are inconsistent with the sender server addresses, assigning the identity identifier as 2.
Comparing the mail sending address in the strange mail header with the mail reply address to generate a receiving and transmitting address identifier sf, when the sending address of the strange mail is consistent with the strange mail reply address, assigning the receiving and transmitting address identifier as 2, and when the sending address of the strange mail is inconsistent with the strange mail reply address, assigning the receiving and transmitting address identifier as 4.
Calculate the strange mail abnormality index KY_2 by the formula set out in the patent and compare it with the preset abnormality index threshold: when KY_2 is smaller than the threshold, mark the strange mail as normal mail and send it to the mail checking module; when it is larger than the threshold, mark it as abnormal mail and send it to the content detection module.
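Added example, written for this page and not taken from the patent: the header checks of steps S31 to S42 (common attributions CY_1..CY_3, address identifier DZ, identity identifier SF from reverse DNS, receiving and transmitting address identifier sf) in Python with the standard email module. The IP attribution table, the reverse DNS table and the three sample messages are constructed so that the block runs offline; a real deployment would use an attribution database and socket.gethostbyaddr for the reverse lookup, which is included but not used by the demo.

```python
import re
import socket
from collections import Counter
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample messages (not from the patent); only the headers matter here.
ADDRESS_BOOK_MAIL = """\
From: Alice Chen <alice@example.com>
To: user@example.net
Received: from mx.example.com (mx.example.com [203.0.113.5]) by mail.example.net with ESMTPS; Mon, 1 Jan 2024 09:00:00 +0000
Subject: quarterly report

see attached
"""
STRANGE_MAIL = """\
From: Support <support@bank-example.com>
To: user@example.net
Reply-To: collect@mailbox-example.org
Received: from mail.bank-example.com (unknown [198.51.100.7]) by mail.example.net with ESMTP; Mon, 1 Jan 2024 09:05:00 +0000
Subject: verify your account

click here
"""
STRANGE_BUT_CONSISTENT = """\
From: Newsletter <news@shop-example.com>
To: user@example.net
Received: from mta.shop-example.com (mta.shop-example.com [192.0.2.20]) by mail.example.net with ESMTP; Mon, 1 Jan 2024 09:10:00 +0000
Subject: weekly offers

hello
"""

# Constructed stand-ins for the user's address book, the sender's historical IP attributions,
# an IP attribution (geolocation) database and reverse DNS, so the example runs offline.
ADDRESS_BOOK = {"Alice Chen"}
HISTORY_HOMES = {"Alice Chen": ["Shanghai", "Shanghai", "Beijing", "Hangzhou", "Shenzhen"]}
IP_HOME = {"203.0.113.5": "Shanghai", "198.51.100.7": "unknown", "192.0.2.20": "Hangzhou"}
RDNS = {"203.0.113.5": "mx.example.com", "192.0.2.20": "mta.shop-example.com"}

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
HELO_RE = re.compile(r"^from\s+([^\s(]+)", re.IGNORECASE)


def offline_reverse_dns(ip: str) -> Optional[str]:
    return RDNS.get(ip)


def live_reverse_dns(ip: str) -> Optional[str]:
    """Real reverse lookup for production use (needs network)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def sender_server_and_ip(msg: Message) -> Tuple[Optional[str], Optional[str]]:
    """Claimed sender server and origin IP from the earliest Received hop: relays prepend their
    Received header, so the last one in the list is the hop that handed the mail in."""
    received = msg.get_all("Received") or []
    if not received:
        return None, None
    host, ip = HELO_RE.search(received[-1]), IP_RE.search(received[-1])
    return (host.group(1) if host else None, ip.group(1) if ip else None)


def common_addresses(history_homes: List[str], k: int = 3) -> List[str]:
    """S32: the k most frequent IP attributions of the sender's historical mails (CY_1..CY_3)."""
    return [home for home, _ in Counter(history_homes).most_common(k)]


def address_identifier(gs: str, common: List[str]) -> int:
    """S33: DZ = 1 when the current mail's attribution is one of the common ones, otherwise 3."""
    return 1 if gs in common else 3


def identity_identifier(ip: Optional[str], server: Optional[str], reverse_dns: Callable) -> int:
    """S41: SF = 1 when the reverse DNS of the origin IP matches the claimed sender server, else 2."""
    host = reverse_dns(ip) if ip else None
    return 1 if host and server and host.lower() == server.lower() else 2


def rx_tx_identifier(msg: Message) -> int:
    """S42: sf = 2 when the sending address and the reply address agree, else 4.
    A missing Reply-To means replies go to From, which counts as consistent."""
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    reply_addr = parseaddr(msg.get("Reply-To", from_addr))[1].lower()
    return 2 if from_addr == reply_addr else 4


def analyse(raw: str, address_book=ADDRESS_BOOK, history_homes=HISTORY_HOMES,
            ip_home=IP_HOME, reverse_dns=offline_reverse_dns) -> Dict:
    """S2 split: an address-book sender gets DZ (S3), any other sender gets SF and sf (S4)."""
    msg = message_from_string(raw)
    name, _ = parseaddr(msg.get("From", ""))
    server, ip = sender_server_and_ip(msg)
    if name in address_book:
        gs = ip_home.get(ip, "unknown")
        common = common_addresses(history_homes.get(name, []))
        return {"kind": "address_book", "gs": gs, "DZ": address_identifier(gs, common)}
    return {"kind": "strange", "server": server, "ip": ip,
            "SF": identity_identifier(ip, server, reverse_dns), "sf": rx_tx_identifier(msg)}
```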
Further, when the sender of the mail does not belong to the user address book, the mail header of the mail is analyzed to judge whether the mail is tampered and forged or not, and the abnormal index of the mail is analyzed, and based on the analysis, the normal mail with compliance is filtered, virus detection is carried out on the mail with the tampered and forged condition, so that the condition that the user is induced to click an accessory or a third party link to cause the virus to be implanted into a user machine is prevented, and the user information leakage and economic loss caused by virus implantation are effectively avoided.
The content judging module analyzes whether the abnormal mail contains an attachment or a third party link, and the analysis process is as follows:
obtain the source code of the abnormal mail, query its Content-Type field, and judge that the abnormal mail contains an attachment when the Content-Type is 'multipart/mixed';
connect to the mail server, obtain the body text of the abnormal mail and analyse it as follows: match the body text with a regular expression; when the match succeeds, judge that the abnormal mail contains a third-party link and send the link to the virus detection module; when the match fails, convert the mail content into web page code and query whether the page code tags contain a link tag and whether the page style code contains an embedded third-party link; if the page code contains a link tag or the style code embeds a third-party link, judge that the abnormal mail contains a third-party link and send it to the virus detection module; if neither is present, send the abnormal mail to the trap module.
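Added example, written for this page and not the patent's code: the content judgment module's two checks in Python with the standard email and html.parser modules, run on constructed sample mails. It goes one step beyond the rule stated above by also treating a part with an explicit Content-Disposition: attachment as an attachment.

```python
import re
from email import message_from_string
from email.message import Message
from html.parser import HTMLParser
from typing import Dict, List, Tuple

# Constructed sample mails (not from the patent).
MIXED_WITH_ATTACHMENT = """\
From: a@example.com
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please review the attached statement.
--b1
Content-Type: application/pdf; name="statement.pdf"
Content-Disposition: attachment; filename="statement.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""
HTML_SCHEMELESS_LINK = """\
From: b@example.com
Content-Type: text/html; charset="utf-8"

<html><body><p>Update required.</p><a href="//files.example.org/update.bin">Download</a></body></html>
"""
PLAIN_WITH_URL = """\
From: c@example.com
Content-Type: text/plain; charset="utf-8"

Verify your account at https://login.example.org/verify today.
"""
PLAIN_WITHOUT_LINK = "From: d@example.com\nContent-Type: text/plain\n\nLunch at noon?\n"

URL_RE = re.compile(r"\bhttps?://[^\s<>\"']+", re.IGNORECASE)
CSS_URL_RE = re.compile(r"url\(\s*['\"]?([^)'\"]+)", re.IGNORECASE)
SKIP_PREFIXES = ("#", "mailto:", "cid:", "javascript:", "data:")


def has_attachment(msg: Message) -> bool:
    """SS1 as the patent states it: top-level multipart/mixed means an attachment is present.
    Generalisation added here: a part with Content-Disposition: attachment also counts."""
    if msg.get_content_type() == "multipart/mixed":
        return True
    return any(part.get_content_disposition() == "attachment" for part in msg.walk())


class _LinkCollector(HTMLParser):
    """Collects link targets from link tags and url(...) references in style code."""
    LINK_ATTRS = {"a": "href", "img": "src", "iframe": "src", "form": "action"}

    def __init__(self) -> None:
        super().__init__()
        self.links: List[str] = []
        self._in_style = False

    def handle_starttag(self, tag, attrs) -> None:
        self._in_style = self._in_style or tag == "style"
        for name, value in attrs:
            if not value:
                continue
            if name == self.LINK_ATTRS.get(tag) and not value.lower().startswith(SKIP_PREFIXES):
                self.links.append(value)
            elif name == "style":
                self.links.extend(CSS_URL_RE.findall(value))

    def handle_endtag(self, tag) -> None:
        if tag == "style":
            self._in_style = False

    def handle_data(self, data) -> None:
        if self._in_style:
            self.links.extend(CSS_URL_RE.findall(data))


def text_parts(msg: Message) -> List[Tuple[str, str]]:
    """(content type, decoded text) of every text/* part that is not itself an attachment."""
    out = []
    for part in msg.walk():
        if part.get_content_maintype() != "text" or part.get_content_disposition() == "attachment":
            continue
        payload = part.get_payload(decode=True) or b""
        out.append((part.get_content_type(), payload.decode(part.get_content_charset() or "utf-8", "replace")))
    return out


def third_party_links(msg: Message) -> List[str]:
    """SS2: try the regular expression on the body text first; only when it finds nothing and the
    part is web page code, inspect the tags and style code for link targets (catches scheme-less links)."""
    links: List[str] = []
    for ctype, text in text_parts(msg):
        found = URL_RE.findall(text)
        if not found and ctype == "text/html":
            collector = _LinkCollector()
            collector.feed(text)
            found = collector.links
        links.extend(found)
    return list(dict.fromkeys(links))  # de-duplicate, keep first-seen order


def judge(raw: str) -> Dict:
    """Route an abnormal mail: attachment or link -> virus detection module, otherwise -> trap module."""
    msg = message_from_string(raw)
    attachment, links = has_attachment(msg), third_party_links(msg)
    return {"attachment": attachment, "links": links, "route": "virus_detection" if attachment or links else "trap"}
```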
The virus detection module detects the attachment or third-party link of the abnormal mail in the following way:
the virus scanning unit scans the mail containing the attachment or third-party link, extracts its feature code and matches it against the virus feature library; when the match succeeds a virus signal is generated and sent to the prompt module, and when the match fails the mail is passed to the trap module.
Furthermore, by judging whether the abnormal mail contains an attachment or a link and then detecting viruses in that attachment or link, the invention markedly improves the virus identification rate.
The trap module analyses the virus characteristic index of the abnormal mail; the analysis proceeds as follows:
setting up a virtual machine on the user machine, fetching on the virtual machine the attachment or third-party link corresponding to the mail on the user machine, and enabling network isolation for the virtual machine's network;
"user machine" is short for the user's computer.
acquiring the start-up memory NC of the virtual machine, the initial feature code MD_j of each file and the operation speed V, where j is the number of each file before the virtual machine runs the attachment or third-party link corresponding to the mail, j = 1, 2, ..., k; then previewing the mail and opening the attachment or third-party link corresponding to the mail;
while the mail is previewed and its attachment or third-party link is open, operating the virtual machine within a preset time range, recording the operating memory of the virtual machine as NC', and obtaining the final feature code LA_p' and operation speed V' corresponding to each file, where p is the number of each file after the virtual machine has run the attachment or third-party link corresponding to the mail, p = 1, 2, ...;
comparing the initial feature code and final feature code of each file and generating a feature identifier TZ_j: when the initial and final feature codes of a file match, the feature identifier is assigned 1, and when they do not match it is assigned 0;
monitoring the state of the virtual machine's operating system and generating a system identifier XT, assigned 1 when an abnormal condition occurs in the virtual machine's operating system and 0 when none occurs;
calculating the virus characteristic index according to the formula, where nc is a preset memory threshold, λ1, λ2, λ3 and λ4 are respectively a preset memory weight coefficient, feature code weight coefficient, operation speed weight coefficient and operating system state weight coefficient, and v is a preset operation speed threshold; the virus characteristic index is compared with a preset virus characteristic index threshold: when the virus characteristic index of the abnormal mail is below the threshold, a safety signal is generated and sent to the prompt module, and when it is above the threshold, a virus signal is generated and sent to the prompt module, the attachment or third-party link corresponding to the mail is submitted to the virus scanning unit, and the virus scanning unit extracts the virus feature code and stores it in the virus feature library.
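The feature-identifier part of the trap module (initial codes MD_j, final codes LA_p, identifiers TZ_j), as an added Python example that is not part of the patent: a scratch directory stands in for the isolated virtual machine's files, MD5 is assumed as the feature code, and because the page does not reproduce the index formula or the memory and speed measurements, only TZ_j and the list of changed files are computed.

```python
import hashlib
import tempfile
from pathlib import Path


def feature_codes(root):
    """Feature code of every file under root, keyed by relative path. The page calls these
    MD_j before the run and LA_p after it; MD5 of the file content is an assumption."""
    root = Path(root)
    return {str(p.relative_to(root)): hashlib.md5(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def feature_identifiers(initial, final):
    """TZ_j per file: 1 when the initial and final feature codes match, 0 when they differ.
    A file that exists only after the run has no initial code to match and also gets 0
    (assumption: the page does not say how newly created files are scored)."""
    return {name: 1 if name in initial and initial[name] == final.get(name) else 0
            for name in sorted(set(initial) | set(final))}


def changed_files(identifiers):
    """Files whose feature identifier is 0 (modified, deleted or newly created)."""
    return [name for name, tz in identifiers.items() if tz == 0]


def observe(action):
    """Snapshot a scratch directory (standing in for the isolated virtual machine's files),
    run `action` against it within the observation window, snapshot again and return TZ_j."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed baseline files; not a real system image.
        (root / "system.ini").write_bytes(b"[boot]\nshell=explorer\n")
        (root / "hosts").write_bytes(b"127.0.0.1 localhost\n")
        (root / "notes.txt").write_bytes(b"hello\n")
        initial = feature_codes(root)
        action(root)
        final = feature_codes(root)
    return feature_identifiers(initial, final)


def benign_action(root):
    """Stands in for an attachment that, when opened, touches no file."""
    return None


def tampering_action(root):
    """Stands in for an attachment whose opening alters a system file and writes a new one;
    simulated with plain file writes, nothing is executed."""
    (root / "hosts").write_bytes(b"127.0.0.1 localhost\n# line added during the run\n")
    (root / "dropped.dat").write_bytes(b"\x00\x01\x02")


if __name__ == "__main__":
    print("benign:", observe(benign_action))
    ids = observe(tampering_action)
    print("tampering:", ids, "changed files:", changed_files(ids))
```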
The trap module comprises a network isolation unit and a virtual operation unit: the network isolation unit isolates the virtual machine's network, and the virtual operation unit opens the third-party link or attachment in the abnormal mail.
In the embodiment of the invention, the trap module analyses the virus characteristic index of the abnormal mail, which makes up for cases in which the virus scanning unit fails to identify a virus, improves the identification rate of novel viruses and effectively reduces the risk of user information leakage.
Further, a virtual machine environment is set up by the virtual operation unit; the abnormal mail is previewed in the virtual machine and its attachment or third-party link is opened there, so that the user machine is not infected by operating the attachment or link. The virtual machine is network-isolated by the network isolation unit, so that if the virtual machine becomes infected the virus cannot reach the user machine over the network, nor spread further using the user machine as a stepping stone.
Further, when the virus characteristic index of the mail exceeds the virus characteristic index threshold, the abnormal mail is judged to carry a virus; the virus's feature code is extracted and sent to the virus scanning unit, so that the virus feature library is continuously improved and the false-positive and false-negative rates of the virus scanning unit are reduced.
The prompt module receives the signal sent by the trap module and issues an early-warning prompt to the user; the specific early-warning mode is as follows:
when a virus signal is received, early-warning information is sent to the user, warning that the current mail contains a virus and that it should be deleted, so as to avoid the series of losses that a virus infection of the computer would cause; when a safety signal is received, a prompt is sent informing the user that the current mail has passed detection and can be viewed, the mail is marked as a detection-passed mail, and the detection-passed mail is sent to the mail viewing module.
The mail viewing module is used for viewing detection-passed mail and normal mail.
The foregoing is merely illustrative and explanatory of the invention; it will be apparent to those skilled in the art that various modifications and additions can be made to the specific embodiments described, or substituted in a similar manner, without departing from the structure of the invention or going beyond the scope of the invention as defined in the appended claims.

Claims (7)

1. An Internet-based information security protection system, comprising a mail information acquisition module, a prompt module and a mail viewing module, characterised in that it further comprises an abnormal mail detection module, a content judging module, a virus detection module and a trap module;
the abnormal mail detection module analyses the abnormality index of a mail, the abnormality index comprising an address-book mail abnormality index and a strange mail abnormality index, the index being analysed according to whether the sender of the mail is in the user's address book; the mail is marked as normal or abnormal according to its abnormality index, normal mail is sent to the mail viewing module, and abnormal mail is sent to the content judging module for further analysis of its content;
the content judging module judges whether the abnormal mail contains an attachment or a third-party link by analysing the mail source code; abnormal mail containing a third-party link or an attachment is sent to the virus detection module, and otherwise the abnormal mail is sent to the trap module;
the virus detection module detects the attachment or third-party link of the abnormal mail and comprises a virus scanning unit and a virus feature library;
the trap module analyses the virus characteristic index of the mail: the mail is viewed in a virtual machine, its attachment is downloaded or its third-party link opened, and the virus characteristic index is obtained by observing the running condition of the virtual machine.
2. The Internet-based information security protection system according to claim 1, wherein the abnormality index of the mail is analysed as follows:
S1: querying historical mails by the sender name of the mail, and converting each historical mail and the current mail with a mail transcoding tool to obtain the original text of each historical mail and of the current mail;
S2: acquiring the basic information of the mail and the user's current address-book contact information, extracting the names of all contacts in the address book and comparing them with the sender name of the mail; if the sender name matches an address-book contact name, marking the current mail as an address-book mail and proceeding to step S3, otherwise marking it as a strange mail and proceeding to step S4;
S3: analysing the communication addresses of each historical mail between the sender of the address-book mail and the user to obtain the address-book mail abnormality index, the specific analysis being:
S31: analysing the mail header of each historical mail's original text to obtain its IP address, and querying the attribution region to obtain the IP attribution of each historical mail;
S32: collecting the IP attributions of the historical mails into an attribution list, sorting the list by frequency of occurrence in descending order, and selecting the top three entries as the sender's common communication addresses;
S33: analysing the mail header of the address-book mail's original text to obtain its IP address, querying the attribution of that IP address, comparing it with the current sender's common communication addresses, and generating an address identifier;
S34: acquiring the sending time of each historical mail, analysing to obtain the address-book mail abnormality index, and comparing it with a preset address-book mail abnormality index threshold: when the index is below the threshold, the address-book mail is marked as a normal mail and sent to the mail viewing module, and when it is above the threshold, the mail is marked as an abnormal mail and sent to the content judging module;
S4: analysing the sender's server address and IP address of the strange mail to obtain the strange mail abnormality index, the specific analysis being:
S41: analysing the mail header of the strange mail's original text (the strange mail header), acquiring the sender server address and the IP address from it, reverse-resolving the IP address through DNS, comparing the result with the sender server address and generating an identity identifier;
S42: comparing the sending address in the strange mail header with the reply address and generating a send/reply address identifier;
S43: analysing the identity identifier and the send/reply address identifier to obtain the strange mail abnormality index, and comparing it with a preset abnormality index threshold: when the index is below the threshold, the strange mail is marked as a normal mail and sent to the mail viewing module, and when it is above the threshold, it is marked as an abnormal mail and sent to the content judging module.
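The identifiers of steps S31 to S33 and S41 to S42, as an added Python example that is not part of the patent: the IP attribution and reverse-DNS lookups are replaced by constructed tables, the identifier values (1 = consistent, 0 = inconsistent) and the sample mails are assumptions, and since the claim gives no formula for combining the identifiers into an abnormality index, none is computed.

```python
import re
from collections import Counter
from email import message_from_string, policy
from email.utils import parseaddr

# Sender server name and IP from a Received hop such as
# "from mail.example.invalid (mail.example.invalid [203.0.113.10]) by mx.user.invalid ..."
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\(.*?\[(\d{1,3}(?:\.\d{1,3}){3})\]", re.I | re.S)

# Constructed tables standing in for the IP attribution query (S31) and reverse DNS (S41).
IP_REGION = {"203.0.113.10": "Region-A", "203.0.113.11": "Region-A",
             "198.51.100.7": "Region-B", "192.0.2.5": "Region-C", "192.0.2.44": "Region-D"}
REVERSE_DNS = {"203.0.113.10": "mail.example.invalid", "203.0.113.11": "mail2.example.invalid",
               "198.51.100.7": "relay.example.invalid", "192.0.2.5": "out.example.invalid",
               "192.0.2.44": "host44.other.invalid"}


def parse(raw):
    return message_from_string(raw, policy=policy.default)


def sender_hop(msg):
    """(server name, IP) of the hop closest to the sender, i.e. the last Received header,
    since every relay prepends its own. Only the hop written by your own MX is trustworthy;
    earlier hops are sender-supplied text, which is why S41 cross-checks it with reverse DNS."""
    for hop in reversed(msg.get_all("Received", [])):
        m = RECEIVED_RE.search(hop)
        if m:
            return m.group(1).lower(), m.group(2)
    return None, None


def common_regions(history, top_n=3):
    """S32: the sender's three most frequent IP attribution regions over past mail."""
    counts = Counter(IP_REGION.get(sender_hop(parse(raw))[1], "unknown") for raw in history)
    return [region for region, _ in counts.most_common(top_n)]


def address_identifier(raw, history):
    """S33: 1 when the current mail's IP region is among the sender's common regions, else 0
    (assumption: the page does not state the identifier's values)."""
    region = IP_REGION.get(sender_hop(parse(raw))[1], "unknown")
    return 1 if region in common_regions(history) else 0


def identity_identifier(raw):
    """S41: 1 when reverse DNS of the sender IP agrees with the claimed server name, else 0."""
    server, ip = sender_hop(parse(raw))
    return 1 if server and REVERSE_DNS.get(ip) == server else 0


def reply_address_identifier(raw):
    """S42: 1 when the Reply-To address matches the From address (or is absent), else 0."""
    msg = parse(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    reply = parseaddr(msg.get("Reply-To", msg.get("From", "")))[1].lower()
    return 1 if sender == reply else 0


def _constructed_mail(ip, server, sender="alice@example.invalid", reply_to=None):
    """Minimal raw message with one Received hop; constructed sample data."""
    lines = [f"Received: from {server} ({server} [{ip}]) by mx.user.invalid with ESMTP;"
             " Mon, 1 Jan 2024 00:00:00 +0000",
             f"From: {sender}", "To: user@user.invalid", "Subject: hello"]
    if reply_to:
        lines.append(f"Reply-To: {reply_to}")
    return "\r\n".join(lines) + "\r\n\r\nbody\r\n"


HISTORY = [_constructed_mail("203.0.113.10", "mail.example.invalid"),
           _constructed_mail("203.0.113.11", "mail2.example.invalid"),
           _constructed_mail("198.51.100.7", "relay.example.invalid"),
           _constructed_mail("192.0.2.5", "out.example.invalid")]
BOOK_MAIL = _constructed_mail("203.0.113.10", "mail.example.invalid")
STRANGE_MAIL = _constructed_mail("192.0.2.44", "mail.example.invalid",
                                 sender="bob@other.invalid", reply_to="replies@elsewhere.invalid")

if __name__ == "__main__":
    print("common regions:", common_regions(HISTORY))
    print("address identifier:", address_identifier(BOOK_MAIL, HISTORY))
    print("identity, reply-to:", identity_identifier(STRANGE_MAIL), reply_address_identifier(STRANGE_MAIL))
```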
3. The Internet-based information security protection system according to claim 1, wherein judging whether the abnormal mail contains an attachment or a third-party link is performed as follows:
SS1: judging whether the abnormal mail contains an attachment, in the following way:
acquiring the source code of the abnormal mail, querying its Content-Type field, and judging from the content of that field whether the abnormal mail contains an attachment;
SS2: judging whether the abnormal mail contains a third-party link, in the following way:
connecting to the mail server, obtaining the body content of the abnormal mail and analysing it as follows: the body content is matched against a regular expression; when the match succeeds, the abnormal mail is judged to contain a third-party link and the link is sent to the virus detection module; otherwise the body content is converted into web page code, the tags of the page code are checked for a link tag and the page code is checked for an embedded third-party link; if the page code contains a link tag or embeds a third-party link, the abnormal mail is judged to contain a third-party link, which is sent to the virus detection module; otherwise the abnormal mail is sent to the mail viewing module.
4. The Internet-based information security protection system according to claim 1, wherein detecting the attachment or third-party link of the abnormal mail is performed as follows:
the virus scanning unit scans the mail containing the attachment or third-party link, extracts its feature code and matches it against the virus feature library; when the match succeeds a virus signal is generated and sent to the prompt module, and when the match fails the mail is sent to the trap module.
5. The Internet-based information security protection system according to claim 1, wherein the virus characteristic index of the mail is analysed as follows:
setting up a virtual machine on the user machine, fetching on the virtual machine the attachment or third-party link corresponding to the abnormal mail on the user machine, and enabling network isolation for the virtual machine's network;
acquiring the start-up memory of the virtual machine, the initial feature code of each file and the operation speed;
when the third-party link or attachment of the abnormal mail is opened, letting the virtual machine operate within a preset time range, recording the operating memory of the virtual machine and obtaining the final feature code and operation speed corresponding to each file;
comparing the initial feature code of each file with its final feature code and generating feature identifiers;
monitoring the operating system state of the virtual machine and generating a system identifier;
obtaining the virus characteristic index of the abnormal mail by analysis and comparing it with a preset virus characteristic index threshold: when the index is below the threshold, a safety signal is generated and sent to the prompt module and the virtual machine's network isolation is lifted; when the index is above the threshold, a virus signal is generated and sent to the prompt module, the attachment or third-party link corresponding to the abnormal mail is submitted to the virus scanning unit, and the virus scanning unit extracts the virus feature code and stores it in the virus feature library.
6. The Internet-based information security protection system according to claim 1, wherein the mail information acquisition module collects the basic information of a mail through the Internet; the prompt module receives the signal sent by the trap module and issues an early-warning prompt to the user; and the mail viewing module is used for viewing mails.
7. The Internet-based information security protection system according to claim 6, wherein the early-warning prompt is issued to the user in the following way: when a virus signal is received, a corresponding early-warning prompt is sent to the user; when a safety signal is received, a corresponding prompt is sent to the user, the mail is marked as a detection-passed mail, and the detection-passed mail is sent to the mail viewing module.
CN202310926518.7A 2023-07-27 2023-07-27 Information safety protection system based on internet Active CN117150486B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310926518.7A CN117150486B (en) 2023-07-27 2023-07-27 Information safety protection system based on internet

Publications (2)

Publication Number Publication Date
CN117150486A true CN117150486A (en) 2023-12-01
CN117150486B CN117150486B (en) 2024-04-26

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20240403

Address after: No. 1602, 16th Floor, Unit 2, No. 22, Business Outer Ring Road, Zhengzhou Area (Zhengdong), Zhengzhou Pilot Free Trade Zone, Henan Province, 450000
Applicant after: Henan CITIC Big Data Technology Co.,Ltd.
Country or region after: China

Address before: Room 1305, Building 3, Entrepreneurship Center, No. 82 Huayuan West Road, Chuzhou City, Anhui Province, 239000
Applicant before: ANHUI QIHUI INFORMATION TECHNOLOGY Co.,Ltd.
Country or region before: China

GR01 Patent grant