KR101450961B1 - Method and system for blocking sophisticated phishing mail by monitoring inner and outer traffic - Google Patents

Abstract

The present invention relates to a method for blocking intelligent phishing e-mails through internal and external traffic monitoring. The method includes extracting and storing data packets related to mail by monitoring traffic transmitted and received in the internal network, analyzing each data packet, (S10) for extracting the URL included in the mail from the structured mail data in the mail structuring step (S10) and extracting the URL included in the mail from the structured mail data A threat detection step (S20) of checking whether the threat of mail data exists; A risk management list generation step (S30) of generating a risk management list by classifying threats of sites corresponding to the URLs included in the mail according to the result of the threat detection step (S20); (S40) of creating a block list based on the risk management list, the risk management list generation step (S30) includes an external web mail service side and an organization And the risk management list for the external web mail service and the risk mail management service for the organization mail service are separately generated and the step of creating a blocking list S40 is performed And a blocking list is created by cross-referencing the two.

Description

FIELD OF THE INVENTION [0001] The present invention relates to a method and system for blocking intelligent phishing e-mails by monitoring internal and external traffic,

The present invention relates to a phishing e-mail blocking method and a phishing e-mail blocking system using the same, and more particularly, to a phishing e-mail blocking method and an anti-phishing e-mail blocking system through internal and external traffic monitoring.

Today, with the rapid progress of informatization, information systems are storing a lot of important information, and the economic value of such integrated information is also rapidly increasing. Under this circumstance, phishing based on user 's cheat behavior, which is a social engineering technique, provides a means for hackers to easily cut out important information. In the Internet, access to information systems and financial transactions can be performed using personal IDs and passwords. Thus, if a hacker cuts out important information of a user, it can acquire an internal system access or a direct economic profit through the network. In fact, phishing attacks are causing huge economic losses every year and continue to occur in various forms.

Phishing attacks are becoming more and more intelligent and technologically advanced over time. It is also becoming more threatening due to APT (Advanced Persistent Threat) attacks. Major organizations such as the United States, which received such a sophisticated cyber attack, have operated the Internet and the internal network separately, and many insiders themselves have been infected by unintended malicious code infections, Of information leaked.

There is a sophisticated phishing attack at the start of this technology spill. A hacker uses a method of occupying an insider's computer to infiltrate the internal network of a major institution. As such, the Internet and internal networks can not be secure from cyber threats as long as hackers continue to implement sophisticated phishing attacks aimed at specific entities or organizations.

Therefore, in-depth analysis of sophisticated phishing attacks to identify attack mechanisms, and to design and implement a security structure for them, can provide important information on the organization or organization. It is essential to protect.

In the conventional type of phishing attack and the defense mechanism, Phishing uses an e-mail or the like to induce a user to access a manipulated web site, It has emerged as a new type of network attack. This is an unfair monetization gain for hackers due to attacks such as fraudulent authentication schemes, cross-site scripting using vulnerabilities such as lack of user recognition, and man-in-the-middle attacks. Leakage of confidential information, and distribution of malicious code. And as recent web application-related threats are increasing, increasingly intelligent phishing is being used as a broad and effective social engineering attack technique, including Internet mail services.

Phishing, which has been targeted at an unspecified number of people, has evolved into targeted attacks targeting members of a particular group or organization. Typical spear phishing is based on phrases that are based on phrases tailored to groups, such as personal names and e-mails, as well as trusted social networking sites or interests such as Facebook and Twitter .

And the more serious thing is not just to cut off the information of the targeted individual, but also to manipulate the individual's computer to distribute malicious code and become a base for infiltration into a specific organization. Since these attacks do not provide adequate countermeasures against spam filters, there is a growing need to find ways to recognize and block threats through separate, specialized security modeling.

In addition to this, whaling has become a recent threat, which is the practice of spear phishing for those who have a high level of reputation in a particular organization and who own a lot of high-tech information or wealthy people, This is the preferred attack for hackers. On the contrary, it implies that a security administrator can suffer a large loss due to a single information leakage accident.

On the other hand, defense mechanisms against general phishing attacks generate user-centered protection and predictable phishing site lists using a tool bar while maintaining a general security network configuration as shown in FIG. 9, And techniques using security-oriented security solutions that can check and block the presence of a specific content in a packet. For example, when receiving mail from the server, it is attempting to protect the user by removing the "<a href =" link and removing the automatic connection setting.

However, this countermeasure may result in user inconvenience by removing large attachments or normal links together, and it is difficult for the user to simply protect them when moving to the site by copy and paste.

User-space countermeasures use anti-virus, anti-spyware, firewall, or computer-based intrusion detection systems or how to adjust the security settings of a web browser. These methods enable defense in depth for individual users but depend on the level of user's security awareness, the presence of computer security programs, and the presence of vulnerabilities. That is, if the security level of the user is low, the security program is stopped or if the security update is neglected, the countermeasure is disabled. Also, when the hacker who uses the similar domain to access a site that the user himself / herself trusts is used, he / she can disengage the security setting by himself / herself and induce him / her to access the phishing site. Therefore, if the proxy server is operated in the network, it is possible to prevent the threat of accessing the phishing site through the human operation.

Server domain countermeasures are a phishing attack defense at the corporate or organizational level. Web application development and strong Token-based authentication are used to ensure security. In addition, when a phishing site with a name similar to the domain used by the server is found, the user should be notified of the content to prevent the possibility of an accident. This method establishes a trust relationship between a user and a server to ensure a secure transaction relationship at the site, but it is inconvenient for the user to be aware of the security information provided for each site. In other words, it may happen that the convenience of using information beyond the construction is hindered. Also, as a server administrator, it is necessary to secure a certain level of safety more than a certain level, and there is a burden that it is necessary to maintain a trust relationship without an information leakage accident caused by a hacking.

This server area countermeasure is effective in providing an effective security to the users who use the service by accessing the server from the outside, but it is limited to protect the insiders who use the service from the inside to the external server from the phishing site. This is because the management authority of the external server is entirely the area of the security manager operating the server.

The countermeasures using security products and technologies guarantee a certain level of security for both the user and the organization, but performance depends on the update rate of the security policy. Recent hackers have found that attacks are not detected with tests using the same security products and technologies that the target has prior to the attack, so countermeasures that rely on security products and technologies should be deployed to cyber threats It is helpless in front. That is, it is difficult to cope with a zero-day attack, which is one of recent serious threats. In addition, security products and technologies are subject to universal security policies, making individual and in-depth defense difficult.

Therefore, countermeasures using standardized security products and technologies are not appropriate for spear phishing and wailing. Given that the average lifetime of a typical phishing site is around 20 hours, you need a means to respond more quickly and actively.

In addition, anti-spam and anti-virus product based security structure construction is used as a typical method for protecting users from phishing. However, as described above, the response to spear phishing and wailing requires a security strategy specific to this attack in order to respond more swiftly and actively, and some recent studies have reflected this demand.

In Document 1, Aycock classifies the types of spear phishing attacks as external and internal, and designs a security structure that matches each attribute. In Document 2, the OAK RIDGE Lab uses a proxy server to determine whether a user is a malicious domain when accessing a link contained in a mail to protect against spear phishing and wailing attacks, and transmits DNS requests A comparison method is used. In Document 3, David developed a spear phishing attack detection system (SPEAD), and proposed a method of blocking cyber threats from being introduced into a user's mailbox by inspecting URLs and attachment files included in the emails .

However, all of these methods have a limitation in protecting only a user (End User) using an organization mail of a specific organization in a manner corresponding to a phishing threat in a conventional mail network-based system as shown in FIG.

Document 1: Aycock, J., A design for an anti-spear-phishing system, VIRUS BULLETIN CONFERENCE, September 2007. Document 2: Anti-Phishing and Whaling (ANTI-PAW), Cyberspace Sciences and Information Intelligence Research Group Projects, Computational Sciences & Engineering Division, OAK RIDGE National Laboratory. Literature 3: David T. Merritt, et al., SPEAR PHISHING ATTACK DETECTION, Degree of Master of Science in Computer Engineering Thesis, Air Force Institute of Technology, Air University, March, 2011.

It is an object of the present invention to provide a method and system for detecting and blocking intelligent phishing attacks that provide a security structure that can be protected from the threats of intelligent phishing, i.e., spear phishing and wailing, And to provide an intelligent phishing e-mail blocking method and an intelligent phishing e-mail blocking system using the same.

It is another object of the present invention to provide a method for blocking intelligent phishing mails through internal and external traffic monitoring for detecting and blocking increasingly intelligent phishing attacks and an intelligent phishing mail blocking system using the same.

According to an aspect of the present invention, there is provided a method for blocking intelligent phishing e-mails through internal and external traffic monitoring, comprising the steps of: monitoring traffic transmitted and received in an internal network to extract and store data packets related to mail; (S10) for processing structured mail data by processing each mail data by each configuration item including a URL included in the mail, wherein the structured mail data is included in the mail from the structured mail data in the mail structuring step (S10) A threat detection step (S20) of extracting a URL and checking whether there is a threat of mail data based on the URL; A risk management list generation step (S30) of generating a risk management list by classifying threats of sites corresponding to the URLs included in the mail according to the result of the threat detection step (S20); (S40) of creating a block list based on the risk management list, the risk management list generation step (S30) includes an external web mail service side and an organization And the risk management list for the external web mail service and the risk mail management service for the organization mail service are separately generated and the step of creating a blocking list S40 is performed And a blocking list is created by cross-referencing the two.

Preferably, the internal user detects the URL of the site to which the internal user accesses, generates a site list accessed by the internal user, classifies reputable sites that are highly recognized and frequently accessed and utilized by the user based on the generated site list, (S50) of creating a connection-based site list based on the reputation that is generated and managed.

Here, the risk management list generation step (S30) is preferably performed to generate a risk management list based on the reputation-based access site list.

Preferably, the mail structuring step S10 and the threat detection step S20 are separately performed on the side of the external web mail service and the organization's mail service side.

Further, preferably, a relationship analysis classification list generation step (S21) for generating a relationship analysis classification list for classifying and listing the information of the mail recipient on the basis of the sender information of the mail from the structured mail data do.

Here, the risk management list generation step (S30) may be performed to generate the risk management list based on the relation analysis classification list.

Preferably, an internal security classifying list generating step (S22) for generating an internal security classifying list for classifying and listing the information of the mail sender and the mail receiving information based on the internal security level from the structured mail data .

Here, the risk management list generation step S30 may be performed to generate the risk management list based on the internal security classification list and the relationship analysis classification list.

In another aspect, the present invention relates to a phishing e-mail blocking system for monitoring internal and external traffic, which is connected to an external web mail service to monitor incoming traffic to an internal network to extract and store data packets related to mail, A first mail structuring unit (11) for analyzing packets and processing each mail data for each configuration item including a URL included in the mail to generate structured mail data; It is connected to the internal mail service side of the organization and monitors traffic transmitted and received in the internal network to extract and store data packets related to the mail, analyzes each data packet, and stores each mail data in a configuration item A second mail structuring unit (12) for processing structured mail data; A first threat detection unit (21) for extracting a URL included in the mail from the structured mail data in the first mail structuring unit and checking whether there is a threat of mail data based on the extracted URL; A second threat detection unit 22 for extracting a URL included in the mail from the structured mail data in the second mail structuring unit and checking whether there is a threat of the mail data based on the extracted URL; A first risk management list generation unit 31 for classifying threats of a site corresponding to a URL included in a mail according to the inspection result of the first threat detection unit and generating a risk management list; A second risk management list generation unit 32 for classifying the threat of the site corresponding to the URL included in the mail according to the inspection result of the second threat detection unit and generating a risk management list; And a block list generation unit (40) for cross-referencing the risk management lists generated by the first risk management list generation unit (31) and the second risk management list generation unit (32) to create a block list .

Preferably, the internal user detects the URL of the accessed site, generates a site list accessed by the internal user, classifies reputable sites that are highly recognized and frequently accessed and utilized by the user based on the generated list, The first risk management list generating unit 31 and the second risk management list generating unit 32 generate a risk list based on the reputation-based access site list, Create a management list.

As described above, according to the present invention, it is possible to provide an intelligent phishing mail blocking method and a blocking system by monitoring internal and external traffic in order to detect and block phishing attacks that are becoming increasingly intelligent.

In addition, it becomes possible to provide a security structure that can be protected from the threat of intelligent phishing even in a situation where the user does not use the internal mail of the institution.

Further, because the results of the cyber threat detection are superimposed on each other between the external web mail service side and the internal mail service side, the internal user can perform an intelligent phishing attack only on the external web mail service side or the intra- , Spear phishing, and wailing, both services can be protected.

FIG. 1 is a flowchart illustrating a method of blocking intelligent phishing e-mails according to the present invention.
2 is a structural diagram for explaining structured mail data and threat detection according to an embodiment of the present invention.
3 is a diagram for explaining a process of blocking intelligent phishing mails through internal and external traffic monitoring according to an embodiment of the present invention.
FIG. 4 is a view for explaining data and application process of generated business relationship data according to an embodiment of the present invention.
FIG. 5 is a block diagram of an intelligent phishing e-mail blocking system according to the present invention.
FIG. 6 is a diagram illustrating a process of applying a result of each step of the embodiment of the present invention to a phishing e-mail prevention system.
7 is a configuration diagram of an exemplary mail network implemented with the present invention.
8 (a) is an exemplary network configuration diagram of a conventional secure network.
8 (b) is a configuration diagram of another exemplary mail network in which the present invention is applied.
9 is a configuration diagram of a conventional mail network for explaining a phishing threat in the mail system.

The present invention may be embodied in many different forms and is not limited to the embodiments described herein. In order to clearly illustrate the present invention, parts not related to the description are omitted, and similar parts are denoted by like reference characters throughout the specification. And a detailed description thereof will be omitted to omit descriptions of portions that can be readily understood by those skilled in the art. Throughout the specification and claims, where a section includes a constituent, it does not exclude other elements unless specifically stated otherwise, but may include other elements.

As described above, there are various aspects of the sophisticated phishing attack, and the system for preventing the intelligent phishing attack proposed in the present invention is a threat against threats encountered when operating an actual information system. Especially, defense mechanism was designed based on intelligent phishing e-mail blocking method and intelligent phishing e-mail blocking method for spear phishing and wailing attack using e-mail. Based on the following three basic response concepts and environment, phishing Respond effectively to attacks.

(1) When an e-mail is checked using an information system operated by an internal user, it is possible to monitor inbound traffic from an external network to an inner network to detect an intelligent phishing attack That is, it detects and blocks spear phishing or wailing attacks.

(2) Users are employees who are authorized to use the information system operated by the company or organization. Therefore, it is possible to use the personnel database to identify and manage individual users and to provide a unique number and intelligent phishing attack, ie department, position (or department) for risk management of spear phishing or wailing attacks class) can be used. On the other hand, outsiders who temporarily check e-mail using the internal information system can not obtain normal information and are therefore classified as unknown-users when designing the defense mechanism.

(3) The e-mail used by users is composed of an external mail service provided by an external web site and an organization's mail service provided by an internal server service).

The person in charge of a particular company or organization receives many e-mails to process. They contain information such as confirmation of facts, requests for status reports, submission of applications, etc., and they are read by the person in charge of the work. In this case, cyber threats such as connecting to a phishing site or downloading a malicious code such as a Trojan horse may occur at the same time. Therefore, it is necessary to detect and block an attack in advance. For this purpose, .

Hereinafter, the present invention will be described in detail with reference to the accompanying drawings.

FIG. 1 is a flowchart illustrating a method of blocking intelligent phishing e-mails according to the present invention.

Referring to FIG. 1, an intelligent phishing e-mail blocking method according to an embodiment of the present invention includes a mail structuring step S10, a threat detection step S20, a risk management list generating step S30, (Blocking List) creating step (S40). The risk management list creating step (S30) is performed separately on the side of the external web mail service and the organization's mail service side , A risk management list for the external web mail service and a risk management list for the organization mail service are separately generated and a blocking list creation step S40 creates a blocking list by cross- The created block list effectively responds to intelligent phishing attacks by preventing internal users from accessing or accessing the sites (url) included in the block list It is good.

According to an embodiment, the mail structuring step S10 and the threat detection step 20 may be performed separately on the side of the external web mail service and on the organization's mail service side.

2 is a structural diagram for explaining structured mail data and threat detection according to an embodiment of the present invention. 3 is a diagram for explaining a process of blocking intelligent phishing mails through internal and external traffic monitoring according to an embodiment of the present invention.

Referring to FIG. 2 and FIG. 3, the mail structuring step S 10 is a step of monitoring the traffic transmitted and received in the internal network (packet flow monitoring) to extract and store (Deep Packet Capture) (Packet Analysis) to process each mail data for each configuration item including a URL included in the mail to generate structured mail data.

It is a preliminary step for detecting cyber threats that enter the inner network through a mail service. It monitors and captures packets related to mail transmitted and received in the internal network, And structuring the mail data by each item. The structured mail data includes a URL item and the like, and has a configuration as shown in FIG.

A protocol such as POP3 or SMTP is used for sending and receiving mail. In order to manage risk related to spear phishing and wailing, information such as who sent whom, what URLs are transmitted based on the information of the structured mail data, And whether or not the infected attachment is transmitted.

Meanwhile, internal users simultaneously use an external web mail service and an organization's mail service. Therefore, in order to simultaneously identify the threat elements occurring in both sections, the mail structuring step S10 and the risk management list generating step S30 for generating a risk management list, which will be described later, the web mail service side and the organization's mail service side. This is because hackers can use either the external webmail service or the internal mail service, or both, to attack internal users.

Particularly, the method of monitoring and capturing the traffic of both the external web mail service and the organization's mail service side, Of the mail server is located in the DMZ. In addition, if the internal user and the internal mail server are located in the same network section, the burden of monitoring and capturing the packets is reduced, but the insider can detect attacks that are executed using the internal mail service The problem of difficulty arises. Therefore, the network section used by the internal users and the organization mail server for establishing the security structure corresponding to the spear phishing and wailing is separately operated as in the configuration diagram of the mail network implemented with the invention of FIG. 7 More preferable.

In the subsequent threat detection step S20, the URL included in the mail is extracted from the structured mail data in the mail structure step S10, and the existence of the threat of the mail data is checked based on the extracted URL.

As shown in FIG. 3, the presence or absence of a cyber threat is checked using anti-virus, anti-spam, and a phishing filter for the URL extracted from the mail and the attached file. The threats or secure URLs are distinguished according to the detected result.

In step S30, a risk management list is generated based on the result of the threat detection step S20. In step S30, the risk management server classifies the threats of sites corresponding to the URLs included in the mail according to the result of the threat detection step S20, Create a list. Site threats are categorized into categories, including, for example, Threat sites, Safe sites, and Unknown sites. The risk management list can also be created using Http.

turn division URL Reason Remarks One Threat www.attacket.com Malicious code distribution site Notice of Internet Promotion Agency 2 safety www.naver.com Portal site List of Internet Management Systems 3 Need analysis www.mailrc.com Continuous mail flow Internal user 00
Send periodic e-mails, or periodic e-mails to key internal personnel with low security labeling needs 4 Unknown www.car.com connected site Internal user periodic access

6, the process of checking whether there is a cyber threat will be described in detail with reference to FIG. 6. In detail, a white domain list, a phishing site list, and a phishing site list are created for a URL (Listing of Extracted URL) extracted from structured mail data. , And the URL of the site included in the reputation-based site list (Used site Lists based on Reputation). The white domain lists are the URLs of the site And in some cases may be created and managed in various ways including the same manner as the reputation-based connection site list described later based on the connection site information of the internal users.

In addition, the presence or absence of a threat URL is checked using the security device such as Anti-Virus, Anti-Spam, and Anti-Phishing System for the extracted mail data (for example, attached file data) (The mail sending site and the site associated with the attachment) and adding the URL to the risk management list. In addition, URLs reflecting the security policies of other organizations can be added to reflect the security policies of the organization.

In addition, the sites included in the White Domain Lists and the list of Used Site Lists based on Reputation are classified into secure URLs, so that some or all of the above-described processes for analyzing the existence of cyber threats May be omitted to reduce time commitment for analysis.

The blocking list creating step S40 creates a blocking list based on the risk management list. As described above, the risk management list creating step S30 is a step of creating an external web mail service side And the organization's mail service side separately to generate a risk management list for the external web mail service and a risk management list for the organization mail service separately and generate a blocking list S40 ) Is performed in such a manner that a final blocking list is created by cross-referencing the two.

In this way, the method of blocking the intelligent phishing e-mail according to the present invention is separated into the external web mail service side and the internal mail service side, and the results of the cyber threat detection are overlapped. Even if an intelligent phishing attack, such as spear phishing and wailing, occurs in only one of the internal mail service side, both services can be protected.

In addition, it detects the URL of the site accessed by internal users, generates a list of sites accessed by internal users, classifies reputable sites that are highly recognized and frequently accessed and utilized by users based on the list, and generates a reputation-based access site list (S50), and the risk management list generation step S30 is performed to generate a risk management list based on the reputation-based access site list It is possible.

The list of sites accessed by internal users is managed by storing internal users' access to external sites in the form of a list of URLs, and these sites are determined to be continuously accessed by internal users because they are useful. Therefore, the URLs in this list are basically classified as safe sites that reflect the recognition or reputation of the URLs of the internal users, unless they are judged to be separate threats, and generate and manage a list of sites based on the reputation, Compared with the malicious code propagation site list, the threat URL can be extracted from the access site list, and the list of URLs of sites excluding the threat URL can be updated to the reputation-based access site list. Sites accessed by a majority of internal users are still considered empirically secure.

Meanwhile, regarding the generation of the connection site list based on the reputation, a security system is generally operated in which internal users check and allow or block the corresponding URL when accessing a web site. The security system, as shown in Table 2 below, It has a list database and classifies it into groups such as stocks, portal sites, education, public institutions, etc., and determines which services are used by internal users based on the list of URLs currently in normal service. , It is possible to generate a list of connection sites based on the reputation based on this, and in the case where people recommend using a particular site by using an online bulletin board or the like, since the site may be a threat source, And whether there is a large number of referrals. It may threaten the separation of the extent of the site, and reflect it to create a connection list of sites based on reputation. In addition, a URL reflecting the blocking policy in the other organization may be added to reflect the security policy of the corresponding organization.

turn Contact IP Contact person Access URL Access time result Reason One 192.0.0.2 Choi Jung Ho www.naver.com 201205050627 permit Portal site 2 192.0.0.3 Choi Kyung Ho www.phishing.com 201205050900 block Phishing site 3 192.0.0.2 Choi Jung Ho www.nate.com 201205050911 permit Portal site

Further, the embodiment may further include a relational analysis classification list generation step (S21), and the relational analysis list may basically be configured to extract the sender information of the mail from the structured mail data And generates a list by classifying the information of the mail recipient on the basis of the user information in the organization.

The structured mail data of the present invention combines information extracted from the structured mail data and user information in the organization to manage the data on a daily basis. Thus, in the form of Table 3 below, Is generated and is continuously updated in such a manner that who in the organization is receiving a certain mail, and is updated based on the caller ID and IP.

Extraction of Mail Information Information on the internal personnel who received the e-mail No. Time SenderID ReceiverID pressure of business name One 201205052142 A@t.com J@c.com One Choi Jung Ho 2 Choi Kyung Ho 2 201205052150 B@t.com J@c.com One Choi Jung Ho

Preferably, the relationship analysis classification list may be used as a basic data for generating a risk management list, and the risk management list generation step S30 may be performed to generate the risk management list based on the relation analysis classification list In this case, the recipient or group of the e-mail received from the threat agent is identified through the relationship analysis list, and the site corresponding to the threat agent is reflected in the risk management list and included in the block list, . In addition, it is possible to generate security basic data in the organization, such as basic data for analyzing the internal affair relationship or a list of user awareness training.

Also, it can be used as a data for determining the security label of insider of the users in the organization. It is reflected in the above-mentioned risk management list together with the security level information, and is used as basic information for classifying the threat of the risk management list .

FIG. 4 is a diagram for explaining a generated task association data and an application process according to an embodiment of the present invention. The organization internal members are classified into five security levels according to task privileges, As shown in Fig. The security level represents the authority to access important information of the organization. It is divided into Top Secret, Secret, Confidential, Restricted and Unclassified according to the order of importance. This may be divided into three or four levels, depending on the size of the organization and how it is classified and managed. The relationships that are related to each other in terms of business can be set in various ways, such as by department, common or specific task promotion group

4 is generated by extracting information on e-mail transmission / reception among members in the entire organization through a relationship analysis classification list, and analyzing and sorting the business relationship between members based on the extracted information. The security label of insider is granted based on the authority of the personnel of the specific organization. The lower the security level, the higher the privilege, and therefore more internal information can be handled.

Accordingly, by analyzing the task association relationship obtained through the relationship analysis classification list in association with the security level, it is possible to generate task association data considering the surge in security and security as shown in FIG. 4, By analyzing the task-related relationships that are considered security level, tracking the change of attack target or continuous attack can capture the indication of targeted attack and classify the threat level of the phishing attack.

Unlike general phishing e-mails, which send mass malicious messages to a large number of unspecified persons, intelligent phishing, spear phishing waling, is an attack that is targeted at individuals within a particular group or senior position within an organization. For the configuration of the anti-phishing system, it is necessary to establish a security policy for preventing phishing based on the business association data considering the security level or the basic information for classifying whether the threat list is threatened or not, .

Accordingly, preferably, an internal security classifying list generating step (S22) for generating an internal security classifying list for classifying and listing the information of the mail sender and the mail receiving information based on the internal security grade from the structured mail data And the risk management list generating step S30 may generate the risk management list based on the internal security classifying list relational analysis classification list.

The internal security classification list is information that can identify who is receiving mail based on the security label of insider, and manages data on a daily basis, and is generated in the form shown in Table 4 below.

Security Label of insider Extraction of Mail Information Internal personnel information Security rating No. Time SenderID ReceiverID pressure of business name One Choi Jung Ho One One 201205052142 A@t.com J@c.com 2 201205052150 B@t.com J@c.com 2 Choi Kyung Ho 2 One 201205050627 A@t.com c@c.com

The phishing e-mail blocking system through internal and external traffic monitoring of the present invention performs each step of the method for blocking intelligent phishing e-mails through internal and external traffic monitoring of the present invention as described above. Hereinafter, Explain.

FIG. 5 is a block diagram of an intelligent phishing e-mail blocking system according to the present invention. Referring to FIG. 5, it is connected to an external web mail service to monitor incoming traffic to an internal network to extract and store mail- A first mail structuring unit 11 for analyzing each data packet and processing each mail data for each configuration item including a URL included in the mail to generate structured mail data, Monitors the traffic transmitted and received in the network to extract and store data packets related to the mail, analyzes each data packet, processes each mail data by each configuration item including a URL included in the mail, and generates structured mail data A second mail structuring unit (12), a first mail structuring unit A first threat detection unit 21 for extracting a URL included in the e-mail and examining existence of a threat of the mail data on the basis of the extracted URL, a URL included in the mail from the mail data structured by the second mail structuring unit A second threat detection unit 22 for detecting existence of a threat of mail data on the basis of the detected threat, a threat management unit 22 for classifying the threat of the site corresponding to the URL included in the mail according to the inspection result of the first threat detection unit, A second risk management list generation unit 31 for generating a risk management list by classifying whether threats of sites corresponding to URLs included in the mail are classified according to the inspection result of the second threat detection unit, And the block list generating unit 40. The block list generating unit 40 generates the block list generating unit 31 and the second risk management list generating unit 31 Cross-reference to risk management list , And creates a block list.

The first mail structuring unit 11 and the second mail structuring unit 12 are connected to the external web mail service side and the internal mail service side of the organization respectively so as to perform each of the embodiments of the mail structuring step S10 And the first threat detection unit 21 and the second threat detection unit 22 are configured to perform the respective embodiments of the threat detection step S20 described above.

The first risk management list generating unit 31 and the second risk management list generating unit 32 are configured to perform the step S30 of generating the risk management list and include a risk management list for the external web mail service, The risk management list for the organizational mail service is separately generated and the block list generating unit 40 is configured to perform each embodiment of the blocking list creating step S40, 31 and the second risk management list generating unit 31 to generate a final block list.

In order to generate the list of connection sites based on the reputation, the URL of the site accessed by the internal user is detected, and a list of sites accessed by the internal user is generated. Based on this, And an internal user access site management unit 50 for generating and managing a reputation-based access site list by classifying the sites. The first risk management list generation unit 31 and the second risk management list creation unit The unit 32 is configured to generate a risk management list based on the reputation-based access site list.

FIG. 6 is a diagram illustrating a process of applying the results of the steps of the embodiment of the present invention to a phishing e-mail prevention system. As shown in FIG. 6, The results of intelligent phishing e-mail blocking methods are applied.

FIG. 7 is a block diagram of a mail network according to an embodiment of the present invention. Referring to FIG. 7, a UTM having an intrusion prevention function is operated in order to apply a block list output as a result of the present invention.

On the other hand, Fig. 8 (a) is an exemplary network configuration diagram of a normal security network. 8 (b) is a configuration diagram of another exemplary mail network to which the present invention is applied. [0082] FIG. 8 (a) is applied to a normal security network in the form as shown in FIG. 8 (b) Configure a secure network to prevent phishing e-mail.

In the above-described exemplary system, the methods are described on the basis of a flowchart as a series of steps or blocks, but the present invention is not limited to the order of the steps, and some steps may occur in different orders or simultaneously . It will also be understood by those skilled in the art that the steps shown in the flowchart are not exclusive and that other steps may be included or that one or more steps in the flowchart may be deleted without affecting the scope of the invention.

11: First mail structuring unit 12: Second mail structuring unit
21: first threat detection unit 22: second threat detection unit
31: First Threat Management List Generation Unit 32: First Threat Management List Generation Unit
40: Block list boss
50: Internal user access site management unit

Claims (10)

An intelligent phishing e-mail blocking method using internal and external traffic monitoring using a phishing e-mail blocking system,
The blocking system of the phishing e-mail monitors the traffic transmitted and received in the internal network, extracts and stores the data packet related to the mail, analyzes each data packet, processes each mail data by each configuration item including the URL included in the mail A mail structuring step (S10) of generating structured mail data;
A threat detection step (S20) of extracting a URL included in a mail from the structured mail data in the mail structuring step (S10) and checking whether the threat of the structured mail data exists based on the extracted URL;
A risk management list creating step (S30) of classifying the threat of the site corresponding to the URL included in the mail according to the inspection result of the threat detection step (S20) to generate a risk management list; And
A blocking list creating step (S40) of creating a blocking list including a URL of a site classified as a threat site based on the risk management list by the blocking system of the phishing mail; Including,
The risk management list generation step S30 is performed separately from the external web mail service side and the organization's mail service side so that the risk management list for the external web mail service and the organization Separate risk management lists for mail services,
The Blocking List creation step S40 is a step of cross-referencing the URL of the threat site in the risk management list for the external web mail service and the URL of the threat site in the risk management list for the organization mail service, Creating a blocking list including URLs of sites classified as a threat site in at least one of a risk management list for the mail service and a risk management list for the organization mail service,
(S22) an internal security classifying list generating step of generating an internal security classifying list for classifying and listing the mail sender's information and mail receiving person's information based on the internal security grade from the structured mail data How to block intelligent phishing e-mails by monitoring internal and external traffic. delete delete The method according to claim 1,
The mail structuring step S10 and the threat detection step 20 are performed separately on the side of the external web mail service and on the organization's mail service side. How to block intelligent phishing emails. The method according to claim 1,
The blocking system of the phishing mails further includes a relationship analysis classification list generation step (S21) of generating a relationship analysis classification list for classifying and listing the information of the mail recipient based on the sender information of the mail from the structured mail data Wherein the phishing e-mail message is received by the e-mail server. delete delete delete A system for blocking phishing e-mails through internal and external traffic monitoring,
It is connected to the external web mail service to monitor the incoming traffic to the internal network, extracts and stores the data packet related to the mail, analyzes each data packet and processes each mail data by configuration items including the URL included in the mail A first mail structuring unit (11) for generating structured mail data;
It is connected to the internal mail service side of the organization and monitors traffic transmitted and received in the internal network to extract and store data packets related to the mail, analyzes each data packet, and stores each mail data in a configuration item A second mail structuring unit (12) for processing structured mail data;
A first threat detection unit (21) for extracting a URL included in a mail from the structured mail data in the first mail structuring unit and checking whether the mail data is present or not;
A second threat detection unit 22 for extracting a URL included in the mail from the structured mail data in the second mail structuring unit and checking whether the mail data is present or not;
A first risk management list generation unit 31 for classifying the threat of the site corresponding to the URL included in the mail according to the inspection result of the first threat detection unit and generating a first risk management list;
A second risk management list generation unit 32 for classifying the threat of the site corresponding to the URL included in the mail according to the inspection result of the second threat detection unit and generating a second risk management list; And
The URL of the threat site included in the first risk management list generated by the first risk management list generating unit 31 and the second risk management list generating unit 32 and the URL of the threat site included in the second risk management list And a blocking list generation unit (40) for creating a blocking list including URLs of sites classified as a threat site in at least one of the first risk management list and the second risk management list,
The second risk management list generating unit 32 generates an internal security classifying list for classifying and listing mail sender information and mail receiver information based on the internal security level from the structured mail data. Monitor phishing e-mail blocking system. delete

Images