KR101814088B1 - Intelligent and learning type mail firewall apparatus - Google Patents

Publication number
KR101814088B1
Authority
KR
South Korea
Prior art keywords
mail
intelligent
module
learning
reliability
Application number
KR1020150094764A
Other languages
Korean (ko)
Other versions
KR20170005279A (en)
Inventor
김충한
김기남
Original Assignee
김충한
(주)기원테크
Application filed by 김충한, (주)기원테크 filed Critical 김충한
Priority to KR1020150094764A priority Critical patent/KR101814088B1/en
Publication of KR20170005279A publication Critical patent/KR20170005279A/en
Application granted granted Critical
Publication of KR101814088B1 publication Critical patent/KR101814088B1/en

Classifications

    • H04L51/12
    • H04L51/30
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The apparatus comprises: an origin tracking module that checks the stability of the e-mail sender using the sending e-mail address and protocol information; an intelligent learning module that learns the characteristics of each mail based on an intelligent program and learns patterns; and a reliability checking module that checks the reliability of received mail through management of a preset reliability reference table.
According to the present invention, it is possible to construct a next-generation mail firewall that can prepare for intelligent attacks by applying a learning filtering function.

Description

INTELLIGENT AND LEARNING TYPE MAIL FIREWALL APPARATUS

The present invention relates to an intelligent and learning type mail firewall device, and more particularly, to an intelligent and learning mail firewall that prevents mail spoofing and related incidents and filters hacking mail.

In recent years, fraudulent crimes via e-mail have been rapidly increasing, and the safe reception and transmission of e-mail are becoming an important issue.

In particular, methods have been proposed that verify the security of a mail by verifying its sender, so that the receiver does not receive spam containing undesired content or harmful mail that causes various kinds of harm to the receiver; see Open Publication No. 2003-55817 (name: mail management method and mail client terminal for selectively receiving / deleting mail using a mail header). There, the mail client accesses the mail server and first receives only the header information of the mail, and the user operating the mail client checks the sender address in the header information and chooses whether to receive or delete the body of the mail.

However, in this method the user on the mail client side must make the receive / delete decision for every mail, which is inconvenient: for example, the user must still decide whether to receive or delete mail from a sender whose mail has been received safely in the past. In addition, when a mail carries a similar-looking sender address, there is a high possibility that the user mistakes it for a safe sender and fails to delete it.

In addition, due to the development of web applications and the increase in the proportion of online systems, attack paths have become much more complex and diverse than in the past. Therefore, there is a need for a mail firewall device that can protect against intelligent attacks.

Published Japanese Patent Application No. 2003-55817

SUMMARY OF THE INVENTION

It is an object of the present invention to provide an intelligent and learning type mail firewall device that prevents the rapidly increasing mail fraud incidents and filters hacking mail and the like so that a user can use mail reliably.

The problems to be solved by the present invention are not limited to those mentioned above, and other problems not mentioned will be clearly understood by those skilled in the art from the following description.

According to an aspect of the present invention, there is provided an information processing apparatus including: an origin tracking module for checking the stability of the sender of an e-mail using the sending e-mail address and protocol information; an intelligent learning module for learning the characteristics of each mail based on an intelligent program and learning patterns; and a reliability checking module for checking the reliability of received mail through management of a preset reliability reference table.

The origin tracking module can check the stability of the sender in real time.

The intelligent filtering module can classify mail by generating its own confidence probability, calculating a plurality of cases using the patterns obtained through learning.

The intelligent filtering module can perform intelligent filtering for distinguishing and blocking normal mail from hacking mail even when the same mail address is used.

The reliability checking module can distinguish the normal mail from the hacking mail based on the reliability of the standard even when the same mail address is used.

The intelligent and learning mail firewall device may further include a virus detection module that filters virus files through analysis and real-time inspection of attached files at the same time using a multi-virtual space.

The virus detection module may perform an operation set to minimize network load due to the virus engine real-time update.

The intelligent and learning mail firewall device may further include an archiving module having a large storage space for long-term storage of mails.

The archiving module may have a redundant storage space to store the body of the mail and the attached file, and to restore the original state when necessary.

The intelligent and learned mail firewall device may further comprise an Intelligent URL Filtering Engine (IUFE) module for analyzing URLs contained in the email body through an intelligent URL filtering engine.

The IUFE module may be configured to perform intelligent filtering using a virtual machine.

The IUFE module may be configured to detect an auto-executable file upon URL connection.

The intelligent and learning mail firewall device may further include an additional function support module that performs Unicode support so that multi-language mail can be viewed as in the original.

The additional function support module can allow the original text of blocked mail to be viewed for further judgment.

The additional function support module may be configured to automatically update information collected in the central control system every hour.

The additional function support module may be configured to automatically act first and report afterwards upon receipt of a suspicious or cautionary mail.

According to the present invention, it is possible to construct a next generation mail firewall capable of preparing intelligent attacks by applying the learning filtering function.

In addition, it is compatible with any mail server through easy installation, and it is possible to receive the most secure mail after analyzing the mail through real-time tracking of origin and learning.

According to the present invention, in terms of stability, it is possible to block new hacking emails such as spear phishing and APT attacks and to protect the customer's property from hacking emails through the encrypted security method.

According to the present invention, in terms of security, variant attacks and new attacks can be detected in real time by the encrypted mail processing method, and the source of an attack can be blocked by the reliability check through the learning function.

According to the present invention, it is possible to provide an optimized customized solution for a company.

FIG. 1 is a view for explaining an intelligent and learning mail firewall device according to an embodiment of the present invention.
FIG. 2 and FIG. 3 illustrate an origin tracking module in an intelligent and learning mail firewall according to an exemplary embodiment of the present invention.
FIG. 4 is a diagram for explaining a learning function in an intelligent and learning type mail firewall device according to an embodiment of the present invention.
FIGS. 5 and 6 are views for explaining a reliability checking function in an intelligent and learning type mail firewall device according to an embodiment of the present invention.
FIG. 7 is a diagram illustrating a network in which an intelligent and learned mail firewall device according to an embodiment of the present invention is installed.
FIG. 8 is a diagram for explaining how an intelligent and learning mail firewall device according to an embodiment of the present invention blocks hacking.
FIG. 9 is a diagram illustrating a network in which an intelligent and learned mail firewall device according to another embodiment of the present invention is installed.

Hereinafter, specific embodiments of the present invention will be described in detail with reference to the drawings. It should be understood, however, that there is no intention to limit the scope of the present invention to the embodiments shown; other embodiments, including regressive ones obtained by adding, changing or deleting elements, or other embodiments falling within the spirit of the present invention, can be proposed.

Although the terms used in the present invention are general terms that are widely used at present, some terms were selected arbitrarily by the applicant in specific cases. In such cases the meaning is described in detail in the corresponding description, so the present invention should be understood by the meaning of the term rather than by its name alone.

That is, in the following description, the word 'comprising' does not exclude the presence of other elements or steps than those listed.

FIG. 1 is a view for explaining an intelligent and learning mail firewall device according to an embodiment of the present invention.

Referring to FIG. 1, an intelligent and learning mail firewall device 100 according to an exemplary embodiment of the present invention includes an origin tracking module 110, an intelligent learning module 120, an intelligent filtering module 130, a reliability checking module 140, a virus detection module 150, an archiving module 160, an IUFE module 170, and an additional function support module 180.

The origin tracking module 110 can check the stability of the sender in real time using the outgoing e-mail address and protocol information.

The intelligent learning module 120 can memorize the characteristics of each mail and learn patterns rather than simply storing the information.

The intelligent filtering module 130 can classify mail by generating its own reliability probability, calculating the number of cases using the patterns obtained through learning rather than performing a simple comparison.

The intelligent filtering module 130 can perform intelligent filtering for distinguishing and blocking normal mail from hacking mail even when the same mail address is used.

The reliability checking module 140 can perform the reliability checking through the preset reliability reference table management. The reliability checking module can distinguish a normal mail from a hacking mail based on the reliability as a reference even when the same mail address is used.

The virus detection module 150 can filter the virus file through analysis and real-time inspection of the attached file at the same time using the multi-virtual space.

The virus detection module 150 may operate to minimize network load due to virus engine real-time updates.

The archiving module 160 can store a large amount of mail for a long period of time.

The archiving module 160 may have a redundant storage space to securely store the text and the attached file, and can restore the original state when necessary.

The Intelligent URL Filtering Engine (IUFE) module 170 may perform intelligent URL filtering. Accordingly, the IUFE module 170 can analyze the URLs contained in the email body. It can also perform intelligent filtering using a virtual machine. In addition, the IUFE module can detect autorun files at URL connection time.

The additional function support module 180 can perform unicode support so that the multi-language mail can be viewed as it is from the original.

The additional function support module 180 can support the original text to be viewed in order to make an accurate judgment on the blocked mail.

The additional function support module 180 can automatically update the information collected in the central control system every hour.

The additional function support module 180 can automatically act first and report afterwards upon receipt of a suspicious or cautionary mail.

FIG. 2 and FIG. 3 illustrate an origin tracking module in an intelligent and learning mail firewall according to an exemplary embodiment of the present invention.

Referring to FIG. 2 and FIG. 3, the origin tracking module 110 may perform filtering after comparing and analyzing received mail by driving an intelligent program.

Accordingly, the origin tracking module 110 can accurately detect and block modified hacking mails.

Also, the origin tracking module 110 can improve management efficiency by showing the blocked, warning, normal, attention, virus, and URL detection status of received mails.

In addition, the origin tracking module 110 can provide a graphical representation of the filtering status and the status of the user so that the user can easily understand the filtering status and the status at a glance.

FIG. 4 is a diagram for explaining a learning function in an intelligent and learning type mail firewall device according to an embodiment of the present invention.

Referring to FIG. 4, the intelligent learning module 120 may perform filtering after comparing and analyzing the mail domain, sending IP, and protocol of the mail in real time.

The intelligent learning module 120 can analyze the content pattern of the mail through filtering on the received mail.

The intelligent learning module 120 can detect the malicious code through comparison analysis and display the filtering result.

For example, the intelligent learning module 120 can display the setter, the sent mail, the communication domain, the sending IP, the registration time, the learning status, the reliability, and the deletion as screen information.

For example, the learning menu may indicate whether the learning has been completed, and the reliability menu may be displayed. In the delete menu, the user can delete the corresponding mail item by selecting delete for the mail item.

The intelligent learning module 120 may generate a probability with an encrypted value through the learning function to allow secure mail.

FIGS. 5 and 6 are views for explaining a reliability checking function in an intelligent and learning type mail firewall device according to an embodiment of the present invention.

Referring to FIGS. 5 and 6, the reliability checking module 140 can generate reliability through real-time comparison analysis.

The reliability checking module 140 displays a warning for a mail having a low probability of safety through reliability even in the case of learned mail.

For example, the reliability can be managed by dividing into less than 60% (low), more than 70% (medium), and more than 80% (high).

The reliability checking module 140 can secure the security of the mail through the reliability check.

For example, FIGS. 5 and 6 show items such as a sender of mail, an actual recipient, a subject, a received date, a filtering, a status, and a restoration menu item. The filtering menu item displays the reliability calculated after performing the filtering.

In FIG. 5, highly reliable mails are sorted based on a predetermined reliability criterion. Thus, mail sorted here can be processed to be delivered to the actual recipients.

On the other hand, in FIG. 6, mails having low reliability are sorted based on a predetermined reliability criterion. Therefore, the mail sorted here can be processed to not be delivered to the actual recipients.

The firewall device 100 can perform a mail firewall function, a reliability check through a learning function, a real time inspection, a mail content analysis comparison, and an analysis in a mail body URL virtual space.

In addition, the firewall device 100 can perform spam blocking, spear phishing protection, APT preemptive response, virus blocking, and mail body URL comparison operations.

The firewall device 100 compares and analyzes the communication domain, the sending IP, the sending domain, and the contents of the mail in real time instead of the simple domain inspection through the SPF function.

Through a reliability check using the learning function based on an intelligent program, the firewall device 100 rates allowed mail with a reliability indicator and classifies it as high, medium, or low. In the case of low reliability, the firewall device 100 blocks reception and delivery of the mail.

In addition, the firewall device 100 performs a real-time comparison analysis of the communication domain, the sending IP, and the sending domain, and notifies the manager when they do not match. A mail for which these do not match corresponds to intelligent hacking mail. Therefore, intelligent hacking mail can be effectively blocked.
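The comparison of communication domain, sending IP and sending domain against a learned reliability table can be sketched as follows. This is an added example, not code from the patent: the scoring weights, the Postfix-style `Received` header format, the class and function names, and the treatment of the unstated 60-70% range as low are all assumptions, and the sample mails are constructed.

```python
import email
import ipaddress
import re
from collections import defaultdict
from email.utils import parseaddr

# "from <helo> (<rdns> [<ip>])" as written by the receiving MTA (Postfix-style).
RECEIVED_RE = re.compile(
    r"from\s+\S+\s+\((?P<rdns>[\w.-]+)\s+\[(?P<ip>[0-9A-Fa-f.:]+)\]\)")

# Constructed weights (assumption): the page does not say how reliability is computed.
W_ALIGNED, W_DOMAIN_LEARNED, W_IP_LEARNED = 35, 40, 25


def extract(raw):
    """Return (sender address, sending domain, communication domain, sending IP)."""
    msg = email.message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    sending_domain = sender.rpartition("@")[2]
    # Assumption: the topmost Received header was added by our own gateway,
    # so it is the only hop whose contents can be trusted.
    received = " ".join((msg.get_all("Received") or [""])[0].split())
    m = RECEIVED_RE.search(received)
    if not m:
        return sender, sending_domain, None, None
    try:
        ip = ipaddress.ip_address(m["ip"])
    except ValueError:  # malformed address literal in the header
        return sender, sending_domain, m["rdns"].lower(), None
    return sender, sending_domain, m["rdns"].lower(), ip


def network_of(ip):
    """Group addresses by /24 (IPv4) or /48 (IPv6) so one mail farm maps to one key."""
    return ipaddress.ip_network(f"{ip}/{24 if ip.version == 4 else 48}", strict=False)


class ReliabilityTable:
    """Per-sender record of infrastructure seen on mail confirmed as normal."""

    def __init__(self):
        self.domains = defaultdict(set)
        self.networks = defaultdict(set)

    def learn(self, raw):
        sender, _, comm_domain, ip = extract(raw)
        if comm_domain and ip:
            self.domains[sender].add(comm_domain)
            self.networks[sender].add(network_of(ip))

    def check(self, raw):
        sender, sending_domain, comm_domain, ip = extract(raw)
        # Communication domain equals the sending domain or is one of its subdomains.
        aligned = bool(comm_domain and sending_domain) and (
            comm_domain == sending_domain
            or comm_domain.endswith("." + sending_domain))
        domain_learned = comm_domain in self.domains.get(sender, set())
        ip_learned = ip is not None and network_of(ip) in self.networks.get(sender, set())
        score = (W_ALIGNED * aligned + W_DOMAIN_LEARNED * domain_learned
                 + W_IP_LEARNED * ip_learned)
        # Bands from the page: more than 80 high, more than 70 medium, less than 60 low.
        # Assumption: the unstated 60-70 range is treated as low.
        band = "high" if score > 80 else "medium" if score > 70 else "low"
        return {
            "sender": sender, "score": score, "band": band,
            "deliver": band != "low",     # low reliability: block delivery
            "notify_admin": not aligned,  # domain mismatch: alert the manager
        }


def make_mail(rdns, ip, subject):
    """Build a constructed sample mail; the From address is identical every time."""
    return (
        f"Received: from {rdns} ({rdns} [{ip}])\n"
        "\tby gw.corp.example with ESMTP; Mon, 06 Jul 2015 09:00:00 +0900\n"
        "From: Accounts <billing@supplier.example>\n"
        "To: finance@corp.example\n"
        f"Subject: {subject}\n"
        "\n"
        "See attached invoice.\n"
    )


def demo():
    table = ReliabilityTable()
    table.learn(make_mail("mail.supplier.example", "203.0.113.10", "Invoice 1"))
    return {
        "normal": table.check(make_mail("mail.supplier.example", "203.0.113.25", "Invoice 2")),
        "new_ip": table.check(make_mail("mail.supplier.example", "192.0.2.44", "Invoice 3")),
        "spoofed": table.check(make_mail("host7.relay.example", "198.51.100.7", "New bank details")),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

All three sample mails carry the same sender address; only the relay that handed the mail to the gateway differs, which is what separates the delivered mail from the blocked one.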

Also, when the firewall device 100 is constructed with a small capacity of 1,000 users, it is possible to perform 100 concurrent mail analysis and 100-150 DB processing. Accordingly, the throughput of mail can be handled between 100,000 and 200,000.

On the other hand, when the firewall device 100 is constructed with an intermediate capacity of 1,000-2,000 users, it is possible to perform 500 concurrent mail analysis and 200-300 DB processing. Accordingly, the throughput of mail can be handled from 200,000 to 500,000 per day.

On the other hand, when the firewall device 100 is constructed with a large capacity of 2,000 or more users, it is possible to perform 1,000 concurrent mail analysis and 400-500 DB processing. Accordingly, the throughput of mail can be handled from 800,000 to 1,000,000 per day.

FIG. 7 is a diagram illustrating a network in which an intelligent and learned mail firewall device according to an embodiment of the present invention is installed.

Referring to FIG. 7, the intelligent and learned mail firewall device 100 may be installed between the mail server 10 and the network equipment 20. The network equipment 20 is connected to a firewall equipment 30 connected to the Internet.

Therefore, the MX record on the DNS server must be changed so that mail flowing into the mail server 10 is input to the intelligent and learned mail firewall device 100.

FIG. 8 is a diagram for explaining how an intelligent and learning mail firewall device according to an embodiment of the present invention blocks hacking.

Referring to FIG. 8, a primary defense against a hacking attack can be performed by the firewall device 30. For a hacking attack that has passed through the firewall device 30, the intelligent and learned mail firewall device 100 performs the final defense to block the hacking, thereby safely protecting the mail server 10 from external hacking attacks.

FIG. 9 is a diagram illustrating a network in which an intelligent and learned mail firewall device according to another embodiment of the present invention is installed.

Referring to FIG. 9, the intelligent and learned mail firewall device 100 may be installed between the mail server 10 and the L4 network equipment 40 in a redundant manner. The L4 network equipment 40 is connected to the switch equipment 50 and the switch equipment 50 is connected to the firewall equipment 60 connected to the Internet.

Since the intelligent and learning mail firewall device 100 is connected to the L4 network equipment 40 using the L4 redundancy method, it improves on the related-art MX redundancy scheme, which is vulnerable to failure.

The intelligent and learning type mail firewall devices 100 can monitor each other through redundancy and cope with a failure, thereby securing the stability of the mail service.

In addition, when a failure occurs due to an operating system failure or mechanical failure, the intelligent and learning mail firewall device 100 changes the setting of the L4 network device 40 to enable forwarding to the mail server 10.

Since the intelligent and learning mail firewall device 100 can perform real-time inquiry using more than 1,000 virtual spaces, the speed of data analysis processing and result delivery is remarkably high.

The intelligent and learned mail firewall device 100 continues learning so that it stays up to date whenever a new type of dangerous mail is found.

In addition to the firewall function of the mail, the intelligent and learned mail firewall device 100 may also include a spam-out function and a virus detection function.

The intelligent and learning mail firewall device 100 can be operated in an extended manner so as to be additionally installed and operated while operating a mail server already installed.

While the invention has been shown and described with reference to certain preferred embodiments thereof, it will be understood by those skilled in the art that various changes and modifications may be made therein without departing from the spirit and scope of the invention. Therefore, the scope of the present invention should not be limited to the described embodiments, but should be determined by the equivalents of the claims and the claims.

Claims (16)

1. An intelligent and learning mail firewall device comprising:
an origin tracking module for checking the stability of the e-mail sender using the e-mail address and protocol information;
an intelligent learning module that stores characteristics of each of the emails based on the intelligent program, learns a pattern, and provides information on completion of learning for each of the emails to the user; and
a reliability check module that checks the reliability of each of the e-mails through management of a predetermined reliability reference table, classifies the information about the reliability of each of the e-mails into high, medium and low according to a predetermined criterion, and provides a warning indication for the mail classified as
wherein the reliability checking module also checks the reliability of the mail whose learning has been completed by the intelligent learning module.
2. The intelligent and learned mail firewall device of claim 1, wherein the origin tracking module checks the stability of a sender in real time.
3. The device according to claim 1, further comprising an intelligent filtering module for performing mail classification by creating its own confidence probability while calculating the number of a plurality of cases using a pattern through learning.
4. The device of claim 3, wherein the intelligent filtering module performs intelligent filtering for distinguishing and blocking normal mail from hacking mail even when the same mail address is used.
5. The intelligent and learned mail firewall device according to claim 1, wherein the reliability checking module distinguishes a normal mail from a hacking mail based on a reliability that is a standard even when the same mail address is used.
6. The device according to claim 1, further comprising a virus detection module that filters virus files through analysis and real-time inspection of attachments at the same time using multiple virtual spaces.
7. The intelligent and learned mail firewall device of claim 6, wherein the virus detection module performs an action set to minimize network load due to virus engine real-time updating.
8. The device according to claim 1, further comprising an archiving module having a large storage space for long-term storage of the mail.
9. The intelligent and learning type mail firewall device according to claim 8, wherein the archiving module has a redundant storage space to store a main body of the mail and attached files, and to restore the original state when necessary.
10. The device according to claim 1, further comprising an Intelligent URL Filtering Engine (IUFE) module that analyzes the URLs contained in the email body through an intelligent URL filtering engine.
11. The intelligent and learned mail firewall device of claim 10, wherein the IUFE module is configured to perform intelligent filtering using a virtual machine.
12. The intelligent and learned mail firewall device of claim 10, wherein the IUFE module is configured to detect an autorun file upon URL connection.
13. The device according to claim 1, further comprising an additional function support module for performing Unicode support so that multi-language mail can be viewed as it is from the original.
14. The device of claim 13, wherein the additional function support module supports the original text to be viewed for additional judgment on the blocked mail.
15. The device of claim 13, wherein the additional function support module is configured to automatically update information collected in the central control system every hour.
16. The device of claim 13, wherein the additional function support module is configured to automatically perform a reporting function after a pre-action upon receipt of a suspicious or cautionary mail.

Priority Applications (1)

Application Number Priority Date Filing Date Title
KR1020150094764A KR101814088B1 (en) 2015-07-02 2015-07-02 Intelligent and learning type mail firewall apparatus

Publications (2)

Publication Number Publication Date
KR20170005279A (en) 2017-01-12
KR101814088B1 (en) 2018-01-03

Family

ID=57811605

Family Applications (1)

Application Number Title Priority Date Filing Date
KR1020150094764A KR101814088B1 (en) 2015-07-02 2015-07-02 Intelligent and learning type mail firewall apparatus

Country Status (1)

Country Link
KR (1) KR101814088B1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2021025203A1 (en) * 2019-08-07 2021-02-11 주식회사 기원테크 Artificial intelligence-based mail management method and device
WO2022054982A1 (en) * 2020-09-09 2022-03-17 주식회사 기원테크 Method and device for managing electronic mail

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR102005420B1 (en) * 2018-01-11 2019-07-30 국방과학연구소 Method and apparatus for providing e-mail authorship classification

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP4681980B2 (en) * 2004-09-16 2011-05-11 マイクロソフト コーポレーション How to publish user profile information

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20030055817A (en) 2001-12-27 2003-07-04 삼성전자주식회사 Mail control method of receiving and deleting mails selectively using mail header information and mail client terminal

Also Published As

Publication number Publication date
KR20170005279A (en) 2017-01-12

Legal Events

Date Code Title Description
A201 Request for examination
E902 Notification of reason for refusal
E701 Decision to grant or registration of patent right
GRNT Written decision to grant