KR20130035572A - Detecting apparatus and method for messenger phishing - Google Patents

Abstract

PURPOSE: A messenger phishing detecting equipment and a method thereof are provided to automatically detect the messenger phishing and to improve the accuracy of the messenger phishing detecting with a help of the phishing detecting equipment. CONSTITUTION: A phishing detecting equipment receives and collects a fixed number of sentences from an initial point of time when a companion of conversation of a messenger tries for a dialogue(110). The phishing detecting equipment analyzes a dialogue pattern from the collected sentences and calculates the risk of the message(120). The phishing detecting equipment determines whether the calculated risk is higher than the predetermined threshold and detects a messenger phishing attempt(130). If the calculated risk is higher than the predetermined threshold, the phishing detecting equipment requests additional authentication information to the companion of conversation(140). The phishing detecting equipment blocks the service usage of the companion of conversation when a user does not reply to the additional authentication information request(150). If the calculated risk is lower than the predetermined threshold, the phishing detecting equipment maintains a messenger session continuously(160). [Reference numerals] (110) Receiving and collecting a fixed number of sentences from an initial point of time when a companion of conversation of a messenger tries for a dialogue; (120) Analyzing a dialogue pattern from the collected sentences and calculating a risk value; (130) Risk value > Threshold ?; (140) Requesting additional authentication information; (150) Blocking the service usage when a user does not replay and transmitting a notification message; (160) Holding a session; (AA) Start; (BB) No; (CC) Yes; (DD) End;

Description

Detecting apparatus and method for messenger phishing

The present invention relates to a technique for detecting messenger phishing, and more particularly, an apparatus for detecting and rejecting a messenger phishing activity during a conversation with a counterpart, in which a chat counterpart deliberately deceives a messenger user to take economic benefits, It relates to a method and a recording medium recording the same.

Phishing is a compound word that means 'fishing private data'. In general, phishing sends an unspecified number of users to a fake homepage to access a fake homepage. It is a new breed of fraudulent technique.

Phishing scams are widely known to require sensitive personal data, such as card numbers and passwords, disguised as messages from financial institutions. In this case, the body of the e-mail contains a notice and a link to a website urging the user to enter personal information. When the link is clicked, a regular website of the financial institution and a pop-up window for personal information input are displayed. In the case of phishing, the site displayed in the main window is a true regular website, but the pop-up page is a disguised web page. Therefore, when a user who views a regular website and sends a personal financial information such as an authentication code, a password, or a credit card number into a text box displayed on a pop-up is sent to the person attempting phishing. In addition to these methods, phishing schemes use special formatting used in URLs to make use of sophisticated techniques, such as making them appear to be linked to a real domain, or hiding the address bar of a pop-up window. Doing. The non-patent literature cited below introduces various types of phishing and countermeasures.

In recent years, phishing has emerged as a new type of messenger phishing. Messenger phishing is literally phishing by using a messenger, which means to steal someone's messenger ID, log in, send a message to a registered acquaintance, and request money, and is a kind of social engineering hacking technique. In other words, a person who attempts to phish in messenger phishing illegally finds another person's account in an Internet messenger or an online service capable of chatting, and checks a list of friends registered in the messenger or service, and is currently connected. Talking to people pretends to be acquaintances, you get unjust financial gain. For this purpose, the messenger phishing suspect accesses another user's messenger account, checks a list of friends registered in the messenger, talks to the accessing person, lends him money, and induces an account transfer or unpaid deposit.

Such messenger phishing is more natural and difficult to detect fraud in that the suspect is not a machine or a program. In particular, it is pointed out that the problem is that the mechanical response is difficult because the uniform and sequential phishing behavior is not performed by the program, and the user's attention is completely required even in the prevention. Therefore, there is a need for a technical means to accurately detect and respond to the ever-increasing messenger phishing.

 Phishing Threats and Countermeasures, Eung-Yong Lee, Yun-Jung Kim, Kyu-Min Cho, Korea IT Industry Promotion Agency, 2006.

The technical problem to be solved by the present invention is to overcome the limitation that the response to the messenger phishing is entirely at the user's attention level, and some messenger phishing detection technology in response to the mechanical words in response to the financing of a certain word, the mechanical warning By displaying the message, it solves the problem that unnecessary warning message is exposed even in the context of non-messenger phishing, and the user's attention is lowered by frequent exposure of the warning message, thereby eliminating the side effect of exposure to the messenger phishing risk.

In order to solve the above technical problem, the phishing detection device according to an embodiment of the present invention detects phishing through a messenger, the phishing detection device is a predetermined number from the first time the conversation counterpart of the messenger attempts a conversation Receiving and collecting sentences; The phishing detection device analyzing a conversation pattern from the collected sentence to calculate a risk value of a message; And determining, by the phishing detection device, whether the calculated risk value is greater than or equal to a preset threshold.

In the method of detecting phishing through the messenger, the analyzing of the conversation pattern is performed in consideration of the temporal order and the risk of keywords included in the collected sentence. Also, keywords extracted from the collected sentences may be divided into greetings, connection words, and financial related terms.

In the method of detecting phishing through the messenger, analyzing the conversation pattern may include extracting a keyword from the collected sentence using morpheme analysis; Determining whether there is a non-verbal greeting among the extracted keywords; Determining whether there is a connection word for switching topics among the keywords extracted after the greeting when there is a greeting other than the honor word; Determining whether a financial term exists among keywords extracted after the connection word when the connection word exists; And if the financial related term exists, determining whether financial transaction information exists among keywords extracted after the financial related term.

In the method of detecting phishing through the messenger, analyzing the conversation pattern and calculating a risk value of the message may include extracting a keyword in the collected sentence using morphological analysis; Determining whether the extracted keyword corresponds to a predefined phishing conversation pattern; Determining whether keywords corresponding to the phishing conversation pattern sequentially correspond to a predefined phishing step; And weighting each keyword corresponding to the phishing step and summing the assigned weights.

The method may further include requesting, by the phishing detection device, additional authentication information from the phishing detection device when the calculated risk value is greater than or equal to the threshold value in the method for detecting phishing through the messenger.

Furthermore, in order to solve the technical problem, a method for detecting a phishing through a messenger according to an embodiment of the present invention, the phishing detection device collecting the IP address of the conversation counterpart; Extracting, by the phishing detection device, local information about the IP address; And the phishing detection apparatus assigning a risk weight to a risk value of the message based on the extracted region information.

In the above-described methods for detecting phishing through messenger, the phishing detection device is preferably installed in a messenger server or a client receiving the message.

Meanwhile, hereinafter, a phishing detection apparatus described above provides a computer readable recording medium having recorded thereon a program for executing phishing detection through a computer.

Various embodiments of the present invention may automatically detect messenger phishing with the help of a phishing detection device by analyzing a conversation pattern from an early message of a conversation counterpart who attempts phishing to calculate the risk of the message, The user's attention level can be raised by accurately exposing the warning message considering the context rather than the response, and the accuracy of the IM phishing detection can be improved by considering the connection IP address of the conversation partner at the same time.

1 is a flowchart illustrating a method for detecting phishing through a messenger according to an embodiment of the present invention.
2 is a flowchart illustrating a process of calculating a risk value of a message by analyzing a conversation pattern in the phishing detection method of FIG. 1 according to an exemplary embodiment of the present invention.
3 is a flow chart illustrating in more detail a process of analyzing a conversation pattern in consideration of the temporal order and risk of a message not received from a conversation counterpart in the phishing detection method of FIG. 1 according to an embodiment of the present invention.
FIG. 4 is a flowchart illustrating a process of calculating a risk value of a message in consideration of a risk weight based on an IP address of a conversation counterpart in a phishing detection apparatus detecting phishing through a messenger according to an embodiment of the present invention.
5 is a system block diagram illustrating a case where an apparatus for detecting phishing through a messenger is implemented in a client according to an embodiment of the present invention.
6 is a system block diagram illustrating a case where an apparatus for detecting phishing through a messenger according to an embodiment of the present invention is implemented in a server.

Before describing embodiments of the present invention, a brief introduction to the technical field in which the embodiments of the present invention are implemented, that is, the operating environment of a security system corresponding to messenger phishing, will be given. It is intended to present the basic idea of the invention that can be devised.

As briefly introduced above, messenger phishing essentially sends a conversation that obscures the messenger's judgment as a real person as a conversation partner. Through such a series of conversation processes, suspects or criminals attempting to phishing messengers can naturally obtain personal financial information from messenger users. Therefore, it is a technically very difficult problem to determine whether a conversation counterpart is attempting messenger phishing based on the contents of the conversation by such a person.

Currently, as a security system for messenger phishing, when a specific word related to finance is input, a method of mechanically displaying a warning message in a messenger chat window is used. For example, if the word 'bank' is entered, the messenger program will automatically warn you of messenger phishing. However, if the word entered by the conversation partner meant the fruit of the plant 'ginkgo' and not 'bank', then this warning message would be very inappropriate and would only interfere with the conversation. Therefore, due to this problem, unnecessary warning messages are displayed in more cases than actual messenger phishing occurs, and if the messenger user is continuously and repeatedly exposed to such warning messages, the level of attention may be lowered. exist.

On the other hand, when the access IP address of the other party of the conversation is not an domestic IP address, a method of mechanically displaying a warning message to warn of messenger phishing on the messenger chat window simply because of a connection from an overseas region may be utilized. However, in the case of the application of such a mechanical IP address, it may cause discomfort to the messenger user and the conversation counterpart by displaying an unnecessary warning message in a conversation with a friend who lives abroad. In this case, even though the general users are in a normal conversation with the normal conversation counterpart, since the warning message is continuously and repeatedly exposed, the attention level of the messenger user may be lowered.

In addition, when illegal users residing abroad access or use a network bypass means such as proxy server or virtual private network (VPN) for phishing of messengers, or access by changing IP, There is a limitation in that it can be disguised as if connected in, so that it can not detect whether or not messenger phishing is accurate.

Accordingly, embodiments of the present invention to be described below are to propose a technical means that can detect a phishing attempt in a messenger or chat-enabled online service, to alert the timely or automatically verify the other party to prevent messenger phishing accidents do. To this end, embodiments of the present invention may largely include two technical elements.

First, embodiments of the present invention can quantitatively calculate the degree of risk of a conversation message by analyzing the conversation pattern from the message transmitted by the conversation partner in consideration of the context. In particular, in analyzing such conversation patterns, the risks of the messages are objectively determined by pre-defining the order and type of terms used for messenger phishing, and checking whether messages input in real time from the conversation partners comply with defined rules. Will be calculated as

Second, embodiments of the present invention may consider the access IP address of the other party with the analysis of the above-described conversation pattern. In other words, it is not considered to be a phishing messenger based on the contact IP of the other party, but whether the threat is presumed to be a phishing messenger in the contents of the actual conversation and whether the other party is connecting from an IP address band classified as a dangerous area. At the same time, the detection performance of messenger phishing can be greatly improved.

Hereinafter, embodiments of the present invention for detecting a messenger phishing attempt based on a conversation pattern will be described in more detail with reference to the accompanying drawings.

1 is a flowchart illustrating a method of detecting a phishing message through a messenger according to an embodiment of the present invention, and includes the following steps.

In operation 110, the phishing detection apparatus receives and collects a certain number of sentences from the first time when the conversation counterpart of the messenger attempts a conversation. Messenger phishing is characterized by the fact that all of its initiation is done by a conversation partner (suspect or criminal attempting to phish). Thus, when a messenger user (usually a user) starts a conversation first, it is not considered messenger phishing. In addition, the conversation counterpart who attempts to messenger phishing has a certain pattern or tendency within the initial conversation after attempting the conversation because the conversation counterpart should lead the conversation as intended. Therefore, the phishing detection device needs to collect and concentrate on a certain number of sentences after the conversation counterpart of the messenger attempts a conversation.

At this time, it was found that the target sentences collected by the phishing detection device are about 10 to 15 sentences in general. Therefore, embodiments of the present invention are preferably collected by focusing on this number of sentences (10-15 sentences at the beginning of the conversation). However, the number of sentences to be collected can be flexibly expanded or reduced depending on the environment in which the present invention is implemented or the language used.

In operation 120, the phishing detection apparatus analyzes a conversation pattern from the sentences collected in operation 110, and calculates a risk value of the message. This process corresponds to the step in which the phishing detection device grasps the context of the conversation from the collected sentences. To this end, the phishing detection device analyzes the morphemes of the collected sentences, extracts keywords from them, and applies a predefined rule to the extracted keywords to determine whether the message of the currently entered conversation corresponds to the conversation pattern of messenger phishing. Judge. Each keyword is assigned a corresponding risk value, and the individual risk value is summed from a conversation message collected through a series of messenger phishing processes to calculate a result value. A more detailed pattern analysis process will be described later with reference to FIGS. 2 and 3.

In operation 130, the phishing detection apparatus detects the messenger phishing attempt by determining whether the risk calculated in operation 120 is greater than or equal to a preset threshold. Such a threshold may be set and supplied to an appropriate level in advance by the messenger producer, but may be implemented to adjust the level if necessary by the user. If the calculated risk value is still below the threshold value because the normal messenger user, the conversation counterpart, proceeds to step 160 to continuously maintain the messenger session.

On the other hand, if the calculated risk is above the threshold, it is determined that messenger phishing is attempted. At this time, if the threshold value or more, a warning message for notifying the messenger phishing may be displayed for the whole, but the degree of risk may be divided by dividing the interval according to the calculated degree of risk. In the latter case, the countermeasures may be changed according to the degree of risk, and if necessary, the warning message may be displayed only to the normal messenger user. For example, the current messenger user (usually the user) can be warned that the other party is attempting to phishing the message, and the corresponding method (such as blocking a session or sending an SMS to the true owner who owns the instant messaging account) May be selected). In addition, if the level of risk is the highest level of risk, additional countermeasures to be reported to the CSI may be proposed.

In operation 140, when the risk value calculated in operation 120 is greater than or equal to a preset threshold, the phishing detection apparatus may request additional authentication information from the conversation counterpart in operation 140. In this case, the additional authentication information may be information for identifying whether the conversation partner who is currently connected is a true account user. For example, if there is a mobile phone number or e-mail address that was used during the initial sign-up of the messenger service, a verification code may be transmitted through the mobile phone or e-mail, and the received verification code may be requested to be entered again in the messenger authentication window. .

Alternatively, when an answer to a question that only oneself knows when the first subscription of the messenger service is described, the response may be displayed by displaying it to a conversation counterpart currently connected. For example, a messenger user may automatically display a question such as "You met my brother yesterday?" At this time, if you see the response of the conversation counterpart, and if an answer different from the fact is returned or responds with no response, the conversation counterpart may be regarded as a person who attempts phishing.

The above authentication process may be optionally included and may be implemented as one of the various countermeasures presented above.

In step 150, if the conversation counterpart does not respond to the request for additional authentication information in step 140, the phishing detection device may block the service of the conversation counterpart. To this end, the phishing detection apparatus waits a predetermined time after the request for the additional authentication information in step 140, and if there is no response within the corresponding time, the phishing detection device may block the use of the service of the conversation counterpart or terminate the session.

In addition, the phishing detection device may transmit a notification message that warns of the theft of a messenger to a genuine user (a messenger user whose account is stolen). In this case, it is preferable that the phishing detection device transmits a notification message through SMS or email by referring to the true user information of the corresponding account. The notification message may include a suspicion of account theft and instructions on how to deal with the account theft.

The series of steps described above are performed through a phishing detection device, and may be physically implemented by including at least one processor. That is, the phishing detection device receives data input in an electronic form, processes a defined operation, and calculates a result value to be displayed on the screen. In this process, the present embodiment includes not only one or more processors, but also memory for storing temporary or permanent data for computation, and software code for defining such computation and appropriately controlling each hardware. can do.

2 is a flowchart illustrating a process of calculating a risk value of a message by analyzing a conversation pattern in the phishing detection method of FIG. 1 according to an embodiment of the present invention. The phishing detection apparatus receives a predetermined number of sentences. Assume immediately after step 110 of collection.

In operation 210, the phishing detection apparatus extracts a keyword in a sentence using morphological analysis. In other words, the contextually significant keywords are extracted from the collected sentences and set as the target of the pattern analysis. Various methods and technical means for analyzing the morphemes may be appropriately selected and utilized by those skilled in the art, and there is a risk of obscuring the essence of the present invention. do.

In operation 220, the phishing detection apparatus analyzes a conversation pattern from the extracted keyword. More specifically, in step 221, it is determined whether the extracted keyword corresponds to a predefined phishing conversation pattern, and in step 222, whether the keyword corresponding to the phishing conversation pattern also corresponds to the predefined phishing step sequentially. To judge. That is, the process of analyzing the conversation patterns through the steps 221 and 222 is performed in consideration of the temporal order and the risk for the keywords included in the sentence collected in step 110.

In the case of messenger phishing, a conversation partner who attempts to phish has discovered a series of flows and logics that lead the conversation to the contents of the conversation from the start of the first conversation to the actual process of requesting financial information. It is defined as. In particular, in the conversation pattern for messenger phishing, there are characteristics in the type and order of keywords, which are not independent variables but have a constant correlation with each other. For example, only after the emergence of greetings to initiate conversations do daily conversation attempts take place, and then keywords revert to topics related to finance. Therefore, in the above example, 'greeting' → 'topic change' → 'financial term' appear sequentially in the dialogue, and this order is necessarily followed. If the conversation partner proceeds to another story by 'switching the topic' immediately after using the 'financial terminology', the conversation partner is most likely not a person who attempts to phishing a messenger. Therefore, it is necessary to check whether the conversation pattern determined from the extracted keyword coincides with the order according to the predefined phishing conversation pattern.

In operation 230, the phishing detection apparatus calculates a risk value of the message by assigning a weight to each keyword corresponding to the phishing step and summing the assigned weights. That is, weights are given for each phishing stage defined according to the dialogue direction, and the weights of all the weights collected through the sentences collected from the conversation counter are summed to calculate a result value for the risk value of the message.

On the other hand, in the sum of the weights in step 230, it is preferable that a relatively high value is given to the weight as the temporal order of the phishing step goes backward. This is because, in general, in case of messenger phishing, the risk increases further during each stage of the conversation. For example, even after a greeting, a keyword representing topical conversions may appear, the average user could talk about the results of a weekend baseball game. In this case, the risk of the message no longer increases. On the other hand, if a user attempts to messenger a messenger, the user's financial information is required as the conversation progresses. Therefore, the weight given through step 230 may be set to increase as time passes and the conversation flows. Do.

3 is a flow chart illustrating in more detail a process of analyzing a conversation pattern in consideration of the temporal order and risk of messages not received from a conversation counterpart in the phishing detection method of FIG. 1 according to an embodiment of the present invention. As in the case of the present invention, it is assumed that immediately after step 110 in which the phishing detection device receives and collects a certain number of sentences.

In operation 310, the phishing detection apparatus extracts a keyword in a sentence using morphological analysis. In this case, the keywords extracted from the collected sentences are preferably divided into greetings, connection words, and financial terms, but may be variously expanded and changed through a sample survey according to an environment in which embodiments of the present invention are implemented.

In operation 320, the phishing detection apparatus performs pattern analysis on the extracted keyword step by step. Each analysis process is described in more detail in the order defined.

In step 321, it is determined whether a greeting other than a horn is present among extracted keywords. When attempting to phishing an IM, the suspect is usually "are you in place?", "How are you?" Greetings in half-words and the like were generally investigated. Therefore, if a database for greetings other than nonverbal is established, and the extracted keywords correspond to this, it can be regarded as the start of messenger phishing. Of course, in this case, as described above with reference to FIG. 2, a relatively low value of weight may be given, which means that the degree of risk is relatively low.

In step 322, the phishing detection apparatus attempts to check when there is a non-horn greeting in step 321. The phishing detection device determines whether there is a connection word for switching topics among keywords extracted after the greeting. A suspect attempting to messenger a messenger typically sends a few more unrelated words after the greeting, and then reverses the connection (eg, "but", "I have a request", "nothing", It can be found that there is a tendency to use sentences to switch topics. Therefore, a database for such a topic-switched connection word is constructed, and if the extracted keyword corresponds to this, it can be regarded that messenger phishing has been performed. In this case, a value larger than the weight given in step 321 may be given.

In step 323, the phishing detection apparatus attempts to check when there is a connection word in step 322, and determines whether a financial term exists among keywords extracted after the connection word. Suspects attempting to messenger messengers have been found to tend to attempt conversations in financial terms (eg, "account transfer", "internet banking", etc.) immediately after a topical change. Therefore, if a database of such financial related terms is established and the extracted keyword corresponds to this, it can be regarded that messenger phishing is more advanced. In this case, a value larger than the weight given in step 322 may be given.

Finally, in step 324, the phishing detection apparatus attempts to check if a financial term exists in step 323, and determines whether financial transaction information exists among keywords extracted after the financial term. . Although financial-related terms appeared during the conversation as described above in step 323, it cannot be concluded that the conversation partner attempts to phish the messenger. This is because an ordinary conversation partner may simply talk about the economic situation. Therefore, it is necessary to accurately grasp the context of the conversation and to determine whether the financial-related story developed by the conversation counterpart is a messenger phishing activity that attempts to inflict economic damage on the messenger user. To this end, an embodiment of the present invention provides a request for a financial transaction activity (eg, "a specific bank name", "account number", "specific deficit amount") that may be economically damaging with respect to a messenger user in step 324. Check again to see if there is a " Therefore, a database of such financial transaction information is constructed, and when the extracted keyword corresponds to this, it can be considered that messenger phishing is attempted. Of course, if necessary, only the check in step 323 may be regarded as an attempt of messenger phishing, and this decision may be flexibly applied according to the set security level. Now, when it is determined in step 324 that the financial transaction information exists, a relatively large value may be given to the weights given above.

Finally, in step 330, the risk value of the message is calculated by summing weights assigned to each keyword.

FIG. 4 is a flowchart illustrating a process of calculating a risk value of a message in consideration of a risk weight based on an IP address of a conversation counterpart in a method for detecting phishing through a messenger according to an embodiment of the present invention. 1 to 3 may optionally and additionally be performed in the method of analyzing the conversation pattern described with reference to FIGS. Since steps 110 and 120 have been described with reference to FIG. 1, the description will be focused on steps 410 to 430 to avoid duplication.

In step 410, the phishing detection device collects the IP address of the conversation counterpart.

In operation 420, the phishing detection apparatus extracts region information on the collected IP address in operation 410. In this case, the area information may be country code or city location information, and the area information may be extracted using a database such as GeoIP. GeoIP can return the country, city, or ISP information of a given host or IP address. To do this, map the host / IP address to country / city / ISP information and store it. In summary, the process of extracting the region information by the server is performed by querying a database that maps the IP address band and region information using the collected access IP addresses and receiving the region information corresponding to the query. In addition, for convenience, the area information received is preferably at least one of a country code or a city code.

In operation 430, a risk weight is calculated on the risk value of the message based on the local information extracted through the phishing detection apparatus 420. Depending on the region, there may be a region set as a messenger phishing crime zone, and when a conversation partner attempts to access from the crime zone, a very high risk weight may be given.

In step 125, the risk weights calculated by analyzing the IP address through steps 410 through 430 are added to the risk value of the message calculated by analyzing the conversation patterns in steps 110 and 120. Such a configuration can reduce indiscriminate warning messages that can be caused by determining whether or not a messenger phishing is detected through only an IP address, and can detect whether or not a messenger phishing is more accurate.

Meanwhile, the phishing detection device described above with reference to FIGS. 1 to 4 may be implemented or installed anywhere in a messenger server or a client receiving the message. Such an installation may be flexibly determined according to the characteristics of a communication environment or an application in which the embodiments of the present invention are implemented. Hereinafter, each embodiment will be described with reference to FIGS. 5 and 6 based on the above two cases. Since the role played by each hardware configuration has been described in detail above with reference to FIGS. 1 to 4, in order to avoid duplication of description, only the general role of the corresponding configuration will be outlined below.

FIG. 5 is a system block diagram illustrating a case where an apparatus for detecting phishing through a messenger according to an embodiment of the present invention is implemented in a client 20, although a separate messenger server (not shown) is provided to provide a messenger service. ) May be utilized, but only the conversation counterpart 10 and the client 20 are shown to focus on phishing detection. In addition, the system may optionally include a notification server 40 for notifying a genuine user (meaning a messenger service subscriber whose account has been stolen) when messenger phishing is detected.

The communication unit 21 transmits and receives data and message packets so that the conversation counterpart 10 and the messenger user 20 can communicate with each other.

The processor 22 receives and collects a certain number of sentences from the first time when the conversation counterpart of the messenger attempts a conversation, and analyzes the conversation pattern from the collected sentences to calculate a risk value of the message. In this process, a predefined dialogue pattern analysis database 23 may be referred to, and if necessary, newly discovered phishing risk patterns may be updated in the dialogue pattern analysis database 23. The processor 22 may detect the messenger phishing by determining whether the risk value calculated through the above process is greater than or equal to a preset threshold.

If a messenger phishing attempt is detected, the processor 22 may request additional authentication information from the conversation counterpart 10, and if it fails to respond to the request for additional authentication information within a predetermined time, the account of the conversation counterpart 10 is displayed. Block the use of the service, and sends a notification message to the user through the notification server 40, referring to the user information of the account. At this time, the notification server 40 should be able to truly access the account information of the user, may be configured with the same hardware as the server of the messenger service for convenience.

Meanwhile, the processor 22 collects the IP address of the conversation counterpart 10 through the message of the conversation counterpart 10 received through the communication unit 21, and refers to the GeoIP database 24 to obtain regional information about the IP address. Can be extracted. Through this, the processor 22 may assign a risk weight to the risk value of the message based on the extracted region information.

FIG. 6 is a system block diagram illustrating a case where an apparatus for detecting phishing through a messenger according to an embodiment of the present invention is implemented in a server. In addition to the conversation counterpart 10 and the messenger user 20, FIG. Is configured to detect IM phishing. In addition, the system may optionally include a notification server 40 for notifying a genuine user (meaning a messenger service subscriber whose account has been stolen) when messenger phishing is detected.

In this case, the server 30 is preferably implemented with the same hardware as the messenger server that provides a messenger service, but may be implemented as separate hardware as necessary. The communication components 31, the processing unit 32, the conversation pattern analysis database 33, and the GeoIP database 34, which are individual components of the server 30 for detecting phishing, are the same as described above with reference to FIG. 5.

According to the embodiments of the present invention described above, by analyzing the conversation pattern from the initial message of the conversation counterpart who attempts phishing to calculate the risk of the message, messenger phishing can be automatically detected with the help of a phishing detection device, and The user's attention can be raised by accurately exposing the warning message considering the context rather than the mechanical response to the word.

According to embodiments of the present invention, early detection of messenger phishing is possible through analysis of an initial conversation pattern that can detect symptoms of messenger phishing without analyzing the whole conversation. Even if a criminal attempting to phish a messenger changes a conversation sentence variously, it is possible to distinguish half words and honor words by analyzing the tone of the conversation, the distribution of the words used, and the morphemes of the conversation. It has the advantage of being able to determine whether or not. In particular, since the embodiments of the present invention are detection systems based on pattern analysis, rather than mechanically responding to the words themselves, the distinction is that relatively few warning messages are exposed in normal conversation.

Also, by considering the connection IP address of the other party at the same time, the accuracy of the IM phishing detection can be improved. In addition, the authentication is automatically performed to determine whether the user is a genuine user. This can effectively reduce the impact of messenger phishing.

Meanwhile, embodiments of the present invention can be implemented by computer readable codes on a computer readable recording medium. A computer-readable recording medium includes all kinds of recording apparatuses in which data that can be read by a computer system is stored.

Examples of the computer-readable recording medium include a ROM, a RAM, a CD-ROM, a magnetic tape, a floppy disk, an optical data storage device and the like, and also a carrier wave (for example, transmission via the Internet) . In addition, the computer-readable recording medium may be distributed over network-connected computer systems so that computer readable codes can be stored and executed in a distributed manner. In addition, functional programs, codes, and code segments for implementing the present invention can be easily deduced by programmers skilled in the art to which the present invention belongs.

The present invention has been described above with reference to various embodiments. It will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the spirit and scope of the invention as defined by the appended claims. Therefore, the disclosed embodiments should be considered in an illustrative rather than a restrictive sense. The scope of the present invention is defined by the appended claims rather than by the foregoing description, and all differences within the scope of equivalents thereof should be construed as being included in the present invention.

10: IM conversation counterpart (party trying to phish)
20: messenger user
30: messenger server (phishing detection device)
21, 31: communication unit 22, 32: processing unit
23, 33: dialogue pattern analysis DB 24, 34: GeoIP DB
40: Notification server

Claims (12)

In the phishing detection device detects phishing by messenger,
Receiving and collecting a predetermined number of sentences by the phishing detection device from an initial point of time when a conversation counterpart of the messenger attempts a conversation;
The phishing detection device analyzing a conversation pattern from the collected sentence to calculate a risk value of a message; And
Determining, by the phishing detection device, whether the calculated risk value is greater than or equal to a preset threshold. The method of claim 1,
Analyzing the conversation pattern,
The method is performed in consideration of the temporal order and the risk for the keywords included in the collected sentences. The method of claim 1,
The keywords extracted from the collected sentences are divided into greetings, connection words, and financial related terms. The method of claim 1,
Analyzing the conversation pattern,
Extracting keywords in the collected sentences using morphological analysis;
Determining whether there is a non-verbal greeting among the extracted keywords;
Determining whether there is a connection word for switching topics among the keywords extracted after the greeting when there is a greeting other than the honor word;
Determining whether a financial term exists among keywords extracted after the connection word when the connection word exists; And
Determining whether financial transaction information exists among the keywords extracted after the financial related term when the financial related term exists. The method of claim 1,
Analyzing the conversation pattern to calculate the risk of the message,
Extracting keywords in the collected sentences using morphological analysis;
Determining whether the extracted keyword corresponds to a predefined phishing conversation pattern;
Determining whether keywords corresponding to the phishing conversation pattern sequentially correspond to a predefined phishing step; And
Weighting each keyword corresponding to the phishing step and summing the assigned weights. The method of claim 5, wherein
And a higher value is assigned to the weight as the temporal order of the phishing step goes backwards. The method of claim 1,
If the determined risk value is more than the threshold value,
Requesting, by the phishing detection device, further authentication information from the conversation counterpart. The method of claim 7, wherein
If the other party does not respond to the additional authentication information request within a predetermined time,
Blocking service use of the account of the other party; And
And transmitting a notification message with reference to the user information of the account. The method of claim 1,
Collecting, by the phishing detection device, an IP address of the conversation counterpart;
Extracting, by the phishing detection device, local information about the IP address; And
And by the phishing detection device, assigning a risk weight to a risk value of the message based on the extracted region information. The method of claim 9,
The step of assigning a risk weight to the risk value of the message,
Calculating a risk weight corresponding to the extracted region information by using the stored risk region table by mapping the region information and the risk weight; And
Summing the calculated risk weight with the calculated risk value of the message. The method of claim 1,
The phishing detection device is installed on a messenger server or a client receiving the message. A computer-readable recording medium storing a program for causing a computer to execute the method according to any one of claims 1 to 11.

Images