KR20230089691A - Method, apparatus and program for checking electronic message based on machine learning - Google Patents

Abstract

The present invention relates to a method, an apparatus, and a program for inspecting electronic messages based on machine learning, which can filter illegal spam emails in response to various email attack patterns. The method for inspecting electronic messages based on machine learning comprises: a step of receiving and storing electronic messages; a step of extracting an email file from the stored electronic messages; a step of conducting a spam inspection on the extracted email file and generating a first flag corresponding to the spam inspection; a step of, when the spam inspection is completed, checking whether there is an attached file in the email file; a step of, when there is the attached file, inputting a first feature value corresponding to the type of the attached file into a previously trained first neural network model, performing a static inspection, and generating a second flag corresponding to the static inspection; a step of, when the static inspection is completed, sandboxing the attached file; a step of inputting a second feature value corresponding to a specific indicator for the sandboxed attached file into a previously trained second neural network model, performing a dynamic inspection, and generating a third flag corresponding to the dynamic inspection; and a step classifying the electronic message based on the first, second, and third flags and displaying malicious probability information. Therefore, the method for inspecting electronic messages based on machine learning can accurately filter illegal spam emails with the minimum time and cost in response to continuously changing various email attack patterns.

Description

Method, apparatus and program for checking electronic messages based on machine learning

The present invention relates to an electronic message inspection method, and more particularly, to a machine learning-based electronic message inspection method, apparatus, and program capable of filtering illegal spam mails in response to various email attack patterns.

Security solutions provided by mail service companies basically use RBL (Real-time Black List) provided by KISA to filter spam mail, check SFP (Sender Policy Framework) record, display sender IP and country, etc. of mail service elements as security technology.

For example, settings with clear standards such as foreign IP blocking and spam word filter are provided by the user. Alternatively, the feature of encrypting and storing the main text is being promoted as a security element of the mail service.

In the security solution provided by the mail security solution, since the mail service is not provided, a solution to analyze and block mail before it enters the mail server is provided.

Companies using corporate mail services will block spam mails by using mail security solutions. At this time, from the point of view of a company using a mail security solution, it is required not to cause performance degradation without affecting mail traffic.

The security technology provided by the mail service, the security technology provided by the mail security solution, and the spam filter methods provided from these two perspectives all have strengths and weaknesses.

Mail service companies have the advantage of providing settings with certain standards, such as blocking foreign IPs and spam word filters, but they are not specialized in mail security, so they use separate mail solutions or provide minimal filters. It has the disadvantage of providing security technology.

In order not to affect mail traffic, mail security solution companies provide SPF record verification, DKIM signature, and DMARC authentication to additionally perform authentication functions in the process of sending and receiving mail.

Therefore, in the future, it is required to develop an electronic message inspection technology capable of accurately filtering illegal spam mails with minimum time and cost in response to constantly changing various email attack patterns.

Republic of Korea Patent No. 10-1005643 (2010. 12. 27)

One object of the present invention to solve the problems described above is to perform spam inspection of email files and static inspection and dynamic inspection of attachments using a neural network model, thereby continuously changing various email attack patterns. In response to this, it is to provide an electronic message inspection method, device, and program capable of accurately filtering out illegal spam mails with minimum time and cost.

The problems to be solved by the present invention are not limited to the problems mentioned above, and other problems not mentioned will be clearly understood by those skilled in the art from the description below.

An electronic message scanning method of an electronic message scanning apparatus according to an embodiment of the present invention for solving the above problems includes receiving and storing an electronic message, extracting an electronic mail file from the stored electronic message, and the extracted electronic message. Performing a spam scan of an e-mail file and generating a first flag corresponding to the spam scan, checking whether or not there is an attachment file in the e-mail file when the spam scan is completed, and if the attachment file is present, the attachment type Performing a static test by inputting a corresponding first feature value into a pre-learned first neural network model and generating a second flag corresponding thereto; sandboxing the attached file when the static test is completed; Entering a second characteristic value corresponding to a specific indicator of the sandbox-executed attachment into a pre-learned second neural network model to perform a dynamic inspection and generate a third flag corresponding thereto; and , classifying the electronic message based on the second and third flags and displaying malicious probability information.

In an embodiment, the receiving and storing of the electronic message may include storing the electronic message received while generating the first, second, and third flags.

In an embodiment, the extracting of the electronic mail file from the stored electronic message may include extracting an EML file from the plurality of stored electronic messages.

In an embodiment, the generating of the first flag may include checking whether the extracted e-mail file is spam corresponding to a user spam rule, and generating a malicious flag if the extracted e-mail file is spam corresponding to the user spam rule. do.

In an embodiment, the step of checking whether the extracted e-mail file is spam corresponding to the user spam rule may include determining whether the e-mail file is an advertisement or promotion corresponding to the user spam rule if it is not spam corresponding to the user spam rule. and generating an advertisement flag if it is an advertisement or promotion corresponding to the user spam rule.

In an embodiment, the user spam rule includes blocking mail domains and IPs including similar domains or malicious domains, blocking when the sender's domain is different from the actual sender's domain, blocking malicious URLs, blocking double extensions of attachments, and unsafe attachments. It is characterized by including classification and blocking of user-specified keywords.

In an embodiment, in the generating of the second flag, if the attached file is a document file type, a first characteristic value corresponding thereto is input to a pre-learned first neural network model to perform a static check, and the static check is performed. A malicious probability value corresponding to the test is predicted, and a second flag is generated based on the predicted malicious probability value.

In an embodiment, the generating of the second flag may include PDF version information, main keyword information in the PDF file, user-defined tag information, and arbitrary tag information if the attached file is a PDF file among document file types. It is characterized in that a static inspection is performed by inputting a feature value to a first neural network model trained in advance, a malicious probability value corresponding to the static inspection is predicted, and a second flag is generated based on the predicted malicious probability value. .

In an embodiment, in the generating of the second flag, if the attached file is a DOCX, XLSX, or HWP file among document file types, a first neural network model pre-learned feature values including a structural path by performing pre-processing. It is characterized in that a static inspection is performed by inputting to , a malicious probability value corresponding to the static inspection is predicted, and a second flag is generated based on the predicted malicious probability value.

In an embodiment, the first neural network model is at least one of a RandomForest model, a support vector machine model, a DecisionTree model, and a Naive Bayes model. characterized by

In an embodiment, the generating of the third flag may include inputting a second feature value including content information having a high weight from an infringement indicator for the sandbox-executed attachment to a pre-learned second neural network model. dynamic inspection is performed, a malicious probability value corresponding to the static inspection is predicted, and a third flag is generated based on the predicted malicious probability value.

In an embodiment, the second characteristic value may include file hash and create file information.

In an embodiment, the displaying of the malicious probability information may include a first flag including the malicious flag and an advertisement flag, a first malicious probability value, a second flag including a first neural network model accuracy, and a second malicious probability value. and second, based on the third flag including the accuracy of the neural network model, the e-mail file is classified into spam mail, advertisement mail, and normal mail, and malicious probability information is displayed on the classified mail.

In an embodiment, the step of displaying the malicious probability information is characterized in that the malicious probability information having different colors is displayed so that the classified spam mail, advertisement mail, and normal mail are visually distinguished from each other.

In addition, a computing device according to an embodiment of the present invention is a computing device for providing a method for checking an electronic message, and includes a processor including one or more cores, and a memory, wherein the processor receives and stores an electronic message and , Extracts an e-mail file from the stored e-mail message, performs a spam test on the extracted e-mail file, generates a first flag corresponding thereto, and determines whether the e-mail file has an attached file when the spam scan is completed. and if the attached file exists, a static test is performed by inputting a first characteristic value corresponding to the type of the attached file to a first pre-learned neural network model, and a second flag corresponding thereto is generated, and the static test is performed. When the execution is completed, the attached file is sandbox-executed, and a second characteristic value corresponding to a specific indicator for the sandbox-executed attachment is entered into a pre-learned second neural network model to perform a dynamic inspection, and the corresponding generating a third flag, and classifying the electronic message based on the first, second, and third flags, and displaying malicious probability information.

A computer program providing a method for checking an electronic message according to another embodiment of the present invention for solving the above problems is combined with a computer, which is hardware, and stored in a medium to perform any one of the above methods.

In addition to this, another method for implementing the present invention, another system, and a computer readable recording medium recording a computer program for executing the method may be further provided.

As described above, according to the present invention, spam inspection of e-mail files and static and dynamic inspection of attached files are performed using a neural network model, thereby responding to various constantly changing email attack patterns with minimal time and cost. Illegal spam mail can be accurately filtered.

In addition, since the present invention expresses a spam probability value in the form of a traffic light, it makes users aware of spam mail.

In addition, the present invention may include a mail server and an analysis server. By using only the analysis server, spam inspection of e-mail files by extracting EML and static inspection and dynamic inspection of attachments using a neural network model are performed. Therefore, spam, static, and dynamic scanning of e-mails can be efficiently performed by the analysis server even while the mails are being received and stored by the mail server.

In addition, since the present invention performs static inspection mainly on document files, it is possible to minimize the time required for the sandbox.

In addition, according to the present invention, maintenance costs can be reduced in terms of companies through self-learning of malicious files for models.

The effects of the present invention are not limited to the effects mentioned above, and other effects not mentioned will be clearly understood by those skilled in the art from the description below.

1 is a block diagram of a computing device that performs an operation to provide a method for checking an electronic message, according to an embodiment of the present invention.
2 is a conceptual diagram illustrating an electronic message checking apparatus according to an embodiment of the present invention.
3 is a diagram for explaining a learning process of a neural network model that performs a static test.
4 to 7 are diagrams for explaining performance evaluation of a neural network model that performs a static test.
8 is a diagram for explaining a process of extracting feature values input to a neural network model that performs a dynamic inspection.
9 is a diagram for explaining malicious probability information displayed on a mail list.
10 is a flowchart illustrating a method of checking an electronic message according to an embodiment of the present invention.

Advantages and features of the present invention, and methods of achieving them, will become clear with reference to the detailed description of the following embodiments taken in conjunction with the accompanying drawings. However, the present invention is not limited to the embodiments disclosed below, but may be implemented in various different forms, only these embodiments are intended to complete the disclosure of the present invention, and are common in the art to which the present invention belongs. It is provided to fully inform the person skilled in the art of the scope of the invention, and the invention is only defined by the scope of the claims.

Terminology used herein is for describing the embodiments and is not intended to limit the present invention. In this specification, singular forms also include plural forms unless specifically stated otherwise in a phrase. As used herein, "comprises" and/or "comprising" does not exclude the presence or addition of one or more other elements other than the recited elements. Like reference numerals throughout the specification refer to like elements, and “and/or” includes each and every combination of one or more of the recited elements. Although "first", "second", etc. are used to describe various components, these components are not limited by these terms, of course. These terms are only used to distinguish one component from another. Accordingly, it goes without saying that the first element mentioned below may also be the second element within the technical spirit of the present invention.

Unless otherwise defined, all terms (including technical and scientific terms) used in this specification may be used with meanings commonly understood by those skilled in the art to which the present invention belongs. In addition, terms defined in commonly used dictionaries are not interpreted ideally or excessively unless explicitly specifically defined.

Hereinafter, embodiments of the present invention will be described in detail with reference to the accompanying drawings.

Prior to the description, the meaning of the terms used in this specification will be briefly described. However, it should be noted that the description of terms is intended to help the understanding of the present specification, and is not used in the sense of limiting the technical spirit of the present invention unless explicitly described as limiting the present invention.

In this specification, neural networks, artificial neural networks, and network functions may often be used interchangeably.

Also, throughout this specification, a neural network, a neural network, and a network function may be used with the same meaning. A neural network may consist of a set of interconnected computational units, which may be generally referred to as “nodes”. These “nodes” may also be referred to as “neurons”. A neural network includes at least two or more nodes. Nodes (or neurons) constituting neural networks may be interconnected by one or more “links”.

1 is a block diagram of a computing device that performs an operation to provide a method for checking an electronic message, according to an embodiment of the present invention.

The configuration of the computing device 100 shown in FIG. 1 is only a simplified example. In one embodiment of the present invention, the computing device 100 may include other components for performing a computing environment of the computing device 100, and only some of the disclosed components may constitute the computing device 100.

The computing device 100 may include a processor 110 , a memory 130 , and a network unit 150 .

In the present invention, the processor 110 receives and stores the electronic message, extracts an electronic mail file from the stored electronic message, performs a spam check on the extracted electronic mail file and generates a first flag corresponding thereto, and When the inspection is completed, it is checked whether the e-mail file has an attached file, and if there is an attached file, a first characteristic value corresponding to the type of the attached file is entered into the pre-learned first neural network model to perform a static inspection, and the corresponding When the static inspection is completed, the attached file is sandbox-executed, and a second characteristic value corresponding to a specific indicator for the sandbox-executed attachment is input to the pre-learned second neural network model. It is possible to perform a dynamic inspection, generate a third flag corresponding thereto, classify the electronic message based on the first, second, and third flags, and display malicious probability information.

When receiving and storing an electronic message, the processor 110 may store the received electronic message even while generating the first, second, and third flags.

Here, when receiving and storing an electronic message, the processor 110 stores the contents of the received electronic message in a first database when the electronic message is received, and stores summary information and flag information of the electronic message in a second database. can

Subsequently, when extracting an electronic mail file from stored electronic messages, the processor 110 may extract an EML file from a plurality of stored electronic messages.

In some cases, when extracting an electronic mail file from stored electronic messages, the processor 110 may collect electronic mail information from a plurality of stored electronic messages.

Next, when generating the first flag, the processor 110 checks whether the extracted e-mail file is spam corresponding to the user spam rule, and generates a malicious flag if it is spam corresponding to the user spam rule.

Here, the processor 110, when checking whether the extracted e-mail file is spam corresponding to the user spam rule, if it is not spam corresponding to the user spam rule, checks whether the e-mail file is an advertisement or promotion corresponding to the user spam rule. And, if it is an advertisement or promotion corresponding to the user spam rule, an advertisement flag can be generated.

For example, user spam rules include blocking mail domains and IPs including similar domains or malicious domains, blocking when the sender's domain and the actual sender's domain are different, blocking malicious URLs, blocking attachment double extensions, classifying unsafe attachments, and user spam rules. Blocking of specified keywords may be included, which is only an example, but is not limited thereto.

Further, when generating the second flag, if the attached file is a document file type, the processor 110 inputs a first characteristic value corresponding thereto to the pre-learned first neural network model to perform static inspection, and static inspection A malicious probability value corresponding to is predicted, and a second flag may be generated based on the predicted malicious probability value.

For example, when the processor 110 generates the second flag, if the attached file is a PDF file among document file types, the processor 110 includes PDF version information, main keyword information in the PDF file, user-defined tag information, and arbitrary tag information. A static test may be performed by inputting a feature value of a pre-learned first neural network model, a malicious probability value corresponding to the static test may be predicted, and a second flag may be generated based on the predicted malicious probability value.

As another example, when the processor 110 generates the second flag, if the attached file is a DOCX, XLSX, or HWP file among document file types, the processor 110 performs pre-processing to obtain a pre-learned first neural feature including a structural path. Static inspection may be performed by inputting the data to the network model, a malicious probability value corresponding to the static examination may be predicted, and a second flag may be generated based on the predicted malicious probability value.

Here, the processor 110, when performing pre-processing, converts Microsoft ^TM- based Word (DOCX), Excel (XLSX) and PowerPoint (PPT) format files into Zipfiles to create a name list (nanelist) ) to extract arguments and extract structural features by excluding redundant values, which is only one embodiment, but is not limited thereto. In addition, the processor 110, when performing pre-processing, can extract the structural characteristics of data in the HWP file storage and stream, which is only one embodiment, but is not limited thereto.

Next, when generating the second flag, if the attached file is not a document file type, the processor 110 may directly sandbox execute the attached file.

For example, the first neural network model may be at least one of a RandomForest model, a support vector machine model, a DecisionTree model, and a Naive Bayes model, This is only one example, but is not limited thereto.

Also, when generating the second flag, the processor 110 may generate a first malicious probability value and a first neural network model accuracy together with the second flag.

Further, when generating the third flag, the processor 110 inputs a second feature value including content information having a high weight from the infringement index for the sandbox-executed attachment to the pre-learned second neural network model. It is possible to perform dynamic inspection, predict a malicious probability value corresponding to the static inspection, and generate a third flag based on the predicted malicious probability value.

For example, the second characteristic value may include file hash and create file information, which is only one embodiment, but is not limited thereto.

That is, as the second characteristic value, an API call sequence, which is one of sandbox result values, may be used.

In addition, the second neural network model may be at least one of a RandomForest model, a support vector machine model, a DecisionTree model, and a Naive Bayes model, which is It is only an example, and is not limited thereto.

In some cases, the second neural network model may be different from the first neural network model, but this is only an example, but is not limited thereto.

Also, when generating the third flag, the processor 110 may generate a second malicious probability value and a second neural network model accuracy together with the third flag.

Next, when displaying the malicious probability information, the processor 110 displays a first flag including a malicious flag and an advertisement flag, a first malicious probability value, a second flag including the first neural network model accuracy, and a second malicious probability value. And based on the third flag including the accuracy of the second neural network model, the e-mail file may be classified as spam mail, advertisement mail, and normal mail, and malicious probability information may be displayed on the classified mail.

Here, when displaying the malicious probability information, the processor 110 may display the malicious probability information having different colors so that the classified spam mail, advertisement mail, and normal mail are visually distinguished from each other.

For example, malicious probability information may be displayed on one side of a corresponding mail list after being classified by the color of a traffic light, but this is only one embodiment, and is not limited thereto.

Also, the aforementioned neural network model may be a deep neural network. Throughout this specification, neural network, network function, and neural network may be used interchangeably. A deep neural network (DNN) may refer to a neural network including a plurality of hidden layers in addition to an input layer and an output layer. Deep neural networks can reveal latent structures in data. In other words, it can identify the latent structure of a photo, text, video, sound, or music (e.g., what objects are in the photo, what the content and emotion of the text are, what the content and emotion of the audio are, etc.). . Deep neural networks include a convolutional neural network (CNN), a recurrent neural network (RNN), a restricted boltzmann machine (RBM), and a deep belief network (DBN). , Q network, U network, Siamese network, and the like.

A convolutional neural network is a type of deep neural network and includes a neural network including a convolutional layer. A convolutional neural network is a type of multilayer perceptron designed to use minimal preprocessing. A CNN may be composed of one or several convolutional layers and artificial neural network layers combined therewith. CNNs can additionally utilize weights and pooling layers. Thanks to this structure, CNNs can fully utilize the two-dimensional structure of the input data. Convolutional neural networks can be used to recognize objects in images. A convolutional neural network can represent and process image data as a matrix having dimensions. For example, in the case of image data encoded in RGB (red-green-blue), each R, G, and B color may be represented as a two-dimensional (eg, two-dimensional image) matrix. That is, the color value of each pixel of the image data can be a component of a matrix, and the size of the matrix can be the same as the size of the image. Thus, image data can be represented by three two-dimensional matrices (a three-dimensional data array).

In a convolutional neural network, a convolutional process (input/output of a convolutional layer) can be performed by moving the convolutional filter and multiplying the convolutional filter with matrix components at each position of the image. A convolutional filter may be composed of an n*n matrix. A convolutional filter can consist of a fixed shape filter, which is usually smaller than the total number of pixels in an image. That is, when an m*m image is input to a convolutional layer (for example, a convolutional layer whose size of convolutional filter is n*n), a matrix representing n*n pixels including each pixel of the image It can be component multiplied with this convolutional filter (ie, multiplication of each component of the matrix). A component matching the convolutional filter can be extracted from the image by multiplication with the convolutional filter. For example, a 3*3 convolutional filter to extract top and bottom linear components from an image would be constructed as [[0,1,0], [0,1,0], [0,1,0]] can When a 3*3 convolutional filter for extracting up and down linear components from an image is applied to an input image, up and down linear components matching the convolutional filter may be extracted from the image and output. The convolutional layer may apply a convolutional filter to each matrix for each channel representing an image (ie, R, G, B colors in the case of an R, G, B coded image). The convolutional layer may extract features matching the convolutional filter from the input image by applying the convolutional filter to the input image. The filter value of the convolutional filter (that is, the value of each element of the matrix) may be updated by backpropagation during the learning process of the convolutional neural network.

A subsampling layer is connected to the output of the convolutional layer to simplify the output of the convolutional layer, thereby reducing memory usage and computational complexity. For example, if the output of the convolutional layer is input to a pooling layer with a 2*2 max pooling filter, the image is compressed by outputting the maximum value included in each patch for each 2*2 patch in each pixel of the image. can The aforementioned pooling may be a method of outputting a minimum value of a patch or an average value of a patch, and any pooling method may be included in the present invention.

A convolutional neural network may include one or more convolutional layers and subsampling layers. A convolutional neural network may extract features from an image by repeatedly performing a convolutional process and a subsampling process (eg, max pooling described above). Through an iterative convolutional process and subsampling process, a neural network can extract global features of an image.

An output of the convolutional layer or the subsampling layer may be input to a fully connected layer. A fully connected layer is a layer in which all neurons in one layer are connected to all neurons in neighboring layers. A fully connected layer may refer to a structure in which all nodes of each layer are connected to all nodes of other layers in a neural network.

According to an embodiment of the present invention, the processor 110 may be composed of one or more cores, a central processing unit (CPU) of a computing device, a general purpose graphics processing unit (GPGPU) ), a processor for data analysis and deep learning, such as a tensor processing unit (TPU). The processor 110 may read a computer program stored in the memory 130 and perform data processing for machine learning according to an embodiment of the present invention. According to an embodiment of the present invention, the processor 110 may perform an operation for learning a neural network. The processor 110 performs neural network learning, such as processing input data for learning in deep learning (DL), extracting features from input data, calculating errors, and updating neural network weights using backpropagation. calculations can be performed for At least one of the CPU, GPGPU, and TPU of the processor 110 may process learning of the network function. For example, the CPU and GPGPU can process learning of network functions and data classification using network functions. In addition, in one embodiment of the present invention, the learning of a network function and data classification using a network function may be processed by using processors of a plurality of computing devices together. In addition, a computer program executed in a computing device according to an embodiment of the present invention may be a CPU, GPGPU or TPU executable program.

According to an embodiment of the present invention, the memory 130 may store a computer program for performing a method of filtering noise data of medical text, and the stored computer program may be read and driven by the processor 120 . The memory 130 may store any type of information generated or determined by the processor 110 and any type of information received by the network unit 150 .

According to an embodiment of the present invention, the memory 130 is a flash memory type, a hard disk type, a multimedia card micro type, or a card type memory (eg SD or XD memory, etc.), RAM (Random Access Memory, RAM), SRAM (Static Random Access Memory), ROM (Read-Only Memory, ROM), EEPROM (Electrically Erasable Programmable Read-Only Memory), PROM (Programmable Memory) Read-Only Memory), a magnetic memory, a magnetic disk, and an optical disk may include at least one type of storage medium. The computing device 100 may operate in relation to a web storage that performs a storage function of the memory 130 on the Internet. The description of the above memory is only an example, and is not limited thereto.

The network unit 150 according to an embodiment of the present invention may transmit and receive information to other computing devices and servers. In addition, the network unit 150 may enable communication between a plurality of computing devices so that operations for electronic message inspection or model learning may be distributedly performed in each of the plurality of computing devices. The network unit 150 may enable communication between a plurality of computing devices to perform distributed processing of an operation for examining an electronic message or learning a model using a network function.

The network unit 150 according to an embodiment of the present invention may operate based on any type of wired or wireless communication technology currently used and implemented, such as short-distance (short-distance), long-distance, wired, and wireless, and other networks. can also be used in

The computing device 100 of the present invention may further include an output unit and an input unit.

The output unit according to an embodiment of the present invention may display a user interface (UI) for performing the electronic message checking method. The output unit may output any type of information generated or determined by the processor 110 and any type of information received by the network unit 150 .

In one embodiment of the present invention, the output unit is a liquid crystal display (liquid crystal display, LCD), thin film transistor liquid crystal display (thin film transistor-liquid crystal display, TFT LCD), organic light-emitting diode (organic light-emitting diode, OLED) , a flexible display, and a 3D display. Some of these display modules may be of a transparent type or a light transmissive type so that the outside can be seen through them. This may be referred to as a transparent display module, and a representative example of the transparent display module is TOLED (Transparent OLED) and the like.

The input unit according to an embodiment of the present invention may receive a user input. The input unit may include keys and/or buttons on a user interface for receiving user input, or physical keys and/or buttons. A computer program for controlling a display according to embodiments of the present invention may be executed according to a user input through an input unit.

The input unit according to embodiments of the present invention may detect a user's button operation or touch input and receive a signal, or may receive a user's voice or motion through a camera or microphone and convert it into an input signal. For this purpose, speech recognition technology or motion recognition technology may be used.

The input unit according to embodiments of the present invention may be implemented as an external input device connected to the computing device 100 . For example, the input device may be at least one of a touch pad, a touch pen, a keyboard, or a mouse for receiving a user input, but this is only an example and is not limited thereto.

The input unit according to an embodiment of the present invention may recognize a user touch input. The input unit according to an embodiment of the present invention may have the same configuration as the output unit. The input unit may include a touch screen implemented to receive a user's selection input. The touch screen may use any one of a contact capacitive method, an infrared light sensing method, a surface ultrasonic (SAW) method, a piezoelectric method, and a resistive film method. Detailed description of the touch screen described above is only an example according to an embodiment of the present invention, and various touch screen panels may be employed in the computing device 100 . The input unit configured as a touch screen may include a touch sensor. The touch sensor may be configured to convert a change in pressure applied to a specific portion of the input unit or capacitance generated at a specific portion of the input unit into an electrical input signal. The touch sensor may be configured to detect not only the touched position and area, but also the pressure upon touch. When there is a touch input to the touch sensor, the corresponding signal(s) is sent to the touch controller. The touch controller may process the signal(s) and then transmit corresponding data to processor 110 . Accordingly, the processor 110 can recognize which area of the input unit has been touched.

In one embodiment of the present invention, the server may include other configurations for performing the server environment of the server. The server may include any type of device. The server may be a digital device, such as a laptop computer, a notebook computer, a desktop computer, a web pad, or a mobile phone, equipped with a processor and having an arithmetic capability with a memory.

A server (not shown) performing an operation for providing a user interface displaying a result of checking an electronic message according to an embodiment of the present invention to a user terminal may include a network unit, a processor, and a memory.

The server may generate a user interface according to embodiments of the present invention. The server may be a computing system that provides information to clients (eg, user terminals) over a network. The server may transmit the generated user interface to the user terminal. In this case, the user terminal may be any type of computing device 100 capable of accessing the server. The processor of the server may transmit the user interface to the user terminal through the network unit. A server according to embodiments of the present invention may be, for example, a cloud server. The server may be a web server that processes services. The types of servers described above are examples only and are not limited thereto.

In this way, the present invention, by performing spam inspection of e-mail files and static inspection and dynamic inspection of attached files using a neural network model, in response to various email attack patterns that are constantly changing, is illegal with minimum time and cost. Spam mail can be accurately filtered.

In addition, since the present invention expresses a spam probability value in the form of a traffic light, it makes users aware of spam mail.

In addition, the present invention may include a mail server and an analysis server. By using only the analysis server, spam inspection of e-mail files by extracting EML and static inspection and dynamic inspection of attachments using a neural network model are performed. Therefore, spam, static, and dynamic scanning of e-mails can be efficiently performed by the analysis server even while the mails are being received and stored by the mail server.

In addition, since the present invention performs static inspection mainly on document files, it is possible to minimize the time required for the sandbox.

In addition, according to the present invention, maintenance costs can be reduced in terms of companies through self-learning of malicious files for models.

2 is a conceptual diagram illustrating an electronic message checking apparatus according to an embodiment of the present invention.

As shown in FIG. 2 , the electronic message inspection apparatus of the present invention may be a computing device 100 including a mail server area 1100 and an analysis server area 1200 .

Here, the mail server area 1100 receives and stores an electronic message through an external communication network, stores classification information and malicious probability information of the electronic message received from the analysis server area 1200, and analyzes the classified electronic messages. Malicious probability information can be displayed.

For example, the mail server area 1100 may include a mail server 1110, a mail server database 1120, a webmail backend system 1130, a webmail database 1140, and a front end 1150.

The mail server 1110 of the mail server area 1100 may store electronic messages received through an external communication network in the mail server database 1120 and transmit them to the webmail backend system 1130 as well.

Here, when the mail server 1110 of the mail server area 1100 receives and stores an electronic message, the spam filter unit 1210, the static inspection unit 1220, and the dynamic inspection unit 1240 of the analysis server area 1200 The received electronic message may be stored even while generating the first, second, and third flags.

Therefore, since the present invention can continuously perform spam, static, and dynamic inspection of e-mail in the analysis server area 1200 even while receiving and storing mail in the mail server area 1100, the overall system operation is efficient. can be operated as

Subsequently, the webmail backend system 1130 of the mail server area 1100 may store some information of the electronic message in the webmail database 1140, and classify information of the electronic message received from the analysis server area 1200 and Malicious probability information may be stored in the webmail database 1140 .

For example, the mail server 1110 of the mail server area 1100 may store the contents of the received electronic message in the mail server database 1120, and the webmail backend system 1130 of the mail server area 1100 may store the contents of the received electronic message in the mail server database 1120. , the summary information of the electronic message and its flag information can be stored in the webmail database 1140.

In addition, the webmail backend system 1130 of the mail server area 1100 may display malicious probability information of the classified electronic message and provide it to the user 10 through the front end 1150 .

Next, the analysis server area 1200 may include a spam filter unit 1210, a static inspection unit 1220, a sandbox execution unit 1230, a dynamic inspection unit 1240, and a classification unit 1250.

Here, the spam filter unit 1210 may extract an e-mail file from an e-mail stored in the mail server database 1120 of the mail server area 1100 .

Here, the spam filter unit 1210 may extract an EML file from a plurality of stored electronic messages when extracting an electronic mail file from a stored electronic message, which is only one embodiment, but is not limited thereto.

In some cases, when extracting an e-mail file from stored electronic messages, the spam filter unit 1210 may collect e-mail information from a plurality of stored electronic messages.

Also, the spam filter unit 1210 may perform a spam check on the extracted e-mail file and generate a first flag corresponding thereto.

Here, when generating the first flag, the spam filter unit 1210 checks whether the extracted e-mail file is spam corresponding to the user spam rule, and generates a malicious flag if it is spam corresponding to the user spam rule. .

For example, user spam rules include blocking mail domains and IPs including similar domains or malicious domains, blocking when the sender's domain and the actual sender's domain are different, blocking malicious URLs, blocking attachment double extensions, classifying unsafe attachments, and user spam rules. Blocking of specified keywords may be included, which is only an example, but is not limited thereto.

In some cases, when the spam filter unit 1210 checks whether the extracted e-mail file is spam corresponding to the user spam rule, if it is not spam corresponding to the user spam rule, the e-mail file is an advertisement or advertisement corresponding to the user spam rule. It is checked whether it is a promotion, and if it is an advertisement or promotion corresponding to the user spam rule, an advertisement flag can be generated.

For example, user spam rules include blocking mail domains and IPs including similar domains or malicious domains, blocking when the sender's domain and the actual sender's domain are different, blocking malicious URLs, blocking attachment double extensions, classifying unsafe attachments, and user spam rules. Blocking of specified keywords may be included, which is only an example, but is not limited thereto.

For example, mail domains including similar domains or malicious domains may include goog1e.com, dauum.net, qoogle.com, and the like, and attachment file extensions include meeting materials.xlsx.exe and excerpts. It may include pdf.exe, etc.

Next, the static inspection unit 1220, when the spam inspection is completed, may check whether or not there is an attached file in the e-mail file.

Subsequently, if there is an attached file, the static checker 1220 inputs a first feature value corresponding to the type of the attached file to the pre-learned first neural network model to perform a static check and generate a second flag corresponding thereto. can

Here, when generating the second flag, the static checker 1220 performs a static check by inputting a first characteristic value corresponding to the attached file to the pre-learned first neural network model if the attached file is a document file type. A malicious probability value corresponding to the test may be predicted, and a second flag may be generated based on the predicted malicious probability value.

For example, when the static inspection unit 1220 generates the second flag, if the attached file is a PDF file among the document file types, PDF version information, main keyword information in the PDF file, user-defined tag information, and arbitrary tag information are displayed. A static test may be performed by inputting the included feature value to the pre-learned first neural network model, a malicious probability value corresponding to the static test may be predicted, and a second flag may be generated based on the predicted malicious probability value.

For example, the main keyword information in the PDF file is 'obj', 'endobj', 'stream', 'endstream', 'xref', 'trailer', 'startxref', '/Page', '/Encrypt' , '/ObjStm', '/JS', '/JavaScript', '/AA', '/OpenAction', '/AcroForm', '/JBIG2Decode', '/RichMedia', '/Launch', '/EmbeddedFile' , '/XFA', '/Type', '/Catalog', '/Version', '/Pages', '/rovers', '/abdula', '/Kids', '/Count', '/S' , '/Filter', '/FlateDecode', '/Length', '/ASCIIHexDecode', '/ASCII85Decode', '/LZWDecode', '/RunLengthDecode', '/CCITTFaxDecode', '/DCTDecode', '/JPXDecode' , '/Crypt', etc., user-defined tag information and arbitrary tag information are /Colors_2^24, /0, /01, /02, /05, /07, /1, /18, / 1999,/22, etc., which is only an example, but is not limited thereto, and the name of the user-defined tag information can be arbitrarily defined by the user.

As another example, when the static inspection unit 1220 generates the second flag, if the attached file is a DOCX, XLSX, or HWP file among document file types, the static inspection unit 1220 pre-processes the first pre-learned feature value including the structural path. Static inspection may be performed by inputting the input to the neural network model, a malicious probability value corresponding to the static examination may be predicted, and a second flag may be generated based on the predicted malicious probability value.

Here, the static inspection unit 1220 converts Microsoft ^TM- based Word (DOCX), Excel (XLSX), and PowerPoint (PPT) format files into Zipfiles when performing preprocessing to obtain a name list ( A structural feature may be extracted by extracting an argument with nanelist and excluding duplicate values, which is only one embodiment, but is not limited thereto.

In addition, the processor 110, when performing pre-processing, can extract the structural characteristics of data in the HWP file storage and stream, which is only one embodiment, but is not limited thereto.

In some cases, when generating the second flag, if the attached file is not a document file type, the static inspection unit 1220 may sandbox the attached file directly.

For example, the first neural network model may be at least one of a RandomForest model, a support vector machine model, a DecisionTree model, and a Naive Bayes model, This is only one example, but is not limited thereto.

Also, when generating the second flag, the static checker 1220 may generate a first malicious probability value and a first neural network model accuracy together with the second flag.

Next, the sandbox executor 1230 may perform sandbox execution of an attached file for which static inspection has been completed, or sandbox execution of an attached file other than a document file type without static inspection.

In addition, the dynamic inspection unit 1240 inputs a second feature value corresponding to a specific index to the pre-learned second neural network model for the sandbox-executed attachment file, performs dynamic inspection, and generates a third flag corresponding thereto. can create

Here, when generating the third flag, the dynamic inspection unit 1240 assigns a second feature value including content information having a high weight from the infringement index to the sandbox-executed attachment to the pre-learned second neural network model. It is possible to perform dynamic inspection by inputting the input, predict a malicious probability value corresponding to the static inspection, and generate a third flag based on the predicted malicious probability value.

For example, the second characteristic value may include file hash and create file information, which is only one embodiment, but is not limited thereto.

That is, as the second characteristic value, an API call sequence, which is one of sandbox result values, may be used.

In addition, the second neural network model may be at least one of a RandomForest model, a support vector machine model, a DecisionTree model, and a Naive Bayes model, which is It is only an example, and is not limited thereto.

In some cases, the second neural network model may be different from the first neural network model, but this is only an example, but is not limited thereto.

Also, when generating the third flag, the dynamic inspector 1240 may generate a second malicious probability value and a second neural network model accuracy together with the third flag.

Subsequently, the classification unit 1250 may display malicious probability information by classifying the electronic message based on the first, second, and third flags.

Here, when the classification unit 1250 displays the malicious probability information, the first flag including the malicious flag and the advertisement flag, the second flag including the first malicious probability value and the first neural network model accuracy, and the second malicious Based on the third flag including the probability value and the accuracy of the second neural network model, the e-mail file may be classified as spam mail, advertisement mail, and normal mail, and malicious probability information may be displayed on the classified mail.

For example, when the classification unit 1250 displays the malicious probability information, the malicious probability information having different colors may be displayed so that the classified spam mail, advertisement mail, and normal mail are visually distinguished from each other.

For example, malicious probability information may be displayed on one side of a corresponding mail list after being classified by the color of a traffic light, but this is only one embodiment, and is not limited thereto.

3 is a diagram for explaining a learning process of a neural network model that performs a static test.

As shown in FIG. 3 , according to the present invention, a static check may be performed by inputting a feature value corresponding to a type of an attached file to a pre-learned neural network model, and a flag corresponding thereto may be generated.

Here, if the attached file is a document file type, the static inspection unit 1220 performs a static inspection by inputting a corresponding feature value into a pre-learned neural network model, predicts a malicious probability value corresponding to the static inspection, and A flag may be generated based on the malicious probability value.

The neural network model of the present invention collects and loads original data, divides the data through refinement and preprocessing, performs training based on the divided data, evaluates the training performance of the model, and evaluates the model. By deriving the performance of and storing the model itself, the model training process can be performed.

In addition, the neural network model of the present invention collects and loads data, refines and preprocesses the data, infers the probability of maliciousness based on the learned model, and generates a probability of maliciousness.

4 to 7 are diagrams for explaining performance evaluation of a neural network model that performs a static test.

As shown in FIGS. 4 to 7, neural network models that perform static inspection include a RandomForest model, a support vector machine model, a DecisionTree model, and a Naive Base model. This is the result of k-fold cross validation with k = 5 by using the Bayes model and adding voting and bagging among the ensembles.

Here, the performance evaluation index may include Accuracy, Precision, Recall, F1 Score, and Auc.

For example, accuracy is a value obtained by dividing the number of correctly predicted data by the total number of data, and may be (TP + TN) / (TP + TN + FP + FN), and precision is a model As the number of data recognized as true, it can be TP / TP + FN, the F1 score can be the average of precision and recall, and Auc is an index representing the area under the ROC curve , it is an index that compensates for the disadvantages of accuracy when the distribution by class is different.

4 is a result of k-fold cross-validation of the docx file, and it can be seen that the performance of the support vector machine model is the best.

5 is a result of k-fold cross-validation of the pdf file, and it can be seen that the performance of the support vector machine model is the best.

6 is a result of k-fold cross-validation of the xlsx file, and it can be seen that the performance of the support vector machine model is the best.

7 is a result of k-fold cross-validation of the hwp file, and it can be seen that the performance of the support vector machine model is the best.

8 is a diagram for explaining a process of extracting feature values input to a neural network model that performs a dynamic inspection.

As shown in FIG. 8, the neural network model performing the dynamic inspection inputs a feature value corresponding to a specific indicator for the sandbox-executed attachment to the pre-learned neural network model to perform the dynamic inspection, and the corresponding flags can be created.

For example, a neural network model performing dynamic inspection performs dynamic inspection by inputting a feature value including content information having a high weight from an infringement indicator for a sandbox-executed attachment into a pre-learned neural network model, A malicious probability value corresponding to the static test is predicted, and a flag may be generated based on the predicted malicious probability value.

For example, the feature value may include file hash and create file information, which is only one embodiment, but is not limited thereto.

That is, as a feature value, an API call sequence, which is one of sandbox result values, can be used.

Here, the neural network model performing the dynamic inspection may be at least one of a RandomForest model, a support vector machine model, a DecisionTree model, and a Naive Bayes model. However, this is only an example, and is not limited thereto.

9 is a diagram for explaining malicious probability information displayed on a mail list.

As shown in FIG. 9, the present invention provides a first flag including a malicious flag and an advertisement flag, a first malicious probability value and a second flag including a first neural network model accuracy, a second malicious probability value, and a second neural network model. Based on the third flag including network model accuracy, e-mail files may be classified as spam mail, advertisement mail, and normal mail, and malicious probability information may be displayed on the classified mail.

For example, as shown in FIG. 9 , when displaying malicious probability information, the present invention may display malicious probability information having different colors so that classified spam mail, advertisement mail, and normal mail are visually distinguished from each other.

For example, malicious probability information may be displayed on one side of a corresponding mail list after being classified by the color of a traffic light, but this is only one embodiment, and is not limited thereto.

10 is a flowchart illustrating a method of checking an electronic message according to an embodiment of the present invention.

As shown in FIG. 10, the mail server of the present invention can receive and store electronic messages through a communication network.

And, the EML extraction unit of the present invention can extract an e-mail file from an e-message stored in the mail server.

Here, the EML extraction unit of the present invention may extract EML files from a plurality of stored electronic messages when extracting an electronic mail file from stored electronic messages, which is only one embodiment, but is not limited thereto.

Next, the spam filter unit of the present invention checks whether the extracted e-mail file is spam corresponding to the user spam rule, and generates a malicious flag if it is spam corresponding to the user spam rule.

And, the spam filter unit of the present invention, if it is not spam corresponding to the user spam rule, checks whether the e-mail file is an advertisement or promotion corresponding to the user spam rule, and generates an advertisement flag if it is an advertisement or promotion corresponding to the user spam rule. can do.

For example, user spam rules include blocking mail domains and IPs including similar domains or malicious domains, blocking when the sender's domain and the actual sender's domain are different, blocking malicious URLs, blocking attachment double extensions, classifying unsafe attachments, and user spam rules. Blocking of specified keywords may be included, which is only an example, but is not limited thereto.

Then, the static inspection unit of the present invention, when the spam inspection is completed, can check whether or not there is an attached file in the e-mail file.

In addition, if there is an attached file, the static inspection unit of the present invention inputs a first characteristic value corresponding to the type of the attached file to the pre-learned first neural network model to perform static inspection and generate a second flag corresponding thereto. can

That is, when the static inspection unit of the present invention generates the second flag, if the attached file is a document file type, the static inspection is performed by inputting a first characteristic value corresponding to the attached file to the pre-learned first neural network model. A malicious probability value corresponding to the test may be predicted, and a second flag may be generated based on the predicted malicious probability value.

Here, the first neural network model may be at least one of a RandomForest model, a support vector machine model, a DecisionTree model, and a Naive Bayes model, which is It is only an example, and is not limited thereto.

Next, the sandbox execution unit of the present invention may perform sandbox execution of the attached file for which static inspection has been performed.

In addition, the dynamic inspection unit of the present invention inputs a second characteristic value corresponding to a specific index to the pre-learned second neural network model for the sandboxed attached file, performs dynamic inspection, and generates a third flag corresponding thereto. can create

Here, the dynamic inspection unit performs dynamic inspection by inputting a second feature value including content information having a high weight from the infringement index for the sandbox-executed attachment to a pre-learned second neural network model, and performs a dynamic inspection on the static inspection. A corresponding malicious probability value may be predicted, and a third flag may be generated based on the predicted malicious probability value.

Here, the second neural network model may be at least one of a RandomForest model, a support vector machine model, a DecisionTree model, and a Naive Bayes model, which is It is only an example, and is not limited thereto.

Subsequently, the classification unit of the present invention may display malicious probability information by classifying the electronic message based on the first, second, and third flags.

Here, when the classification unit of the present invention displays the malicious probability information, a first flag including a malicious flag and an advertisement flag, a second flag including a first malicious probability value and a first neural network model accuracy, and a second malicious probability value And based on the third flag including the accuracy of the second neural network model, the e-mail file may be classified as spam mail, advertisement mail, and normal mail, and malicious probability information may be displayed on the classified mail.

For example, when displaying the malicious probability information, the classification unit may display the malicious probability information having different colors so that the classified spam mail, advertisement mail, and normal mail are visually distinguished from each other.

For example, malicious probability information may be displayed on one side of a corresponding mail list after being classified by the color of a traffic light, but this is only one embodiment, and is not limited thereto.

In this way, the present invention, by performing spam inspection of e-mail files and static inspection and dynamic inspection of attached files using a neural network model, in response to various email attack patterns that are constantly changing, is illegal with minimum time and cost. Spam mail can be accurately filtered.

In addition, since the present invention expresses a spam probability value in the form of a traffic light, it makes users aware of spam mail.

In addition, the present invention may include a mail server and an analysis server. By using only the analysis server, spam inspection of e-mail files by extracting EML and static inspection and dynamic inspection of attachments using a neural network model are performed. Therefore, spam, static, and dynamic scanning of e-mails can be efficiently performed by the analysis server even while the mails are being received and stored by the mail server.

In addition, since the present invention performs static inspection mainly on document files, it is possible to minimize the time required for the sandbox.

In addition, according to the present invention, maintenance costs can be reduced in terms of companies through self-learning of malicious files for models.

The method according to an embodiment of the present invention described above may be implemented as a program (or application) to be executed in combination with a server, which is hardware, and stored in a medium.

The aforementioned program is C, C++, JAVA, machine language, etc. It may include a code coded in a computer language of. These codes may include functional codes related to functions defining necessary functions for executing the methods, and include control codes related to execution procedures necessary for the processor of the computer to execute the functions according to a predetermined procedure. can do. In addition, these codes may further include memory reference related codes for which location (address address) of the computer's internal or external memory should be referenced for additional information or media required for the computer's processor to execute the functions. there is. In addition, when the processor of the computer needs to communicate with any other remote computer or server in order to execute the functions, the code uses the computer's communication module to determine how to communicate with any other remote computer or server. It may further include communication-related codes for whether to communicate, what kind of information or media to transmit/receive during communication, and the like.

The storage medium is not a medium that stores data for a short moment, such as a register, cache, or memory, but a medium that stores data semi-permanently and is readable by a device. Specifically, examples of the storage medium include ROM, RAM, CD-ROM, magnetic tape, floppy disk, optical data storage device, etc., but are not limited thereto. That is, the program may be stored in various recording media on various servers accessible by the computer or various recording media on the user's computer. In addition, the medium may be distributed to computer systems connected through a network, and computer readable codes may be stored in a distributed manner.

Steps of a method or algorithm described in connection with an embodiment of the present invention may be implemented directly in hardware, implemented in a software module executed by hardware, or implemented by a combination thereof. A software module may include random access memory (RAM), read only memory (ROM), erasable programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM), flash memory, hard disk, removable disk, CD-ROM, or It may reside in any form of computer readable recording medium well known in the art to which the present invention pertains.

Although the embodiments of the present invention have been described with reference to the accompanying drawings, those skilled in the art to which the present invention pertains can be implemented in other specific forms without changing the technical spirit or essential features of the present invention. you will be able to understand Therefore, it should be understood that the embodiments described above are illustrative in all respects and not restrictive.

Claims (10)

An electronic message checking method of an electronic message checking device, comprising:
receiving and storing electronic messages;
extracting an electronic mail file from the stored electronic message;
performing a spam check on the extracted e-mail file and generating a first flag corresponding thereto;
checking whether or not there is an attached file in the e-mail file when the spam check is completed;
if the attached file exists, performing a static test by inputting a first characteristic value corresponding to the type of the attached file to a pre-learned first neural network model, and generating a second flag corresponding thereto;
sandboxing the attached file when the static inspection is completed;
performing a dynamic inspection by inputting a second characteristic value corresponding to a specific indicator of the sandbox-executed attachment to a pre-learned second neural network model, and generating a third flag corresponding thereto; and
and displaying malicious probability information by classifying the electronic message based on the first, second, and third flags. According to claim 1,
Generating the second flag,
If the attached file is a document file type, a first characteristic value corresponding thereto is input to the first pre-learned neural network model to perform a static scan, a malicious probability value corresponding to the static scan is predicted, and the predicted malicious probability value An electronic message inspection method comprising generating a second flag based on According to claim 2,
Generating the second flag,
If the attached file is a PDF file among document file types, feature values including PDF version information, main keyword information in the PDF file, user-defined tag information, and arbitrary tag information are input to the first neural network model trained in advance to generate static static An electronic message inspection method comprising: performing inspection, predicting a malicious probability value corresponding to the static inspection, and generating a second flag based on the predicted malicious probability value. According to claim 2,
Generating the second flag,
If the attached file is a DOCX, XLSX, or HWP file among document file types, preprocessing is performed to input a feature value including a structural path into a pre-learned first neural network model to perform a static inspection, and a static inspection corresponding to the static inspection is performed. An electronic message inspection method comprising predicting a malicious probability value and generating a second flag based on the predicted malicious probability value. According to claim 1,
Generating the third flag,
For the sandbox-executed attachment, a dynamic inspection is performed by inputting a second feature value including content information having a high weight from an infringement indicator into a pre-learned second neural network model, and a malicious probability value corresponding to the static inspection. and generating a third flag based on the predicted malicious probability value. According to claim 5,
The second feature value is,
An electronic message inspection method comprising file hash and create file information. According to claim 1,
In the step of displaying the malicious probability information,
Based on a first flag including the malicious flag and advertisement flag, a second flag including a first malicious probability value and a first neural network model accuracy, and a third flag including a second malicious probability value and a second neural network model accuracy An electronic message inspection method characterized by classifying e-mail files into spam mail, advertisement mail, and normal mail, and displaying malicious probability information for the classified mail. According to claim 7,
In the step of displaying the malicious probability information,
and displaying malicious probability information having different colors so that the classified spam mail, advertisement mail, and normal mail are visually distinguished from each other. A computer program that provides an electronic message checking method of an electronic message checking device, combined with a computer that is hardware, stored in a medium to execute the electronic message checking method according to any one of claims 1 to 8. A computing device for providing a method for inspecting electronic messages, comprising:
a processor comprising one or more cores; and
Memory;
including,
the processor,
receive and store electronic messages;
extracting an electronic mail file from the stored electronic message;
Perform spam checking of the extracted e-mail file, and generate a first flag corresponding thereto;
When the spam inspection is completed, the presence or absence of an attachment of the e-mail file is checked,
If there is the attached file, a first feature value corresponding to the type of the attached file is input to a pre-learned first neural network model to perform a static test, and a second flag corresponding thereto is generated;
When the static inspection is completed, sandbox the attached file,
For the sandbox-executed attachment, a second feature value corresponding to a specific indicator is input to a pre-learned second neural network model to perform a dynamic inspection, and a third flag corresponding thereto is generated;
The computing device characterized in that the electronic message is classified based on the first, second and third flags and malicious probability information is displayed.

Images