WO2014101758A1 - Method, apparatus and device for detecting mail attacks - Google Patents
Method, apparatus and device for detecting mail attacks
- Publication number: WO2014101758A1 (application PCT/CN2013/090383)
- Authority: WO, WIPO (PCT)
- Prior art keywords: address, attack, recipient
Classifications
- H—ELECTRICITY; H04—ELECTRIC COMMUNICATION TECHNIQUE; H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1458—Denial of Service
- H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
- H04L69/28—Timers or timing mechanisms used in protocols
- H04L51/00—User-to-user messaging in packet-switching networks, transmitted according to store-and-forward or real-time protocols, e.g. e-mail
- H04L51/21—Monitoring or handling of messages
- H04L51/212—Monitoring or handling of messages using filtering or selective blocking
Definitions
- The present invention relates to the field of communications technologies, and in particular to a method, an apparatus and a device for detecting a mail attack.
- BACKGROUND OF THE INVENTION: A mail attack, also known as a "mail bomb attack" (E-Mail Bomb), is a means of attacking an electronic mail (e-mail) mailbox (hereinafter referred to as an e-mail): spam is sent continuously to a target e-mail address within a short time, so that the capacity of the target e-mail reaches its upper limit and there is no space left to accommodate new e-mails (hereinafter referred to as mails).
- The transmission of spam over the network also consumes a large amount of network resources, which may cause network congestion, prevent a large number of other e-mail addresses from receiving and sending mail, and burden the mail server.
- When a mail attack occurs, the mail server receives abnormal mail traffic. A mail server generally receives mail through a specific port (for example, port 25), so existing detection of mail attacks usually counts the traffic on that specific port of the mail server: when the mail traffic exceeds a preset traffic threshold within a certain period of time, a mail attack is considered to have occurred, and the traffic on that port of the mail server is restricted.
- The embodiments of the invention provide a method, an apparatus and a device for detecting a mail attack, which are used to solve the problem that mail attack detection in the prior art gives inaccurate results.
- A method for detecting a mail attack includes:
- receiving a data stream; and obtaining a mail flow parameter for each statistical period in a predetermined number of statistical periods, where, in each statistical period, the mail flow parameter of that statistical period is determined according to the protocol type of the received data stream;
- Determining the mail flow parameter in each statistical period according to the protocol type of the received data stream includes: analyzing the protocol type of the data stream received in each statistical period, determining that the data stream is a mail when its protocol type belongs to a mail protocol type, and obtaining the mail flow parameter of each statistical period according to the mails so determined.
- The mail flow parameter includes: the number of mails, the number of new SMTP connections used to transfer mail, or the number of SMTP concurrent connections used to transfer mail.
- A recipient email address whose number of occurrences in any one of the predetermined number of detection periods exceeds a second threshold is determined as the target address of the mail attack.
- the method further includes:
- an apparatus for detecting a mail attack including:
- a receiving unit configured to receive a data stream
- a first obtaining unit configured to obtain a mail flow parameter for each statistical period in a predetermined number of statistical periods, where, in each statistical period, the mail flow parameter of that statistical period is determined according to the protocol type of the data stream received by the receiving unit;
- a determining unit configured to determine that the mail attack is detected when the mail flow parameter in each statistical period in the predetermined number of statistical periods obtained by the first obtaining unit matches the first threshold.
- the first obtaining unit includes: a protocol type analyzing subunit, configured to analyze, in each statistical period, the protocol type of the data stream received in that statistical period;
- a mail determining subunit configured to determine that the data stream is a mail when a protocol type of the data stream analyzed by the protocol type analyzing subunit belongs to a mail protocol type;
- the parameter obtaining subunit is configured to obtain the mail flow parameter of each of the statistical periods according to the mail determined by the mail determining subunit.
- the apparatus further includes:
- a second obtaining unit configured to obtain, after the determining unit determines that the mail attack is detected, a recipient email address of the mail received in each detection period within a predetermined number of detection periods;
- a first statistic unit configured to count the number of occurrences, in each detection period, of each recipient email address obtained by the second obtaining unit;
- a target address determining unit configured to determine, as the target address of the mail attack, a recipient email address whose number of occurrences counted by the first statistic unit in any one of the predetermined number of detection periods exceeds a second threshold.
- the apparatus further includes:
- a third obtaining unit configured to obtain the sender Internet Protocol (IP) address of the mail while the second obtaining unit obtains the recipient email address of the mail received in each detection period within the predetermined number of detection periods;
- a corresponding relationship establishing unit configured to establish a correspondence between the recipient email address obtained by the second obtaining unit and the sender IP address obtained by the third obtaining unit in each detection period
- a second statistic unit configured to: after the target address determining unit determines the target address, count the number of occurrences of each sender IP address corresponding to the target address according to the correspondence established by the correspondence relationship establishing unit;
- the address determining unit is configured to determine, as the attacker IP address of the email attack, the sender IP address whose number of occurrences counted by the second statistical unit exceeds a third threshold.
- the third aspect provides a device for detecting a mail attack, including:
- a network interface configured to receive a data stream
- a processor configured to obtain a mail flow parameter for each statistical period in a predetermined number of statistical periods, where, in each statistical period, the mail flow parameter of that statistical period is determined according to the protocol type of the data stream received by the network interface in that period, and to determine that the mail attack is detected when the mail flow parameter of each statistical period in the predetermined number of statistical periods matches the first threshold.
- the processor is specifically configured to: analyze, in each statistical period, the protocol type of the data stream received by the network interface in that statistical period; determine that the data stream is a mail when the protocol type belongs to a mail protocol type; and obtain the mail flow parameter of each statistical period according to the mails so determined.
- the processor is further configured to: after determining that the mail attack is detected, obtain the recipient email address of the mail received by the network interface in each detection period within a predetermined number of detection periods, count the number of occurrences of each recipient email address in each detection period, and determine, as the target address of the mail attack, the recipient email address whose number of occurrences in any one of the predetermined number of detection periods exceeds the second threshold.
- the processor is further configured to: while obtaining the recipient email address of the mail received by the network interface in each of the predetermined number of detection periods, also obtain the sender IP address of the mail, and establish a correspondence between the recipient email address and the sender IP address in each detection period.
- In the embodiments of the present invention, the mail flow parameter is first determined and the mail attack is then determined according to that parameter, where the mail flow parameter is determined according to the protocol type of the received data stream. It can be seen that when the received data stream includes other data traffic besides mail traffic, the mail traffic contained in the received data stream can be identified by the protocol type of the data stream, so the mail flow parameter can be determined accurately and the detection result for mail attacks is more accurate.
- FIG. 1 is a schematic flow chart of a method for detecting a mail attack in an embodiment of the present invention
- FIG. 2 is a schematic flow chart of a method for detecting a mail attack in another embodiment of the present invention.
- FIG. 3 is a schematic flow chart of a method for detecting a mail attack in another embodiment of the present invention.
- FIG. 4 is a schematic diagram of a network architecture in an embodiment of the present invention.
- FIG. 5 is a schematic diagram of a monitoring item in an embodiment of the present invention.
- FIG. 6 is a schematic structural diagram of an apparatus for detecting a mail attack in an embodiment of the present invention.
- FIG. 7 is a schematic structural diagram of a first obtaining unit 601 in an embodiment of the present invention.
- FIG. 8 is a schematic structural diagram of an apparatus for detecting a mail attack according to another embodiment of the present invention.
- FIG. 9 is a schematic structural diagram of an apparatus for detecting a mail attack according to another embodiment of the present invention.
- FIG. 10 is a schematic structural diagram of an apparatus for detecting a mail attack according to an embodiment of the present invention.
- The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only a part of the embodiments of the present invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without departing from the inventive scope fall within the scope of the present invention. Attackers often use mail attack software to attack the target email address.
- When a mail attack is performed on the target email address, a large number of emails, or emails of large size, are sent to the target email address, so that the space of the target mailbox is occupied, new emails cannot be received, and the mailbox cannot be used normally. Some mail attacks even send a large number of emails to the target email address by controlling a botnet, occupying network resources and affecting the normal sending and receiving of email for other email addresses.
- The inventors of the present invention found that most mails in a mail attack are randomly generated or randomly written, and it is difficult to extract feature fields from them, so using existing feature-field-based traffic detection to detect mail attacks is not feasible.
- The abnormal traffic detection method cannot accurately detect a mail attack either.
- The protocol type of the data stream belongs to a mail protocol type, for example the Simple Mail Transfer Protocol (SMTP) type, and the mail is carried over a real communication connection based on the Transmission Control Protocol (TCP).
- The present invention proposes a technical solution capable of accurately identifying a mail attack, so that a mail attack can be detected, the target email address under attack is protected and can be used normally, and the normal use of other e-mail addresses on the network is not affected. As shown in FIG.
- Step 101 Receive a data stream.
- Step 102 Obtain a mail flow parameter for each statistical period in a predetermined number of statistical periods, where, in each statistical period, a mail flow parameter of each statistical period is determined according to a protocol type of the received data stream.
- the execution body of this embodiment may be a mail server or a gateway device in an existing network.
- Determining the mail flow parameter in each statistical period according to the protocol type of the received data stream may adopt the following method: analyzing the protocol type of the data stream received in each statistical period; when the protocol type belongs to a mail protocol type, determining that the data stream is a mail; and obtaining the mail flow parameter of each statistical period according to the mails so determined.
- The above-mentioned mail protocol type may be the SMTP protocol, the Post Office Protocol version 3 (POP3), or the Internet Information Access Protocol (IMAP).
- the above mail flow parameters may include: the number of mails or the number of new SMTP connections used to transfer mail or the number of SMTP concurrent connections used to transfer mail.
- Step 103 When the mail flow parameter in each statistical period in the predetermined number of statistical periods matches the first threshold, determining that the mail attack is detected.
- After determining that a mail attack is detected, corresponding preventive measures may be taken. Specifically, the following three preventive measures may be taken: after determining that the mail attack is detected, the traffic of the mail server is restricted to prevent network congestion caused by the mail attack; or, after determining that the mail attack is detected, the target address of the mail attack, that is, the email address being attacked, is further determined, so that the traffic to the determined target address can be limited; or, after determining that the mail attack is detected, the target address of the mail attack is first determined and then the attacker IP address of the mail attack is determined, so that the determined attacker IP address can be restricted, for example by blocking the attacker IP address from sending mail.
- When the second preventive measure is taken, the embodiment of the present invention may further include a process of determining the target address: first obtaining the recipient email address of the mail received in each detection period within a predetermined number of detection periods, then counting the number of occurrences of each recipient email address in each detection period, and then determining the recipient email address whose number of occurrences in any one of the predetermined number of detection periods exceeds the second threshold as the target address of the mail attack.
- When the third preventive measure is taken, the embodiment of the present invention includes the process of determining the target address (which is similar to the process under the second preventive measure and is not described again) and may further include a process of determining the attacker IP address: while obtaining the recipient email address of the mail received in each of the predetermined number of detection periods, the sender IP address of the mail is also obtained, and a correspondence between the recipient email address and the sender IP address is established in each detection period; after the target address of the mail attack is determined, the number of occurrences of each sender IP address corresponding to the target address is counted according to the correspondence, and the sender IP address whose number of occurrences exceeds the third threshold is determined as the attacker IP address of the mail attack.
- The first threshold is preset to a fixed value. Further, in the process of detecting the mail attack, when the mail flow parameter does not match the first threshold, the first threshold is adjusted according to the mail flow parameter, so that the mail attack can be detected according to the adjusted first threshold. It can be seen that, in the method for detecting a mail attack in the embodiment of the present invention, the mail flow parameter is first determined and the mail attack is then determined according to that parameter, where the mail flow parameter is determined according to the protocol type of the received data stream.
- Therefore, when the received data stream includes other data traffic besides mail traffic, the mail traffic contained in the received data stream can be identified by the protocol type of the data stream, so the mail flow parameter can be determined accurately and, accordingly, the detection result for the mail attack is more accurate.
- As shown in FIG. 2, in another embodiment of the method for detecting a mail attack according to the present invention, after determining that a mail attack is detected, the target address of the mail attack is further determined. The specific processing procedure is as follows: 201.
- the execution body of this embodiment may be a mail server or a gateway device in an existing network.
- Determining the mail flow parameter of each statistical period according to the protocol type of the received data stream may adopt the following method: analyzing the protocol type of the data stream received in each statistical period; when the protocol type belongs to a mail protocol type, determining that the data stream is a mail; and obtaining the mail flow parameter of each statistical period according to the mails so determined.
- the above mail flow parameters may include: the number of mails or the number of new SMTP connections used to transfer mail or the number of SMTP concurrent connections used to transfer mail.
- Step 203 When the mail flow parameter in each statistical period matches the first threshold, it is determined that the mail attack is detected.
- the reference value of the mail flow parameter can be set in advance, and the reference value is the first threshold.
- The first threshold is preset to a fixed value. Further, in the process of detecting the mail attack, when the mail flow parameter does not match the first threshold, the first threshold is adjusted according to the mail flow parameter, so that the mail attack can be detected according to the adjusted first threshold.
- That the mail flow parameter does not match the first threshold may include: the mail flow parameter does not exceed the first threshold.
- The method for determining the first threshold may include the following process: determining an initial value of the first threshold through traffic learning, traffic modeling and model output, where the initial value of the first threshold is a fixed value. This process, which takes place before the detection of mail attacks, is usually referred to as the learning phase. After the learning phase is completed, mail attacks can be detected, that is, the working state is entered.
- Step 204 Obtain a recipient email address of the mail received in each detection period within a predetermined number of detection periods.
- the content of the mail may be analyzed to obtain the email address of the recipient of the mail.
- Step 205 Count the number of occurrences of each recipient email address in each detection period.
- Specifically, the recipient email address is standardized by converting it to the same capitalization mode, and is then searched for among the stored recipient email addresses. If the recipient email address is not found, it is stored and its number of occurrences is initialized to 1. If the recipient email address is found, its number of occurrences is increased by one.
- Step 206 Determine a recipient email address whose number of occurrences in any one of the detection periods exceeds a second threshold in a predetermined number of detection periods as a target address of the mail attack.
- The target address of the mail attack is thus further determined, so that preventive measures such as traffic limiting can be taken for the determined target address.
- As shown in FIG. 3, in another embodiment of the method for detecting a mail attack according to the present invention, after determining that a mail attack is detected, the target address of the mail attack is further determined, and then the attacker IP address of the mail attack is determined.
- Step 301 Analyze the protocol type of the data stream received in each statistical period. When the protocol type belongs to the mail protocol type, determine the data stream as the mail.
- the execution body of this embodiment may be a mail server or a gateway device in an existing network.
- Step 302 Obtain a mail flow parameter in each statistical period according to the determined mail.
- Step 303 Determine whether the mail flow parameter in each statistical period matches the first threshold in a predetermined number of statistical periods. If the determination result is yes, step 304 is performed; if the determination result is no, the current process ends.
- Step 304 Obtain a recipient email address and a sender IP address of the mail received in each detection period in a predetermined number of detection periods, and establish a correspondence between the two.
- the above correspondence is the correspondence between the recipient email address and the sender IP address in each detection cycle.
- a monitoring entry may be established in each detection period, where the monitoring entry is used to store the correspondence between the recipient email address of the received mail and the sender IP address in the detection period.
- The recipient email address and its number of occurrences in the detection period may be stored in the hash node corresponding to each recipient email address, and the slave nodes of the hash node store the sender IP addresses and their numbers of occurrences in the detection period.
- The initial value of the number of occurrences of each recipient email address in each detection period is 1. If the search of the monitoring entry finds a hash node corresponding to the recipient email address, the number of occurrences of the recipient email address stored in that hash node is increased by one for the detection period.
- Step 306 Determine a recipient email address whose number of occurrences in any one of the detection periods exceeds a second threshold in a predetermined number of detection periods as a target address of the mail attack.
- Step 307 Count the number of occurrences of each sender IP address corresponding to the target address according to the correspondence relationship. In this embodiment, after determining the target address of the mail attack, all the slave nodes of the hash node corresponding to the target address may be traversed, and the number of occurrences of each sender IP address corresponding to the target address is counted.
- Step 308 Determine the sender IP address whose number of occurrences exceeds the third threshold as the attacker IP address of the mail attack, and end the current process. It can be seen that, in the method for detecting a mail attack in the embodiment of the present invention, not only is the detection result more accurate, but after determining that the mail attack is detected, the target address of the mail attack is further determined and then the attacker IP address of the mail attack is determined, so that the attacker IP address can be restricted, for example by blocking it from sending emails, which makes the countermeasures against the mail attack more targeted and effective.
- As shown in FIG. 4, a schematic diagram of the network architecture for the method for detecting a mail attack according to the present invention, a mail server 404 is responsible for managing the sending and receiving of email, and an attacking device 401 initiates a mail attack through a master host 402 and a plurality of controlled hosts 403. Since multiple controlled hosts act as attacking hosts, the mail attack mode shown in FIG. 4 is a distributed denial of service (DDoS) attack mode.
- The DDoS attack mode shown in FIG. 4 is only an example; the embodiment of the present invention can also detect other types of mail attack modes, and the embodiment of the present invention is not limited in this respect. Based on the network architecture shown in FIG.
- the following processing method may be adopted: first, the number of mails in each statistical period in a predetermined number of statistical periods is obtained, where, in one statistical period, the number of mails in that period is determined according to the protocol type of the received data stream. When the number of mails in each statistical period matches the first threshold, it is determined that a mail attack is detected and the detection mode is entered, in which a monitoring entry is established in each detection period; the monitoring entry is used to store the correspondence between the recipient email address of the mail received in the detection period and the sender IP address.
- In a detection period, after a mail is received, its recipient email address and sender IP address are first obtained.
- For each recipient email address obtained, the hash node corresponding to it is looked up in the established monitoring entry. If no hash node corresponding to the recipient email address exists, a hash node for it is established, storing the recipient email address and its number of occurrences in the detection period, with the initial number of occurrences being 1; if a hash node corresponding to the recipient email address exists, the number of occurrences of the recipient email address stored in the found hash node is increased by one for the detection period.
- The slave nodes of the hash node store the sender IP address and its number of occurrences in the detection period, and the entry data is refreshed during the detection period.
- When a detection period ends, the number of occurrences of each recipient email address in the detection period is obtained from the established monitoring entries; the recipient email address whose number of occurrences in the detection period exceeds the second threshold is determined as the target address of the mail attack; then all slave nodes of the hash node corresponding to the target address are traversed, and the sender IP address whose number of occurrences (that is, the number of mails sent) exceeds the third threshold is determined as the attacker IP address of the mail attack. As shown in FIG.
- In FIG. 5, D represents a recipient email address and Total(D) represents the number of occurrences of D in the detection period. The hash node corresponding to D has three slave nodes, respectively storing the sender IP address IP1 and its number of occurrences MCount(IP1) in the detection period, the sender IP address IP2 and its number of occurrences MCount(IP2), and the sender IP address IP3 and its number of occurrences MCount(IP3). M represents another recipient email address, and Total(M) represents the number of occurrences of M; the slave nodes of the hash node corresponding to M store the sender IP addresses IP4, IP5, IP6 and IP7 and their numbers of occurrences.
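The detection flow described above (statistical periods and the first threshold, then monitoring entries with hash nodes and slave nodes, then the second and third thresholds), as an added Python example that is not part of the patent. It assumes that the protocol type of a stream is decided by its server port, that "matches the first threshold" means "exceeds it", that the learning phase sets the threshold to twice the mean benign parameter, and that all streams and mails are constructed sample data.

```python
from collections import Counter

# Assumption: the protocol type of a stream is decided from its server port.
MAIL_PORTS = {25: "SMTP", 110: "POP3", 143: "IMAP"}


def mail_flow_parameter(streams):
    """Mail flow parameter of one statistical period: number of mail-protocol streams."""
    return sum(1 for s in streams if s["dst_port"] in MAIL_PORTS)


def learn_first_threshold(baseline_params, margin=2.0):
    """Learning phase (assumption: 'margin' times the mean benign parameter)."""
    return margin * sum(baseline_params) / len(baseline_params)


def attack_detected(period_params, first_threshold):
    """Attack detected when the parameter exceeds the first threshold in every period."""
    return bool(period_params) and all(p > first_threshold for p in period_params)


class MonitoringEntry:
    """Monitoring entry of one detection period: hash nodes keyed by the normalised
    recipient address, each holding Total(D) and slave nodes sender_ip -> MCount(ip)."""

    def __init__(self):
        self.nodes = {}

    @staticmethod
    def normalize(address):
        # Same capitalisation mode, so Victim@Example.com and victim@example.com share a node.
        return address.strip().lower()

    def record(self, recipient, sender_ip):
        key = self.normalize(recipient)
        node = self.nodes.get(key)
        if node is None:                    # no hash node yet: create it (Total becomes 1)
            node = {"total": 0, "senders": Counter()}
            self.nodes[key] = node
        node["total"] += 1                  # existing node: Total(D) += 1
        node["senders"][sender_ip] += 1     # slave node: MCount(sender_ip) += 1


def target_addresses(entries, second_threshold):
    """Recipient addresses whose Total exceeds the second threshold in any detection period."""
    return {addr for entry in entries for addr, node in entry.nodes.items()
            if node["total"] > second_threshold}


def attacker_ips(entries, target, third_threshold):
    """Traverse the target's slave nodes in every period; sender IPs with MCount > third threshold."""
    found = set()
    for entry in entries:
        node = entry.nodes.get(target)
        if node is not None:
            found.update(ip for ip, c in node["senders"].items() if c > third_threshold)
    return found


# Constructed sample: mail streams per period observed during the learning phase.
BASELINE = [4, 5, 3]
# Constructed sample: three statistical periods mixing web (80/443) and mail (25) streams.
PERIODS = [
    [{"dst_port": 80}] * 50 + [{"dst_port": 25}] * 30,
    [{"dst_port": 443}] * 20 + [{"dst_port": 25}] * 25,
    [{"dst_port": 80}] * 10 + [{"dst_port": 25}] * 28,
]
# Constructed sample: two detection periods of (recipient address, sender IP) pairs.
DETECTION_PERIODS = [
    [("Victim@example.com", "10.0.0.1")] * 40
    + [("victim@example.com", "10.0.0.2")] * 12
    + [("alice@example.com", "10.0.0.9")] * 2,
    [("victim@example.com", "10.0.0.1")] * 35 + [("bob@example.com", "10.0.0.3")] * 3,
]


def run_detection(first_threshold=None, second_threshold=30, third_threshold=20):
    """Full flow: statistical periods -> attack decision -> target address -> attacker IPs."""
    params = [mail_flow_parameter(p) for p in PERIODS]
    if first_threshold is None:
        first_threshold = learn_first_threshold(BASELINE)
    result = {"params": params, "first_threshold": first_threshold,
              "attack": False, "targets": set(), "attackers": {}}
    if not attack_detected(params, first_threshold):
        return result                       # no attack: detection mode is not entered
    entries = []
    for period in DETECTION_PERIODS:        # one monitoring entry per detection period
        entry = MonitoringEntry()
        for recipient, ip in period:
            entry.record(recipient, ip)
        entries.append(entry)
    result["attack"] = True
    result["targets"] = target_addresses(entries, second_threshold)
    result["attackers"] = {t: attacker_ips(entries, t, third_threshold)
                           for t in result["targets"]}
    return result
```

Note that the web streams in the sample are ignored by the mail flow parameter, which is the point of classifying by protocol type; counting everything on the link would inflate the parameter.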
- FIG. 6 shows an embodiment of an apparatus for detecting a mail attack according to the present invention.
- The apparatus includes a receiving unit 601, a first obtaining unit 602 and a determining unit 603.
- The receiving unit 601 is configured to receive a data stream; the first obtaining unit 602 is configured to obtain a mail flow parameter for each statistical period in a predetermined number of statistical periods, where, in each statistical period, the mail flow parameter of that period is determined according to the protocol type of the data stream received by the receiving unit 601; and the determining unit 603 is configured to determine that a mail attack is detected when the mail flow parameter of every statistical period in the predetermined number of statistical periods obtained by the first obtaining unit 602 matches a first threshold.
- In this apparatus, the first obtaining unit 602 obtains the mail flow parameter and the determining unit 603 then determines, according to that parameter, that a mail attack is detected, where the first obtaining unit 602 determines the mail flow parameter according to the protocol type of the received data stream. Consequently, when the received data stream includes data traffic other than mail traffic, the first obtaining unit 602 can identify the mail traffic contained in the received data stream by protocol type, so the mail flow parameter is determined accurately and the detection result of the determining unit 603 is more accurate.
- As shown in FIG. 7, the first obtaining unit 602 includes a protocol type analyzing subunit 6021, a mail determining subunit 6022 and a parameter obtaining subunit 6023.
- The protocol type analyzing subunit 6021 is configured to analyze, in each statistical period, the protocol type of the data stream received in that period; the mail determining subunit 6022 is configured to determine that the data stream is mail when the protocol type analyzed by the subunit 6021 belongs to a mail protocol type; and the parameter obtaining subunit 6023 is configured to obtain the mail flow parameter of each statistical period according to the mail determined by the subunit 6022.
- The mail flow parameter obtained by the first obtaining unit 602 includes: a quantity of mail; or a number of newly established SMTP connections for transmitting mail; or an increase in the number of concurrent SMTP connections for transmitting mail.
- FIG. 8 shows another embodiment of an apparatus for detecting a mail attack according to the present invention.
- The apparatus includes a receiving unit 801, a first obtaining unit 802, a determining unit 803, a second obtaining unit 804, a first counting unit 805 and a target address determining unit 806.
- The receiving unit 801 is configured to receive a data stream; the first obtaining unit 802 is configured to obtain a mail flow parameter for each statistical period in a predetermined number of statistical periods, where, in each statistical period, the mail flow parameter of that period is determined according to the protocol type of the data stream received by the receiving unit 801.
- The determining unit 803 is configured to determine that a mail attack is detected when the mail flow parameter of every statistical period in the predetermined number of statistical periods obtained by the first obtaining unit 802 matches the first threshold.
- The second obtaining unit 804 is configured to obtain, after the determining unit 803 determines that a mail attack is detected, the recipient mailbox address of mail received in each detection period in a predetermined number of detection periods; the first counting unit 805 counts the number of occurrences of each obtained recipient mailbox address in each detection period; and the target address determining unit 806 determines a recipient mailbox address whose number of occurrences in any of those detection periods exceeds a second threshold as the target address of the mail attack.
- FIG. 9 shows another embodiment of the apparatus for detecting a mail attack according to the present invention, including a receiving unit 901, a first obtaining unit 902, a determining unit 903, a second obtaining unit 904, a first counting unit 905, a target address determining unit 906, a third obtaining unit 907, a correspondence establishing unit 908, a second counting unit 909 and an attacker address determining unit 910.
- The receiving unit 901 is configured to receive a data stream; the first obtaining unit 902 is configured to obtain a mail flow parameter for each statistical period in a predetermined number of statistical periods, where, in each statistical period, the mail flow parameter of that period is determined according to the protocol type of the data stream received by the receiving unit 901; the determining unit 903 is configured to determine that a mail attack is detected when the mail flow parameter of every statistical period obtained by the first obtaining unit 902 matches the first threshold; and the second obtaining unit 904 is configured to obtain, after the determining unit 903 determines that a mail attack is detected, the recipient mailbox address of mail received in each detection period in a predetermined number of detection periods.
- The first counting unit 905 is configured to count the number of occurrences, in each detection period, of each recipient mailbox address obtained by the second obtaining unit 904.
- The target address determining unit 906 is configured to determine a recipient mailbox address whose number of occurrences, counted by the first counting unit 905, in any detection period in the predetermined number of detection periods exceeds the second threshold as the target address of the mail attack.
- The third obtaining unit 907 is configured to obtain the sender IP address of the mail while the second obtaining unit 904 obtains the recipient mailbox address of mail received in each detection period in the predetermined number of detection periods.
- The correspondence establishing unit 908 is configured to establish, for each detection period, a correspondence between the recipient mailbox addresses obtained by the second obtaining unit 904 and the sender IP addresses obtained by the third obtaining unit 907; the second counting unit 909 counts, after the target address is determined, the number of occurrences of each sender IP address corresponding to the target address according to that correspondence; and the attacker address determining unit 910 determines a sender IP address whose counted number of occurrences exceeds a third threshold as the attacker IP address of the mail attack.
- FIG. 10 shows an embodiment of a device for detecting a mail attack, which includes a network interface 1001 and a processor 1002.
- The network interface 1001 is configured to receive a data stream.
- The processor 1002 is configured to obtain a mail flow parameter for each statistical period in a predetermined number of statistical periods, where, in each statistical period, the mail flow parameter of that period is determined according to the protocol type of the data stream received by the network interface 1001, and to determine that a mail attack is detected when the mail flow parameter of every statistical period in the predetermined number of statistical periods matches the first threshold.
- The processor 1002 may specifically be configured to analyze, in each statistical period, the protocol type of the data stream received by the network interface in that period.
- When the protocol type belongs to a mail protocol type, the data stream is determined to be mail, and the mail flow parameter of each statistical period is obtained according to the determined mail.
- The mail flow parameter obtained by the processor 1002 includes: a quantity of mail; or a number of newly established SMTP connections for transmitting mail; or an increase in the number of concurrent SMTP connections for transmitting mail.
- The processor 1002 is further configured to: after determining that a mail attack is detected, obtain the recipient mailbox address of mail received by the network interface 1001 in each detection period in a predetermined number of detection periods, count the number of occurrences of each recipient mailbox address in each detection period, and determine a recipient mailbox address whose number of occurrences in any of those detection periods exceeds the second threshold as the target address of the mail attack.
- The processor 1002 is further configured to: while obtaining the recipient mailbox address of mail received by the network interface 1001 in each detection period in the predetermined number of detection periods, obtain the sender IP address of the mail; establish, for each detection period, a correspondence between recipient mailbox addresses and sender IP addresses; and, after determining the recipient mailbox address whose number of occurrences in any of those detection periods exceeds the second threshold as the target address of the mail attack, count, according to the correspondence, the number of occurrences of each sender IP address corresponding to the target address.
- The sender IP address whose number of occurrences exceeds the third threshold is determined as the attacker IP address of the mail attack.
- The apparatus for detecting a mail attack shown in FIG. 6 can be integrated into the device for detecting a mail attack shown in this embodiment.
- The device for detecting a mail attack in the embodiments of the present invention may specifically be a mail server or a gateway device.
- The units and algorithm steps of the examples described in connection with the embodiments disclosed herein can be implemented in electronic hardware, computer software, or a combination of the two; to clearly illustrate the interchangeability of hardware and software, the composition and steps of the examples have been described above generally in terms of their functions.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
Embodiments of the present invention disclose a method, apparatus and device for detecting a mail attack. The method includes: receiving a data stream; obtaining a mail flow parameter for each statistical period in a predetermined number of statistical periods, where, in each statistical period, the mail flow parameter of that statistical period is determined according to the protocol type of the received data stream; and, when the mail flow parameter of every statistical period in the predetermined number of statistical periods matches a first threshold, determining that a mail attack is detected. Applying the embodiments of the present invention makes the detection result for a mail attack more accurate.
Description
Method, apparatus and device for detecting a mail attack

This application claims priority to Chinese Patent Application No. 201210579285.X, filed with the Chinese Patent Office on December 27, 2012 and entitled "Method, apparatus and device for detecting a mail attack", which is incorporated herein by reference in its entirety.

Technical field

The present invention relates to the field of communication technologies, and in particular to a method, apparatus and device for detecting a mail attack.

Background

A mail attack, also called a "mail bomb attack" (E-Mail Bomb), is a means of attacking an electronic mail (e-mail) mailbox (hereinafter "mailbox"): by continuously sending spam to a target mailbox within a short time, the target mailbox reaches its capacity limit and has no room left for new e-mail messages (hereinafter "mail"). Moreover, when a mail attack occurs, the spam transmitted through the network consumes a large amount of network resources, which may cause network congestion, prevent many other mailboxes from sending and receiving mail normally, and place a burden on the mail server.

When a mail attack occurs, the mail traffic received by the mail server usually becomes abnormal. Since a mail server generally receives mail through a specific port (for example, port 25), detection of a mail attack usually starts with traffic statistics for that specific port of the mail server: when the mail traffic within a certain time exceeds a preset traffic threshold, a mail attack is considered to have occurred, and the traffic on that specific port of the mail server is rate-limited.

With this way of detecting a mail attack, the specific port of the mail server receives other data in addition to mail, so the traffic counted for that port may include data traffic other than mail traffic, for example command data. The detection result for the mail attack is therefore inaccurate, and the mail attack cannot be correctly limited and handled.

Summary of the invention

Embodiments of the present invention provide a method, apparatus and device for detecting a mail attack, to solve the problem in the prior art that the detection result for a mail attack is inaccurate.

To solve the above problem, the technical solutions provided by the embodiments of the present invention are as follows:
In a first aspect, a method for detecting a mail attack is provided, including:

receiving a data stream;

obtaining a mail flow parameter for each statistical period in a predetermined number of statistical periods, where, in each statistical period, the mail flow parameter of that statistical period is determined according to the protocol type of the received data stream; and

when the mail flow parameter of every statistical period in the predetermined number of statistical periods matches a first threshold, determining that a mail attack is detected.

With reference to the first aspect, in a first possible implementation of the first aspect, determining the mail flow parameter of each statistical period according to the protocol type of the received data stream includes:

analyzing the protocol type of the data stream received in each statistical period;

when the protocol type belongs to a mail protocol type, determining that the data stream is mail; and

obtaining the mail flow parameter of each statistical period according to the determined mail.

With reference to the first aspect or the first possible implementation of the first aspect, in a second possible implementation of the first aspect, the mail flow parameter includes:

a quantity of mail; or

a number of newly established Simple Mail Transfer Protocol (SMTP) connections for transmitting mail; or

an increase in the number of concurrent SMTP connections for transmitting mail.

With reference to the first aspect, or the first or second possible implementation of the first aspect, in a third possible implementation of the first aspect, after determining that a mail attack is detected, the method further includes:

obtaining the recipient mailbox address of mail received in each detection period in a predetermined number of detection periods; counting the number of occurrences of each obtained recipient mailbox address in each detection period; and

determining a recipient mailbox address whose number of occurrences in any detection period in the predetermined number of detection periods exceeds a second threshold as a target address of the mail attack.

With reference to the third possible implementation of the first aspect, in a fourth possible implementation of the first aspect, the method further includes:

while obtaining the recipient mailbox address of mail received in each detection period in the predetermined number of detection periods, obtaining the sender Internet Protocol (IP) address of the mail;

establishing, for each detection period, a correspondence between recipient mailbox addresses and sender IP addresses; and

after determining the recipient mailbox address whose number of occurrences in any detection period in the predetermined number of detection periods exceeds the second threshold as the target address of the mail attack, further:

counting, according to the correspondence, the number of occurrences of each sender IP address corresponding to the target address; and determining a sender IP address whose number of occurrences exceeds a third threshold as an attacker IP address of the mail attack.
In a second aspect, an apparatus for detecting a mail attack is provided, including:

a receiving unit, configured to receive a data stream;

a first obtaining unit, configured to obtain a mail flow parameter for each statistical period in a predetermined number of statistical periods, where, in each statistical period, the mail flow parameter of that statistical period is determined according to the protocol type of the data stream received by the receiving unit; and

a determining unit, configured to determine that a mail attack is detected when the mail flow parameter of every statistical period in the predetermined number of statistical periods obtained by the first obtaining unit matches a first threshold.

With reference to the second aspect, in a first possible implementation of the second aspect, the first obtaining unit includes: a protocol type analyzing subunit, configured to analyze, in each statistical period, the protocol type of the data stream received in that statistical period;

a mail determining subunit, configured to determine that the data stream is mail when the protocol type of the data stream analyzed by the protocol type analyzing subunit belongs to a mail protocol type; and

a parameter obtaining subunit, configured to obtain the mail flow parameter of each statistical period according to the mail determined by the mail determining subunit.

With reference to the second aspect or the first possible implementation of the second aspect, in a second possible implementation of the second aspect, the apparatus further includes:

a second obtaining unit, configured to obtain, after the determining unit determines that a mail attack is detected, the recipient mailbox address of mail received in each detection period in a predetermined number of detection periods;

a first counting unit, configured to count the number of occurrences, in each detection period, of each recipient mailbox address obtained by the second obtaining unit; and

a target address determining unit, configured to determine a recipient mailbox address whose number of occurrences, counted by the first counting unit, in any detection period in the predetermined number of detection periods exceeds a second threshold as a target address of the mail attack.

With reference to the second possible implementation of the second aspect, in a third possible implementation of the second aspect, the apparatus further includes:

a third obtaining unit, configured to obtain the sender Internet Protocol (IP) address of the mail while the second obtaining unit obtains the recipient mailbox address of mail received in each detection period in the predetermined number of detection periods; a correspondence establishing unit, configured to establish, for each detection period, a correspondence between the recipient mailbox addresses obtained by the second obtaining unit and the sender IP addresses obtained by the third obtaining unit;

a second counting unit, configured to count, after the target address determining unit determines the target address, the number of occurrences of each sender IP address corresponding to the target address according to the correspondence established by the correspondence establishing unit; and an attacker address determining unit, configured to determine a sender IP address whose number of occurrences, counted by the second counting unit, exceeds a third threshold as an attacker IP address of the mail attack.
In a third aspect, a device for detecting a mail attack is provided, including:

a network interface, configured to receive a data stream; and

a processor, configured to obtain a mail flow parameter for each statistical period in a predetermined number of statistical periods, where, in each statistical period, the mail flow parameter of that statistical period is determined according to the protocol type of the data stream received by the network interface, and to determine that a mail attack is detected when the mail flow parameter of every statistical period in the predetermined number of statistical periods matches a first threshold.

With reference to the third aspect, in a first possible implementation of the third aspect, the processor is specifically configured to: analyze, in each statistical period, the protocol type of the data stream received by the network interface in that statistical period; when the protocol type belongs to a mail protocol type, determine that the data stream is mail; and obtain the mail flow parameter of each statistical period according to the determined mail.

With reference to the third aspect or the first possible implementation of the third aspect, in a second possible implementation of the third aspect, the processor is further configured to: after determining that a mail attack is detected, obtain the recipient mailbox address of mail received by the network interface in each detection period in a predetermined number of detection periods, count the number of occurrences of each obtained recipient mailbox address in each detection period, and determine a recipient mailbox address whose number of occurrences in any detection period in the predetermined number of detection periods exceeds a second threshold as a target address of the mail attack.

With reference to the second possible implementation of the third aspect, in a third possible implementation of the third aspect, the processor is further configured to: while obtaining the recipient mailbox address of mail received by the network interface in each detection period in the predetermined number of detection periods, obtain the sender Internet Protocol (IP) address of the mail; establish, for each detection period, a correspondence between recipient mailbox addresses and sender IP addresses; and, after determining the recipient mailbox address whose number of occurrences in any detection period in the predetermined number of detection periods exceeds the second threshold as the target address of the mail attack, count, according to the correspondence, the number of occurrences of each sender IP address corresponding to the target address, and determine a sender IP address whose number of occurrences exceeds a third threshold as an attacker IP address of the mail attack.
In the method for detecting a mail attack of the embodiments of the present invention, the mail flow parameter is determined first, and a mail attack is then determined to be detected according to the determined mail flow parameter, where the mail flow parameter is determined according to the protocol type of the received data stream. It can be seen from the above that when the received data stream includes data traffic other than mail traffic, the mail traffic contained in the received data stream can be identified according to the protocol type of the data stream, so the mail flow parameter can be determined accurately, making the detection result for the mail attack more accurate.

Brief description of the drawings

To describe the technical solutions in the embodiments of the present invention or in the prior art more clearly, the accompanying drawings needed for the embodiments are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention, and a person of ordinary skill in the art can derive other drawings from them without creative effort.
FIG. 1 is a schematic flowchart of a method for detecting a mail attack in an embodiment of the present invention;

FIG. 2 is a schematic flowchart of a method for detecting a mail attack in another embodiment of the present invention;

FIG. 3 is a schematic flowchart of a method for detecting a mail attack in another embodiment of the present invention;

FIG. 4 is a schematic diagram of a network architecture in an embodiment of the present invention;

FIG. 5 is a schematic diagram of a monitoring entry in an embodiment of the present invention;

FIG. 6 is a schematic structural diagram of an apparatus for detecting a mail attack in an embodiment of the present invention;

FIG. 7 is a schematic structural diagram of the first obtaining unit 601 in an embodiment of the present invention;

FIG. 8 is a schematic structural diagram of an apparatus for detecting a mail attack in another embodiment of the present invention;

FIG. 9 is a schematic structural diagram of an apparatus for detecting a mail attack in another embodiment of the present invention;
FIG. 10 is a schematic structural diagram of a device for detecting a mail attack in an embodiment of the present invention.

Detailed description

The technical solutions in the embodiments of the present invention are described below clearly and completely with reference to the accompanying drawings. Obviously, the described embodiments are only some rather than all of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the protection scope of the present invention.

The attacker in a mail attack often uses mail attack software to attack the target mailbox. During a mail attack on a target mailbox, a large number of mails, or very large mails, are sent to the target mailbox, so that the mailbox's space is used up, it cannot receive new mail, and it cannot be used normally. Some mail attacks even send a large number of mails to the target mailbox by controlling a botnet, occupying network resources and affecting normal mail sending and receiving for other mailboxes.

Having analyzed a large number of mail attacks, the inventors found that the mail in a mail attack is mostly randomly generated or arbitrarily written, so it is hard to extract signature fields from it, and existing signature-based traffic detection is therefore not feasible for detecting mail attacks. In addition, because mail attacks include low-volume flood attacks, and some normal traffic may also become very heavy within a short time, anomalous-traffic detection cannot accurately detect mail attacks either. In-depth analysis showed that mail attacks share some common characteristics: the target mailbox is fixed, that is, the recipient mailbox address is fixed; the protocol type of the data stream belongs to a mail protocol type, for example the Simple Mail Transfer Protocol (SMTP), carried over a real communication connection based on the Transmission Control Protocol (TCP); and, when a mail attack occurs, the same mail server receives a relatively large number of mails within a certain time period. The spam sent during a mail attack also has some common characteristics, for example the recipient mailbox address and the sender mailbox address of the mail are the same, or the text content of the mails is similar. It can be understood that a person skilled in the art can derive further characteristics from the above; they are not discussed one by one here.

In view of these common characteristics of mail attacks, the present invention proposes a technical solution that can accurately identify and detect a mail attack, so that the attacked target mailbox is not affected by the attack and can be used normally, and the normal use of other mailboxes in the network is not affected.

As shown in FIG. 1, an embodiment of the method for detecting a mail attack of the present invention proceeds as follows:

Step 101: receive a data stream.

Step 102: obtain a mail flow parameter for each statistical period in a predetermined number of statistical periods, where, in each statistical period, the mail flow parameter of that statistical period is determined according to the protocol type of the received data stream.

The entity performing this embodiment may be a mail server or a gateway device in an existing network.

In the embodiment of the present invention, determining the mail flow parameter of each statistical period according to the protocol type of the received data stream may use the following method: analyze the protocol type of the data stream received in each statistical period; when the protocol type belongs to a mail protocol type, determine that the data stream is mail; and obtain the mail flow parameter of each statistical period according to the determined mail.

The mail protocol type may be SMTP, the Post Office Protocol 3 (POP3) or the Internet Message Access Protocol (IMAP); the embodiments of the present invention use SMTP as an example.

The mail flow parameter may include: the quantity of mail, the number of newly established SMTP connections for transmitting mail, or the increase in the number of concurrent SMTP connections for transmitting mail.

Step 103: when the mail flow parameter of every statistical period in the predetermined number of statistical periods matches a first threshold, determine that a mail attack is detected.

After determining that a mail attack is detected, corresponding preventive measures can be taken; specifically, one of the following three measures can be taken: after determining that a mail attack is detected, rate-limit the mail server, thereby avoiding the network congestion caused by the mail attack; or, after determining that a mail attack is detected, further determine the target address of the mail attack, that is, the mailbox address being attacked, so as to rate-limit the determined target address; or, after determining that a mail attack is detected, first further determine the target address of the mail attack and then determine the attacker IP address of the mail attack, so as to rate-limit the determined attacker IP address, for example by blocking that attacker IP address from sending mail.

The first preventive measure can be taken immediately after determining that a mail attack is detected.

When the second preventive measure is taken, the target address of the mail attack still has to be determined after determining that a mail attack is detected, so the embodiment of the present invention may further include a process for determining the target address: first obtain the recipient mailbox address of mail received in each detection period in a predetermined number of detection periods, then count the number of occurrences of each obtained recipient mailbox address in each detection period, and then determine a recipient mailbox address whose number of occurrences in any detection period in the predetermined number of detection periods exceeds a second threshold as the target address of the mail attack.

When the third preventive measure is taken, after determining that a mail attack is detected, not only the target address of the mail attack but also the attacker IP address of the mail attack must be determined. Therefore, in addition to the process for determining the target address (which is similar to the process in the second preventive measure and is not described again here), the embodiment of the present invention may further include a process for determining the attacker IP address: while obtaining the recipient mailbox address of mail received in each detection period in the predetermined number of detection periods, obtain the sender IP address of the mail and establish, for each detection period, a correspondence between recipient mailbox addresses and sender IP addresses; then, after determining the target address of the mail attack, count, according to the correspondence, the number of occurrences of each sender IP address corresponding to the target address, and determine a sender IP address whose number of occurrences exceeds a third threshold as the attacker IP address of the mail attack.
In the embodiment of the present invention, the first threshold may be preset to a fixed value before mail attack detection; further, during mail attack detection, when the mail flow parameter does not match the first threshold, the first threshold may be adjusted according to the mail flow parameter, so that subsequent mail attack detection uses the adjusted first threshold.

It can be seen from the above that in the method for detecting a mail attack of the embodiment of the present invention, the mail flow parameter is determined first, and a mail attack is then determined to be detected according to the determined mail flow parameter. The mail flow parameter is determined according to the protocol type of the received data stream. When the received data stream includes data traffic other than mail traffic, the mail traffic contained in the received data stream can be identified according to the protocol type of the data stream, so the mail flow parameter can be determined accurately and, accordingly, the detection result for the mail attack is more accurate.

As shown in FIG. 2, in another embodiment of the method for detecting a mail attack of the present invention, the target address of the mail attack is further determined after determining that a mail attack is detected. The specific process is as follows:

Step 201: receive a data stream.

Step 202: obtain a mail flow parameter for each statistical period in a predetermined number of statistical periods, where, in each statistical period, the mail flow parameter of that statistical period is determined according to the protocol type of the received data stream.

The entity performing this embodiment may be a mail server or a gateway device in an existing network.

In the embodiment of the present invention, determining the mail flow parameter of each statistical period according to the protocol type of the received data stream may use the following method: analyze the protocol type of the data stream received in each statistical period; when the protocol type belongs to a mail protocol type, determine that the data stream is mail; and obtain the mail flow parameter of each statistical period according to the determined mail.

The mail flow parameter may include: the quantity of mail, the number of newly established SMTP connections for transmitting mail, or the increase in the number of concurrent SMTP connections for transmitting mail.

Step 203: when the mail flow parameter of every statistical period matches the first threshold, determine that a mail attack is detected.

Under normal conditions the value of the mail flow parameter changes smoothly, whereas under a mail attack it changes abruptly and markedly, so a reference value for the mail flow parameter can be preset; this reference value is the first threshold.

In the embodiment of the present invention, the first threshold may be preset to a fixed value before mail attack detection; further, during mail attack detection, when the mail flow parameter does not match the first threshold, the first threshold may be adjusted according to the mail flow parameter, so that subsequent mail attack detection uses the adjusted first threshold. The mail flow parameter not matching the first threshold may specifically mean that the mail flow parameter does not exceed the first threshold. For example, when the mail flow parameter is the quantity of mail and the first threshold is 100, a determined quantity of 10 does not exceed the first threshold, so the mail flow parameter does not match the first threshold; a determined quantity of 200 exceeds the first threshold, so the mail flow parameter matches the first threshold.

The first threshold may be determined by the following process: before mail attack detection, determine an initial value of the first threshold through traffic learning, traffic modeling and model output, where the initial value of the first threshold is a fixed value. This process is usually called the learning phase before mail attack detection; only after the learning phase is complete can mail attacks be detected, that is, the working state is entered. During mail attack detection, within one statistical period, the mail flow parameter of that statistical period is determined according to the protocol type of the received data stream; when the determined mail flow parameter does not match the first threshold, the first threshold is adjusted according to the mail flow parameter, where the adjustment may start from the initial value of the first threshold determined in the learning phase.

Step 204: obtain the recipient mailbox address of mail received in each detection period in a predetermined number of detection periods.

In the embodiment of the present invention, after mail is received, its content may be analyzed to obtain the recipient mailbox address of the mail.

Step 205: count the number of occurrences of each obtained recipient mailbox address in each detection period.

In the embodiment of the present invention, after the recipient mailbox address of the mail is obtained, it may be normalized by converting it to a single letter case and then looked up among the stored recipient mailbox addresses. If the recipient mailbox address is not found, it is stored and its number of occurrences is initialized to 1; if it is found, its number of occurrences is incremented by 1.

Step 206: determine a recipient mailbox address whose number of occurrences in any detection period in the predetermined number of detection periods exceeds a second threshold as the target address of the mail attack.

When no target address is detected in any detection period in the predetermined number of detection periods, it is confirmed that no mail attack has occurred.

It can be seen from the above that in the method for detecting a mail attack of the embodiment of the present invention, not only is the detection result more accurate, but after determining that a mail attack is detected, the target address of the mail attack is further determined, so that preventive measures such as rate limiting can be taken against the determined target address.
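The statistical-period stage described above (classifying received flows by protocol type rather than by port, deriving a mail flow parameter per period, learning an initial first threshold, and alarming only when every one of N consecutive periods exceeds it), as an added Python example that is not part of the patent. The flow records are constructed; the learning rule (a margin times the baseline maximum) and the approximation of "concurrent SMTP connection increase" as the period-to-period change in SMTP connection count are assumptions, since the page does not specify either.

```python
"""Stage-1 mail attack detection (the patent's FIG. 1 / FIG. 2 method):
classify flows by protocol type, derive a mail flow parameter per statistical
period, and alarm only when N consecutive periods exceed the first threshold.
Added example; every flow record below is constructed."""
from collections import namedtuple

# Constructed flow record: one per TCP connection seen by the mail server or
# gateway (assumption: an upstream classifier already labelled the protocol).
Flow = namedtuple("Flow", "period proto dst_port messages")

MAIL_PROTOCOLS = {"SMTP", "POP3", "IMAP"}  # mail protocol types named on the page


def is_mail(flow):
    """Classify by protocol type, not by port: port 25 may also carry
    non-mail data (the page's 'command data'), which must not be counted."""
    return flow.proto in MAIL_PROTOCOLS


def port_only_count(flows, period):
    """The prior-art counter the page criticizes: everything on port 25 counts."""
    return sum(f.messages for f in flows if f.period == period and f.dst_port == 25)


def mail_flow_parameters(flows, n_periods):
    """Per statistical period, the three parameters the page names: quantity of
    mail, newly established SMTP connections, and the increase in concurrent
    SMTP connections (assumption: approximated as the period-to-period change
    in the SMTP connection count)."""
    params = []
    prev_smtp = 0
    for p in range(n_periods):
        mail = [f for f in flows if f.period == p and is_mail(f)]
        new_smtp = sum(1 for f in mail if f.proto == "SMTP")
        params.append({
            "mail_count": sum(f.messages for f in mail),
            "new_smtp_conns": new_smtp,
            "smtp_concurrent_increase": new_smtp - prev_smtp,
        })
        prev_smtp = new_smtp
    return params


def learn_first_threshold(baseline_params, key, margin=2.0):
    """Learning phase. The page only says the initial first threshold comes
    from traffic learning and modelling; margin x baseline maximum is an
    assumption standing in for that model."""
    return max(p[key] for p in baseline_params) * margin


def attack_detected(params, key, first_threshold, n_required):
    """Alarm only when the parameter exceeds the first threshold in each of the
    last n_required periods ('matches' means 'exceeds' in the page's 100/10/200
    example), so a single busy period does not trigger."""
    window = params[-n_required:]
    return len(window) == n_required and all(p[key] > first_threshold for p in window)


# Constructed sample: periods 0-2 are a quiet baseline; in periods 3-5 a flood
# of SMTP mail arrives together with non-mail traffic on port 25 that a
# port-only counter would wrongly add to the mail volume.
SAMPLE_FLOWS = (
    [Flow(p, "SMTP", 25, 2) for p in range(3) for _ in range(5)]
    + [Flow(p, "OTHER", 25, 50) for p in range(3, 6) for _ in range(4)]
    + [Flow(p, "SMTP", 25, 3) for p in range(3, 6) for _ in range(20)]
)


def run_demo():
    """Learn on periods 0-2, then evaluate all six periods over a 3-period window."""
    baseline = mail_flow_parameters([f for f in SAMPLE_FLOWS if f.period < 3], 3)
    threshold = learn_first_threshold(baseline, "mail_count")
    params = mail_flow_parameters(SAMPLE_FLOWS, 6)
    return threshold, params, attack_detected(params, "mail_count", threshold, 3)


if __name__ == "__main__":
    thr, params, alarm = run_demo()
    print("first threshold:", thr)
    for i, p in enumerate(params):
        print(i, p, "port-only count:", port_only_count(SAMPLE_FLOWS, i))
    print("mail attack detected:", alarm)
```

In the sample, the protocol-based count for each attack period is 60 mails while the port-only count is 260, which is the inaccuracy the page attributes to port-based statistics; the N-consecutive-period rule is what keeps one heavy but legitimate period (the page's "normal traffic that is briefly large") from raising an alarm.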
As shown in FIG. 3, in another embodiment of the method for detecting a mail attack of the present invention, after determining that a mail attack is detected, the target address of the mail attack is first determined and then the attacker IP address of the mail attack is determined. The specific process is as follows:

Step 301: analyze the protocol type of the data stream received in each statistical period; when the protocol type belongs to a mail protocol type, determine that the data stream is mail.

The entity performing this embodiment may be a mail server or a gateway device in an existing network.

Step 302: obtain the mail flow parameter of each statistical period according to the determined mail.

Step 303: judge whether the mail flow parameter of every statistical period in the predetermined number of statistical periods matches the first threshold; if yes, perform step 304; if no, end the current process.

Step 304: obtain the recipient mailbox address and sender IP address of mail received in each detection period in a predetermined number of detection periods, and establish a correspondence between the two.

The correspondence is the correspondence between recipient mailbox addresses and sender IP addresses in each detection period.

In this embodiment, a monitoring entry may be established in each detection period; the monitoring entry stores the correspondence between the recipient mailbox addresses and sender IP addresses of mail received in that detection period. In each detection period, after mail is received, the recipient mailbox address and sender IP address of the mail can first be obtained.

For each obtained recipient mailbox address, the established monitoring entry can be searched for a hash node corresponding to that recipient mailbox address; if no such hash node exists, a hash node corresponding to the recipient mailbox address is established. The hash node corresponding to each recipient mailbox address may store the recipient mailbox address and its number of occurrences in the detection period, while the slave nodes of that hash node store each sender IP address and its number of occurrences in the detection period.

Step 305: count the number of occurrences of each obtained recipient mailbox address in each detection period.

In this embodiment, the initial number of occurrences of each recipient mailbox address in each detection period is 1; if the search of the monitoring entry finds a hash node corresponding to the recipient mailbox address, the number of occurrences of the recipient mailbox address stored in the found hash node is incremented by one. When a detection period ends, the number of occurrences of each recipient mailbox address in that detection period is obtained from the established monitoring entry.

Step 306: determine a recipient mailbox address whose number of occurrences in any detection period in the predetermined number of detection periods exceeds the second threshold as the target address of the mail attack.
Step 307: count, according to the correspondence, the number of occurrences of each sender IP address corresponding to the target address.

In this embodiment, after the target address of the mail attack is determined, all slave nodes of the hash node corresponding to the target address can be traversed to count the number of occurrences of each sender IP address corresponding to the target address.

Step 308: determine a sender IP address whose number of occurrences exceeds a third threshold as the attacker IP address of the mail attack, and end the current process.

It can be seen from the above that in the method for detecting a mail attack of the embodiment of the present invention, not only is the detection result more accurate, but after determining that a mail attack is detected, the target address of the mail attack is first determined and then the attacker IP address is determined, so that rate limiting can be applied to that attacker IP address, for example by blocking it from sending mail, which makes defense against the mail attack more targeted and more effective.

FIG. 4 is a schematic diagram of the network architecture for the method for detecting a mail attack of the present invention. The mail server 404 is responsible for managing mail sending and receiving; the attacker device 401 launches a mail attack through a master host 402 and multiple controlled hosts 403. Because multiple controlled hosts act as attack hosts, the mail attack shown in FIG. 4 is a Distributed Denial of Service (DDoS) attack. It should be noted that the DDoS attack shown in FIG. 4 is only an example; other types of mail attack can also be detected with the embodiments of the present invention, and the embodiments impose no limitation in this respect.

Based on the network architecture shown in FIG. 4, another embodiment of the present invention may use the following processing method. First obtain the quantity of mail for each statistical period in a predetermined number of statistical periods, where, in one statistical period, the quantity of mail for that period is determined according to the protocol type of the received data stream; when the quantity of mail in every statistical period matches the first threshold, determine that a mail attack is detected and enter detection mode, in which a monitoring entry is established in each detection period to store the correspondence between the recipient mailbox addresses and sender IP addresses of mail received in that detection period. In a detection period, after mail is received, the recipient mailbox address and sender IP address of the mail are first obtained. For each obtained recipient mailbox address, the established monitoring entry is searched for a hash node corresponding to that address; if none exists, a hash node corresponding to the recipient mailbox address is established, storing the recipient mailbox address and its number of occurrences in the detection period, with an initial value of 1; if a hash node corresponding to the recipient mailbox address exists, the number of occurrences stored in the found hash node is incremented by one. At the same time, the slave nodes of that hash node store the sender IP address and its number of occurrences in the detection period, and the entry data is refreshed during the detection period. When a detection period ends, the number of occurrences of each recipient mailbox address in that detection period is obtained from the established monitoring entry; a recipient mailbox address whose number of occurrences in the detection period exceeds the second threshold is determined as the target address of the mail attack; then all slave nodes of the hash node corresponding to the target address are traversed, and a sender IP address whose number of occurrences (that is, the number of mails sent to the target address) exceeds the third threshold is determined as the attacker IP address of the mail attack.

FIG. 5 is a schematic diagram of the monitoring entry established in the above method embodiments. In the figure, D denotes a recipient mailbox address and Total(D) denotes the number of occurrences of recipient mailbox address D in the detection period; the hash node corresponding to D has three slave nodes, which respectively store sender IP address IP1 and its number of occurrences MCount(IP1) in that detection period, sender IP address IP2 and its number of occurrences MCount(IP2), and sender IP address IP3 and its number of occurrences MCount(IP3). M denotes another recipient mailbox address and Total(M) denotes the number of occurrences of recipient mailbox address M in the detection period; the hash node corresponding to M has four slave nodes, which respectively store sender IP address IP4 and its number of occurrences MCount(IP4), IP5 and MCount(IP5), IP6 and MCount(IP6), and IP7 and MCount(IP7).

Corresponding to the embodiments of the method for detecting a mail attack of the present invention, the present invention also provides embodiments of an apparatus and a device for detecting a mail attack.

FIG. 6 shows an embodiment of the apparatus for detecting a mail attack of the present invention. The apparatus includes a receiving unit 601, a first obtaining unit 602 and a determining unit 603, where:

the receiving unit 601 is configured to receive a data stream;

the first obtaining unit 602 is configured to obtain a mail flow parameter for each statistical period in a predetermined number of statistical periods, where, in each statistical period, the mail flow parameter of that statistical period is determined according to the protocol type of the data stream received by the receiving unit 601; and

the determining unit 603 is configured to determine that a mail attack is detected when the mail flow parameter of every statistical period in the predetermined number of statistical periods obtained by the first obtaining unit 602 matches a first threshold.

In the apparatus for detecting a mail attack of the embodiment of the present invention, the first obtaining unit 602 obtains the mail flow parameter, and the determining unit 603 then determines that a mail attack is detected according to the mail flow parameter obtained by the first obtaining unit 602, where the first obtaining unit 602 determines the mail flow parameter according to the protocol type of the received data stream. It can be seen from the above that when the received data stream includes data traffic other than mail traffic, the first obtaining unit 602 can identify, according to the protocol type of the data stream, the mail traffic contained in the received data stream, so the mail flow parameter can be determined accurately and the detection result of the determining unit 603 is more accurate.

FIG. 7 shows a specific embodiment of the first obtaining unit 602. The first obtaining unit 602 includes a protocol type analyzing subunit 6021, a mail determining subunit 6022 and a parameter obtaining subunit 6023, where:

the protocol type analyzing subunit 6021 is configured to analyze, in each statistical period, the protocol type of the data stream received in that statistical period;

the mail determining subunit 6022 is configured to determine that the data stream is mail when the protocol type of the data stream analyzed by the protocol type analyzing subunit 6021 belongs to a mail protocol type; and

the parameter obtaining subunit 6023 is configured to obtain the mail flow parameter of each statistical period according to the mail determined by the mail determining subunit 6022.

In a specific embodiment of the above apparatus for detecting a mail attack, the mail flow parameter obtained by the first obtaining unit 602 includes: a quantity of mail; or a number of newly established SMTP connections for transmitting mail; or an increase in the number of concurrent SMTP connections for transmitting mail.

FIG. 8 shows another embodiment of the apparatus for detecting a mail attack of the present invention. The apparatus includes a receiving unit 801, a first obtaining unit 802, a determining unit 803, a second obtaining unit 804, a first counting unit 805 and a target address determining unit 806, where:

the receiving unit 801 is configured to receive a data stream;

the first obtaining unit 802 is configured to obtain a mail flow parameter for each statistical period in a predetermined number of statistical periods, where, in each statistical period, the mail flow parameter of that statistical period is determined according to the protocol type of the data stream received by the receiving unit 801;

the determining unit 803 is configured to determine that a mail attack is detected when the mail flow parameter of every statistical period in the predetermined number of statistical periods obtained by the first obtaining unit 802 matches a first threshold;

the second obtaining unit 804 is configured to obtain, after the determining unit 803 determines that a mail attack is detected, the recipient mailbox address of mail received in each detection period in a predetermined number of detection periods;

the first counting unit 805 is configured to count the number of occurrences, in each detection period, of each recipient mailbox address obtained by the second obtaining unit 804; and

the target address determining unit 806 is configured to determine a recipient mailbox address whose number of occurrences, counted by the first counting unit 805, in any detection period in the predetermined number of detection periods exceeds a second threshold as the target address of the mail attack.

FIG. 9 shows another embodiment of the apparatus for detecting a mail attack of the present invention. The apparatus includes a receiving unit 901, a first obtaining unit 902, a determining unit 903, a second obtaining unit 904, a first counting unit 905, a target address determining unit 906, a third obtaining unit 907, a correspondence establishing unit 908, a second counting unit 909 and an attacker address determining unit 910, where:

the receiving unit 901 is configured to receive a data stream;

the first obtaining unit 902 is configured to obtain a mail flow parameter for each statistical period in a predetermined number of statistical periods, where, in each statistical period, the mail flow parameter of that statistical period is determined according to the protocol type of the data stream received by the receiving unit 901;

the determining unit 903 is configured to determine that a mail attack is detected when the mail flow parameter of every statistical period in the predetermined number of statistical periods obtained by the first obtaining unit 902 matches a first threshold;

the second obtaining unit 904 is configured to obtain, after the determining unit 903 determines that a mail attack is detected, the recipient mailbox address of mail received in each detection period in a predetermined number of detection periods;

the first counting unit 905 is configured to count the number of occurrences, in each detection period, of each recipient mailbox address obtained by the second obtaining unit 904;

the target address determining unit 906 is configured to determine a recipient mailbox address whose number of occurrences, counted by the first counting unit 905, in any detection period in the predetermined number of detection periods exceeds a second threshold as the target address of the mail attack;

the third obtaining unit 907 is configured to obtain the sender IP address of the mail while the second obtaining unit 904 obtains the recipient mailbox address of mail received in each detection period in the predetermined number of detection periods;

the correspondence establishing unit 908 is configured to establish, for each detection period, a correspondence between the recipient mailbox addresses obtained by the second obtaining unit 904 and the sender IP addresses obtained by the third obtaining unit 907;

the second counting unit 909 is configured to count, after the target address determining unit 906 determines the target address, the number of occurrences of each sender IP address corresponding to the target address according to the correspondence established by the correspondence establishing unit 908; and

the attacker address determining unit 910 is configured to determine a sender IP address whose number of occurrences, counted by the second counting unit 909, exceeds a third threshold as the attacker IP address of the mail attack.

FIG. 10 shows an embodiment of the device for detecting a mail attack of the present invention. The device includes a network interface 1001 and a processor 1002, where:

the network interface 1001 is configured to receive a data stream; and

the processor 1002 is configured to obtain a mail flow parameter for each statistical period in a predetermined number of statistical periods, where, in each statistical period, the mail flow parameter of that statistical period is determined according to the protocol type of the data stream received by the network interface 1001, and to determine that a mail attack is detected when the mail flow parameter of every statistical period in the predetermined number of statistical periods matches a first threshold.

In a specific embodiment of the above device for detecting a mail attack of the present invention, the processor 1002 may specifically be configured to: analyze, in each statistical period, the protocol type of the data stream received by the network interface in that statistical period; when the protocol type belongs to a mail protocol type, determine that the data stream is mail; and obtain the mail flow parameter of each statistical period according to the determined mail.

In another specific embodiment of the above device for detecting a mail attack of the present invention, the mail flow parameter obtained by the processor 1002 includes: a quantity of mail; or a number of newly established SMTP connections for transmitting mail; or an increase in the number of concurrent SMTP connections for transmitting mail.

In another specific embodiment of the above device for detecting a mail attack of the present invention, the processor 1002 may further be configured to: after determining that a mail attack is detected, obtain the recipient mailbox address of mail received by the network interface 1001 in each detection period in a predetermined number of detection periods, count the number of occurrences of each obtained recipient mailbox address in each detection period, and determine a recipient mailbox address whose number of occurrences in any detection period in the predetermined number of detection periods exceeds a second threshold as the target address of the mail attack.

In another specific embodiment of the above device for detecting a mail attack of the present invention, the processor 1002 may further be configured to: while obtaining the recipient mailbox address of mail received by the network interface 1001 in each detection period in the predetermined number of detection periods, obtain the sender IP address of the mail; establish, for each detection period, a correspondence between recipient mailbox addresses and sender IP addresses; and, after determining the recipient mailbox address whose number of occurrences in any detection period in the predetermined number of detection periods exceeds the second threshold as the target address of the mail attack, count, according to the correspondence, the number of occurrences of each sender IP address corresponding to the target address, and determine a sender IP address whose number of occurrences exceeds a third threshold as the attacker IP address of the mail attack.

It should be noted that the apparatus for detecting a mail attack shown in FIG. 6 may be integrated into the device for detecting a mail attack shown in this embodiment.

In practical applications, the device for detecting a mail attack in the embodiments of the present invention may specifically be a mail server or a gateway device.

A person skilled in the art will further appreciate that the units and algorithm steps of the examples described in connection with the embodiments disclosed herein can be implemented in electronic hardware, computer software, or a combination of the two. To clearly illustrate the interchangeability of hardware and software, the composition and steps of the examples have been described above generally in terms of their functions. Whether these functions are performed in hardware or in software depends on the particular application and design constraints of the technical solution. A person skilled in the art may use different methods to implement the described functions for each particular application, but such an implementation should not be considered beyond the scope of the embodiments of the present invention.

The steps of the method or algorithm described in connection with the embodiments disclosed herein may be implemented directly in hardware, in a software module executed by a processor, or in a combination of the two.

The above description of the disclosed embodiments enables a person skilled in the art to make or use the embodiments of the present invention. Various modifications to these embodiments will be apparent to a person skilled in the art, and the general principles defined herein may be implemented in other embodiments without departing from the spirit or scope of the embodiments of the present invention. Therefore, the embodiments of the present invention are not limited to the embodiments shown herein but are to be accorded the widest scope consistent with the principles and novel features disclosed herein.

The above are merely preferred embodiments of the present invention and are not intended to limit it; any modification, equivalent replacement, improvement, and the like made within the spirit and principles of the embodiments of the present invention shall fall within the protection scope of the embodiments of the present invention.
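The target-address and attacker-IP stages of the FIG. 3 embodiment (steps 304 to 308) together with the FIG. 5 monitoring entry, as an added Python example that is not the patent's own code. Each detection period gets one monitoring entry; a hash node per normalized recipient address holds Total(D), and its slave nodes hold MCount(IP) per sender IP. The mail records, the documentation-range IP addresses and the second and third thresholds are constructed values, not figures from the page.

```python
"""Stages 2 and 3 of the patent's method (FIG. 3 steps 304-308 and the FIG. 5
monitoring entry): per detection period, each recipient mailbox address maps to
a hash node holding Total(D) and to slave nodes holding MCount(IP) per sender
IP. Added example, not the patent's code; thresholds and mail are constructed."""
from collections import Counter, defaultdict


class MonitoringEntry:
    """One monitoring entry per detection period."""

    def __init__(self):
        # hash node: recipient -> {"total": Total(D), "senders": {IP: MCount(IP)}}
        self.nodes = defaultdict(lambda: {"total": 0, "senders": Counter()})

    @staticmethod
    def normalize(addr):
        # The page normalizes the recipient address to a single letter case
        # before the lookup, so D@example.com and d@example.com share a node.
        return addr.strip().lower()

    def record(self, recipient, sender_ip):
        """Look up (or create) the recipient's hash node and update the counts."""
        node = self.nodes[self.normalize(recipient)]
        node["total"] += 1                # first sight initializes Total(D) to 1
        node["senders"][sender_ip] += 1   # slave node: MCount(IP) for this sender

    def total(self, recipient):
        return self.nodes[self.normalize(recipient)]["total"]

    def targets(self, second_threshold):
        """Step 306: recipients whose Total exceeds the second threshold."""
        return sorted(d for d, n in self.nodes.items() if n["total"] > second_threshold)

    def attacker_ips(self, target, third_threshold):
        """Steps 307-308: walk the target's slave nodes for MCount > third threshold."""
        node = self.nodes.get(self.normalize(target))
        if node is None:
            return []
        return sorted(ip for ip, c in node["senders"].items() if c > third_threshold)


def detect_over_periods(mails, n_periods, second_threshold, third_threshold):
    """Run stages 2-3 over mails given as (period, recipient, sender_ip).
    A recipient is a target if it exceeds the second threshold in ANY period,
    matching the page's wording; attacker IPs are collected per target."""
    entries = [MonitoringEntry() for _ in range(n_periods)]
    for period, recipient, sender_ip in mails:
        entries[period].record(recipient, sender_ip)
    targets, attackers = set(), {}
    for entry in entries:
        for t in entry.targets(second_threshold):
            targets.add(t)
            attackers.setdefault(t, set()).update(entry.attacker_ips(t, third_threshold))
    return sorted(targets), {t: sorted(ips) for t, ips in attackers.items()}


# Constructed sample (documentation IP ranges): period 0 is normal; in period 1
# three senders flood one mailbox, written with different letter cases.
SAMPLE_MAILS = (
    [(0, "alice@example.com", "198.51.100.1")] * 3
    + [(0, "bob@example.com", "198.51.100.2")] * 2
    + [(1, "D@example.com", "203.0.113.10")] * 6
    + [(1, "d@example.com", "203.0.113.11")] * 5
    + [(1, "d@EXAMPLE.com", "203.0.113.12")] * 1
    + [(1, "bob@example.com", "198.51.100.2")] * 2
)
SECOND_THRESHOLD = 10   # example value, not from the page
THIRD_THRESHOLD = 4     # example value, not from the page


def run_demo():
    return detect_over_periods(SAMPLE_MAILS, 2, SECOND_THRESHOLD, THIRD_THRESHOLD)


if __name__ == "__main__":
    targets, attackers = run_demo()
    print("target addresses:", targets)
    print("attacker IPs per target:", attackers)
```

The case normalization matters for the count: without it the three spellings of the flooded mailbox would sit in three hash nodes with totals 6, 5 and 1, none above the second threshold, and the target would be missed. The third sender, with a single mail, stays below the third threshold and is correctly not reported, which is the per-IP precision the page cites as the advantage of the slave-node counts over rate-limiting the whole server.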
Claims
1. A method for detecting a mail attack, characterized by including:
receiving a data stream;
obtaining a mail flow parameter for each statistical period in a predetermined number of statistical periods, where, in each statistical period, the mail flow parameter of that statistical period is determined according to the protocol type of the received data stream; and
when the mail flow parameter of every statistical period in the predetermined number of statistical periods matches a first threshold, determining that a mail attack is detected.
2. The method according to claim 1, characterized in that determining the mail flow parameter of each statistical period according to the protocol type of the received data stream includes:
analyzing the protocol type of the data stream received in each statistical period;
when the protocol type belongs to a mail protocol type, determining that the data stream is mail; and
obtaining the mail flow parameter of each statistical period according to the determined mail.
3. The method according to claim 1 or 2, characterized in that the mail flow parameter includes:
a quantity of mail; or
a number of newly established Simple Mail Transfer Protocol (SMTP) connections for transmitting mail; or
an increase in the number of concurrent SMTP connections for transmitting mail.
4. The method according to any one of claims 1 to 3, characterized in that, after determining that a mail attack is detected, the method further includes:
obtaining the recipient mailbox address of mail received in each detection period in a predetermined number of detection periods; counting the number of occurrences of each obtained recipient mailbox address in each detection period; and
determining a recipient mailbox address whose number of occurrences in any detection period in the predetermined number of detection periods exceeds a second threshold as a target address of the mail attack.
5. The method according to claim 4, characterized by further including:
while obtaining the recipient mailbox address of mail received in each detection period in the predetermined number of detection periods, obtaining the sender Internet Protocol (IP) address of the mail;
establishing, for each detection period, a correspondence between recipient mailbox addresses and sender IP addresses; and
after determining the recipient mailbox address whose number of occurrences in any detection period in the predetermined number of detection periods exceeds the second threshold as the target address of the mail attack, further including:
counting, according to the correspondence, the number of occurrences of each sender IP address corresponding to the target address; and determining a sender IP address whose number of occurrences exceeds a third threshold as an attacker IP address of the mail attack.
6. An apparatus for detecting a mail attack, characterized by including:
a receiving unit, configured to receive a data stream;
a first obtaining unit, configured to obtain a mail flow parameter for each statistical period in a predetermined number of statistical periods, where, in each statistical period, the mail flow parameter of that statistical period is determined according to the protocol type of the data stream received by the receiving unit; and
a determining unit, configured to determine that a mail attack is detected when the mail flow parameter of every statistical period in the predetermined number of statistical periods obtained by the first obtaining unit matches a first threshold.
7. The apparatus according to claim 6, characterized in that the first obtaining unit includes:
a protocol type analyzing subunit, configured to analyze, in each statistical period, the protocol type of the data stream received in that statistical period;
a mail determining subunit, configured to determine that the data stream is mail when the protocol type of the data stream analyzed by the protocol type analyzing subunit belongs to a mail protocol type; and
a parameter obtaining subunit, configured to obtain the mail flow parameter of each statistical period according to the mail determined by the mail determining subunit.
8. The apparatus according to claim 6 or 7, characterized by further including:
a second obtaining unit, configured to obtain, after the determining unit determines that a mail attack is detected, the recipient mailbox address of mail received in each detection period in a predetermined number of detection periods;
a first counting unit, configured to count the number of occurrences, in each detection period, of each recipient mailbox address obtained by the second obtaining unit; and
a target address determining unit, configured to determine a recipient mailbox address whose number of occurrences, counted by the first counting unit, in any detection period in the predetermined number of detection periods exceeds a second threshold as a target address of the mail attack.
9. The apparatus according to claim 8, characterized by further including:
a third obtaining unit, configured to obtain the sender Internet Protocol (IP) address of the mail while the second obtaining unit obtains the recipient mailbox address of mail received in each detection period in the predetermined number of detection periods; a correspondence establishing unit, configured to establish, for each detection period, a correspondence between the recipient mailbox addresses obtained by the second obtaining unit and the sender IP addresses obtained by the third obtaining unit;
a second counting unit, configured to count, after the target address determining unit determines the target address, the number of occurrences of each sender IP address corresponding to the target address according to the correspondence established by the correspondence establishing unit; and an attacker address determining unit, configured to determine a sender IP address whose number of occurrences, counted by the second counting unit, exceeds a third threshold as an attacker IP address of the mail attack.
10. A device for detecting a mail attack, characterized by including:
a network interface, configured to receive a data stream; and
a processor, configured to obtain a mail flow parameter for each statistical period in a predetermined number of statistical periods, where, in each statistical period, the mail flow parameter of that statistical period is determined according to the protocol type of the data stream received by the network interface, and to determine that a mail attack is detected when the mail flow parameter of every statistical period in the predetermined number of statistical periods matches a first threshold.
11. The device according to claim 10, characterized in that the processor is specifically configured to: analyze, in each statistical period, the protocol type of the data stream received by the network interface in that statistical period; when the protocol type belongs to a mail protocol type, determine that the data stream is mail; and obtain the mail flow parameter of each statistical period according to the determined mail.
12. The device according to claim 10 or 11, characterized in that the processor is further configured to: after determining that a mail attack is detected, obtain the recipient mailbox address of mail received by the network interface in each detection period in a predetermined number of detection periods, count the number of occurrences of each obtained recipient mailbox address in each detection period, and determine a recipient mailbox address whose number of occurrences in any detection period in the predetermined number of detection periods exceeds a second threshold as a target address of the mail attack.
13. The device according to claim 12, characterized in that the processor is further configured to: while obtaining the recipient mailbox address of mail received by the network interface in each detection period in the predetermined number of detection periods, obtain the sender Internet Protocol (IP) address of the mail; establish, for each detection period, a correspondence between recipient mailbox addresses and sender IP addresses; and, after determining the recipient mailbox address whose number of occurrences in any detection period in the predetermined number of detection periods exceeds the second threshold as the target address of the mail attack, count, according to the correspondence, the number of occurrences of each sender IP address corresponding to the target address, and determine a sender IP address whose number of occurrences exceeds a third threshold as an attacker IP address of the mail attack.
Priority Applications (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
EP13866926.2A EP2800333B1 (en) | 2012-12-27 | 2013-12-25 | Method, apparatus and device for detecting an e-mail bomb |
US14/512,777 US10135844B2 (en) | 2012-12-27 | 2014-10-13 | Method, apparatus, and device for detecting e-mail attack |
US16/156,514 US10673874B2 (en) | 2012-12-27 | 2018-10-10 | Method, apparatus, and device for detecting e-mail attack |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201210579285.XA CN103078752B (zh) | 2012-12-27 | 2012-12-27 | Method, apparatus and device for detecting a mail attack |
CN201210579285.X | 2012-12-27 |
Related Child Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US14/512,777 Continuation US10135844B2 (en) | 2012-12-27 | 2014-10-13 | Method, apparatus, and device for detecting e-mail attack |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2014101758A1 true WO2014101758A1 (zh) | 2014-07-03 |
Family
ID=48155162
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2013/090383 WO2014101758A1 (zh) | 2012-12-27 | 2013-12-25 | Method, apparatus and device for detecting a mail attack |
Country Status (4)
Country | Link |
---|---|
US (2) | US10135844B2 (zh) |
EP (1) | EP2800333B1 (zh) |
CN (1) | CN103078752B (zh) |
WO (1) | WO2014101758A1 (zh) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20150281917A1 (en) * | 2014-03-25 | 2015-10-01 | Wavemarket, Inc. | Device messaging attack detection and control system and method |
Families Citing this family (40)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103078752B (zh) | 2012-12-27 | 2016-03-30 | 华为技术有限公司 | Method, apparatus and device for detecting a mail attack |
US10971896B2 (en) | 2013-04-29 | 2021-04-06 | Nuburu, Inc. | Applications, methods and systems for a laser deliver addressable array |
US10562132B2 (en) | 2013-04-29 | 2020-02-18 | Nuburu, Inc. | Applications, methods and systems for materials processing with visible raman laser |
US10694029B1 (en) | 2013-11-07 | 2020-06-23 | Rightquestion, Llc | Validating automatic number identification data |
US11646549B2 (en) | 2014-08-27 | 2023-05-09 | Nuburu, Inc. | Multi kW class blue laser system |
CN104348712B (zh) * | 2014-10-15 | 2017-10-27 | 新浪网技术(中国)有限公司 | Spam filtering method and apparatus |
US10104117B2 (en) * | 2016-02-24 | 2018-10-16 | Microsoft Technology Licensing, Llc | Identifying user behavior in a distributed computing system |
US11980970B2 (en) | 2016-04-29 | 2024-05-14 | Nuburu, Inc. | Visible laser additive manufacturing |
US10940562B2 (en) | 2017-01-31 | 2021-03-09 | Nuburu, Inc. | Methods and systems for welding copper using blue laser |
US11612957B2 (en) | 2016-04-29 | 2023-03-28 | Nuburu, Inc. | Methods and systems for welding copper and other metals using blue lasers |
US10880322B1 (en) * | 2016-09-26 | 2020-12-29 | Agari Data, Inc. | Automated tracking of interaction with a resource of a message |
US10805314B2 (en) | 2017-05-19 | 2020-10-13 | Agari Data, Inc. | Using message context to evaluate security of requested data |
US10805270B2 (en) * | 2016-09-26 | 2020-10-13 | Agari Data, Inc. | Mitigating communication risk by verifying a sender of a message |
US11936604B2 (en) | 2016-09-26 | 2024-03-19 | Agari Data, Inc. | Multi-level security analysis and intermediate delivery of an electronic message |
CN107743087B (zh) * | 2016-10-27 | 2020-05-12 | 腾讯科技(深圳)有限公司 | Mail attack detection method and system |
US11044267B2 (en) | 2016-11-30 | 2021-06-22 | Agari Data, Inc. | Using a measure of influence of sender in determining a security risk associated with an electronic message |
US10715543B2 (en) | 2016-11-30 | 2020-07-14 | Agari Data, Inc. | Detecting computer security risk based on previously observed communications |
US11722513B2 (en) | 2016-11-30 | 2023-08-08 | Agari Data, Inc. | Using a measure of influence of sender in determining a security risk associated with an electronic message |
KR102423330B1 (ko) | 2017-04-21 | 2022-07-20 | 누부루 인크. | Multi-clad optical fiber |
US11019076B1 (en) | 2017-04-26 | 2021-05-25 | Agari Data, Inc. | Message security assessment using sender identity profiles |
CN107018067A (zh) * | 2017-05-02 | 2017-08-04 | 深圳市安之天信息技术有限公司 | Malicious mail early-warning method and system based on botnet monitoring |
CN107172023A (zh) * | 2017-05-03 | 2017-09-15 | 成都国腾实业集团有限公司 | Content-oriented network security monitoring system and method |
US11757914B1 (en) | 2017-06-07 | 2023-09-12 | Agari Data, Inc. | Automated responsive message to determine a security risk of a message sender |
US11102244B1 (en) | 2017-06-07 | 2021-08-24 | Agari Data, Inc. | Automated intelligence gathering |
CN110999000B (zh) | 2017-06-13 | 2021-10-08 | 努布鲁有限公司 | High-density wavelength beam combining laser system |
CN107888484A (zh) * | 2017-11-29 | 2018-04-06 | 北京明朝万达科技股份有限公司 | A mail processing method and system |
CN108055195B (zh) * | 2017-12-22 | 2021-03-30 | 广东睿江云计算股份有限公司 | A method for filtering spam e-mail |
JP6783261B2 (ja) * | 2018-02-15 | 2020-11-11 | 日本電信電話株式会社 | Threat information extraction device and threat information extraction system |
CN109327453B (zh) * | 2018-10-31 | 2021-04-13 | 北斗智谷(北京)安全技术有限公司 | A method for identifying a specific threat, and electronic device |
WO2020107030A1 (en) | 2018-11-23 | 2020-05-28 | Nuburu, Inc | Multi-wavelength visible laser source |
JP2022523725A (ja) | 2019-02-02 | 2022-04-26 | ヌブル インク | High-reliability, high-power, high-brightness blue laser diode system and method of manufacturing the same |
CN111835683B (zh) * | 2019-04-19 | 2021-10-15 | 上海哔哩哔哩科技有限公司 | Connection control method, system, device and computer-readable storage medium |
CN111835682B (zh) | 2019-04-19 | 2021-05-11 | 上海哔哩哔哩科技有限公司 | Connection control method, system, device and computer-readable storage medium |
CN110417643B (zh) * | 2019-07-29 | 2021-10-08 | 世纪龙信息网络有限责任公司 | Mail processing method and apparatus |
US11159464B2 (en) * | 2019-08-02 | 2021-10-26 | Dell Products L.P. | System and method for detecting and removing electronic mail storms |
CN111866002A (zh) * | 2020-07-27 | 2020-10-30 | 中国工商银行股份有限公司 | Method, apparatus, system and medium for detecting mail security |
CN112165445B (zh) * | 2020-08-13 | 2023-04-07 | 杭州数梦工场科技有限公司 | Method, apparatus, storage medium and computer device for detecting network attacks |
US11616809B1 (en) * | 2020-08-18 | 2023-03-28 | Wells Fargo Bank, N.A. | Fuzzy logic modeling for detection and presentment of anomalous messaging |
CN113783857B (zh) * | 2021-08-31 | 2023-11-07 | 新华三信息安全技术有限公司 | An attack prevention method, apparatus, device and machine-readable storage medium |
CN114389872A (zh) * | 2021-12-29 | 2022-04-22 | 卓尔智联(武汉)研究院有限公司 | Data processing method, model training method, electronic device and storage medium |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101119321A (zh) * | 2007-09-29 | 2008-02-06 | 杭州华三通信技术有限公司 | Network traffic classification processing method and network traffic classification processing apparatus |
CN101540773A (zh) * | 2009-04-22 | 2009-09-23 | 成都市华为赛门铁克科技有限公司 | A spam detection method and apparatus therefor |
US7716297B1 (en) * | 2007-01-30 | 2010-05-11 | Proofpoint, Inc. | Message stream analysis for spam detection and filtering |
CN103078752A (zh) * | 2012-12-27 | 2013-05-01 | 华为技术有限公司 | A method, apparatus and device for detecting mail attacks |
Family Cites Families (28)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6507866B1 (en) * | 1999-07-19 | 2003-01-14 | At&T Wireless Services, Inc. | E-mail usage pattern detection |
US7032023B1 (en) * | 2000-05-16 | 2006-04-18 | America Online, Inc. | Throttling electronic communications from one or more senders |
US6779021B1 (en) * | 2000-07-28 | 2004-08-17 | International Business Machines Corporation | Method and system for predicting and managing undesirable electronic mail |
US7752665B1 (en) * | 2002-07-12 | 2010-07-06 | TCS Commercial, Inc. | Detecting probes and scans over high-bandwidth, long-term, incomplete network traffic information using limited memory |
US20070050777A1 (en) * | 2003-06-09 | 2007-03-01 | Hutchinson Thomas W | Duration of alerts and scanning of large data stores |
US20040252722A1 (en) * | 2003-06-13 | 2004-12-16 | Samsung Electronics Co., Ltd. | Apparatus and method for implementing VLAN bridging and a VPN in a distributed architecture router |
US9338026B2 (en) * | 2003-09-22 | 2016-05-10 | Axway Inc. | Delay technique in e-mail filtering system |
US7548956B1 (en) * | 2003-12-30 | 2009-06-16 | Aol Llc | Spam control based on sender account characteristics |
US7539871B1 (en) * | 2004-02-23 | 2009-05-26 | Sun Microsystems, Inc. | System and method for identifying message propagation |
US20050198159A1 (en) * | 2004-03-08 | 2005-09-08 | Kirsch Steven T. | Method and system for categorizing and processing e-mails based upon information in the message header and SMTP session |
US7873695B2 (en) * | 2004-05-29 | 2011-01-18 | Ironport Systems, Inc. | Managing connections and messages at a server by associating different actions for both different senders and different recipients |
US7849142B2 (en) * | 2004-05-29 | 2010-12-07 | Ironport Systems, Inc. | Managing connections, messages, and directory harvest attacks at a server |
US8234705B1 (en) * | 2004-09-27 | 2012-07-31 | Radix Holdings, Llc | Contagion isolation and inoculation |
US7607170B2 (en) * | 2004-12-22 | 2009-10-20 | Radware Ltd. | Stateful attack protection |
US7908328B1 (en) * | 2004-12-27 | 2011-03-15 | Microsoft Corporation | Identification of email forwarders |
US7975010B1 (en) * | 2005-03-23 | 2011-07-05 | Symantec Corporation | Countering spam through address comparison |
US20060294588A1 (en) * | 2005-06-24 | 2006-12-28 | International Business Machines Corporation | System, method and program for identifying and preventing malicious intrusions |
US7958557B2 (en) * | 2006-05-17 | 2011-06-07 | Computer Associates Think, Inc. | Determining a source of malicious computer element in a computer network |
US8775521B2 (en) * | 2006-06-30 | 2014-07-08 | At&T Intellectual Property Ii, L.P. | Method and apparatus for detecting zombie-generated spam |
US7984297B2 (en) * | 2006-07-25 | 2011-07-19 | Mypoints.Com Inc. | System and method of spam proof e-mail bounce tracking |
US20080082658A1 (en) * | 2006-09-29 | 2008-04-03 | Wan-Yen Hsu | Spam control systems and methods |
US8689334B2 (en) * | 2007-02-28 | 2014-04-01 | Alcatel Lucent | Security protection for a customer programmable platform |
US7783597B2 (en) * | 2007-08-02 | 2010-08-24 | Abaca Technology Corporation | Email filtering using recipient reputation |
CN101803305B (zh) * | 2007-09-28 | 2014-06-11 | 日本电信电话株式会社 | Network monitoring device and network monitoring method |
CN101707539B (zh) * | 2009-11-26 | 2012-01-04 | 成都市华为赛门铁克科技有限公司 | Worm virus detection method, apparatus and gateway device |
US10104029B1 (en) * | 2011-11-09 | 2018-10-16 | Proofpoint, Inc. | Email security architecture |
US9876742B2 (en) * | 2012-06-29 | 2018-01-23 | Microsoft Technology Licensing, Llc | Techniques to select and prioritize application of junk email filtering rules |
US9401932B2 (en) * | 2012-12-04 | 2016-07-26 | Cyber Adapt, Inc. | Device and method for detection of anomalous behavior in a computer network |
- 2012-12-27 CN CN201210579285.XA patent/CN103078752B/zh active Active
- 2013-12-25 EP EP13866926.2A patent/EP2800333B1/en not_active Not-in-force
- 2013-12-25 WO PCT/CN2013/090383 patent/WO2014101758A1/zh active Application Filing
- 2014-10-13 US US14/512,777 patent/US10135844B2/en active Active
- 2018-10-10 US US16/156,514 patent/US10673874B2/en not_active Expired - Fee Related
Non-Patent Citations (1)
Title |
---|
See also references of EP2800333A4 * |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20150281917A1 (en) * | 2014-03-25 | 2015-10-01 | Wavemarket, Inc. | Device messaging attack detection and control system and method |
US9237426B2 (en) * | 2014-03-25 | 2016-01-12 | Location Labs, Inc. | Device messaging attack detection and control system and method |
Also Published As
Publication number | Publication date |
---|---|
US20190044962A1 (en) | 2019-02-07 |
US20150033343A1 (en) | 2015-01-29 |
CN103078752B (zh) | 2016-03-30 |
US10673874B2 (en) | 2020-06-02 |
US10135844B2 (en) | 2018-11-20 |
EP2800333A4 (en) | 2015-03-11 |
EP2800333B1 (en) | 2016-04-06 |
EP2800333A1 (en) | 2014-11-05 |
CN103078752A (zh) | 2013-05-01 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
WO2014101758A1 (zh) | | A method, apparatus and device for detecting mail attacks |
KR101745624B1 (ko) | | Real-time spam detection system |
EP2289221B1 (en) | | Network intrusion protection |
US7426634B2 (en) | | Method and apparatus for rate based denial of service attack detection and prevention |
US8245300B2 (en) | | System and method for ARP anti-spoofing security |
US7796515B2 (en) | | Propagation of viruses through an information technology network |
KR20090006838A (ko) | | Malicious attack detection system and useful methods associated therewith |
US20080222717A1 (en) | | Detecting Anomalous Network Application Behavior |
CN110166480B (zh) | | A packet analysis method and apparatus |
US7478168B2 (en) | | Device, method and program for band control |
US7958557B2 (en) | | Determining a source of malicious computer element in a computer network |
EP1732288A1 (en) | | Adaptive defense against various network attacks |
US8301712B1 (en) | | System and method for protecting mail servers from mail flood attacks |
CN106878326A (zh) | | IPv6 neighbor cache protection method based on reverse detection, and apparatus therefor |
EP3618355B1 (en) | | Systems and methods for operating a networking device |
WO2019096104A1 (zh) | | Attack prevention |
Wang et al. | | An approach for protecting the openflow switch from the saturation attack |
WO2006066444A1 (fr) | | Connection-oriented spam filtering system and associated method |
Zamil et al. | | A behavior based algorithm to detect spam bots |
US12058156B2 (en) | | System and method for detecting and mitigating port scanning attacks |
Moon et al. | | A Multi-resolution Port Scan Detection Technique for High-speed Networks. |
Sul et al. | | Countering Interest flooding DDoS attacks in NDN Network |
JP2009284529A (ja) | | Bandwidth control device, bandwidth control method and bandwidth control program |
CN118555300A (zh) | | A shared internet access detection method and apparatus |
JP2007068208A (ja) | | Bandwidth control device, bandwidth control method and bandwidth control program |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| WWE | Wipo information: entry into national phase | Ref document number: 2013866926 Country of ref document: EP |
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 13866926 Country of ref document: EP Kind code of ref document: A1 |
| NENP | Non-entry into the national phase | Ref country code: DE |