WO2019141091A1 - 一种邮件的监控方法、系统与装置 - Google Patents

一种邮件的监控方法、系统与装置 Download PDF

Info

Publication number
WO2019141091A1
WO2019141091A1 PCT/CN2019/070302 CN2019070302W WO2019141091A1 WO 2019141091 A1 WO2019141091 A1 WO 2019141091A1 CN 2019070302 W CN2019070302 W CN 2019070302W WO 2019141091 A1 WO2019141091 A1 WO 2019141091A1
Authority
WO
WIPO (PCT)
Prior art keywords
attachment
accessory
mail
file
malware
Prior art date
Application number
PCT/CN2019/070302
Other languages
English (en)
French (fr)
Inventor
陈磊华
潘庆峰
李晓文
Original Assignee
论客科技(广州)有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 论客科技(广州)有限公司 filed Critical 论客科技(广州)有限公司
Publication of WO2019141091A1 publication Critical patent/WO2019141091A1/zh
Priority to ZA2020/04846A priority Critical patent/ZA202004846B/en

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L51/00User-to-user messaging in packet-switching networks, transmitted according to store-and-forward or real-time protocols, e.g. e-mail
    • H04L51/21Monitoring or handling of messages
    • H04L51/212Monitoring or handling of messages using filtering or selective blocking
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L51/00User-to-user messaging in packet-switching networks, transmitted according to store-and-forward or real-time protocols, e.g. e-mail
    • H04L51/07User-to-user messaging in packet-switching networks, transmitted according to store-and-forward or real-time protocols, e.g. e-mail characterised by the inclusion of specific contents
    • H04L51/08Annexed information, e.g. attachments
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L51/00User-to-user messaging in packet-switching networks, transmitted according to store-and-forward or real-time protocols, e.g. e-mail
    • H04L51/42Mailbox-related aspects, e.g. synchronisation of mailboxes
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • H04L63/145Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms

Definitions

  • the present invention relates to the field of information security technologies, and in particular, to a method, system and device for monitoring emails.
  • Patent No. CN201110442195.1 discloses a system and method for detecting unknown malware, which includes generating genes for known malicious and clean objects; analyzing different target genes using different malware analysis methods; Knowing the analysis of the genes of malicious objects to calculate the level of successful detection of malicious objects by one or a combination of malware analysis methods; calculating one or a combination of clean objects by malware analysis methods based on analysis of genes of known clean objects False positive detection level; measure the effectiveness of each or combination of malicious analysis methods as a function of successful detection levels and false positive detection levels; and select one or a combination of the most effective malware analysis methods to analyze the presence of unknown objects malicious software.
  • the above method has the following drawbacks: Since many anti-virus systems have a time lag in response to emerging malware, and when anti-virus systems can detect malware with e-mail attachments, many e-mails have been delivered to the user.
  • the mailbox is anti-virus software that reacts too slowly to the latest unknown samples that appear in the mail system.
  • the current anti-virus software is not designed for the mail system, there is a lack of information for determining whether the email attachment is malware, and the malware detection effect is poor.
  • the object of the present invention is to provide a method, system and device for monitoring mails, which can quickly and accurately identify whether an attachment carried by a mail is malware, and timely filter mails carrying malware to ensure the security of the mail receiving end.
  • an embodiment of the present invention provides a method for monitoring a mail, including:
  • a suspicious software token is added to the attachment and a warning email carrying the new email is generated to cause the recipient to open the new email via the warning email.
  • the accessory when the accessory is identified as suspicious software, adding a suspicious software tag to the accessory and generating a warning email carrying the new email, so that the recipient opens the new email by using the warning email, specifically including :
  • the suspicious software tag of the accessory is updated to a malware tag.
  • the method for monitoring the mail further includes:
  • the file feature is input into an SVM classifier for feature training, and the preset filter model is constructed.
  • the identifying the accessory by using the preset sandbox tool comprises:
  • the preset sandbox tool virtually opens the accessory, detecting whether the accessory generates malicious behavior to the sandbox tool; wherein the malicious behavior includes adding a file in an important directory of the sandbox tool, The important files and configurations of the sandbox tool are modified and the process is injected into the external logic;
  • the accessory is identified as malware when the accessory generates malicious behavior against the sandbox tool
  • the accessory is identified as suspicious software when the accessory does not cause malicious behavior to the sandbox tool.
  • the accessory when the accessory is determined to be malware, updating the suspicious software tag of the accessory to a malware tag, specifically:
  • the accessory is determined to be malware, detecting a close relationship between the sender and the recipient;
  • the suspicious software tag of the attachment is updated to a malware token.
  • the method is performed by using a hash algorithm to obtain the hash feature of the accessory, which specifically includes:
  • the attachment is an executable file or a dynamic link library file, acquiring an assembly code of the attachment and constructing an assembly code sequence, and performing a calculation by using a hash algorithm on the assembly code sequence to obtain a hash feature of the attachment;
  • the token of the attachment is extracted, and the token of the attachment is calculated by using a hash algorithm to obtain a hash feature of the attachment;
  • the attachment When the attachment is a pdf file or an Office file, acquiring a tree structure of the attachment, extracting a node path corresponding to the tree structure of the attachment, and performing a hash algorithm on the node path to obtain the attachment. Hash feature.
  • the accessory when the accessory is an executable file or a dynamic link library file, acquiring assembly code of the accessory and constructing an assembly code sequence, and performing a calculation by using a hash algorithm on the assembly code sequence to obtain the accessory Hash features, including:
  • a hash algorithm is used to calculate the assembly code sequence to obtain a hash feature of the attachment.
  • the accessory is a pdf file or an Office file
  • acquiring a tree structure of the accessory extracting a node path corresponding to the tree structure of the accessory, and performing a hash algorithm calculation on the node path
  • Obtaining the hash feature of the attachment specifically including:
  • the attachment When the attachment is a pdf file or an Office file, the attachment is subjected to text split processing to obtain a plurality of text data blocks;
  • a hash algorithm is performed on the node path to obtain a hash feature of the attachment.
  • the present invention also provides a mail monitoring system, including:
  • An email attachment obtaining module for acquiring an attachment carried by a new mail
  • a hash feature calculation module configured to perform a calculation by using a hash algorithm on the accessory, to obtain a hash feature of the accessory;
  • An accessory prediction module configured to input a hash feature of the accessory into a preset filtering model, to obtain a predicted value of the accessory as malware;
  • An accessory sending module configured to send the accessory to a preset sandbox tool when the predicted value is greater than a set threshold
  • a sandbox detection module configured to identify the accessory by the preset sandbox tool
  • a mail rejection module configured to add a malware mark to the attachment and reject the new mail when the accessory is identified as malware
  • a mail warning module configured to add a suspicious software mark to the attachment when the accessory is identified as suspicious software and generate a warning message carrying the new mail to cause the addressee to open the new mail through the warning mail.
  • An embodiment of the present invention further provides a mail monitoring device, including a processor, a memory, and a computer program stored in the memory and configured to be executed by the processor, when the processor executes the computer program, Implement the above monitoring method of mail.
  • a mail monitoring device including a processor, a memory, and a computer program stored in the memory and configured to be executed by the processor, when the processor executes the computer program, Implement the above monitoring method of mail.
  • the method for monitoring the mail includes acquiring an attachment carried by the new mail; using the hash algorithm for calculating the attachment, obtaining the a hash feature of the attachment; inputting a hash feature of the attachment into a preset filtering model to obtain a predicted value of the accessory as malware; and sending the accessory when the predicted value is greater than a set threshold Go to a preset sandbox tool; identify the attachment by the preset sandbox tool; add the malware mark to the attachment and reject the new mail when the accessory is identified as malware;
  • a suspicious software token is added to the attachment and a warning email carrying the new email is generated to cause the recipient to open the new email through the warning email.
  • the embodiment of the invention further provides a monitoring system and device for mail.
  • FIG. 1 is a flowchart of a method for monitoring an email according to an embodiment of the present invention
  • FIG. 2 is a schematic diagram of a mail monitoring system according to an embodiment of the present invention.
  • the method for monitoring the mail includes:
  • S200 Perform a calculation by using a hash algorithm on the accessory, and obtain a hash feature of the accessory.
  • S300 input the hash feature of the accessory into a preset filtering model, and obtain the predicted value of the accessory as malware;
  • S500 identify the accessory by using the preset sandbox tool
  • S700 When the accessory is identified as suspicious software, adding a suspicious software tag to the accessory and generating a warning email carrying the new mail, so that the recipient opens the new mail by using the warning email.
  • the filtering model Predicting whether the accessory is malware by the filtering model, obtaining a predicted value, and then the sandbox tool performs malware identification on the accessory whose predicted value is greater than a set threshold, by using the above
  • the method can quickly and accurately identify whether the attachment carried by the mail is malware, and timely filter the mail carrying the malicious software to ensure the security of the mail receiving end.
  • S700 when the accessory is identified as suspicious software, adding a suspicious software tag to the accessory and generating a warning message carrying the new mail to enable the addressee to open through the warning message
  • the new mail includes:
  • the suspicious software tag of the accessory is updated to a malware tag.
  • the preset anti-virus tool may be a third-party anti-virus software pre-deployed in the recipient's mailbox.
  • the anti-virus tool will check again through the sandbox tool marked as "suspicious software”.
  • the anti-virus tool determines that it is malware, and updates the tag of the attachment to "malware", otherwise it remains marked as "suspicious software”. .
  • Re-checking the accessory by the anti-virus tool can improve the accuracy of the accessory being identified as malware and reduce the possibility of misjudgment.
  • the method for monitoring the mail further includes:
  • the file feature is input into an SVM classifier for feature training, and the preset filter model is constructed.
  • the preset sample file is automatically obtained at a low cost through the communication relationship of the mail system. For example, for two mailboxes with a large number of communication relationships, the attachments sent to each other will be marked as “comprehensive”. These “comprehensive” sample files will be executed through the sandbox tool, excluding some possible After the attachment to the problem, the sample is labeled "Suspicious Software.” Those who have not had a communication relationship before will execute it through the sandbox tool. If there is any suspicious behavior (modifying system important files, injecting some execution logic, etc.), the sample file will be marked as "malware.”
  • the file features of the plurality of marked sample files obtained by the above method are input into an SVM classifier for feature training (machine learning training classification model method), and the filtering model is trained. For each attachment encountered by the mail system, a preliminary determination is made by using the filtering model. If the filtering model is determined to be suspicious, the sandbox tool is used to check the attachment, and the determination is malware. The attachment is rejected, and the accessory that is determined to be suspicious software can prompt the recipient that the attachment is suspicious, alert the recipient, and reduce the chance of the recipient's system being infected by malware.
  • the identifying the accessory by using the preset sandbox tool comprises:
  • the preset sandbox tool virtually opens the accessory, detecting whether the accessory generates malicious behavior to the sandbox tool; wherein the malicious behavior includes adding a file in an important directory of the sandbox tool, The important files and configurations of the sandbox tool are modified and the process is injected into the external logic;
  • the accessory is identified as malware when the accessory generates malicious behavior against the sandbox tool
  • the accessory is identified as suspicious software when the accessory does not cause malicious behavior to the sandbox tool.
  • updating the suspicious software tag of the accessory to a malware tag specifically:
  • the accessory is determined to be malware, detecting a close relationship between the sender and the recipient;
  • the suspicious software tag of the attachment is updated to a malware token.
  • the sandbox tool is determined to be an attachment of the suspicious software, and the anti-virus software check finds that the sender and the recipient have a close communication relationship, that is, the sender and the recipient communicate with each other.
  • the number is greater than the preset tight threshold. For example, if the number of mutual signaling is greater than 10 (10 is the empirical value), the attachment tag is maintained as "suspicious software".
  • the sender and the recipient do not have a close communication relationship, that is, the number of mutual transmissions between the sender and the recipient is less than a preset tight threshold, for example, the number of mutual transmissions is less than 10 (10 is an empirical value), and the mutual setting is set.
  • the attachment tag is updated to "malware."
  • malware the attachment of the sender's mail is malware.
  • the two mailboxes frequently communicate with each other, the attachments between the two mailboxes are malicious.
  • the probability of the software is relatively small; if the same (or similar content) attachment is sent to another mailbox by a mailbox that has not had any previous communication relationship within a certain period of time, the probability of the attachment being malware bigger.
  • the method is performed by using a hash algorithm to obtain the hash feature of the accessory, which specifically includes:
  • the attachment is an executable file or a dynamic link library file, acquiring an assembly code of the attachment and constructing an assembly code sequence, and performing a calculation by using a hash algorithm on the assembly code sequence to obtain a hash feature of the attachment;
  • the token of the attachment is extracted, and the token of the attachment is calculated by using a hash algorithm to obtain a hash feature of the attachment;
  • the attachment When the attachment is a pdf file or an Office file, acquiring a tree structure of the attachment, extracting a node path corresponding to the tree structure of the attachment, and performing a hash algorithm on the node path to obtain the attachment. Hash feature.
  • the hash feature is md5(Set)md5(objShell)md5(wscript.CreateObject("Wscript.Shell”)).
  • the accessory when the accessory is an executable file or a dynamic link library file, acquiring assembly code of the accessory and constructing an assembly code sequence, and adopting a hash algorithm on the assembly code sequence Performing a calculation to obtain a hash feature of the attachment, specifically including:
  • a hash algorithm is used to calculate the assembly code sequence to obtain a hash feature of the attachment.
  • an executable file scans the assembly code of the executable file, and merges the adjacent three assembly codes into one generated assembly code sequence, and generates an assembly code sequence A, B, C in total. D, E, and calculating the hash feature of the assembly code sequence, the corresponding hash feature is md5(A+B+C)md5(B+C+D)md5(C+D+E).
  • the accessory when the accessory is a pdf file or an Office file, acquiring a tree structure of the accessory, extracting a node path corresponding to the tree structure of the accessory, and the node The path is calculated by using a hash algorithm to obtain the hash feature of the attachment, which specifically includes:
  • the attachment When the attachment is a pdf file or an Office file, the attachment is subjected to text split processing to obtain a plurality of text data blocks;
  • a hash algorithm is performed on the node path to obtain a hash feature of the attachment.
  • a pdf file text detaching the pdf text, and constructing the following tree structure A+B+C+D+E (the root of the pdf file is A, and the lower layer has B, C, E three child nodes, C lower layer has D child nodes), the hash algorithm is used to calculate the node path, and the hash feature of the pdf file is md5(A+B)md5(A+C+D) Md5(A+E).
  • FIG. 2 is a schematic diagram of a mail monitoring system provided by the implementation of the present invention.
  • the mail monitoring system includes:
  • the mail attachment obtaining module 1 is configured to obtain an attachment carried by the new mail
  • a hash feature calculation module 2 configured to perform a calculation by using a hash algorithm on the accessory, to obtain a hash feature of the accessory;
  • the accessory prediction module 3 is configured to input a hash feature of the accessory into a preset filtering model, and obtain the predicted value of the accessory as malware;
  • the accessory sending module 4 is configured to send the accessory to a preset sandbox tool when the predicted value is greater than a set threshold;
  • a sandbox detecting module 5 configured to identify the accessory by using the preset sandbox tool
  • the mail rejection module 6 is configured to add a malware mark to the attachment and reject the new mail when the accessory is identified as malware;
  • the mail warning module 7 is configured to add a suspicious software mark to the accessory and generate a warning mail carrying the new mail when the accessory is identified as suspicious software, so that the addressee opens the new mail through the warning mail.
  • the filtering model Predicting whether the accessory is malware by the filtering model, obtaining a predicted value, and then the sandbox tool performs malware identification on the accessory whose predicted value is greater than a set threshold, by using the above
  • the method can quickly and accurately identify whether the attachment carried by the mail is malware, and timely filter the mail carrying the malicious software to ensure the security of the mail receiving end.
  • the mail warning module includes an accessory sending unit and an identifying unit:
  • the accessory sending unit is configured to: when the accessory is identified as suspicious software, send the accessory to a preset anti-virus tool;
  • the identification unit is configured to identify the accessory again by using the preset anti-virus tool
  • the identifying unit is further configured to: when the accessory is determined to be suspicious software, maintain the suspicious software tag of the accessory and generate a warning email carrying the new mail, so that the recipient opens the new mail by using the warning email ;
  • the identification unit is further configured to update the suspicious software tag of the accessory to a malware tag when the accessory is determined to be malware.
  • the preset anti-virus tool may be a third-party anti-virus software pre-deployed in the recipient's mailbox.
  • the anti-virus tool will check again through the sandbox tool marked as "suspicious software”.
  • the anti-virus tool determines that it is malware, and updates the tag of the attachment to "malware", otherwise it remains marked as "suspicious software”. .
  • Re-checking the accessory by the anti-virus tool can improve the accuracy of the accessory being identified as malware and reduce the possibility of misjudgment.
  • the monitoring system of the mail further includes a sample marking module and a machine learning module;
  • the sample marking module is configured to scan a preset sample file, and extract a file feature of the preset sample file; wherein the preset sample file includes a sample file marked as malware and a sample marked as suspicious software file;
  • the machine learning module is configured to input the file feature into an SVM classifier for feature training, and construct the preset filter model.
  • the preset sample file is automatically obtained at a low cost through the communication relationship of the mail system. For example, for two mailboxes with a large number of communication relationships, the attachments sent to each other will be marked as “comprehensive”. These “comprehensive” sample files will be executed through the sandbox tool, excluding some possible After the attachment to the problem, the sample is labeled "Suspicious Software.” Those who have not had a communication relationship before will execute it through the sandbox tool. If there is any suspicious behavior (modifying system important files, injecting some execution logic, etc.), the sample file will be marked as "malware.”
  • the file features of the plurality of marked sample files obtained by the above method are input into an SVM classifier for feature training (machine learning training classification model method), and the filtering model is trained. For each attachment encountered by the mail system, a preliminary determination is made by using the filtering model. If the filtering model is determined to be suspicious, the sandbox tool is used to check the attachment, and the determination is malware. The attachment is rejected, and the accessory that is determined to be suspicious software can prompt the recipient that the attachment is suspicious, alert the recipient, and reduce the chance of the recipient's system being infected by malware.
  • the sandbox detection module includes a behavior detecting unit
  • the behavior detecting unit is configured to detect, when the preset sandbox tool virtually opens the accessory, whether the accessory generates malicious behavior to the sandbox tool; wherein the malicious behavior includes the sandbox Adding files to important directories of the tool, important files of the sandbox tool, and configuration being modified and processes are injected into external logic;
  • the behavior detecting unit is configured to identify the accessory as malware when the accessory generates malicious behavior to the sandbox tool;
  • the behavior detecting unit is configured to identify the accessory as suspicious software when the accessory does not cause malicious behavior to the sandbox tool.
  • the sandbox detection module includes a close relationship detecting unit
  • the close relationship detecting unit is configured to detect a close relationship between the sender and the addressee when the accessory is determined to be malware
  • the close relationship detecting unit is configured to maintain the suspicious software tag of the accessory when the number of mutual signaling between the sender and the recipient is greater than a preset tight threshold;
  • the close relationship detecting unit is configured to update the suspicious software tag of the accessory to a malware tag when the number of mutual signalings between the sender and the recipient is not greater than the preset tight threshold.
  • the sandbox tool is determined to be an attachment of the suspicious software, and the anti-virus software check finds that the sender and the recipient have a close communication relationship, that is, the sender and the recipient communicate with each other.
  • the number is greater than the preset tight threshold. For example, if the number of mutual signaling is greater than 10 (10 is the empirical value), the attachment tag is maintained as "suspicious software".
  • the sender and the recipient do not have a close communication relationship, that is, the number of mutual transmissions between the sender and the recipient is less than a preset tight threshold, for example, the number of mutual transmissions is less than 10 (10 is an empirical value), and the mutual setting is set.
  • the attachment tag is updated to "malware."
  • malware the attachment of the sender's mail is malware.
  • the two mailboxes frequently communicate with each other, the attachments between the two mailboxes are malicious.
  • the probability of the software is relatively small; if the same (or similar content) attachment is sent to another mailbox by a mailbox that has not had any previous communication relationship within a certain period of time, the probability of the attachment being malware bigger.
  • the hash feature calculation module includes a file format identification unit, an assembly code hash feature calculation unit, a token hash feature calculation unit, and a node path hash feature calculation unit;
  • the file format identifying unit is configured to identify a file format of the attachment
  • the assembly code hash feature calculation unit is configured to acquire an assembly code of the attachment and construct an assembly code sequence when the attachment is an executable file or a dynamic link library file, and adopt a hash algorithm on the assembly code sequence Performing a calculation to obtain a hash feature of the attachment;
  • the token hash feature calculation unit is configured to: when the attachment is a script file, extract a token of the attachment, and perform a calculation by using a hash algorithm on the token of the attachment to obtain a hash feature of the attachment;
  • the node path hash feature calculation unit is configured to acquire a tree structure of the attachment when the attachment is a pdf file or an Office file, and extract a node path corresponding to the tree structure of the attachment, and the node is The path is calculated using a hash algorithm to obtain the hash feature of the attachment.
  • the hash feature is md5(Set)md5(objShell)md5(wscript.CreateObject("Wscript.Shell”)).
  • the assembly code hash feature calculation unit includes an assembly code acquisition unit, an assembly code sequence generation unit, and a first hash feature calculation unit;
  • the assembly code obtaining unit is configured to acquire an assembly code of the attachment when the attachment is an executable file or a dynamic link library file;
  • the assembly code sequence generating unit is configured to merge three adjacent assembly codes of the attachment to generate the assembly code sequence
  • the first hash feature calculation unit is configured to perform a calculation by using a hash algorithm on the assembly code sequence to obtain a hash feature of the attachment.
  • an executable file scans the assembly code of the executable file, and merges the adjacent three assembly codes into one generated assembly code sequence, and generates an assembly code sequence A, B, C in total. D, E, and calculating the hash feature of the assembly code sequence, the corresponding hash feature is md5(A+B+C)md5(B+C+D)md5(C+D+E).
  • the node path hash feature calculation unit includes a text splitting unit, a tree structure construction unit, a node path extraction unit, and a second hash feature calculation unit;
  • the text splitting unit is configured to perform text splitting processing on the attachment when the attachment is a pdf file or an Office file, to obtain a plurality of text data blocks;
  • the tree structure construction unit is configured to construct a tree structure of the attachment according to the text data block;
  • the node path extracting unit is configured to extract a node path of the tree structure of the accessory from a root node to an arbitrary leaf node;
  • the second hash feature calculation unit is configured to perform a calculation by using a hash algorithm on the node path to obtain a hash feature of the attachment.
  • a pdf file text detaching the pdf text, and constructing the following tree structure A+B+C+D+E (the root of the pdf file is A, and the lower layer has B, C, E three child nodes, C lower layer has D child nodes), the hash algorithm is used to calculate the node path, and the hash feature of the pdf file is md5(A+B)md5(A+C+D) Md5(A+E).
  • An embodiment of the present invention further provides a mail monitoring device, including a processor, a memory, and a computer program stored in the memory and configured to be executed by the processor, when the processor executes the computer program, Implement the above monitoring method of mail.
  • a mail monitoring device including a processor, a memory, and a computer program stored in the memory and configured to be executed by the processor, when the processor executes the computer program, Implement the above monitoring method of mail.
  • the computer program can be partitioned into one or more modules/units that are stored in the memory and executed by the processor to perform the present invention.
  • the one or more modules/units may be a series of computer program instruction segments capable of performing a particular function, the instruction segments being used to describe the execution of the computer program in the monitoring device of the mail.
  • the computer program may be divided into a mail attachment obtaining module for acquiring an attachment carried by a new mail; a hash feature calculation module, configured to perform a calculation by using a hash algorithm on the attachment, and obtain a hash of the attachment.
  • a feature prediction module configured to input a hash feature of the accessory into a preset filtering model, to obtain a predicted value of the accessory as malware
  • an accessory sending module configured to: when the predicted value is greater than a set threshold And sending the accessory to a preset sandbox tool; the sandbox detecting module is configured to identify the accessory by using the preset sandbox tool; and the mail rejecting module is configured to identify the accessory as malicious Software, adding a malware mark to the attachment and rejecting the new mail; and a mail warning module, configured to add a suspicious software mark to the attachment and generate the new mail when the accessory is identified as suspicious software
  • the warning message is such that the recipient opens the new mail through the warning message.
  • the monitoring device of the mail may be a computing device such as a desktop computer, a notebook, a palmtop computer, and a cloud server.
  • the monitoring device of the mail may include, but is not limited to, a processor and a memory. It can be understood by those skilled in the art that the schematic diagram 2 is only an example of a monitoring device for mail, and does not constitute a limitation on the monitoring device of the mail, and may include more or less components than those illustrated, or may combine some
  • the components, or different components, such as the mail monitoring device may also include input and output devices, network access devices, buses, and the like.
  • the so-called processor can be a central processing unit (CPU), or other general-purpose processor, digital signal processor (DSP), application specific integrated circuit (ASIC), ready-made Field-Programmable Gate Array (FPGA) or other programmable logic device, discrete gate or transistor logic device, discrete hardware components, etc.
  • the general-purpose processor may be a microprocessor or the processor may be any conventional processor or the like, and the processor is a control center of the monitoring device of the mail, and connects the monitoring device of the entire mail by using various interfaces and lines.
  • Various parts are possible to handle the Internet or other electronic mail.
  • the memory can be used to store the computer program and/or module, the processor implementing the mail by running or executing a computer program and/or module stored in the memory, and recalling data stored in the memory Various functions of the monitoring device.
  • the memory may mainly include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application required for at least one function (such as a sound playing function, an image playing function, etc.), and the like; the storage data area may be stored. Data created based on the use of the mobile phone (such as audio data, phone book, etc.).
  • the memory may include a high-speed random access memory, and may also include non-volatile memory such as a hard disk, a memory, a plug-in hard disk, a smart memory card (SMC), and a Secure Digital (SD) card.
  • non-volatile memory such as a hard disk, a memory, a plug-in hard disk, a smart memory card (SMC), and a Secure Digital (SD) card.
  • Flash Card at least one disk storage device, flash memory device, or other volatile solid-state storage device.
  • the module/unit integrated by the monitoring device of the mail can be stored in a computer readable storage medium if it is implemented in the form of a software functional unit and sold or used as a separate product.
  • the present invention implements all or part of the processes in the foregoing embodiments, and may also be completed by a computer program to instruct related hardware.
  • the computer program may be stored in a computer readable storage medium. The steps of the various method embodiments described above may be implemented when the program is executed by the processor.
  • the computer program comprises computer program code, which may be in the form of source code, object code form, executable file or some intermediate form.
  • the computer readable medium may include any entity or device capable of carrying the computer program code, a recording medium, a USB flash drive, a removable hard disk, a magnetic disk, an optical disk, a computer memory, a read-only memory (ROM). , random access memory (RAM, Random Access Memory), electrical carrier signals, telecommunications signals, and software distribution media. It should be noted that the content contained in the computer readable medium may be appropriately increased or decreased according to the requirements of legislation and patent practice in a jurisdiction, for example, in some jurisdictions, according to legislation and patent practice, computer readable media Does not include electrical carrier signals and telecommunication signals.
  • the method for monitoring the mail includes acquiring an attachment carried by the new mail; using the hash algorithm for calculating the attachment, obtaining the a hash feature of the attachment; inputting a hash feature of the attachment into a preset filtering model to obtain a predicted value of the accessory as malware; and sending the accessory when the predicted value is greater than a set threshold Go to a preset sandbox tool; identify the attachment by the preset sandbox tool; add the malware mark to the attachment and reject the new mail when the accessory is identified as malware; When the attachment is identified as suspicious software, a suspicious software token is added to the attachment and a warning email carrying the new email is generated to cause the recipient to open the new email through the warning email.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

本发明公开了一种邮件的监控方法、系统与装置,所述方法包括获取新邮件携带的附件;对所述附件采用哈希算法进行计算,获得所述附件的哈希特征;将所述附件的哈希特征输入预设的过滤模型,获得所述附件为恶意软件的预测值;当所述预测值大于设定的阈值时,将所述附件发送到预设的沙箱工具;通过所述预设的沙箱工具识别所述附件;当所述附件识别为恶意软件时,对所述附件添加恶意软件标记并拒收所述新邮件;当所述附件识别为可疑软件时,对所述附件添加可疑软件标记并生成携带所述新邮件的警告邮件。通过上述邮件的监控方法能够快速以及准确识别邮件携带的附件是否为恶意软件,并及时过滤携带恶意软件的邮件,保证邮件接收端的安全。

Description

一种邮件的监控方法、系统与装置 技术领域
本发明涉及信息安全技术领域,具体涉及一种邮件的监控方法、系统与装置。
背景技术
随着电子邮件的广泛使用,其安全隐患也逐渐显现,在利益的驱使下,黑客为了扩展其僵尸网络,通常使用电子邮件传播恶意代码、发送垃圾邮件。邮件接收者通常防不胜防,被动的沦为垃圾邮件的目标、潜在的恶意代码受害者。黑客通常通过控制僵尸网络发送垃圾邮件,发送邮件的内容会随着当前的热点事件而变化,恶意链接会随着近期出现的漏洞而构造,导致邮件服务器对于垃圾邮件、恶意邮件的过滤一直都没有很好的措施。
专利号为CN201110442195.1公开了一种用于检测未知恶意软件的系统和方法,该方法包括为已知恶意的和干净的对象生成基因;使用不同的恶意软件分析方法分析对象基因;基于对已知恶意对象的基因的分析来计算通过恶意软件分析方法的一个或组合对恶意对象的成功检测水平;基于对已知干净对象的基因的分析来计算通过恶意软件分析方法的一个或组合对干净对象的误报检测水平;以成功检测水平和误报检测水平的函数来衡量恶意分析方法的每一个或组合的有效性;以及选择最有效的恶意软件分析方法的一个或组合来分析未知对象是否存在恶意软件。但是,上述方法存在如下缺陷:由于很多反病毒系统对新出现的恶意软件的反应有一个时间差,导致等反病毒系统能检测出邮件附件带有恶意软件的时候,很多邮件都已经投递进入了用户的邮箱了,反病毒软件对邮件系统中出现的最新的未知样本反应速度过慢。其次由于当前的反病毒软件都不是为邮件系统查毒设计的,缺少了一些用于判定邮件附件是否恶意软件的 信息,恶意软件的检测效果差。
发明内容
本发明的目的是提供一种邮件的监控方法、系统与装置,能够快速以及准确识别邮件携带的附件是否为恶意软件,并及时过滤携带恶意软件的邮件,保证邮件接收端的安全。
为解决以上技术问题,本发明实施例提供一种邮件的监控方法,包括:
获取新邮件携带的附件;
对所述附件采用哈希算法进行计算,获得所述附件的哈希特征;
将所述附件的哈希特征输入预设的过滤模型,获得所述附件为恶意软件的预测值;
当所述预测值大于设定的阈值时,将所述附件发送到预设的沙箱工具;
通过所述预设的沙箱工具识别所述附件;
当所述附件识别为恶意软件时,对所述附件添加恶意软件标记并拒收所述新邮件;
当所述附件识别为可疑软件时,对所述附件添加可疑软件标记并生成携带所述新邮件的警告邮件以使得收信人通过所述警告邮件打开所述新邮件。
优选地,所述当所述附件识别为可疑软件时,对所述附件添加可疑软件标记并生成携带所述新邮件的警告邮件以使得收信人通过所述警告邮件打开所述新邮件,具体包括:
当所述附件识别为可疑软件时,将所述附件发送预设的杀毒工具;
通过所述预设的杀毒工具再次识别所述附件;
当所述附件判定为可疑软件时,维持所述附件的可疑软件标记并生成携带所述新邮件的警告邮件以使得收信人通过所述警告邮件打开所述新邮件;
当所述附件判定为恶意软件时,将所述附件的可疑软件标记更新为恶意软件标记。
优选地,所述邮件的监控方法还包括:
扫描预设的样本文件,提取所述预设的样本文件的文件特征;其中所述预设的样本文件包括标记为恶意软件的样本文件以及标记为可疑软件的样本文件;
将所述文件特征输入SVM分类器进行特征训练,构建所述预设的过滤模型。
优选地,所述通过所述预设的沙箱工具识别所述附件,具体包括:
当所述预设的沙箱工具虚拟打开所述附件后,检测所述附件是否对所述沙箱工具产生恶意行为;其中,所述恶意行为包括所述沙箱工具的重要目录中增加文件、所述沙箱工具的重要文件以及配置被修改以及进程被注入外部逻辑;
当所述附件对所述沙箱工具产生恶意行为时,所述附件识别为恶意软件;
当所述附件对所述沙箱工具没有产生恶意行为时,所述附件识别为可疑软件。
优选地,所述当所述附件判定为恶意软件时,将所述附件的可疑软件标记更新为恶意软件标记,具体包括:
当所述附件判定为恶意软件时,检测发信人与所述收信人的紧密关系;
当所述发信人与所述收信人的相互发信数量大于预设的紧密阈值时,维持所述附件的可疑软件标记;
当所述发信人与所述收信人的相互发信数量不大于所述预设的紧密阈值时,将所述附件的可疑软件标记更新为恶意软件标记。
优选地,所述对所述附件采用哈希算法进行计算,获得所述附件的哈希特征,具体包括:
识别所述附件的文件格式;
当所述附件为可执行文件或动态链接库文件时,获取所述附件的汇编代码并构造汇编代码序列,对所述汇编代码序列采用哈希算法进行计算,获得所述附件的哈希特征;
当所述附件为脚本文件时,提取所述附件的token,对所述附件的token采用哈希算法进行计算,获得所述附件的哈希特征;
当所述附件为pdf文件或Office文件时,获取所述附件的树状结构,提取所述附件的树状结构对应的节点路径,对所述节点路径采用哈希算法进行计算, 获得所述附件的哈希特征。
优选地,所述当所述附件为可执行文件或动态链接库文件时,获取所述附件的汇编代码并构造汇编代码序列,对所述汇编代码序列采用哈希算法进行计算,获得所述附件的哈希特征,具体包括:
当所述附件为可执行文件或动态链接库文件时,获取所述附件的汇编代码;
将所述附件的三个相邻的所述汇编代码合并生成所述汇编代码序列;
对所述汇编代码序列采用哈希算法进行计算,获得所述附件的哈希特征。
优选地,所述当所述附件为pdf文件或Office文件时,获取所述附件的树状结构,提取所述附件的树状结构对应的节点路径,对所述节点路径采用哈希算法进行计算,获得所述附件的哈希特征,具体包括:
当所述附件为pdf文件或Office文件时,对所述附件进行文本拆分处理,得到多个文本数据块;
根据所述文本数据块,构造所述附件的树状结构;
提取所述附件的树状结构从根节点到任意一个叶子节点的节点路径;
对所述节点路径采用哈希算法进行计算,获得所述附件的哈希特征。
本发明实施还提供一种邮件的监控系统,包括:
邮件附件获取模块,用于获取新邮件携带的附件;
哈希特征计算模块,用于对所述附件采用哈希算法进行计算,获得所述附件的哈希特征;
附件预测模块,用于将所述附件的哈希特征输入预设的过滤模型,获得所述附件为恶意软件的预测值;
附件发送模块,用于当所述预测值大于设定的阈值时,将所述附件发送到预设的沙箱工具;
沙箱检测模块,用于通过所述预设的沙箱工具识别所述附件;
邮件拒收模块,用于当所述附件识别为恶意软件时,对所述附件添加恶意软件标记并拒收所述新邮件;
邮件警告模块,用于当所述附件识别为可疑软件时,对所述附件添加可疑 软件标记并生成携带所述新邮件的警告邮件以使得收信人通过所述警告邮件打开所述新邮件。
本发明实施例还提供一种邮件的监控装置,包括处理器,存储器以及存储在所述存储器中且被配置为由所述处理器执行的计算机程序,所述处理器执行所述计算机程序时,实现上述的邮件的监控方法。
相对于现有技术,本发明实施例提供的一种邮件的监控方法的有益效果在于:所述邮件的监控方法包括获取新邮件携带的附件;对所述附件采用哈希算法进行计算,获得所述附件的哈希特征;将所述附件的哈希特征输入预设的过滤模型,获得所述附件为恶意软件的预测值;当所述预测值大于设定的阈值时,将所述附件发送到预设的沙箱工具;通过所述预设的沙箱工具识别所述附件;当所述附件识别为恶意软件时,对所述附件添加恶意软件标记并拒收所述新邮件;当所述附件识别为可疑软件时,对所述附件添加可疑软件标记并生成携带所述新邮件的警告邮件以使得收信人通过所述警告邮件打开所述新邮件。通过上述邮件的监控方法能够快速以及准确识别邮件携带的附件是否为恶意软件,并及时过滤携带恶意软件的邮件,保证邮件接收端的安全。本发明实施例还提供一种邮件的监控系统与装置。
附图说明
图1是本发明实施例提供的一种邮件的监控方法的流程图;
图2是本发明实施例提供的一种邮件的监控系统的示意图。
具体实施方式
下面将结合本发明实施例中的附图,对本发明实施例中的技术方案进行清楚、完整地描述,显然,所描述的实施例仅仅是本发明一部分实施例,而不是全部的实施例。基于本发明中的实施例,本领域普通技术人员在没有作出创造性劳动前提下所获得的所有其他实施例,都属于本发明保护的范围。
请参阅图1,其是本发明实施例提供的一种邮件的监控方法的流程图,所述 邮件的监控方法包括:
S100:获取新邮件携带的附件;
S200:对所述附件采用哈希算法进行计算,获得所述附件的哈希特征;
S300:将所述附件的哈希特征输入预设的过滤模型,获得所述附件为恶意软件的预测值;
S400:当所述预测值大于设定的阈值时,将所述附件发送到预设的沙箱工具;
S500:通过所述预设的沙箱工具识别所述附件;
S600:当所述附件识别为恶意软件时,对所述附件添加恶意软件标记并拒收所述新邮件;
S700:当所述附件识别为可疑软件时,对所述附件添加可疑软件标记并生成携带所述新邮件的警告邮件以使得收信人通过所述警告邮件打开所述新邮件。
通过所述过滤模型对所述附件是否为恶意软件的可能性进行预测,得到预测值,然后所述沙箱工具对所述预测值大于设定的阈值的所述附件进行恶意软件识别,通过上述方法能够快速以及准确识别邮件携带的附件是否为恶意软件,并及时过滤携带恶意软件的邮件,保证邮件接收端的安全。
在一种可选的实施例中,S700:当所述附件识别为可疑软件时,对所述附件添加可疑软件标记并生成携带所述新邮件的警告邮件以使得收信人通过所述警告邮件打开所述新邮件,具体包括:
当所述附件识别为可疑软件时,将所述附件发送预设的杀毒工具;
通过所述预设的杀毒工具再次识别所述附件;
当所述附件判定为可疑软件时,维持所述附件的可疑软件标记并生成携带所述新邮件的警告邮件以使得收信人通过所述警告邮件打开所述新邮件;
当所述附件判定为恶意软件时,将所述附件的可疑软件标记更新为恶意软件标记。
在本实施中,所述预设的杀毒工具可以是预先部署在所述收信人的邮箱的第三方杀毒软件。所述杀毒工具将通过沙箱工具标记为“可疑软件”的附件再次进 行检查,所述杀毒工具判定是恶意软件的,将附件的标记更新为“恶意软件”,否则保持标记为“可疑软件”。通过所述杀毒工具对所述附件进行再次检查,可以提高所述附件识别为恶意软件的准确性,降低误判的可能性。
在一种可选的实施例中,所述邮件的监控方法还包括:
扫描预设的样本文件,提取所述预设的样本文件的文件特征;其中所述预设的样本文件包括标记为恶意软件的样本文件以及标记为可疑软件的样本文件;
将所述文件特征输入SVM分类器进行特征训练,构建所述预设的过滤模型。
在本实施例中,所述预设的样本文件通过邮件系统的通讯关系低成本的自动获得。例如,对于两个有大量沟通关系的邮箱,其互相之间发送的附件会标记为“比较可信”,这些“比较可信”的样本文件,会通过沙箱工具执行一遍,排除一些可能有问题的附件之后,标记为“可疑软件”样本。而那些之前没有过通讯关系,则会通过沙箱工具执行一遍,如果有任何可疑行为的(修改系统重要文件,注入某些执行逻辑等),则会将样本文件标记为“恶意软件”。
将通过上述方法得到的大量标记好的样本文件的文件特征输入SVM分类器进行特征训练(机器学习训练分类模型办法),训练出所述过滤模型。对于邮件系统遇到的每个附件,都是用所述过滤模型做一次初步判定,如果所述过滤模型判定为可疑软件,则再使用所述沙箱工具检查所述附件,判定是恶意软件的附件则拒收,判定是可疑软件的附件则可以提示收信人附件是可疑软件,让收信人警惕,减少收信人系统被恶意软件感染的几率。
在一种可选的实施例中,所述通过所述预设的沙箱工具识别所述附件,具体包括:
当所述预设的沙箱工具虚拟打开所述附件后,检测所述附件是否对所述沙箱工具产生恶意行为;其中,所述恶意行为包括所述沙箱工具的重要目录中增加文件、所述沙箱工具的重要文件以及配置被修改以及进程被注入外部逻辑;
当所述附件对所述沙箱工具产生恶意行为时,所述附件识别为恶意软件;
当所述附件对所述沙箱工具没有产生恶意行为时,所述附件识别为可疑软件。
在一种可选的实施例中,所述当所述附件判定为恶意软件时,将所述附件的可疑软件标记更新为恶意软件标记,具体包括:
当所述附件判定为恶意软件时,检测发信人与所述收信人的紧密关系;
当所述发信人与所述收信人的相互发信数量大于预设的紧密阈值时,维持所述附件的可疑软件标记;
当所述发信人与所述收信人的相互发信数量不大于所述预设的紧密阈值时,将所述附件的可疑软件标记更新为恶意软件标记。
在本实施例中,对所述沙箱工具判定为可疑软件的附件,所述杀毒软件检查发现,发信人和收信人具有紧密沟通关系,即所述发信人与所述收信人的相互发信数量大于预设的紧密阈值,例如:互相发信数量大于10(10是经验值),则将所述附件标记维持为“可疑软件”。发信人和收信人不具有紧密沟通关系,即所述发信人与所述收信人的相互发信数量小于预设的紧密阈值,例如:互相发信数量小于10(10是经验值),设置互相发信数量为0,则将所述附件标记更新为“恶意软件”。通过对收发信人的紧密沟通关系,可以有效得出来及发信人邮件的附件为恶意软件的几率,例如两个邮箱之间如果经常互相沟通的,则这两个邮箱之间互发的附件为恶意软件的几率比较小;如果同一个(或者内容相似)的附件,在某个时间段之内,都是由之前没有过任何通讯关系的邮箱发往另外一个邮箱的,这个附件为恶意软件的几率比较大。
在一种可选的实施例中,所述对所述附件采用哈希算法进行计算,获得所述附件的哈希特征,具体包括:
识别所述附件的文件格式;
当所述附件为可执行文件或动态链接库文件时,获取所述附件的汇编代码并构造汇编代码序列,对所述汇编代码序列采用哈希算法进行计算,获得所述附件的哈希特征;
当所述附件为脚本文件时,提取所述附件的token,对所述附件的token采用哈希算法进行计算,获得所述附件的哈希特征;
当所述附件为pdf文件或Office文件时,获取所述附件的树状结构,提取所 述附件的树状结构对应的节点路径,对所述节点路径采用哈希算法进行计算,获得所述附件的哈希特征。
在本实施例中,例如所述附件为vbs脚本文件Set objShell=wscript.CreateObject(“Wscript.Shell”),则根据vbs语法,一个一个的提取所述附件的token,并计算所述附件的哈希特征为md5(Set)md5(objShell)md5(wscript.CreateObject(“Wscript.Shell”))。
在一种可选的实施例中,所述当所述附件为可执行文件或动态链接库文件时,获取所述附件的汇编代码并构造汇编代码序列,对所述汇编代码序列采用哈希算法进行计算,获得所述附件的哈希特征,具体包括:
当所述附件为可执行文件或动态链接库文件时,获取所述附件的汇编代码;
将所述附件的三个相邻的所述汇编代码合并生成所述汇编代码序列;
对所述汇编代码序列采用哈希算法进行计算,获得所述附件的哈希特征。
在本实施例中,例如一个可执行文件,扫描所述可执行文件的汇编代码,并将相邻的三个汇编代码合并成一个生成汇编代码序列,共计生成汇编代码序列A,B,C,D,E,并计算所述汇编代码序列的哈希特征,则对应的哈希特征为md5(A+B+C)md5(B+C+D)md5(C+D+E)。
在一种可选的实施例中,所述当所述附件为pdf文件或Office文件时,获取所述附件的树状结构,提取所述附件的树状结构对应的节点路径,对所述节点路径采用哈希算法进行计算,获得所述附件的哈希特征,具体包括:
当所述附件为pdf文件或Office文件时,对所述附件进行文本拆分处理,得到多个文本数据块;
根据所述文本数据块,构造所述附件的树状结构;
提取所述附件的树状结构从根节点到任意一个叶子节点的节点路径;
对所述节点路径采用哈希算法进行计算,获得所述附件的哈希特征。
在本实施中,例如一个pdf文件,对该pdf文本进行文本拆分处理,并构造下述的树状结构A+B+C+D+E(pdf文件的根是A,A下层有B,C,E三个子节点,C下层有D子节点),对所述节点路径采用哈希算法进行计算,得到该pdf文件的 哈希特征为md5(A+B)md5(A+C+D)md5(A+E)。
请参阅图2,其是本发明实施提供的一种邮件的监控系统的示意图,所述邮件的监控系统包括:
邮件附件获取模块1,用于获取新邮件携带的附件;
哈希特征计算模块2,用于对所述附件采用哈希算法进行计算,获得所述附件的哈希特征;
附件预测模块3,用于将所述附件的哈希特征输入预设的过滤模型,获得所述附件为恶意软件的预测值;
附件发送模块4,用于当所述预测值大于设定的阈值时,将所述附件发送到预设的沙箱工具;
沙箱检测模块5,用于通过所述预设的沙箱工具识别所述附件;
邮件拒收模块6,用于当所述附件识别为恶意软件时,对所述附件添加恶意软件标记并拒收所述新邮件;
邮件警告模块7,用于当所述附件识别为可疑软件时,对所述附件添加可疑软件标记并生成携带所述新邮件的警告邮件以使得收信人通过所述警告邮件打开所述新邮件。
通过所述过滤模型对所述附件是否为恶意软件的可能性进行预测,得到预测值,然后所述沙箱工具对所述预测值大于设定的阈值的所述附件进行恶意软件识别,通过上述方法能够快速以及准确识别邮件携带的附件是否为恶意软件,并及时过滤携带恶意软件的邮件,保证邮件接收端的安全。
在一种可选的实施例中,所述邮件警告模块包括附件发送单元、识别单元:
所述附件发送单元,用于当所述附件识别为可疑软件时,将所述附件发送预设的杀毒工具;
所述识别单元,用于通过所述预设的杀毒工具再次识别所述附件;
所述识别单元,还用于当所述附件判定为可疑软件时,维持所述附件的可疑软件标记并生成携带所述新邮件的警告邮件以使得收信人通过所述警告邮件打开所述新邮件;
所述识别单元,还用于当所述附件判定为恶意软件时,将所述附件的可疑软件标记更新为恶意软件标记。
在本实施中,所述预设的杀毒工具可以是预先部署在所述收信人的邮箱的第三方杀毒软件。所述杀毒工具将通过沙箱工具标记为“可疑软件”的附件再次进行检查,所述杀毒工具判定是恶意软件的,将附件的标记更新为“恶意软件”,否则保持标记为“可疑软件”。通过所述杀毒工具对所述附件进行再次检查,可以提高所述附件识别为恶意软件的准确性,降低误判的可能性。
在一种可选的实施例中,所述邮件的监控系统还包括样本标记模块、机器学习模块;
所述样本标记模块,用于扫描预设的样本文件,提取所述预设的样本文件的文件特征;其中所述预设的样本文件包括标记为恶意软件的样本文件以及标记为可疑软件的样本文件;
所述机器学习模块,用于将所述文件特征输入SVM分类器进行特征训练,构建所述预设的过滤模型。
在本实施例中,所述预设的样本文件通过邮件系统的通讯关系低成本的自动获得。例如,对于两个有大量沟通关系的邮箱,其互相之间发送的附件会标记为“比较可信”,这些“比较可信”的样本文件,会通过沙箱工具执行一遍,排除一些可能有问题的附件之后,标记为“可疑软件”样本。而那些之前没有过通讯关系,则会通过沙箱工具执行一遍,如果有任何可疑行为的(修改系统重要文件,注入某些执行逻辑等),则会将样本文件标记为“恶意软件”。
将通过上述方法得到的大量标记好的样本文件的文件特征输入SVM分类器进行特征训练(机器学习训练分类模型办法),训练出所述过滤模型。对于邮件系统遇到的每个附件,都是用所述过滤模型做一次初步判定,如果所述过滤模型判定为可疑软件,则再使用所述沙箱工具检查所述附件,判定是恶意软件的附件则拒收,判定是可疑软件的附件则可以提示收信人附件是可疑软件,让收信人警惕,减少收信人系统被恶意软件感染的几率。
在一种可选的实施例中,所述沙箱检测模块包括行为检测单元;
所述行为检测单元,用于当所述预设的沙箱工具虚拟打开所述附件后,检测所述附件是否对所述沙箱工具产生恶意行为;其中,所述恶意行为包括所述沙箱工具的重要目录中增加文件、所述沙箱工具的重要文件以及配置被修改以及进程被注入外部逻辑;
当所述附件对所述沙箱工具产生恶意行为时,所述行为检测单元用于将所述附件识别为恶意软件;
当所述附件对所述沙箱工具没有产生恶意行为时,所述行为检测单元用于将所述附件识别为可疑软件。
在一种可选的实施例中,所述沙箱检测模块包括紧密关系检测单元;
所述紧密关系检测单元,用于当所述附件判定为恶意软件时,检测发信人与所述收信人的紧密关系;
当所述发信人与所述收信人的相互发信数量大于预设的紧密阈值时,所述紧密关系检测单元,用于维持所述附件的可疑软件标记;
当所述发信人与所述收信人的相互发信数量不大于所述预设的紧密阈值时,所述紧密关系检测单元,用于将所述附件的可疑软件标记更新为恶意软件标记。
在本实施例中,对所述沙箱工具判定为可疑软件的附件,所述杀毒软件检查发现,发信人和收信人具有紧密沟通关系,即所述发信人与所述收信人的相互发信数量大于预设的紧密阈值,例如:互相发信数量大于10(10是经验值),则将所述附件标记维持为“可疑软件”。发信人和收信人不具有紧密沟通关系,即所述发信人与所述收信人的相互发信数量小于预设的紧密阈值,例如:互相发信数量小于10(10是经验值),设置互相发信数量为0,则将所述附件标记更新为“恶意软件”。通过对收发信人的紧密沟通关系,可以有效得出来及发信人邮件的附件为恶意软件的几率,例如两个邮箱之间如果经常互相沟通的,则这两个邮箱之间互发的附件为恶意软件的几率比较小;如果同一个(或者内容相似)的附件,在某个时间段之内,都是由之前没有过任何通讯关系的邮箱发往另外一个邮箱的,这个附件为恶意软件的几率比较大。
在一种可选的实施例中,所述哈希特征计算模块包括文件格式识别单元、 汇编代码哈希特征计算单元、令牌哈希特征计算单元、节点路径哈希特征计算单元;
所述文件格式识别单元,用于识别所述附件的文件格式;
所述汇编代码哈希特征计算单元,用于当所述附件为可执行文件或动态链接库文件时,获取所述附件的汇编代码并构造汇编代码序列,对所述汇编代码序列采用哈希算法进行计算,获得所述附件的哈希特征;
所述令牌哈希特征计算单元,用于当所述附件为脚本文件时,提取所述附件的token,对所述附件的token采用哈希算法进行计算,获得所述附件的哈希特征;
所述节点路径哈希特征计算单元,用于当所述附件为pdf文件或Office文件时,获取所述附件的树状结构,提取所述附件的树状结构对应的节点路径,对所述节点路径采用哈希算法进行计算,获得所述附件的哈希特征。
在本实施例中,例如所述附件为vbs脚本文件Set objShell=wscript.CreateObject(“Wscript.Shell”),则根据vbs语法,一个一个的提取所述附件的token,并计算所述附件的哈希特征为md5(Set)md5(objShell)md5(wscript.CreateObject(“Wscript.Shell”))。
在一种可选的实施例中,所述汇编代码哈希特征计算单元包括汇编代码获取单元、汇编代码序列生成单元、第一哈希特征计算单元;
所述汇编代码获取单元,用于当所述附件为可执行文件或动态链接库文件时,获取所述附件的汇编代码;
所述汇编代码序列生成单元,用于将所述附件的三个相邻的所述汇编代码合并生成所述汇编代码序列;
所述第一哈希特征计算单元,用于对所述汇编代码序列采用哈希算法进行计算,获得所述附件的哈希特征。
在本实施例中,例如一个可执行文件,扫描所述可执行文件的汇编代码,并将相邻的三个汇编代码合并成一个生成汇编代码序列,共计生成汇编代码序列A,B,C,D,E,并计算所述汇编代码序列的哈希特征,则对应的哈希特征为 md5(A+B+C)md5(B+C+D)md5(C+D+E)。
在一种可选的实施例中,所述节点路径哈希特征计算单元包括文本拆分单元、树状结构构造单元、节点路径提取单元、第二哈希特征计算单元;
所述文本拆分单元,用于当所述附件为pdf文件或Office文件时,对所述附件进行文本拆分处理,得到多个文本数据块;
所述树状结构构造单元,用于根据所述文本数据块,构造所述附件的树状结构;
所述节点路径提取单元,用于提取所述附件的树状结构从根节点到任意一个叶子节点的节点路径;
所述第二哈希特征计算单元,用于对所述节点路径采用哈希算法进行计算,获得所述附件的哈希特征。
在本实施中,例如一个pdf文件,对该pdf文本进行文本拆分处理,并构造下述的树状结构A+B+C+D+E(pdf文件的根是A,A下层有B,C,E三个子节点,C下层有D子节点),对所述节点路径采用哈希算法进行计算,得到该pdf文件的哈希特征为md5(A+B)md5(A+C+D)md5(A+E)。
本发明实施例还提供一种邮件的监控装置,包括处理器,存储器以及存储在所述存储器中且被配置为由所述处理器执行的计算机程序,所述处理器执行所述计算机程序时,实现上述的邮件的监控方法。
示例性的,所述计算机程序可以被分割成一个或多个模块/单元,所述一个或者多个模块/单元被存储在所述存储器中,并由所述处理器执行,以完成本发明。所述一个或多个模块/单元可以是能够完成特定功能的一系列计算机程序指令段,该指令段用于描述所述计算机程序在所述邮件的监控装置中的执行过程。例如,所述计算机程序可以被分割成邮件附件获取模块,用于获取新邮件携带的附件;哈希特征计算模块,用于对所述附件采用哈希算法进行计算,获得所述附件的哈希特征;附件预测模块,用于将所述附件的哈希特征输入预设的过滤模型,获得所述附件为恶意软件的预测值;附件发送模块,用于当所述预测值大于设定的阈值时,将所述附件发送到预设的沙箱工具;沙箱检测模块,用 于通过所述预设的沙箱工具识别所述附件;邮件拒收模块,用于当所述附件识别为恶意软件时,对所述附件添加恶意软件标记并拒收所述新邮件;邮件警告模块,用于当所述附件识别为可疑软件时,对所述附件添加可疑软件标记并生成携带所述新邮件的警告邮件以使得收信人通过所述警告邮件打开所述新邮件。
所述邮件的监控装置可以是桌上型计算机、笔记本、掌上电脑及云端服务器等计算设备。所述邮件的监控装置可包括,但不仅限于,处理器、存储器。本领域技术人员可以理解,所述示意图2仅仅是邮件的监控装置的示例,并不构成对所述邮件的监控装置的限定,可以包括比图示更多或更少的部件,或者组合某些部件,或者不同的部件,例如所述邮件的监控装置还可以包括输入输出设备、网络接入设备、总线等。
所称处理器可以是中央处理单元(Central Processing Unit,CPU),还可以是其他通用处理器、数字信号处理器(Digital Signal Processor,DSP)、专用集成电路(Application Specific Integrated Circuit,ASIC)、现成可编程门阵列(Field-Programmable Gate Array,FPGA)或者其他可编程逻辑器件、分立门或者晶体管逻辑器件、分立硬件组件等。通用处理器可以是微处理器或者该处理器也可以是任何常规的处理器等,所述处理器是所述邮件的监控装置的控制中心,利用各种接口和线路连接整个邮件的监控装置的各个部分。
所述存储器可用于存储所述计算机程序和/或模块,所述处理器通过运行或执行存储在所述存储器内的计算机程序和/或模块,以及调用存储在存储器内的数据,实现所述邮件的监控装置的各种功能。所述存储器可主要包括存储程序区和存储数据区,其中,存储程序区可存储操作系统、至少一个功能所需的应用程序(比如声音播放功能、图像播放功能等)等;存储数据区可存储根据手机的使用所创建的数据(比如音频数据、电话本等)等。此外,存储器可以包括高速随机存取存储器,还可以包括非易失性存储器,例如硬盘、内存、插接式硬盘,智能存储卡(Smart Media Card,SMC),安全数字(Secure Digital,SD)卡,闪存卡(Flash Card)、至少一个磁盘存储器件、闪存器件、或其他易失性固 态存储器件。
其中,所述邮件的监控装置集成的模块/单元如果以软件功能单元的形式实现并作为独立的产品销售或使用时,可以存储在一个计算机可读取存储介质中。基于这样的理解,本发明实现上述实施例方法中的全部或部分流程,也可以通过计算机程序来指令相关的硬件来完成,所述的计算机程序可存储于一计算机可读存储介质中,该计算机程序在被处理器执行时,可实现上述各个方法实施例的步骤。其中,所述计算机程序包括计算机程序代码,所述计算机程序代码可以为源代码形式、对象代码形式、可执行文件或某些中间形式等。所述计算机可读介质可以包括:能够携带所述计算机程序代码的任何实体或装置、记录介质、U盘、移动硬盘、磁碟、光盘、计算机存储器、只读存储器(ROM,Read-Only Memory)、随机存取存储器(RAM,Random Access Memory)、电载波信号、电信信号以及软件分发介质等。需要说明的是,所述计算机可读介质包含的内容可以根据司法管辖区内立法和专利实践的要求进行适当的增减,例如在某些司法管辖区,根据立法和专利实践,计算机可读介质不包括电载波信号和电信信号。
相对于现有技术,本发明实施例提供的一种邮件的监控方法的有益效果在于:所述邮件的监控方法包括获取新邮件携带的附件;对所述附件采用哈希算法进行计算,获得所述附件的哈希特征;将所述附件的哈希特征输入预设的过滤模型,获得所述附件为恶意软件的预测值;当所述预测值大于设定的阈值时,将所述附件发送到预设的沙箱工具;通过所述预设的沙箱工具识别所述附件;当所述附件识别为恶意软件时,对所述附件添加恶意软件标记并拒收所述新邮件;当所述附件识别为可疑软件时,对所述附件添加可疑软件标记并生成携带所述新邮件的警告邮件以使得收信人通过所述警告邮件打开所述新邮件。通过上述邮件的监控方法能够快速以及准确识别邮件携带的附件是否为恶意软件,并及时过滤携带恶意软件的邮件,保证邮件接收端的安全。本发明实施例还提供一种邮件的监控装置与系统
以上是本发明的优选实施方式,应当指出,对于本技术领域的普通技术人 员来说,在不脱离本发明原理的前提下,还可以做出若干改进和润饰,这些改进和润饰也视为本发明的保护范围。

Claims (10)

  1. 一种邮件的监控方法,其特征在于,包括:
    获取新邮件携带的附件;
    对所述附件采用哈希算法进行计算,获得所述附件的哈希特征;
    将所述附件的哈希特征输入预设的过滤模型,获得所述附件为恶意软件的预测值;
    当所述预测值大于设定的阈值时,将所述附件发送到预设的沙箱工具;
    通过所述预设的沙箱工具识别所述附件;
    当所述附件识别为恶意软件时,对所述附件添加恶意软件标记并拒收所述新邮件;
    当所述附件识别为可疑软件时,对所述附件添加可疑软件标记并生成携带所述新邮件的警告邮件以使得收信人通过所述警告邮件打开所述新邮件。
  2. 如权利要求1所述的邮件的监控方法,其特征在于,所述当所述附件识别为可疑软件时,对所述附件添加可疑软件标记并生成携带所述新邮件的警告邮件以使得收信人通过所述警告邮件打开所述新邮件,具体包括:
    当所述附件识别为可疑软件时,将所述附件发送预设的杀毒工具;
    通过所述预设的杀毒工具再次识别所述附件;
    当所述附件判定为可疑软件时,维持所述附件的可疑软件标记并生成携带所述新邮件的警告邮件以使得收信人通过所述警告邮件打开所述新邮件;
    当所述附件判定为恶意软件时,将所述附件的可疑软件标记更新为恶意软件标记。
  3. 如权利要求1所述的邮件的监控方法,其特征在于,所述邮件的监控方法还包括:
    扫描预设的样本文件,提取所述预设的样本文件的文件特征;其中所述预设的样本文件包括标记为恶意软件的样本文件以及标记为可疑软件的样本文件;
    将所述文件特征输入SVM分类器进行特征训练,构建所述预设的过滤模型。
  4. 如权利要求1所述的邮件的监控方法,其特征在于,所述通过所述预设的沙箱工具识别所述附件,具体包括:
    当所述预设的沙箱工具虚拟打开所述附件后,检测所述附件是否对所述沙箱工具产生恶意行为;其中,所述恶意行为包括所述沙箱工具的重要目录中增加文件、所述沙箱工具的重要文件以及配置被修改以及进程被注入外部逻辑;
    当所述附件对所述沙箱工具产生恶意行为时,所述附件识别为恶意软件;
    当所述附件对所述沙箱工具没有产生恶意行为时,所述附件识别为可疑软件。
  5. 如权利要求2所述的邮件的监控方法,其特征在于,所述当所述附件判定为恶意软件时,将所述附件的可疑软件标记更新为恶意软件标记,具体包括:
    当所述附件判定为恶意软件时,检测发信人与所述收信人的紧密关系;
    当所述发信人与所述收信人的相互发信数量大于预设的紧密阈值时,维持所述附件的可疑软件标记;
    当所述发信人与所述收信人的相互发信数量不大于所述预设的紧密阈值时,将所述附件的可疑软件标记更新为恶意软件标记。
  6. 如权利要求1所述的邮件的监控方法,其特征在于,所述对所述附件采用哈希算法进行计算,获得所述附件的哈希特征,具体包括:
    识别所述附件的文件格式;
    当所述附件为可执行文件或动态链接库文件时,获取所述附件的汇编代码并构造汇编代码序列,对所述汇编代码序列采用哈希算法进行计算,获得所述附件的哈希特征;
    当所述附件为脚本文件时,提取所述附件的token,对所述附件的token采用哈希算法进行计算,获得所述附件的哈希特征;
    当所述附件为pdf文件或Office文件时,获取所述附件的树状结构,提取所述附件的树状结构对应的节点路径,对所述节点路径采用哈希算法进行计算,获得所述附件的哈希特征。
  7. 如权利要求6所述的邮件的监控方法,其特征在于,所述当所述附件为可执行文件或动态链接库文件时,获取所述附件的汇编代码并构造汇编代码序列,对所述汇编代码序列采用哈希算法进行计算,获得所述附件的哈希特征,具体包括:
    当所述附件为可执行文件或动态链接库文件时,获取所述附件的汇编代码;
    将所述附件的三个相邻的所述汇编代码合并生成所述汇编代码序列;
    对所述汇编代码序列采用哈希算法进行计算,获得所述附件的哈希特征。
  8. 如权利要求6所述的邮件的监控方法,其特征在于,所述当所述附件为pdf文件或Office文件时,获取所述附件的树状结构,提取所述附件的树状结构对应的节点路径,对所述节点路径采用哈希算法进行计算,获得所述附件的哈希特征,具体包括:
    当所述附件为pdf文件或Office文件时,对所述附件进行文本拆分处理,得到多个文本数据块;
    根据所述文本数据块,构造所述附件的树状结构;
    提取所述附件的树状结构从根节点到任意一个叶子节点的节点路径;
    对所述节点路径采用哈希算法进行计算,获得所述附件的哈希特征。
  9. 一种邮件的监控系统,其特征在于,包括:
    邮件附件获取模块,用于获取新邮件携带的附件;
    哈希特征计算模块,用于对所述附件采用哈希算法进行计算,获得所述附件的哈希特征;
    附件预测模块,用于将所述附件的哈希特征输入预设的过滤模型,获得所 述附件为恶意软件的预测值;
    附件发送模块,用于当所述预测值大于设定的阈值时,将所述附件发送到预设的沙箱工具;
    沙箱检测模块,用于通过所述预设的沙箱工具识别所述附件;
    邮件拒收模块,用于当所述附件识别为恶意软件时,对所述附件添加恶意软件标记并拒收所述新邮件;
    邮件警告模块,用于当所述附件识别为可疑软件时,对所述附件添加可疑软件标记并生成携带所述新邮件的警告邮件以使得收信人通过所述警告邮件打开所述新邮件。
  10. 一种邮件的监控装置,其特征在于,包括处理器,存储器以及存储在所述存储器中且被配置为由所述处理器执行的计算机程序,所述处理器执行所述计算机程序时,实现如权利要求1至8所述的邮件的监控方法。
PCT/CN2019/070302 2018-01-19 2019-01-03 一种邮件的监控方法、系统与装置 WO2019141091A1 (zh)

Priority Applications (1)

Application Number Priority Date Filing Date Title
ZA2020/04846A ZA202004846B (en) 2018-01-19 2020-08-04 Method, system, and device for mail monitoring

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201810055496.0 2018-01-19
CN201810055496.0A CN108337153B (zh) 2018-01-19 2018-01-19 一种邮件的监控方法、系统与装置

Publications (1)

Publication Number Publication Date
WO2019141091A1 true WO2019141091A1 (zh) 2019-07-25

Family

ID=62925359

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2019/070302 WO2019141091A1 (zh) 2018-01-19 2019-01-03 一种邮件的监控方法、系统与装置

Country Status (3)

Country Link
CN (1) CN108337153B (zh)
WO (1) WO2019141091A1 (zh)
ZA (1) ZA202004846B (zh)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111291372A (zh) * 2020-01-21 2020-06-16 上海戎磐网络科技有限公司 一种基于软件基因技术对终端设备文件检测的方法及装置
CN112822168A (zh) * 2020-12-30 2021-05-18 绿盟科技集团股份有限公司 一种异常邮件检测方法及装置
CN114006721A (zh) * 2021-09-14 2022-02-01 北京纽盾网安信息技术有限公司 电子邮件的风险检测方法及系统

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108337153B (zh) * 2018-01-19 2020-10-23 论客科技(广州)有限公司 一种邮件的监控方法、系统与装置
CN109347819A (zh) * 2018-10-12 2019-02-15 杭州安恒信息技术股份有限公司 一种病毒邮件检测方法、系统及电子设备和存储介质
CN109327453B (zh) * 2018-10-31 2021-04-13 北斗智谷(北京)安全技术有限公司 一种特定威胁的识别方法及电子设备
CN109672607A (zh) * 2018-12-20 2019-04-23 东软集团股份有限公司 一种邮件处理方法、装置及存储设备、程序产品
CN111049733A (zh) * 2019-12-10 2020-04-21 公安部第三研究所 一种钓鱼邮件攻击的蔽性标识方法
CN112305591B (zh) * 2020-10-10 2022-04-29 中国地质大学(北京) 隧道超前地质预报方法、计算机可读存储介质
CN113965349B (zh) * 2021-09-14 2023-07-18 上海纽盾科技股份有限公司 具有安全检测功能的网络安全防护系统及方法

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102833240A (zh) * 2012-08-17 2012-12-19 中国科学院信息工程研究所 一种恶意代码捕获方法及系统
CN106778268A (zh) * 2016-11-28 2017-05-31 广东省信息安全测评中心 恶意代码检测方法与系统
CN106815518A (zh) * 2015-11-30 2017-06-09 华为技术有限公司 一种应用安装方法及电子设备
CN106874765A (zh) * 2017-03-03 2017-06-20 努比亚技术有限公司 一种恶意软件拦截方法、装置及终端
CN108337153A (zh) * 2018-01-19 2018-07-27 论客科技(广州)有限公司 一种邮件的监控方法、系统与装置

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1922837A (zh) * 2004-05-14 2007-02-28 布赖特梅有限公司 基于相似性量度过滤垃圾邮件的方法和装置
US7908653B2 (en) * 2004-06-29 2011-03-15 Intel Corporation Method of improving computer security through sandboxing
CN101877680A (zh) * 2010-05-21 2010-11-03 电子科技大学 一种垃圾邮件发送行为控制系统及方法
CN102930210B (zh) * 2012-10-14 2015-11-25 江苏金陵科技集团有限公司 恶意程序行为自动化分析、检测与分类系统及方法
CN103546449A (zh) * 2012-12-24 2014-01-29 哈尔滨安天科技股份有限公司 一种基于附件格式的邮件病毒检测方法和装置
CN105007218B (zh) * 2015-08-20 2018-07-31 世纪龙信息网络有限责任公司 反垃圾电子邮件方法和系统
JP2017129893A (ja) * 2016-01-18 2017-07-27 株式会社日立製作所 マルウェア検知方法及びシステム

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102833240A (zh) * 2012-08-17 2012-12-19 中国科学院信息工程研究所 一种恶意代码捕获方法及系统
CN106815518A (zh) * 2015-11-30 2017-06-09 华为技术有限公司 一种应用安装方法及电子设备
CN106778268A (zh) * 2016-11-28 2017-05-31 广东省信息安全测评中心 恶意代码检测方法与系统
CN106874765A (zh) * 2017-03-03 2017-06-20 努比亚技术有限公司 一种恶意软件拦截方法、装置及终端
CN108337153A (zh) * 2018-01-19 2018-07-27 论客科技(广州)有限公司 一种邮件的监控方法、系统与装置

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111291372A (zh) * 2020-01-21 2020-06-16 上海戎磐网络科技有限公司 一种基于软件基因技术对终端设备文件检测的方法及装置
CN111291372B (zh) * 2020-01-21 2024-04-30 上海戎磐网络科技有限公司 一种基于软件基因技术对终端设备文件检测的方法及装置
CN112822168A (zh) * 2020-12-30 2021-05-18 绿盟科技集团股份有限公司 一种异常邮件检测方法及装置
CN114006721A (zh) * 2021-09-14 2022-02-01 北京纽盾网安信息技术有限公司 电子邮件的风险检测方法及系统

Also Published As

Publication number Publication date
ZA202004846B (en) 2022-01-26
CN108337153B (zh) 2020-10-23
CN108337153A (zh) 2018-07-27

Similar Documents

Publication Publication Date Title
WO2019141091A1 (zh) 一种邮件的监控方法、系统与装置
US11516248B2 (en) Security system for detection and mitigation of malicious communications
US10819744B1 (en) Collaborative phishing attack detection
US10218740B1 (en) Fuzzy hash of behavioral results
CN104660594B (zh) 一种面向社交网络的虚拟恶意节点及其网络识别方法
US9398038B2 (en) Collaborative phishing attack detection
CN103679031B (zh) 一种文件病毒免疫的方法和装置
RU2601193C2 (ru) Системы и способы обнаружения спама с помощью символьных гистограмм
JP2020505707A (ja) 侵入検出のための継続的な学習
RU2601190C2 (ru) Система и способы обнаружения спама с помощью частотных спектров строк символов
CN110519150B (zh) 邮件检测方法、装置、设备、系统及计算机可读存储介质
US20210250369A1 (en) System and method for providing cyber security
WO2015047802A2 (en) Advanced persistent threat (apt) detection center
CN107222511B (zh) 恶意软件的检测方法及装置、计算机装置及可读存储介质
US10623426B1 (en) Building a ground truth dataset for a machine learning-based security application
CN107395650B (zh) 基于沙箱检测文件识别木马回连方法及装置
CN108183888A (zh) 一种基于随机森林算法的社会工程学入侵攻击路径检测方法
KR20170083494A (ko) 악성 전자 메시지의 검출 기술
US20120260339A1 (en) Imposter Prediction Using Historical Interaction Patterns
US10778840B1 (en) Systems and methods for identifying unsolicited communications on a computing device
CN112559595A (zh) 安全事件挖掘方法、装置、存储介质及电子设备
US11176251B1 (en) Determining malware via symbolic function hash analysis
CN115037542A (zh) 一种异常邮件检测方法及装置
CN114003914A (zh) 一种文件的安全性检测方法、装置、电子设备及存储介质
Elmendili et al. A security approach based on honeypots: Protecting Online Social network from malicious profiles

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 19741718

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 19741718

Country of ref document: EP

Kind code of ref document: A1