CN114465977A - Method, device, equipment and storage medium for detecting mailbox login abnormity - Google Patents
- Publication number: CN114465977A (application CN202210013302.7A)
- Authority: CN (China)
- Prior art keywords: login, records, mailbox, trusted, record
- Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0227—Filtering policies
- H04L63/0236—Filtering by address, protocol, port number or service, e.g. IP-address or URL
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Information Transfer Between Computers (AREA)
Abstract
The invention discloses a method, device, equipment and storage medium for detecting abnormal mailbox logins, comprising: acquiring all login records of a user's mailbox and, from normal emails preset in that mailbox, building a trusted IP list and a standard user portrait; obtaining, from a preset geographic information database for login IPs, the latitude and longitude of the region corresponding to each login record, where each login record contains one login IP and one login time; calculating in turn, according to the login times, the switching speed between the latitude/longitude positions of each pair of adjacent login records, and screening out suspicious login records according to a preset speed threshold; and removing entries from the suspicious login records according to the trusted IP list and the standard user portrait, the suspicious login records remaining after the removal operation being treated as abnormal records. The invention solves the technical problem in the prior art of low accuracy in detecting login anomalies caused by switching of the login region.
Description
Technical field
The invention relates to the field of network information security and in particular to a method, device, equipment and storage medium for detecting abnormal mailbox logins.
Background
Detection of unauthorized logins to e-mail accounts is an important application in the field of email security. E-mail is used very widely, and the security of enterprise mailboxes directly concerns the interests of companies and other organisations: the great majority of enterprises, government departments and research institutes use enterprise email to circulate, revise and approve official documents, and much highly confidential data is contained in them. However, during transmission an email has to be relayed through different mail servers, which gives attackers an opportunity. Email passwords can leak in many ways, including but not limited to phishing emails (tricking the user into clicking an unknown URL in the email that leads to an illegitimate login page which steals the account password), brute-force cracking (using a large number of IPs to rapidly try a large number of passwords against a large number of accounts, which has a certain probability of breaking accounts with simple passwords), Trojans (installing a Trojan on the client machine through email or another download route and stealing the account password), and credential stuffing (the user shares one account password across several websites, so once one site's backend is compromised and the password stolen, the same password can be used to log in to other systems or the corresponding mail system). Because attack methods emerge endlessly, it has to be assumed that some users will certainly have had their mailbox account password stolen for one of the reasons above, so a way is needed to tell whether the current login is by the user or by another, unauthorized user.
At present, the great majority of security checks for email account login risk control are aimed at one specific leakage route. For example, the IPs used by an attacker are obtained by clustering or similar methods, and the attacker is finally identified through the login IPs that suspicious mailboxes have in common; but for an attacker who logs in to stolen accounts from many different IPs through a large number of proxies, or who runs a low-frequency, persistent monitoring attack against a small number of high-value accounts, a method based on common login IPs will not necessarily capture such abnormal logins. For brute-force cracking, a threshold is set on a single IP trying a large number of different accounts and a large number of different passwords. For risk control of logins from unusual locations, an additional two-factor authentication is required of the logging-in user; but when a user may be using a VPN or other proxy and the corresponding geographic location switches, or when different IP geolocation databases are used, there is a certain probability that a wrong location is returned for the IP, which makes the login process cumbersome or even causes it to fail.
Therefore there is an urgent need for a strategy for detecting abnormal logins to enterprise mailboxes, to resolve the situation in the prior art in which a user's use of a proxy causes a switch of login region, producing false alarms and inaccurate detection.
Summary of the invention
The present invention provides a method, device, equipment and storage medium for detecting abnormal mailbox logins, so as to solve the technical problem in the prior art of low accuracy in detecting login anomalies caused by switching of the login region.
To solve the above technical problem, an embodiment of the present invention provides a method for detecting abnormal mailbox logins, comprising:
acquiring all login records of a user's mailbox and, from normal emails preset in the user's mailbox, building a trusted IP list and a standard user portrait;
obtaining, from a preset geographic information database for login IPs, the latitude and longitude of the region corresponding to each login record, where each login record contains one login IP and one login time;
calculating in turn, according to the login times, the switching speed between the latitude/longitude positions of each pair of adjacent login records, and screening out suspicious login records according to a preset speed threshold;
removing entries from the suspicious login records according to the trusted IP list and the standard user portrait, and treating the suspicious login records remaining after the removal operation as abnormal records.
As a preferred solution, after treating the suspicious login records remaining after the removal operation as abnormal records, the method further comprises:
in response to a mailbox login operation by the current user, generating a first login record and judging, according to the trusted IP list and the standard user portrait, whether the first login record is normal;
if the first login record is normal, saving the login record;
if the first login record is not normal, triggering two-factor authentication so that the current user confirms the login.
As a preferred solution, after generating the first login record in response to the current user's mailbox login operation and judging, according to the trusted IP list and the standard user portrait, whether the first login record is normal, the method further comprises:
recording the number of login records generated within a first preset time period and, if the number of generated login records is greater than a preset first threshold, blocking the current user's mailbox.
As a preferred solution, after obtaining, from the preset geographic information database for login IPs, the latitude and longitude of the region corresponding to each login record, the method further comprises:
obtaining all failed login records within a second preset time period and classifying all of the failed login records according to preset brute-force rules, obtaining brute-force records and non-brute-force records;
if the brute-force records exceed a preset second threshold, marking all login IPs in the brute-force records as a brute-force IP list;
updating the abnormal records according to the login records corresponding to login IPs that match the brute-force IP list.
As a preferred solution, acquiring all login records of the user's mailbox and building the trusted IP list and standard user portrait from the normal emails preset in the user's mailbox specifically comprises:
obtaining, for each IP of all the preset normal emails in the user's mailbox, the number of unique senders corresponding to that IP; taking the IPs whose number of unique senders is greater than a third threshold as trusted IP seeds; and taking the client IDs of all emails sent from the trusted IPs as a trusted ID list, where each login record also contains a client ID;
from the trusted IP seeds and the trusted ID list, taking each trusted IP seed as a vertex, the weight of each vertex being the number of unique senders corresponding to that trusted IP seed, so as to construct a reputation transfer graph; iteratively growing and propagating the reputation transfer graph until the number of iterations reaches a preset value; obtaining the weight of each vertex after the iterations; and obtaining the trusted IP list from the post-iteration weights of the vertices;
calculating the standard user portrait from the trusted IP list.
As a preferred solution, calculating the standard user portrait from the trusted IPs specifically comprises:
obtaining all login records of the user's mailbox and, according to the trusted IP list, filtering out the login records that match the trusted IP list;
calculating the user's feature vector from the login records that match the trusted IP list, as the standard user portrait.
As a preferred solution, calculating in turn, according to the login times, the switching speed between the latitude/longitude positions of each pair of adjacent login records and screening out suspicious login records according to a preset speed threshold specifically comprises:
sorting all login records by login time, calculating in turn the switching speed between the latitude/longitude positions of each pair of adjacent login records, and, according to the preset speed threshold, screening out the pairs of adjacent login records whose switching speed is greater than the preset speed threshold as suspicious login records.
Correspondingly, the present invention also provides a device for detecting abnormal mailbox logins, comprising a list-and-portrait module, a regional location module, a suspicious login module and an abnormal record module;
the list-and-portrait module is used to acquire all login records of the user's mailbox and to build a trusted IP list and a standard user portrait from the normal emails preset in the user's mailbox;
the regional location module is used to obtain, from a preset geographic information database for login IPs, the latitude and longitude of the region corresponding to each login record, where each login record contains one login IP and one login time;
the suspicious login module is used to calculate in turn, according to the login times, the switching speed between the latitude/longitude positions of each pair of adjacent login records and to screen out suspicious login records according to a preset speed threshold;
the abnormal record module is used to remove entries from the suspicious login records according to the trusted IP list and the standard user portrait and to treat the suspicious login records remaining after the removal operation as abnormal records.
Correspondingly, the present invention also provides a terminal device comprising a processor, a memory, and a computer program stored in the memory and configured to be executed by the processor, the processor implementing the method for detecting abnormal mailbox logins described in any of the above when executing the computer program.
Correspondingly, the present invention also provides a computer-readable storage medium that includes a stored computer program, where the computer program, when run, controls the device on which the computer-readable storage medium resides to execute the method for detecting abnormal mailbox logins described in any of the above.
Compared with the prior art, embodiments of the present invention have the following beneficial effects:
The technical solution of the present invention acquires all login records of a user's mailbox and builds a trusted IP list and a standard user portrait from the normal emails preset in that mailbox, so that abnormal mailbox logins are detected from the user's own habits of using the mailbox, which improves the accuracy of login anomaly detection. Suspicious login records are screened out by computing the switching speed between the latitude/longitude positions of adjacent login records, which improves the precision with which pairs of login records are screened. The suspicious login records are then pruned according to the trusted IP list and the standard user portrait, which avoids the false positives that arise in the prior art when the login region switches after a proxy is used, improving both the user's experience of the mailbox and the accuracy of abnormal login detection.
Description of drawings
FIG. 1 is a flowchart of the steps of a method for detecting abnormal mailbox logins provided by an embodiment of the present invention;
FIG. 2 is the IP reputation propagation graph in its initial state in a method for detecting abnormal mailbox logins provided by an embodiment of the present invention;
FIG. 3 is a schematic diagram of the reputation propagation of IP1 in a method for detecting abnormal mailbox logins provided by an embodiment of the present invention;
FIG. 4 is a schematic diagram of the reputation propagation of IP2 in a method for detecting abnormal mailbox logins provided by an embodiment of the present invention;
FIG. 5 is a schematic diagram of the reputation propagation of IP3 in a method for detecting abnormal mailbox logins provided by an embodiment of the present invention;
FIG. 6 is a schematic structural diagram of a device for detecting abnormal mailbox logins provided by an embodiment of the present invention.
Detailed description
The technical solutions in the embodiments of the present invention will be described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
Embodiment 1
Referring to FIG. 1, a method for detecting abnormal mailbox logins provided by an embodiment of the present invention includes the following steps:
S101: Acquire all login records of the user's mailbox and, from normal emails preset in the user's mailbox, build a trusted IP list and a standard user portrait.
Specifically: obtain, for each IP of all the preset normal emails in the user's mailbox, the number of unique senders corresponding to that IP; take the IPs whose number of unique senders is greater than a third threshold as trusted IP seeds; take the client IDs of all emails sent from the trusted IPs as a trusted ID list (each login record also contains a client ID); from the trusted IP seeds and the trusted ID list, take each trusted IP seed as a vertex whose weight is the number of unique senders corresponding to that seed, thereby constructing a reputation transfer graph; iteratively grow and propagate the reputation transfer graph until the number of iterations reaches a preset value; obtain the weight of each vertex after the iterations and derive the trusted IP list from those weights; and calculate the standard user portrait from the trusted IP list.
It should be noted that the preset normal emails are emails in the outbox whose recipient and sender have exchanged messages with each other multiple times. Using such preset normal emails guarantees that the IP from which a normal email was sent is the IP of the user operating in person, which ensures that the generated trusted IP list and user portrait are accurate and of credible value. The number of unique senders corresponding to the IP of every preset normal email in the user's mailbox is obtained, and IPs whose number of unique senders is greater than the third threshold are taken as trusted IP seeds; in practice, for enterprise mailboxes, most of these IPs turn out to be the shared egress IPs of company offices. Here "the number of unique senders corresponding to the IP of a normal email" means that each normal email carries one IP, and the number of distinct senders seen under the same IP is counted.
In this embodiment, after the number of unique senders per IP over all normal emails in the user's mailbox is obtained, IPs whose number of unique senders is greater than the third threshold are taken as trusted IP seeds and IPs with too few unique senders are discarded; the client IDs of all emails sent from the trusted IPs form the trusted ID list. With the trusted IP seeds as vertices, the weight of each vertex being the number of unique senders of the corresponding IP (that is, its reputation), and the trusted ID list supplying the edges between vertices, the initial reputation propagation graph is built. The reputation transfer graph is then iteratively grown and propagated until the number of iterations reaches the preset value, the post-iteration weight of each vertex is obtained, and the trusted IP list is derived from those weights.
As a preferred solution of this embodiment, refer to FIG. 2, the reputation propagation graph in its initial state. In this preferred solution four IPs are obtained, IP1, IP2, IP3 and IP4. IP1 has 100 unique senders, an initial reputation of 100 and 100 trusted IDs, i.e. 100 edges, of which 7 edges connect to IP2 (7 client IDs in common with IP2) and 3 edges connect to IP3 (3 client IDs in common with IP3). IP2 has 10 unique senders, an initial reputation of 10 and 10 trusted IDs, i.e. 10 edges, of which 7 connect to IP1 and the remaining 3 connect to other, external IPs. IP3 has 0 unique senders, an initial reputation of 0 and only 3 edges, all to IP1. IP4 has no unique senders, an initial reputation of 0 and no client in common with IP1, IP2 or IP3, so no reputation propagates to or from IP4. Reputation propagation is carried out for IP1, IP2 and IP3 in turn; the amount of reputation passed along each connection is proportional to the share of the source IP's edges that lead to the receiving IP, and one propagation step by every IP constitutes one iteration. Refer to FIG. 3, the propagation of reputation from IP1 to IP2 and IP3: IP2 receives 100*(7/100)=7 reputation from IP1, so IP2's current reputation is 17, and IP3 receives 100*(3/100)=3 reputation from IP1, so IP3's current reputation is 3. Refer to FIG. 4, the propagation of reputation from IP2 to IP1: IP1 receives 17*(7/10)=11.9 reputation from IP2, so IP1's current reputation is 111.9. Refer to FIG. 5, the propagation of reputation from IP3 to IP1: IP1 receives 3*(3/3)=3 reputation from IP3, so IP1's current reputation is 114.9. At this point every IP in this preferred embodiment has completed one propagation, that is, one iteration of the reputation calculation has been performed.
Preferably, after 4 iterations the ranking of the IPs by reputation value is essentially stable and has converged; the IPs in the top 80% of the reputation ranking are retained as the trusted IP list.
Through the reputation transfer process, the reputation of trusted IPs can be propagated to other trusted IPs, including but not limited to cases in which the user changes IP by using a network proxy, so a relatively trustworthy IP list is obtained. To avoid subjective factors and other potential manipulation, only the IPs ranked highest by reputation after propagation are retained and IPs with low reputation are discarded; the proportion retained is determined by the needs of the actual situation.
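The seed selection, graph construction and reputation propagation of S101, as an added example that is not the patent's own code: `build_graph` derives seeds, vertex weights and shared-client-ID edges from constructed mail records, and `propagate_once` reproduces the IP1/IP2/IP3 walk-through above with the figure's numbers fed in directly. The propagation order (highest initial reputation first) and the `seed_threshold` value are assumptions.

```python
from collections import defaultdict


def build_graph(mails, seed_threshold):
    """Build the initial reputation transfer graph of S101.

    mails: iterable of (ip, sender, client_id) taken from the preset normal
    emails. Returns (reputation, degree, edges):
      reputation[ip] - initial weight = number of unique senders seen from ip
      degree[ip]     - number of trusted IDs (client IDs) seen from ip
      edges[a][b]    - number of client IDs that seeds a and b have in common
    """
    senders = defaultdict(set)
    clients = defaultdict(set)
    for ip, sender, client_id in mails:
        senders[ip].add(sender)
        clients[ip].add(client_id)
    # Only IPs whose unique-sender count exceeds the third threshold are seeds.
    seeds = [ip for ip in senders if len(senders[ip]) > seed_threshold]
    reputation = {ip: float(len(senders[ip])) for ip in seeds}
    degree = {ip: len(clients[ip]) for ip in seeds}
    edges = {ip: {} for ip in seeds}
    for a in seeds:
        for b in seeds:
            if a == b:
                continue
            shared = len(clients[a] & clients[b])
            if shared:
                edges[a][b] = shared
    return reputation, degree, edges


def propagate_once(reputation, degree, edges, order):
    """One iteration: each IP in `order` passes its current reputation to every
    neighbour in proportion to the share of its edges that lead there. Edges to
    IPs outside the graph carry nothing, the sender keeps its own value, and
    updates take effect immediately, as in the walk-through of FIG. 3 to 5.
    Modifies `reputation` in place and returns it."""
    for src in order:
        if degree.get(src, 0) == 0:
            continue                       # isolated vertex such as IP4
        for dst, shared in edges.get(src, {}).items():
            reputation[dst] += reputation[src] * shared / degree[src]
    return reputation


def trusted_ip_list(reputation, degree, edges, iterations=4, keep_ratio=0.8):
    """Run `iterations` rounds of propagation and keep the top `keep_ratio` of
    vertices by final reputation (4 rounds and 80% are the page's preferred
    values). Propagation order is by initial reputation, highest first, which
    reproduces the IP1, IP2, IP3 order of the figures (an assumption)."""
    rep = dict(reputation)
    order = sorted(rep, key=rep.get, reverse=True)
    for _ in range(iterations):
        propagate_once(rep, degree, edges, order)
    ranked = sorted(rep, key=rep.get, reverse=True)
    keep = max(1, int(len(ranked) * keep_ratio))
    return ranked[:keep], rep


# Constructed data reproducing the four-IP figure described in the text.
FIG_REPUTATION = {"IP1": 100.0, "IP2": 10.0, "IP3": 0.0, "IP4": 0.0}
FIG_DEGREE = {"IP1": 100, "IP2": 10, "IP3": 3, "IP4": 0}
FIG_EDGES = {"IP1": {"IP2": 7, "IP3": 3}, "IP2": {"IP1": 7},
             "IP3": {"IP1": 3}, "IP4": {}}


def figure_after_one_iteration():
    """Reputation values after the single iteration walked through in the text."""
    return propagate_once(dict(FIG_REPUTATION), FIG_DEGREE, FIG_EDGES,
                          ["IP1", "IP2", "IP3", "IP4"])


if __name__ == "__main__":
    print(figure_after_one_iteration())   # IP1 114.9, IP2 17.0, IP3 3.0, IP4 0.0
    trusted, final = trusted_ip_list(FIG_REPUTATION, FIG_DEGREE, FIG_EDGES)
    print(trusted, final)                  # ['IP1', 'IP2', 'IP3'] and the final weights
```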
Specifically: obtain all login records of the user's mailbox and, according to the trusted IP list, filter out the login records that match the trusted IP list; from those matching login records, calculate the user's feature vector as the standard user portrait.
It should be noted that a login record also includes the login time, login country, login city, the class C segment of the login IP and the login client ID. From the login records that match the trusted IP list, the user's feature vector is calculated, preferably by the item2vec method, as the standard user portrait.
S102: Obtain, from a preset geographic information database for login IPs, the latitude and longitude of the region corresponding to each login record, where each login record contains one login IP and one login time.
As a preferred solution of this embodiment, after obtaining, from the preset geographic information database for login IPs, the latitude and longitude of the region corresponding to each login record, the method further includes: obtaining all failed login records within a second preset time period and classifying them according to preset brute-force rules into brute-force records and non-brute-force records; if the brute-force records exceed a preset second threshold, marking all login IPs in the brute-force records as a brute-force IP list; and updating the abnormal records according to the login records corresponding to login IPs that match the brute-force IP list.
Preferably, the preset brute-force rules classify all failed login records into four cases. Case a: an attacker may use a small number of IPs to crack the same account with a large number of different passwords, leaving a large number of failure records. Case b: an attacker may use a small number of IPs to try the same password against a large number of different accounts, leaving a large number of failure records. Case c: an attacker may use a small number of IPs to try a large number of different passwords against a large number of different accounts, leaving a large number of failure records. Case d: a normal user may have forgotten to update the password in their mail client after changing the mailbox password, so a single IP keeps trying the same password against the same account and some failure records appear. The preset brute-force rules classify a, b and c as brute-force records and d as a non-brute-force record. When the brute-force records of type a, b or c exceed the second threshold, the IPs corresponding to those records are marked as the brute-force IP list; all login IPs are then checked against that list, and the login records whose IP matches the brute-force IP list are added as new abnormal records, updating the abnormal records obtained in step S104.
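The four-case brute-force rule and the resulting update of the abnormal records, as an added example that is not the patent's own code. It assumes that failed attempts are stored as (ip, account, secret fingerprint) tuples, that "a large number" begins at the assumed count `many`, and that the second threshold is applied to the per-IP count of brute-force failures; the sample records are constructed.

```python
from collections import defaultdict


def classify_failed_logins(failed, many=20):
    """Apply the page's four-case rule per source IP.

    failed: iterable of (ip, account, secret_fingerprint) for failed logins in
    the second preset time period. `secret_fingerprint` stands for whatever
    the mail server keeps to tell attempted passwords apart (a keyed hash,
    say); plaintext attempts are not assumed. `many` is the assumed count at
    which "a large number" of accounts or passwords begins.
    Returns {ip: (case, number_of_failures)} with case in a, b, c, d or None
    (too few distinct accounts/passwords to fit any case).
    """
    accounts, secrets, count = defaultdict(set), defaultdict(set), defaultdict(int)
    for ip, account, fp in failed:
        accounts[ip].add(account)
        secrets[ip].add(fp)
        count[ip] += 1
    result = {}
    for ip in count:
        n_acc, n_pw = len(accounts[ip]), len(secrets[ip])
        if n_acc == 1 and n_pw == 1:
            case = "d"          # one client re-sending one stale password
        elif n_acc == 1 and n_pw >= many:
            case = "a"          # many passwords against one account
        elif n_pw == 1 and n_acc >= many:
            case = "b"          # one password tried over many accounts
        elif n_acc >= many and n_pw >= many:
            case = "c"          # many passwords over many accounts
        else:
            case = None
        result[ip] = (case, count[ip])
    return result


def brute_force_ip_list(classified, second_threshold=20):
    """IPs whose brute-force records (cases a, b, c) exceed the second
    threshold, interpreted here as a per-IP failure count (assumption)."""
    return {ip for ip, (case, n) in classified.items()
            if case in ("a", "b", "c") and n > second_threshold}


def update_abnormal(abnormal, logins, bf_ips):
    """Add every login record whose IP is on the brute-force list to the
    abnormal records obtained in S104 (a record is not added twice)."""
    merged = list(abnormal)
    for rec in logins:
        if rec["ip"] in bf_ips and rec not in merged:
            merged.append(rec)
    return merged


# Constructed sample (documentation-range IPs): one IP hammering one account,
# one IP trying a single password over many accounts, and one office client
# stuck with a stale password after a password change.
FAILED = (
    [("198.51.100.7", "alice", "fp-%d" % i) for i in range(40)]
    + [("198.51.100.8", "user%02d" % i, "fp-common") for i in range(30)]
    + [("203.0.113.10", "bob", "fp-stale")] * 5
)
SUCCESSFUL_LOGINS = [
    {"ip": "203.0.113.10", "account": "bob", "time": 900},
    {"ip": "198.51.100.7", "account": "alice", "time": 2400},
]

if __name__ == "__main__":
    classes = classify_failed_logins(FAILED)
    bf = brute_force_ip_list(classes)
    print(classes)                                   # a, b and d respectively
    print(bf, update_abnormal([], SUCCESSFUL_LOGINS, bf))
```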
S103: According to the login time, sequentially calculate the switching speed between the latitudes and longitudes of the regions corresponding to each pair of adjacent login records, and filter out suspicious login records according to a preset speed threshold.
Specifically, all login records are sorted by login time; for each pair of adjacent login records the switching speed between the coordinates of the corresponding regions is calculated in turn; and every adjacent pair whose switching speed exceeds the preset speed threshold is taken as a pair of suspicious login records.
It should be noted that the preset speed threshold is the maximum plausible travel speed; preferably it is 800 km/h, roughly the cruising speed of a passenger aircraft. If the switching speed between two adjacent login records exceeds the threshold, both records are regarded as suspicious. The switching speed is the ratio of the geographic distance between the two coordinate pairs to the difference between the two login times.
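The switching-speed calculation of S103, written out as an added Python example (not the patent's code). The geographic database is a constructed in-memory table, the login timeline is constructed, and the treatment of two records with identical timestamps is an assumption; the 800 km/h threshold is the value preferred above:

```python
"""Impossible-travel (switching speed) check over geolocated login records.

Added example, not the patent's code. The GeoIP table, the sample timeline and
the handling of zero time gaps are assumptions; the 800 km/h threshold is the
patent's preferred value.
"""
import math
from datetime import datetime, timedelta

EARTH_RADIUS_KM = 6371.0
SPEED_THRESHOLD_KMH = 800.0  # patent's preferred maximum plausible travel speed

# Constructed stand-in for the preset geographic information database (IP -> lat, lon).
GEO_DB = {
    "198.51.100.20": (23.13, 113.26),  # Guangzhou
    "203.0.113.77": (39.90, 116.40),   # Beijing
    "192.0.2.30": (31.23, 121.47),     # Shanghai
}

T0 = datetime(2022, 1, 5, 9, 0, 0)
# Constructed login records: Guangzhou 09:00, Beijing 09:30, Shanghai 12:30.
SAMPLE = [
    {"ip": "198.51.100.20", "time": T0},
    {"ip": "203.0.113.77", "time": T0 + timedelta(minutes=30)},
    {"ip": "192.0.2.30", "time": T0 + timedelta(hours=3, minutes=30)},
]


def haversine_km(p, q):
    """Great-circle distance between two (lat, lon) points given in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*p, *q))
    a = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def switching_speeds(records, geo_db=GEO_DB):
    """Sort by login time and return (prev, cur, distance_km, speed_kmh) per adjacent pair."""
    located = [r for r in records if r["ip"] in geo_db]  # unlocatable IPs cannot be scored
    located.sort(key=lambda r: r["time"])
    out = []
    for prev, cur in zip(located, located[1:]):
        dist = haversine_km(geo_db[prev["ip"]], geo_db[cur["ip"]])
        hours = (cur["time"] - prev["time"]).total_seconds() / 3600.0
        if hours > 0:
            speed = dist / hours
        else:
            # Identical timestamps: any displacement is instantaneous travel.
            speed = math.inf if dist > 0 else 0.0
        out.append((prev, cur, dist, speed))
    return out


def suspicious_login_pairs(records, threshold=SPEED_THRESHOLD_KMH, geo_db=GEO_DB):
    """Adjacent record pairs whose switching speed exceeds the threshold (step S103)."""
    return [(p, c, s) for p, c, _, s in switching_speeds(records, geo_db) if s > threshold]


if __name__ == "__main__":
    for prev, cur, dist, speed in switching_speeds(SAMPLE):
        print(f"{prev['ip']} -> {cur['ip']}: {dist:.0f} km at {speed:.0f} km/h")
    print("suspicious:", [(p["ip"], c["ip"]) for p, c, _ in suspicious_login_pairs(SAMPLE)])
```

GeoIP resolution is coarse: a mobile carrier's gateway or a VPN exit can sit hundreds of kilometres from the user, so a pair flagged here is only suspicious and is still passed through the trusted IP list and user portrait in S104 before it counts as abnormal.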
S104: Cull the suspicious login records according to the trusted IP list and the standard user portrait, and take the suspicious login records remaining after culling as abnormal records.
As a preferred solution of this embodiment, after the suspicious login records remaining after culling are taken as abnormal records, the method further includes: in response to a mailbox login operation by the current user, generating a first login record; judging, according to the trusted IP list and the standard user portrait, whether the first login record is normal; if it is normal, saving the login record; if it is not normal, triggering two-factor authentication so that the current user confirms the login.
It should be noted that the first login record generated in response to the current user's mailbox login operation is the login record of that operation. During the login process the first login record is judged against the current user's trusted IP list and standard user portrait; if it is abnormal, two-factor authentication is triggered. Two-factor authentication methods include, but are not limited to, SMS verification codes and voice-call verification.
As a preferred solution of this embodiment, after generating the first login record in response to the current user's mailbox login operation and judging, according to the trusted IP list and the standard user portrait, whether the first login record is normal, the method further includes: counting the login records generated within a first preset time period, and if that count exceeds a preset first threshold, banning the current user's mailbox.
It should be noted that after each login operation the number of login records generated within the first preset time period is recorded and checked. The first preset time period and the first threshold are both set according to actual requirements. If the number of login records generated within the first preset time period exceeds the first threshold, that is, the mailbox has been logged into many times within that period, the current user's mailbox is banned and may not be used again until the current user recovers and changes the password through two-factor authentication.
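Step S104 and the two online checks described above (two-factor authentication on an abnormal login, a ban when too many logins fall inside the first window), as an added Python example rather than the patent's code. The patent does not define the feature vector, so the portrait used here (a 24-bin login-hour distribution plus the set of client IDs seen from trusted IPs), the match rule, the ten-minute window, the threshold of five and all records are assumptions:

```python
"""Culling suspicious records (S104) and the online login decision with 2FA and rate ban.

Added example, not the patent's code. The patent does not define the feature vector;
the portrait used here, the match rule, the window, the thresholds and the data are
assumptions.
"""
from collections import Counter
from datetime import datetime, timedelta

T0 = datetime(2022, 1, 5, 9, 0, 0)
TRUSTED_IPS = {"198.51.100.20"}  # assumed output of the trusted-IP-list step


def login(ip, client_id, when):
    return {"ip": ip, "client_id": client_id, "time": when}


# Constructed history: office logins from the trusted IP with one mail client.
HISTORY = [login("198.51.100.20", "C-OFFICE-01", T0 + timedelta(hours=h)) for h in (0, 1, 5)]
# Constructed suspicious records (e.g. output of the S103 speed check).
SUSPICIOUS = [
    login("198.51.100.20", "C-OFFICE-01", T0),                     # trusted IP: culled
    login("203.0.113.7", "C-OFFICE-01", T0 + timedelta(hours=1)),  # known client, usual hour: culled
    login("203.0.113.8", "C-UNKNOWN", T0 + timedelta(hours=18)),   # unknown client at 03:00: abnormal
]
# Constructed burst: six logins in six minutes from an unknown client.
RAPID = [login("203.0.113.8", "C-UNKNOWN", T0 + timedelta(minutes=i)) for i in range(6)]


def build_portrait(records, trusted_ips):
    """Feature vector computed from trusted-IP logins only (assumed shape)."""
    trusted = [r for r in records if r["ip"] in trusted_ips]
    hours = Counter(r["time"].hour for r in trusted)
    n = max(len(trusted), 1)
    return {"hour_dist": [hours[h] / n for h in range(24)],
            "client_ids": {r["client_id"] for r in trusted}}


def matches_portrait(record, portrait, min_hour_prob=0.05):
    """A record fits the user's habits if the client is known and the hour is usual."""
    return (record["client_id"] in portrait["client_ids"]
            and portrait["hour_dist"][record["time"].hour] >= min_hour_prob)


def cull_suspicious(suspicious, trusted_ips, portrait):
    """S104: drop suspicious records explained by trusted IPs or habits; the rest are abnormal."""
    return [r for r in suspicious
            if r["ip"] not in trusted_ips and not matches_portrait(r, portrait)]


class LoginGuard:
    """Online check of each new login (the 'first login record') for one mailbox."""

    def __init__(self, trusted_ips, portrait, window=timedelta(minutes=10), first_threshold=5):
        self.trusted_ips, self.portrait = trusted_ips, portrait
        self.window, self.first_threshold = window, first_threshold
        self.records = []
        self.banned = False

    def on_login(self, record):
        """Return 'saved', 'require_2fa' or 'banned' for this login attempt."""
        if self.banned:
            return "banned"
        self.records.append(record)
        if record["ip"] in self.trusted_ips or matches_portrait(record, self.portrait):
            verdict = "saved"
        else:
            verdict = "require_2fa"  # user must confirm via SMS or voice code
        recent = [r for r in self.records if record["time"] - r["time"] <= self.window]
        if len(recent) > self.first_threshold:
            self.banned = True  # too many logins inside the first window: lock the mailbox
            return "banned"
        return verdict

    def unban_after_password_reset(self):
        """Called once the user has recovered and changed the password through 2FA."""
        self.banned = False
        self.records.clear()


if __name__ == "__main__":
    portrait = build_portrait(HISTORY, TRUSTED_IPS)
    print("abnormal:", [r["ip"] for r in cull_suspicious(SUSPICIOUS, TRUSTED_IPS, portrait)])
    guard = LoginGuard(TRUSTED_IPS, portrait)
    print([guard.on_login(r) for r in RAPID])
```

The ban counts every login record in the window, successful or not, because the patent bans on the number of records generated rather than on failures; a burst of successful logins from a compromised session therefore also trips it.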
Implementing this embodiment of the invention has the following effects:
This embodiment obtains all login records of the user's mailbox, establishes a trusted IP list and a standard user portrait from the normal emails preset in the mailbox, and iteratively refines the trusted IP list by means of a reputation propagation graph, which improves the accuracy and credibility of the trusted IP list and detects mailbox login anomalies from the user's own mailbox usage habits, improving detection accuracy. The switching speed between the regions of adjacent login records is calculated to screen out suspicious login records, which are then culled, improving both the user's mailbox experience and the accuracy of login anomaly detection.
Embodiment 2
Correspondingly, referring to FIG. 6, the present invention further provides an apparatus for detecting mailbox login anomalies, including a list and portrait module 201, a regional location module 202, a suspicious login module 203 and an abnormal record module 204.
The list and portrait module 201 is configured to obtain all login records of the user's mailbox and to establish a trusted IP list and a standard user portrait according to the normal emails preset in the user's mailbox.
As a preferred solution of this embodiment, obtaining all login records of the user's mailbox and establishing a trusted IP list and a standard user portrait according to the normal emails preset in the user's mailbox specifically includes:
Obtaining, for the IP of each preset normal email in the user's mailbox, the number of unique senders; taking the IPs whose number of unique senders exceeds a third threshold as trusted IP seeds; and taking the client IDs of all emails sent from the trusted IPs as a trusted ID list, where each login record also contains a client ID. According to the trusted IP seeds and the trusted ID list, each trusted IP seed is taken as a vertex whose weight is the number of unique senders corresponding to that seed, so as to construct a reputation propagation graph. The graph is iteratively grown and propagated until the number of iterations reaches a preset value; the weight of each vertex after iteration is obtained, and the trusted IP list is derived from those weights. The standard user portrait is then calculated from the trusted IP list.
As a preferred solution of this embodiment, calculating the standard user portrait from the trusted IP list specifically includes:
Obtaining all login records of the user's mailbox, filtering out the login records whose login IP is in the trusted IP list, and calculating the user's feature vector from those records as the standard user portrait.
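The seed selection, trusted ID list and reputation propagation graph described above, as an added Python example rather than the patent's code. The patent specifies the seed rule, the initial vertex weights and a fixed iteration count but not how the graph grows or how weight moves between vertices; the growth rule used here (a login IP that presents a trusted client ID becomes a vertex, and two vertices are joined when they share a trusted client ID), the damped weight-sharing update, the cut-off on the final weight and the sample mails and logins are assumptions:

```python
"""Trusted IP seeds, trusted client-ID list and reputation propagation graph.

Added example, not the patent's code. Growth rule, propagation update, cut-off
and all data are assumptions; seed rule, initial weights and fixed iteration
count follow the patent text.
"""
from collections import defaultdict


def mail(ip, sender, client_id):
    return {"ip": ip, "sender": sender, "client_id": client_id}


# Constructed "normal mails" (sending IP, sender address, client ID) and login records.
NORMAL_MAILS = (
    [mail("198.51.100.20", f"s{i}@corp.example", "C-OFFICE-01") for i in range(4)]
    + [mail("198.51.100.21", f"t{i}@corp.example", "C-OFFICE-02") for i in range(3)]
    + [mail("203.0.113.40", "lone@example.net", "C-OFFICE-01")]  # one sender: no seed
)
LOGIN_RECORDS = [
    {"ip": "198.51.100.20", "client_id": "C-OFFICE-01"},
    {"ip": "192.0.2.30", "client_id": "C-OFFICE-01"},   # same mail client used from home
    {"ip": "203.0.113.99", "client_id": "C-ATTACKER"},  # unknown client: never joins graph
]


def trusted_ip_seeds(normal_mails, third_threshold):
    """{ip: unique sender count} for IPs whose unique senders exceed the third threshold."""
    senders = defaultdict(set)
    for m in normal_mails:
        senders[m["ip"]].add(m["sender"])
    return {ip: len(s) for ip, s in senders.items() if len(s) > third_threshold}


def trusted_client_ids(normal_mails, seeds):
    """Client IDs of all mails sent from a trusted IP seed."""
    return {m["client_id"] for m in normal_mails if m["ip"] in seeds}


def build_reputation_graph(normal_mails, login_records, seeds, trusted_ids):
    """Vertices: seeds plus login IPs presenting a trusted client ID (assumed growth rule).
    Edge between two vertices that share a trusted client ID. Returns (adjacency, weights)."""
    ids_of = defaultdict(set)
    for m in normal_mails:
        if m["ip"] in seeds:
            ids_of[m["ip"]].add(m["client_id"])
    for r in login_records:
        if r["client_id"] in trusted_ids:
            ids_of[r["ip"]].add(r["client_id"])
    adj = {ip: set() for ip in ids_of}
    ips = list(ids_of)
    for i, a in enumerate(ips):
        for b in ips[i + 1:]:
            if ids_of[a] & ids_of[b]:
                adj[a].add(b)
                adj[b].add(a)
    weights = {ip: float(seeds.get(ip, 0)) for ip in ips}  # seed weight = unique senders
    return adj, weights


def propagate(adj, weights, iterations, damping=0.5):
    """w_v <- seed_v + damping * sum over neighbours u of w_u / deg(u), repeated N times."""
    seed = dict(weights)
    w = dict(weights)
    for _ in range(iterations):
        w = {v: seed[v] + damping * sum(w[u] / len(adj[u]) for u in adj[v]) for v in w}
    return w


def trusted_ip_list(weights, cutoff):
    """Vertices whose propagated weight reaches the cut-off."""
    return {ip for ip, w in weights.items() if w >= cutoff}


if __name__ == "__main__":
    seeds = trusted_ip_seeds(NORMAL_MAILS, third_threshold=2)
    ids = trusted_client_ids(NORMAL_MAILS, seeds)
    adj, w0 = build_reputation_graph(NORMAL_MAILS, LOGIN_RECORDS, seeds, ids)
    w = propagate(adj, w0, iterations=3)
    print(seeds, ids, w, trusted_ip_list(w, cutoff=2.0), sep="\n")
```

Because a non-seed IP gains weight only through a trusted client ID, an attacker logging in from a new IP with an unknown client never enters the graph; an attacker who has stolen both the credentials and the client ID, however, inherits the seed's reputation, so the client ID should be a device-bound value rather than a user-editable string.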
The regional location module 202 is configured to obtain the latitude and longitude of the region corresponding to each login record from the preset geographic information database keyed by login IP, where each login record contains a login IP and a login time.
As a preferred solution of this embodiment, after obtaining the latitude and longitude of the region corresponding to each login record from the preset geographic information database keyed by login IP, the apparatus further performs:
Obtaining all failed login records within a second preset time period; classifying those failed login records according to preset brute-force rules into brute-force records and non-brute-force records; if the brute-force records exceed a preset second threshold, marking all login IPs appearing in the brute-force records as a brute-force IP list; and updating the abnormal records with the login records whose login IP matches the brute-force IP list.
The suspicious login module 203 is configured to sequentially calculate, according to the login time, the switching speed between the latitudes and longitudes of the regions corresponding to each pair of adjacent login records, and to filter out suspicious login records according to a preset speed threshold.
As a preferred solution of this embodiment, sequentially calculating, according to the login time, the switching speed between the latitudes and longitudes of the regions corresponding to each pair of adjacent login records and filtering out suspicious login records according to a preset speed threshold specifically includes:
Sorting all login records by login time; calculating in turn the switching speed between the coordinates of the regions corresponding to each pair of adjacent login records; and taking every adjacent pair whose switching speed exceeds the preset speed threshold as a pair of suspicious login records.
The abnormal record module 204 is configured to cull the suspicious login records according to the trusted IP list and the standard user portrait and to take the suspicious login records remaining after culling as abnormal records.
As a preferred solution of this embodiment, after the suspicious login records remaining after culling are taken as abnormal records, the apparatus further performs:
In response to a mailbox login operation by the current user, generating a first login record, and judging, according to the trusted IP list and the standard user portrait, whether the first login record is normal; if it is normal, saving the login record; if it is not normal, triggering two-factor authentication so that the current user confirms the login.
As a preferred solution of this embodiment, after generating the first login record in response to the current user's mailbox login operation and judging, according to the trusted IP list and the standard user portrait, whether the first login record is normal, the apparatus further performs:
Counting the login records generated within a first preset time period, and if that count exceeds a preset first threshold, banning the current user's mailbox.
Those skilled in the art will appreciate that, for convenience and brevity of description, the specific working process of the apparatus described above may refer to the corresponding process in the foregoing method embodiment and is not repeated here.
Implementing the above embodiment has the following effects:
This embodiment obtains all login records of the user's mailbox, establishes a trusted IP list and a standard user portrait from the normal emails preset in the mailbox, and iteratively refines the trusted IP list by means of a reputation propagation graph, which improves the accuracy and credibility of the trusted IP list and detects mailbox login anomalies from the user's own mailbox usage habits, improving detection accuracy. The switching speed between the regions of adjacent login records is calculated to screen out suspicious login records, which are then culled; the current user's login operations are checked, and two-factor authentication is triggered only when a suspicious login record appears, avoiding the prior-art practice of requiring two-factor authentication on every login and the degraded user experience that entails.
Embodiment 3
An embodiment of the present invention further provides a terminal device that includes a processor, a memory, and a computer program stored in the memory and configured to be executed by the processor, where the processor, when executing the computer program, implements the mailbox login anomaly detection method described in any of the above embodiments.
Preferably, the computer program may be divided into one or more modules/units that are stored in the memory and executed by the processor to complete the invention. The one or more modules/units may be a series of computer program instruction segments capable of performing specific functions, the instruction segments being used to describe the execution process of the computer program in the terminal device.
The processor may be a central processing unit (CPU), another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, and so on. A general-purpose processor may be a microprocessor or any conventional processor. The processor is the control center of the terminal device and connects its various parts through various interfaces and lines.
The memory mainly includes a program storage area and a data storage area. The program storage area may store an operating system and the application programs required for at least one function; the data storage area may store related data. The memory may be high-speed random access memory or non-volatile memory such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) card or a flash card, or it may be another volatile solid-state storage device.
It should be noted that the terminal device may include, but is not limited to, a processor and a memory. Those skilled in the art will understand that the above terminal device is merely an example and does not limit the terminal device, which may include more or fewer components, a combination of certain components, or different components.
Embodiment 4
An embodiment of the present invention further provides a computer-readable storage medium that stores a computer program, where the computer program, when run, controls the device on which the computer-readable storage medium is located to perform the mailbox login anomaly detection method described in any of the above embodiments.
The specific embodiments described above further explain in detail the objectives, technical solutions and beneficial effects of the present invention. It should be understood that the above are only specific embodiments of the present invention and are not intended to limit its scope of protection. In particular, any modification, equivalent replacement or improvement made by those skilled in the art within the spirit and principles of the present invention shall fall within the scope of protection of the present invention.
Priority Applications (1)

| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202210013302.7A (CN114465977B) | 2022-01-05 | 2022-01-05 | Mailbox login abnormality detection method, device, equipment and storage medium |
Publications (2)

| Publication Number | Publication Date |
|---|---|
| CN114465977A | 2022-05-10 |
| CN114465977B | 2024-07-16 |
Family

ID=81409958

Family Applications (1)

| Application Number | Title | Priority Date | Filing Date | Status |
|---|---|---|---|---|
| CN202210013302.7A (CN114465977B) | Mailbox login abnormality detection method, device, equipment and storage medium | 2022-01-05 | 2022-01-05 | Active |

Country Status: CN (CN114465977B)
Cited By (1)

| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN118611984A | 2024-08-06 | 2024-09-06 | 浙江无界矩阵科技有限责任公司 | A vehicle network security terminal threat intrusion detection system |
Legal Events

| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |
| | GR01 | Patent grant | |