CN114726603A - Mail detection method and device - Google Patents
Publication number: CN114726603A (application number CN202210326753.6A)
Authority: CN (China)
Legal status: Granted (the status shown is Google Patents' assumption and not a legal conclusion; Google has not performed a legal analysis)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
Abstract
An embodiment of the invention provides a mail detection method and device in the technical field of information security. The method comprises: when a sensitive information detection policy is updated, acquiring historical mails within a preset range; detecting whether the historical mails hit the updated sensitive information detection policy; marking the historical mails that hit the updated policy as abnormal mails; and displaying the mail information of the abnormal mails. The technical scheme addresses a problem of the prior art: when the sensitive information detection policy is updated, historical mails that passed the original policy may still carry a risk of information leakage.
Description
Technical Field
The invention relates to the technical field of information security, in particular to a mail detection method and device.
Background
E-mail is a commonly used electronic communication mode through which users can exchange information economically and quickly.
With the arrival of the information age, information security receives more and more attention. Users who communicate by e-mail do not want their sensitive information disclosed; for enterprises in particular, information disclosure may seriously affect information security, so sensitive information detection technologies (such as data leakage prevention, DLP) have been developed. Such a technology inspects mails as they are sent and blocks mails containing sensitive information so that they are not sent out and do not cause information leakage.
However, the sensitive information detection policy may be updated according to changing user requirements. Historical mails that passed the previous policy may then carry a risk of information leakage under the new policy, which affects information security.
Disclosure of Invention
An embodiment of the invention provides a mail detection method and a mail detection device to address the following problem of the prior art: when the sensitive information detection policy is updated, historical mails that passed the original policy may still carry a risk of information leakage.
In a first aspect, an embodiment of the invention provides a mail detection method, including:
acquiring historical mails within a preset range when a sensitive information detection policy is updated;
detecting whether the historical mails hit the updated sensitive information detection policy;
marking the historical mails that hit the updated sensitive information detection policy as abnormal mails;
and displaying the mail information of the abnormal mails.
In a second aspect, an embodiment of the invention further provides a mail detection device, including:
an acquisition module for acquiring historical mails within a preset range when the sensitive information detection policy is updated;
a detection module for detecting whether the historical mails hit the updated sensitive information detection policy;
a marking module for marking the historical mails that hit the updated sensitive information detection policy as abnormal mails;
and a display module for displaying the mail information of the abnormal mails.
In a third aspect, an embodiment of the present invention further provides an electronic device, which includes a processor and a memory, where the memory stores a program or instructions that are executable on the processor, and when the program or instructions are executed by the processor, the steps of the mail detection method according to the first aspect are implemented.
In a fourth aspect, the embodiment of the present invention further provides a computer-readable storage medium, on which a program or instructions are stored, and when the program or instructions are executed by a processor, the program or instructions implement the steps in the mail detection method according to the first aspect.
In this embodiment, when the sensitive information detection policy is updated, the historical mails are re-detected against the updated policy, the mails that may contain sensitive information are screened out, and the information of the mails hitting the updated policy is displayed for the user to review, so that the user can take handling measures for those mails and the risk of further information leakage is reduced.
Drawings
FIG. 1 is a flowchart illustrating steps of a mail detection method according to an embodiment of the present invention;
FIG. 2 is a schematic block diagram of a system provided by an embodiment of the present invention;
FIG. 3 is one of the flow diagrams provided by the embodiments of the present invention;
FIG. 4 is a second schematic flow chart provided by the embodiment of the present invention;
FIG. 5 is a third schematic flow chart provided by the embodiment of the present invention;
FIG. 6 is a fourth schematic flow chart provided by the embodiment of the present invention;
FIG. 7 is a system topology diagram provided by an embodiment of the present invention;
FIG. 8 is a schematic diagram of a system device deployment provided by an embodiment of the present invention;
FIG. 9 is a block diagram of an apparatus for detecting mail according to an embodiment of the present invention;
FIG. 10 is a block diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It should be appreciated that reference throughout this specification to "one embodiment" or "an embodiment" means that a particular feature, structure or characteristic described in connection with the embodiment is included in at least one embodiment of the present invention. Thus, the appearances of the phrases "in one embodiment" or "in an embodiment" in various places throughout this specification are not necessarily all referring to the same embodiment. Furthermore, the particular features, structures, or characteristics may be combined in any suitable manner in one or more embodiments.
In various embodiments of the present invention, it should be understood that the sequence numbers of the following processes do not mean the execution sequence, and the execution sequence of each process should be determined by its function and inherent logic, and should not constitute any limitation to the implementation process of the embodiments of the present invention.
The embodiment of the invention provides a mail detection method, which can be applied to an information security system, in particular to a Data Leakage Prevention (DLP) system based on mail scanning.
As shown in fig. 1, the method may include the steps of:
Step 101: when the sensitive information detection policy is updated, acquire the historical mails within a preset range.
When the policy is updated, some historical mails are quite likely to carry an information leakage risk under the new policy, so in this embodiment the historical mails are acquired so that they can be re-detected against the new policy.
The acquisition range of the historical mails may be preset as a time range, an organizational structure range, a combination of the two, and so on; the preset range may therefore include, without limitation, at least one of a preset time range (referred to below as the second preset time range) and a preset organizational structure range. For example, the mails in the preset range may be those generated between 1 October 2021 and 31 December 2021, those of company xx or of department yy of company xx, or those of company xx (or of department yy of company xx) generated between 1 October 2021 and 31 December 2021.
Optionally, the historical mails may be sent mails, received mails, or both. Since the aim of this embodiment is to reduce the risk of information leakage, and sent mails are the ones that leak information, sent mails are preferred. However, sent mails may have been deleted, whereas received mails contain the content of both directions of a conversation, so received mails may also be included to avoid omissions.
Step 102: detect whether the historical mails hit the updated sensitive information detection policy.
After the historical mails in the preset range are obtained, they are detected against the updated policy, and the mails that may contain sensitive information are screened out.
Step 103: mark the historical mails that hit the updated sensitive information detection policy as abnormal mails.
A historical mail that hits the updated policy most likely contains sensitive information that should not be disclosed, that is, it most likely carries a leakage risk, so it is marked as an abnormal mail for special handling by the user.
Step 104: display the mail information of the abnormal mails.
After a historical mail that may contain sensitive information is marked as abnormal, its mail information is displayed for the user to review, so that the user can decide whether further handling is needed. For example, if the mail is a sent mail and the user confirms on review that it contains sensitive information that should not be disclosed, the recipient can be asked to delete the mail and keep its content confidential, which reduces the risk of further leakage. Specifically, the mail information of the abnormal mail may be displayed by the terminal device of the information detection system.
Optionally, since sent mails are the ones that leak information, detection may focus on the content sent by senders at the local end, whether the historical mail is a sent or a received mail, to reduce the amount of data processed. For example, when the historical mails of department yy of company xx are detected, mainly the content of the mails sent by the staff of department yy is detected.
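Steps 101 to 104 in working form, as an added example written for this page (not the patent's implementation): mails inside the preset time, organizational and direction range are re-detected against the updated policy, hits are marked abnormal, and a display line is produced for each. The mail records, the two policy versions, and the convention that the organizational unit is the sender's mail domain are constructed assumptions. The report also lists which rules the old policy lacked, which is the practical answer to "why is a mail that was released last quarter flagged now".

```python
"""Re-scan historical mails against an updated DLP policy (steps 101-104).

Illustrative code written for this page; not the patent's implementation.
Mail records, policies and the org-unit convention are constructed assumptions.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Mail:
    sid: str                 # unique mail identifier (the description's SID)
    sent_at: datetime
    sender: str
    subject: str
    body: str
    direction: str           # "sent" or "received", relative to the local organisation


@dataclass
class Policy:
    version: int
    rules: Dict[str, re.Pattern]   # rule name -> compiled regex


def compile_policy(version: int, patterns: Dict[str, str]) -> Policy:
    return Policy(version, {name: re.compile(p) for name, p in patterns.items()})


@dataclass
class ScanRange:
    start: datetime                          # second preset time range, [start, end)
    end: datetime
    org_units: Optional[Set[str]] = None     # assumption: org unit == sender's mail domain
    directions: Tuple[str, ...] = ("sent",)  # sent mails are the preferred target


def in_range(mail: Mail, rng: ScanRange) -> bool:
    """Apply the preset time, organisational and direction filters."""
    if not (rng.start <= mail.sent_at < rng.end):
        return False
    if mail.direction not in rng.directions:
        return False
    if rng.org_units is not None and mail.sender.split("@", 1)[1] not in rng.org_units:
        return False
    return True


def policy_hits(mail: Mail, policy: Policy) -> List[str]:
    """Names of the rules matching subject or body, sorted for stable output."""
    text = f"{mail.subject}\n{mail.body}"
    return sorted(name for name, rx in policy.rules.items() if rx.search(text))


def backtrack(mails: List[Mail], old: Policy, new: Policy, rng: ScanRange) -> List[dict]:
    """Steps 101-103: select mails in range, detect against the new policy and mark hits
    as abnormal. 'newly_caught' lists the rules the old policy did not have."""
    abnormal = []
    for m in mails:
        if not in_range(m, rng):
            continue
        hits = policy_hits(m, new)
        if not hits:
            continue
        old_hits = set(policy_hits(m, old))
        abnormal.append({
            "sid": m.sid, "sender": m.sender, "subject": m.subject,
            "sent_at": m.sent_at.isoformat(), "hits": hits,
            "newly_caught": [r for r in hits if r not in old_hits],
            "policy_version": new.version,
        })
    return abnormal


def render(abnormal: List[dict]) -> List[str]:
    """Step 104: one display line per abnormal mail."""
    return [f"{a['sid']} {a['sent_at']} {a['sender']} '{a['subject']}' "
            f"hits={','.join(a['hits'])} new={','.join(a['newly_caught']) or '-'} "
            f"policy=v{a['policy_version']}" for a in abnormal]


# Constructed sample policies: the update adds two rules.
OLD_POLICY = compile_policy(1, {"card_number": r"(?<!\d)\d{16}(?!\d)"})
NEW_POLICY = compile_policy(2, {
    "card_number": r"(?<!\d)\d{16}(?!\d)",
    "id_number": r"(?<!\d)\d{18}(?!\d)",      # added in the update
    "project_code": r"\bPROJ-\d{4}\b",        # added in the update
})

# Constructed sample mails.
SAMPLE_MAILS = [
    Mail("m1", datetime(2021, 10, 5, 9, 30), "alice@finance.xx.example",
         "Q4 budget", "Figures for PROJ-1234 attached.", "sent"),
    Mail("m2", datetime(2021, 9, 20, 14, 0), "alice@finance.xx.example",
         "Old plan", "PROJ-9999 is cancelled.", "sent"),             # before the range
    Mail("m3", datetime(2021, 11, 1, 8, 0), "vendor@outside.example",
         "Onboarding", "Applicant ID 110101199001011234.", "received"),
    Mail("m4", datetime(2021, 12, 1, 16, 45), "bob@hr.xx.example",
         "New hire", "Employee ID 110101199001011234.", "sent"),     # other org unit
    Mail("m5", datetime(2021, 11, 15, 12, 0), "alice@finance.xx.example",
         "Lunch", "Noon?", "sent"),
]


def backtrack_sample(org_units: Optional[Set[str]] = None,
                     directions: Tuple[str, ...] = ("sent",)) -> List[dict]:
    """Run the rescan over the sample data for 1 Oct 2021 to 31 Dec 2021."""
    rng = ScanRange(datetime(2021, 10, 1), datetime(2022, 1, 1), org_units, directions)
    return backtrack(SAMPLE_MAILS, OLD_POLICY, NEW_POLICY, rng)


if __name__ == "__main__":
    for line in render(backtrack_sample({"finance.xx.example"})):
        print(line)
```

With the organizational filter set to the finance unit and only sent mails in scope, just m1 is reported; widening the range to both directions and all units adds m3 and m4, which shows why the text treats the received-mail option as a trade-off between coverage and processing volume.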
As an alternative embodiment, the information detection system may further include a management platform and a file parsing platform. The management platform provides the sensitive information detection policy and manages the backtracking tasks of the historical mails (that is, the detection tasks of the historical mails). The file parsing platform parses the historical mails and reports the mail information of those that hit the sensitive policy to the management platform.
As shown in fig. 2, the management platform manages the backtracking task: a system initialization module in the platform initializes the system parameters, the worker threads and a thread pool in preparation for mail backtracking. While a backtracking task runs, the management platform queries the historical mail information and adds the results to a blocking queue of files to be parsed.
The management platform also sends the sensitive information detection policy to the file parsing platform, which returns a receipt identifier to the management platform after receiving it.
Through its interface with the management platform, the file parsing platform takes a backtracking task thread from the thread pool and runs it: it starts a scanning (detection) thread, takes mail information from the blocking queue, parses it, detects it against the sensitive information detection policy and reports the result to the management platform. The purpose of parsing is to convert different file types into one common format for later processing, for example extracting the content of docx, pptx and similar files into a text file.
When the management platform and the file parsing platform are deployed on different devices, the interface between them may be an HTTP interface or another available interface type.
The management platform also manages, in the background, a visual interface on the terminal device of the information detection system. The interface can display policy configuration information, backtracking task information, mail scanning results and so on; the terminal device and the management platform are connected by a communication link.
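The producer/consumer split described above, as an added example written for this page rather than code from the patent: the management side enqueues query results into a bounded blocking queue, scan workers on the parsing side normalise each attachment to plain text and apply the policy, and results flow back through a second queue. The minimal docx/pptx containers, the two policy rules, the size limit and the queue sizes are constructed assumptions. Because the parsing platform handles attacker-controlled files, the worker rejects oversized input and reports a broken container instead of dying, so one bad file cannot stall the queue.

```python
"""Management platform / file parsing platform split with a bounded blocking queue.

Illustrative code for this page, not the patent's implementation. The in-memory docx/pptx
fixtures, the policy rules, the size limit and the queue sizes are constructed assumptions;
the parsers handle only the text runs needed for the demo.
"""
import io
import queue
import re
import threading
import zipfile
from typing import List, Optional, Tuple

Item = Tuple[str, str, bytes]   # (sid, attachment name, attachment bytes)

# Sensitive information detection policy as pushed from the management platform (assumed rules).
POLICY = {
    "project_code": re.compile(r"\bPROJ-\d{4}\b"),
    "id_number": re.compile(r"(?<!\d)\d{18}(?!\d)"),
}

MAX_BYTES = 5 * 1024 * 1024   # refuse oversized attachments before parsing (assumed limit)


def _xml_text(xml: str, tag: str) -> str:
    """Concatenate the text runs of one tag (<w:t> for docx, <a:t> for pptx)."""
    return " ".join(re.findall(rf"<{tag}[^>]*>(.*?)</{tag}>", xml, re.S))


def normalise(name: str, data: bytes) -> Optional[str]:
    """Convert an attachment into plain text (the 'same format' of the description).
    Returns None for file types the parser does not know."""
    lower = name.lower()
    if lower.endswith(".txt"):
        return data.decode("utf-8", errors="replace")
    if lower.endswith((".docx", ".pptx")):
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            if lower.endswith(".docx"):
                return _xml_text(z.read("word/document.xml").decode("utf-8"), "w:t")
            slides = sorted(n for n in z.namelist() if re.fullmatch(r"ppt/slides/slide\d+\.xml", n))
            return " ".join(_xml_text(z.read(n).decode("utf-8"), "a:t") for n in slides)
    return None


def scan_worker(todo: queue.Queue, done: queue.Queue) -> None:
    """File parsing platform side: take work from the blocking queue, normalise, detect, report."""
    while True:
        item = todo.get()
        if item is None:              # sentinel: no more work
            todo.task_done()
            break
        sid, name, data = item
        try:
            if len(data) > MAX_BYTES:
                done.put((sid, "rejected", []))
            else:
                text = normalise(name, data)
                if text is None:
                    done.put((sid, "unparsed", []))
                else:
                    hits = sorted(r for r, rx in POLICY.items() if rx.search(text))
                    done.put((sid, "scanned", hits))
        except Exception as exc:      # a broken file must not kill the worker
            done.put((sid, f"parse_error: {type(exc).__name__}", []))
        finally:
            todo.task_done()


def run_backtrack(items: List[Item], workers: int = 2, maxsize: int = 2) -> dict:
    """Management platform side: enqueue the query results and collect the reports."""
    todo: queue.Queue = queue.Queue(maxsize=maxsize)   # bounded: producer blocks when parsers lag
    done: queue.Queue = queue.Queue()
    threads = [threading.Thread(target=scan_worker, args=(todo, done), daemon=True)
               for _ in range(workers)]
    for t in threads:
        t.start()
    for item in items:
        todo.put(item)                 # blocks while the queue is full
    for _ in threads:
        todo.put(None)
    for t in threads:
        t.join()
    report = {"hits": {}, "unparsed": [], "errors": {}}
    while not done.empty():
        sid, status, hits = done.get()
        if status == "scanned":
            if hits:
                report["hits"][sid] = hits
        elif status == "unparsed":
            report["unparsed"].append(sid)
        else:
            report["errors"][sid] = status
    report["unparsed"].sort()
    return report


def office_file(member: str, xml: str) -> bytes:
    """Build a minimal in-memory OOXML container (constructed fixture, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(member, xml)
    return buf.getvalue()


SAMPLE_ITEMS: List[Item] = [   # constructed sample attachments
    ("s1", "budget.docx", office_file("word/document.xml",
                                      "<w:document><w:p><w:t>Costs for PROJ-1234</w:t></w:p></w:document>")),
    ("s2", "deck.pptx", office_file("ppt/slides/slide1.xml",
                                    "<p:sld><a:t>ID 110101199001011234</a:t></p:sld>")),
    ("s3", "note.txt", b"lunch at noon"),
    ("s4", "blob.bin", b"\x00\x01"),        # unknown type: reported as unparsed
    ("s5", "broken.docx", b"not a zip"),     # corrupt container: reported as an error
]

if __name__ == "__main__":
    print(run_backtrack(SAMPLE_ITEMS))
```

In a deployment the workers would run in a separate process or container from the management platform, since the archive contents are untrusted input to the parsers; the bounded queue is what lets the management side apply the hardware limits described later without losing items.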
As an alternative embodiment, step 101 (acquiring the historical mails within a preset range when the sensitive information detection policy is updated) may include:
Step A1: display prompt information when the sensitive information detection policy is updated.
Specifically, the prompt may be displayed by the terminal device of the information detection system for the user to view.
The prompt indicates that the sensitive information detection policy has been updated and may further state which information changed; it may also ask the user whether to start a detection task for the historical mails.
Step A2: receive a start instruction entered by the user in response to the prompt, and acquire the historical mails within the preset range according to the start instruction.
The start instruction starts a detection task for the historical mails based on the updated sensitive information detection policy.
As shown in fig. 3, the user may start or close the backtracking task of the historical mails through the management platform.
Optionally, user permissions may be set for the start and close operations of the backtracking task, so that an operation is executed only when the user holds the corresponding permission; otherwise a page prompt is returned reminding the user that the permission is missing. The permission check ("whether authorized" in the figure) may be based on biometric information (such as fingerprint, voice, face or iris), password information, or a combination of both.
Optionally, after the detection task is started, page notification information may be fed back to the terminal device to inform the user of the task state of the file collection process (that is, the state of the historical mail detection task).
Alternatively, the user may enter the start instruction through the terminal device of the information detection system: a control page of the system is shown on the device's screen, and triggering a control button on that page starts the detection task.
Optionally, updating the sensitive information detection policy may include adding a new policy, modifying the content of an existing policy, and so on.
Steps A1 and A2 may be implemented by the management platform.
As an optional embodiment, as shown in fig. 3, besides starting or closing the backtracking task the user may also configure it: the mail scanning range (the preset range), the scanning policy (the sensitive information detection policy), the task execution period, advanced options (such as upper limits on Central Processing Unit (CPU) usage, hard disk occupancy and memory occupancy), hardware resource limiting conditions (such as monitoring of CPU, hard disk, memory and other hardware information) and backup scanning settings (the root directory of the backup mails). The settings are saved to the management platform database (e.g. a Platform database); once the backtracking task is started they are also written to redis for use while the task runs.
After configuration, the user may add, modify or delete backtracking settings as required. Editing may likewise be restricted by user permission, so that only authorized users can change the settings; the permission check ("whether authorized" in the figure) may again be based on biometric information (such as fingerprint, voice, face or iris), password information, or a combination of both.
Optionally, step 101 may include: acquiring the historical mails within the preset range when the sensitive information detection policy is updated and a preset acquisition condition is met.
The preset acquisition condition may include at least one of: the current time lies within a first preset time range (the task execution period); the number of mail detection tasks currently running has not reached a preset number; and preset hardware information meets preset conditions.
Execution conditions are set for the historical mail detection task so that it runs well and interferes as little as possible with other processing, such as the detection of real-time mail.
For example, the number of detection tasks is limited: once the number of running detection tasks reaches the preset number, a further task is not started, to avoid excessive processor load. As shown in fig. 4, the user triggers a task start instruction on the control page displayed by the terminal device, that is, the terminal device receives the instruction. The terminal device then checks whether the number of detection tasks already started is greater than or equal to the preset number (e.g. 3). If so, the start instruction is not acted on and the reason for the failure may be displayed; if not, the start instruction is sent to the management platform. Started (currently running) detection tasks include, without limitation, at least one of historical mail detection tasks and real-time mail detection tasks.
As shown in fig. 5, on receiving an instruction the management platform parses it, determines its content and changes the task state accordingly: a start instruction moves the task from the closed state to the started state, and a close instruction moves it from the started state back to the closed state. After the state is updated, the management platform checks it and updates the related information for the current state.
As another example, the task execution time is limited by setting the task execution period shown in fig. 3 to a period in which the system is relatively idle, for example from 10 pm to 5 am the next day, so that the system load is not increased. As shown in fig. 5, after the local scanning task is started it is first checked whether the current time falls within the preset execution period; if not, the check is repeated, and if so, the subsequent steps run. The specific time range can be set according to actual conditions.
As a further example, hardware information such as CPU usage, hard disk occupancy and memory occupancy is limited, which corresponds to the hardware resource limiting conditions and advanced options in fig. 3. As shown in fig. 5, while the archived mail query results are being polled it is checked whether any limit set in the advanced options has been exceeded; if so, the subsequent steps are not executed, and if not, they are.
"The preset hardware information meets the preset conditions" may include at least one of: the CPU usage is at or below a first preset value, the hard disk occupancy is at or below a second preset value, and the memory occupancy is at or below a third preset value. The three values may be set according to actual requirements and are not limited in this embodiment.
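The acquisition conditions and the task state changes above, as an added example written for this page and not code from the patent. The gate evaluates every condition and reports each failed one, so the terminal can show the reason for a refused start; the execution window is handled as a half-open interval that may cross midnight, which is exactly the 10 pm to 5 am case and the one a naive `start <= now < end` comparison gets wrong. The limit values and the state names (closed, started, abnormal_stop) are assumptions chosen to match the description.

```python
"""Execution gate and state handling for a historical-mail detection task.

Illustrative code for this page, not the patent's implementation; the limits and the state
names are assumptions chosen to match the description (closed/started, abnormal stop).
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import List, Tuple


@dataclass(frozen=True)
class Limits:
    window_start: time   # task execution period (first preset time range)
    window_end: time
    max_tasks: int       # preset number of concurrently running detection tasks
    cpu_max: float       # first preset value  (fraction, 0..1)
    disk_max: float      # second preset value
    mem_max: float       # third preset value


def in_window(now: time, start: time, end: time) -> bool:
    """True if `now` lies in [start, end). The window may cross midnight (e.g. 22:00 to
    05:00); a plain start <= now < end test would reject every early-morning time."""
    if start <= end:
        return start <= now < end
    return now >= start or now < end


def may_run(now: datetime, running_tasks: int, cpu: float, disk: float, mem: float,
            limits: Limits) -> Tuple[bool, List[str]]:
    """Evaluate all preset acquisition conditions; return (allowed, failed conditions)."""
    reasons = []
    if not in_window(now.time(), limits.window_start, limits.window_end):
        reasons.append("outside task execution period")
    if running_tasks >= limits.max_tasks:
        reasons.append(f"{running_tasks} detection tasks running (limit {limits.max_tasks})")
    if cpu > limits.cpu_max:
        reasons.append(f"cpu {cpu:.0%} above {limits.cpu_max:.0%}")
    if disk > limits.disk_max:
        reasons.append(f"disk {disk:.0%} above {limits.disk_max:.0%}")
    if mem > limits.mem_max:
        reasons.append(f"memory {mem:.0%} above {limits.mem_max:.0%}")
    return (not reasons, reasons)


# Task state transitions driven by management-platform instructions (fig. 5).
TRANSITIONS = {
    ("closed", "start"): "started",
    ("started", "close"): "closed",
    ("started", "abnormal_stop"): "abnormal_stop",   # directory-polling failure case
    ("abnormal_stop", "start"): "started",
}


def apply_instruction(state: str, instruction: str) -> str:
    """Return the new task state, refusing transitions the description does not define
    (such as closing an already closed task) instead of silently accepting them."""
    try:
        return TRANSITIONS[(state, instruction)]
    except KeyError:
        raise ValueError(f"instruction {instruction!r} not valid in state {state!r}") from None


# Constructed limits: 22:00 to 05:00, at most 3 tasks, 70 % CPU, 80 % disk, 80 % memory.
LIMITS = Limits(time(22, 0), time(5, 0), 3, 0.70, 0.80, 0.80)


def may_run_at(iso_now: str, running_tasks: int, cpu: float, disk: float, mem: float,
               limits: Limits = LIMITS) -> Tuple[bool, List[str]]:
    """Convenience wrapper taking an ISO-8601 timestamp such as '2021-10-01T23:00'."""
    return may_run(datetime.fromisoformat(iso_now), running_tasks, cpu, disk, mem, limits)


if __name__ == "__main__":
    print(may_run_at("2021-10-01T23:00", 1, 0.30, 0.50, 0.40))   # allowed
    print(may_run_at("2021-10-01T12:00", 3, 0.90, 0.50, 0.40))   # refused, three reasons
```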
As an alternative embodiment, step 101: acquiring the historical mails within the preset range may include:
step B1: and inquiring a storage directory of the historical mails generated in a preset range according to a preset inquiry rule.
The preset query rule may include: the mail is divided into the inquiry tasks of year, month, day and hour in turn.
For example, as shown in fig. 5, when querying a mail in a preset mail scanning range, the query task may be split into a year, month, day, and hour query task, and then the query is performed according to the split query task. For example, splitting the query into tasks each year, and recording the current query year; splitting the annual tasks monthly, splitting the annual tasks into monthly tasks, and recording the current query month; for the monthly tasks, splitting the tasks according to the days, splitting the tasks into the tasks every day, and recording the current query days; and for the tasks of each day, splitting the tasks according to hours, splitting the tasks into the tasks of each hour, and recording the current query hour. For the inquired mail, the Security Identifiers (SID) of the mail, i.e. the unique identifier of the mail, are recorded at the same time.
The specific query process may be: and acquiring the time range (namely a second preset time range) of the query task and the historical query page number, querying according to the ascending time sequence, calculating the storage directory of the queried mail, and updating the query page number. The number of pages mentioned here refers to the number of mail pages.
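The year, month, day and hour split with a recorded page position, as an added example written for this page (not the patent's code). The hierarchical split collapses to one task per hour overlapping the range; each hour is paged in ascending time order and the cursor (year, month, day, hour, pages completed) is returned so an interrupted task resumes without re-querying finished pages. The in-memory archive index and the `archive/YYYY/MM/DD/HH` directory layout are assumptions.

```python
"""Splitting a historical-mail query into hourly tasks with a resumable cursor (step B1).

Illustrative code for this page, not the patent's implementation. The archive index,
the storage-directory layout and the cursor shape are assumptions.
"""
from datetime import datetime, timedelta
from typing import Dict, Iterator, List, Optional, Tuple

Cursor = Tuple[int, int, int, int, int]   # (year, month, day, hour, pages completed in that hour)


def hour_buckets(start: datetime, end: datetime) -> Iterator[datetime]:
    """The year > month > day > hour split yields one task per hour overlapping [start, end)."""
    cur = start.replace(minute=0, second=0, microsecond=0)
    while cur < end:
        yield cur
        cur += timedelta(hours=1)


def storage_dir(root: str, sent_at: datetime) -> str:
    """Assumed archive layout: <root>/YYYY/MM/DD/HH."""
    return f"{root}/{sent_at:%Y/%m/%d/%H}"


def query_range(index: Dict[str, str], start_iso: str, end_iso: str, page_size: int = 2,
                resume: Optional[Cursor] = None) -> Tuple[List[Tuple[str, str]], Optional[Cursor]]:
    """Query `index` (sid -> ISO send time; a stand-in for the archive database) in ascending
    time order, one hourly task at a time and page by page. Returns the (sid, storage
    directory) list and the last cursor; passing that cursor back as `resume` after an
    interruption skips hours and pages that were already processed."""
    start, end = datetime.fromisoformat(start_iso), datetime.fromisoformat(end_iso)
    times = {sid: datetime.fromisoformat(t) for sid, t in index.items()}
    results: List[Tuple[str, str]] = []
    cursor: Optional[Cursor] = None
    for bucket in hour_buckets(start, end):
        key = (bucket.year, bucket.month, bucket.day, bucket.hour)
        if resume and key < resume[:4]:
            continue                      # hour already fully processed
        in_bucket = sorted((t, sid) for sid, t in times.items()
                           if start <= t < end and bucket <= t < bucket + timedelta(hours=1))
        pages = [in_bucket[i:i + page_size] for i in range(0, len(in_bucket), page_size)]
        for page_no, page in enumerate(pages):
            if resume and key == resume[:4] and page_no < resume[4]:
                continue                  # page processed before the interruption
            for t, sid in page:
                results.append((sid, storage_dir("archive", t)))
        cursor = key + (len(pages),)      # in practice persist this after every page
    return results, cursor


SAMPLE_INDEX = {   # constructed: sid -> send time
    "a": "2021-10-01T09:15", "b": "2021-10-01T09:40", "c": "2021-10-01T09:55",
    "d": "2021-10-01T10:05", "e": "2021-10-02T00:30",
    "f": "2021-09-30T23:59",   # before the range
    "g": "2021-10-02T01:30",   # after the range
}

if __name__ == "__main__":
    found, cursor = query_range(SAMPLE_INDEX, "2021-10-01T09:00", "2021-10-02T01:00")
    for sid, directory in found:
        print(sid, directory)
    print("cursor", cursor)
```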
The query may cover local mail as well as mail stored as network files, for example on a network drive. As shown in fig. 5, the scanning job for locally archived mail may be started first.
Step B2: acquire the historical mails according to the storage directories.
Once the storage directory is known, the corresponding historical mails can be read from it.
Steps B1 and B2 may be performed by the management platform.
Optionally, step B1: according to a preset query rule, querying a storage directory of historical mails generated in a preset range, wherein the querying may include:
step B11: and judging whether the corresponding historical mails are stored under the inquired storage directory.
As shown in fig. 5, after obtaining the query result (i.e. the queried storage directory) of the archived email, the query result of the archived email may be polled to determine whether the archived file exists, i.e. whether the queried storage directory stores the corresponding historical email.
Step B12: and judging whether the history mails have backup mails or not under the condition that the corresponding history mails are not stored in the storage directory.
As shown in fig. 5, in the embodiment of the present invention, when a corresponding history mail is not stored in the storage directory, it may be determined whether an archive backup file of the history mail exists.
Step B13: and acquiring a storage directory of the backup mail under the condition that the backup mail exists in the history mail.
As shown in fig. 5, in the case that an archive backup file of the history mail exists, the storage path (i.e. the storage directory) of the backup file may be determined according to the backup scan setting information (i.e. the root directory information of the preset backup mail), the version information (i.e. the number information corresponding to the middle storage path of the backup file), and the backup file information (e.g. the name information of the backup file).
For example, the preset root directory information is D-disc, and the intermediate storage path (e.g. folder path) indicated by the version information sequentially from the upper level to the lower level is: if the folder a > folder B and the name of the backup file is backup a, the storage path of the backup file according to the information is: d-disc > folder a > folder B > backup a.
In the embodiment of the invention, by associating the version information with the intermediate storage path, a number is stored in the database instead of the same intermediate storage path, and the number is smaller than the specific path information data volume, so that the data storage volume can be greatly reduced compared with the direct storage of the path information.
Because the storage path of the backup file may change, the same backup file may have different storage path numbers corresponding to different periods, that is: version information corresponding to the same backup file at different periods may be different.
As shown in fig. 5, in the case that the archive backup file of the history mail does not exist, it is determined whether the existence of the storage directory is detected for a preset number of consecutive times, that is: if the archive backup file of the history mail does not exist, it is determined again whether the storage directory of the history mail exists. If the storage directory of the historical mail is determined to exist within the preset times, the polling is carried out again. And if the storage directory of the historical mail does not exist after the continuous preset times, recording the detection task state of the historical mail as abnormal stop.
When the corresponding historical mails are stored in the storage directory, or they are not stored there but backup mails exist, and the archived mails are stored in encrypted form, the encrypted compressed mails can be decompressed into the temporary directory using the password held in the archive data record.
When the mail scanning range includes not only the preset time range but also the preset organization structure range, the stored mail is fetched from the temporary directory, and the sender and recipient information in the mail is used to judge whether the mail falls within the preset organization range. If not, the next historical mail is fetched for judgment. If so, it is judged whether the scanning queue (i.e. the cache queue of files to be analyzed) is overrun. If the threshold is exceeded, the check is repeated. If not, it is judged whether the archived mail has already been scanned; if so, the next query result is polled. If not, the mail information of the archived mail is assembled and sent to the scanning queue cache. Assembling the mail information means splicing the mail's fields, such as the sender, subject, attachment name and attachment file path, together in a specified message format.
As shown in fig. 5, during polling it may also be determined whether the traversal (i.e. polling) is complete; if so, the detection task cache is cleared and interface response information is returned to the terminal device to inform the user of the task execution state. When the detection task is stopped, the detection task cache is likewise cleared and interface response information is returned, i.e. the user is informed of the task execution state.
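The organization-range check, the queue overrun guard, the already-scanned check and the mail information assembly from the paragraph above, as an added example that is not the patent's code. It assumes the organization range is expressed as a set of mail domains, that the scanning queue is a bounded in-process queue, and that the "specified message format" is JSON; the sample mails are constructed.

```python
# Added example (not from the patent): deciding whether an archived mail is
# sent to the scanning queue: organization-range check on sender/recipients,
# scanning-queue overrun check, already-scanned check, and assembly of the
# mail information into a fixed message format (JSON is an assumption here).
import json
import queue
from typing import Dict, Set

# Constructed organization range: mail domains standing in for the preset
# organization structure (a real deployment might key on department ids).
ORG_RANGE: Set[str] = {"finance.example.com", "hr.example.com"}


def in_org_range(mail: Dict, org_range: Set[str] = ORG_RANGE) -> bool:
    """A mail is in range if its sender or any recipient belongs to it."""
    addresses = [mail["sender"], *mail["recipients"]]
    domains = {addr.rsplit("@", 1)[-1].lower() for addr in addresses}
    return bool(domains & org_range)


def assemble_mail_info(mail: Dict, task_id: str) -> str:
    """Splice sender, subject and attachment name/path into one message."""
    message = {
        "task_id": task_id,
        "mail_id": mail["id"],
        "sender": mail["sender"],
        "subject": mail["subject"],
        "attachments": [{"name": a["name"], "path": a["path"]}
                        for a in mail["attachments"]],
    }
    return json.dumps(message, sort_keys=True)


def new_scan_queue(maxsize: int) -> "queue.Queue[str]":
    """Bounded cache queue of files to be analyzed."""
    return queue.Queue(maxsize=maxsize)


def enqueue_for_scan(mail: Dict, scan_queue: "queue.Queue[str]",
                     scanned: Set[str], task_id: str) -> str:
    """Apply the fig. 5 checks in order and report what happened."""
    if not in_org_range(mail):
        return "out_of_range"          # fetch the next historical mail
    if scan_queue.full():
        return "queue_overrun"         # caller checks again later
    if mail["id"] in scanned:
        return "already_scanned"       # poll the next query result
    scan_queue.put_nowait(assemble_mail_info(mail, task_id))
    scanned.add(mail["id"])
    return "queued"


def sample_mail(mail_id: str, sender: str, recipients) -> Dict:
    """Constructed sample mail used by the demo and tests."""
    return {"id": mail_id, "sender": sender, "recipients": list(recipients),
            "subject": "Q1 figures",
            "attachments": [{"name": "q1.xlsx", "path": "/tmp/scan/q1.xlsx"}]}


if __name__ == "__main__":
    q, seen = new_scan_queue(8), set()
    m = sample_mail("m1", "bob@finance.example.com", ["x@partner.example.org"])
    print(enqueue_for_scan(m, q, seen, "task-1"), q.get_nowait())
```

The order of the checks matters for throughput: the cheap range test runs first so out-of-range mail never touches the queue, and the overrun test runs before the scanned-set lookup so a full queue is never written to.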
As an alternative embodiment, step B1, querying the storage directory of the historical mails generated within the preset range according to a preset query rule, may include:
Step B14: recording the current query progress and the query rule while querying the storage directory according to the preset query rule.
Step B15: when a restart is detected, continuing to query the storage directory according to the recorded query rule from the recorded query progress.
In the embodiment of the invention, the query progress can be recorded in real time during the query of the historical mail storage directory, for example by recording that the query has reached a certain mail at a certain hour and minute of a certain day of a certain month. In addition, the current query rule and the execution state of the detection task can be recorded. Thus, as shown in fig. 5, when the service restarts after an exception and the backtracking task is reloaded, the cached task state is read first, and it is determined from the cached state whether the task was in the started state before the restart. If so, the cached task query rule information is read, the query rule and the cached sid information are applied, and the query continues, so that mails that were already queried are not queried again.
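The segmented query with progress checkpointing and restart resumption from steps B14 and B15 (and the year/month/day/hour rule of claim 3), as an added example that is not the patent's code. It assumes the progress marker is the last fully queried hour segment rather than an individual mail, that a plain dictionary plays the role of the task cache, and that a caller-supplied lookup function returns the storage directories for one segment; the time range is constructed.

```python
# Added example (not from the patent): querying the mail storage directory in
# year/month/day/hour segments while checkpointing progress and the query
# rule, so that a restart resumes after the last completed segment instead
# of querying everything again. The hour segment as progress marker and the
# in-memory checkpoint dict standing in for the cache are assumptions.
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional, Tuple


def hour_segments(start: datetime, end: datetime) -> List[str]:
    """Split [start, end) into hour segments keyed 'YYYY/MM/DD/HH'."""
    cur = start.replace(minute=0, second=0, microsecond=0)
    segments = []
    while cur < end:
        segments.append(cur.strftime("%Y/%m/%d/%H"))
        cur += timedelta(hours=1)
    return segments


def run_query(rule: Dict[str, str], checkpoint: Dict,
              query_fn: Callable[[str], List[str]],
              crash_after: Optional[int] = None) -> List[str]:
    """Query every segment of the rule, recording progress after each one.

    rule        -- {"start": ISO time, "end": ISO time}; ignored on resume
    checkpoint  -- mutable dict playing the role of the task cache
    query_fn    -- returns the storage directories found for one segment
    crash_after -- stop after this many segments to simulate a service crash
    """
    # On (re)load, read the cached task state first: if the task was started
    # before the restart, reuse the cached rule and resume after the recorded
    # progress; otherwise initialise a fresh checkpoint.
    if checkpoint.get("state") == "started":
        rule = checkpoint["rule"]
        segments = hour_segments(datetime.fromisoformat(rule["start"]),
                                 datetime.fromisoformat(rule["end"]))
        last_done = checkpoint.get("progress")
        start_idx = segments.index(last_done) + 1 if last_done in segments else 0
    else:
        segments = hour_segments(datetime.fromisoformat(rule["start"]),
                                 datetime.fromisoformat(rule["end"]))
        start_idx = 0
        checkpoint.update({"state": "started", "rule": dict(rule), "progress": None})

    found: List[str] = []
    done = 0
    for segment in segments[start_idx:]:
        if crash_after is not None and done >= crash_after:
            return found              # progress of completed segments is kept
        found.extend(query_fn(segment))
        checkpoint["progress"] = segment   # recorded right after each segment
        done += 1
    checkpoint["state"] = "finished"
    return found


def recording_lookup() -> Tuple[List[str], Callable[[str], List[str]]]:
    """Constructed directory lookup that remembers every segment it was asked
    for, so repeated queries after a restart are easy to detect."""
    calls: List[str] = []

    def lookup(segment: str) -> List[str]:
        calls.append(segment)
        return ["/archive/" + segment]
    return calls, lookup


if __name__ == "__main__":
    rule = {"start": "2022-03-30T00:00", "end": "2022-03-30T06:00"}
    cache: Dict = {}
    calls, lookup = recording_lookup()
    run_query(rule, cache, lookup, crash_after=2)   # simulated crash
    run_query(rule, cache, lookup)                  # restart and resume
    print(cache["state"], len(calls), "segments queried, none repeated")
```

Progress is written after a segment completes, never before, so a crash in the middle of a segment re-queries only that segment and the resumed run never skips one.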
As an alternative embodiment, step 102, detecting whether the historical mails hit the updated sensitive information detection policy, may include:
determining that the updated sensitive information detection policy is hit when the mail content of a historical mail includes preset keyword information, the mail content matches a preset regular expression, and/or the file attribute information of an attachment of the historical mail matches preset file attribute information.
The file attribute information may include at least one of: file size, file creation time, file modification time, and file author.
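The policy match described in step 102, as an added example that is not the patent's code: keyword and regular-expression matching on the mail content plus attachment attribute matching, with the hit details written to JSON as the later policy matching module does. The patent only says the attributes are compared with preset values; treating the size as an upper bound, the modification time as a lower bound and the author as an exact value is an assumption, and the policy and mails are constructed.

```python
# Added example (not the patent's code): evaluating an updated sensitive
# information detection policy against one historical mail: keyword match
# and regular-expression match on the mail content, and attachment attribute
# match (size, modification time, author), with the hit details written to
# JSON as the detection result. Size as an upper bound, modification time as
# a lower bound and author as an exact value are assumptions.
import json
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional


@dataclass
class Attachment:
    name: str
    size: int            # bytes
    created: datetime
    modified: datetime
    author: str


@dataclass
class Policy:
    keywords: List[str] = field(default_factory=list)
    regexes: List[str] = field(default_factory=list)
    max_size: Optional[int] = None          # None: attribute not in policy
    modified_after: Optional[datetime] = None
    author: Optional[str] = None


def match_policy(mail: Dict, policy: Policy) -> Dict:
    """Return {"mail_id", "hit", "hits"}; hit is True if any condition fires."""
    hits: List[Dict] = []
    content = mail["content"]
    for kw in policy.keywords:
        if kw.lower() in content.lower():
            hits.append({"type": "keyword", "value": kw})
    for pattern in policy.regexes:
        m = re.search(pattern, content)
        if m:
            hits.append({"type": "regex", "pattern": pattern, "matched": m.group(0)})
    for att in mail["attachments"]:
        reasons = []
        if policy.max_size is not None and att.size > policy.max_size:
            reasons.append("file_size")
        if policy.modified_after is not None and att.modified >= policy.modified_after:
            reasons.append("file_modification_time")
        if policy.author is not None and att.author == policy.author:
            reasons.append("file_author")
        if reasons:
            hits.append({"type": "attachment", "name": att.name, "attributes": reasons})
    return {"mail_id": mail["id"], "hit": bool(hits), "hits": hits}


def detection_result_json(mail: Dict, policy: Policy) -> str:
    """Serialise the hit content as JSON for the detection result."""
    return json.dumps(match_policy(mail, policy), sort_keys=True)


def sample_policy() -> Policy:
    """Constructed updated policy used by the demo and tests."""
    return Policy(keywords=["salary", "confidential"],
                  regexes=[r"\bPROJ-\d{4}\b"],
                  max_size=1_000_000, author="alice")


def sample_mail(mail_id: str, content: str, size: int, author: str) -> Dict:
    """Constructed historical mail with one attachment."""
    att = Attachment(name="report.xlsx", size=size,
                     created=datetime(2022, 3, 1, 9, 0),
                     modified=datetime(2022, 3, 29, 17, 30), author=author)
    return {"id": mail_id, "content": content, "attachments": [att]}


if __name__ == "__main__":
    mail = sample_mail("m1", "Please review PROJ-2024 salary figures", 5_000_000, "alice")
    print(detection_result_json(mail, sample_policy()))
```

Recording every condition that fired, rather than stopping at the first one, is what lets the displayed mail information explain to the user why a historical mail was marked abnormal after the policy changed.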
Optionally, the sensitive information detection policies corresponding to different detection tasks may be different, so that a correspondence between the detection task and the sensitive information detection policy may be established in advance, and when the detection task is executed, the sensitive information detection policy corresponding to the executed detection task may be acquired.
To better understand the above detection process, the parsing of a file by the file parsing platform is further explained below, taking fig. 6 as an example.
The file parsing platform may include a file scanning process module and a policy matching module.
As shown in fig. 6, the file scanning process module may read the scanning queue, obtain the file to be scanned, analyze the result of the scanned file, disassemble and assemble the analysis packet, add the scanning task number, and send the detection policy and the file scanning result data to the policy matching module. After obtaining the file to be scanned, the file scanning process module may first determine whether the size of the file to be scanned exceeds a threshold; if so, the file is added to the common file parsing queue, and if the threshold is not exceeded, the file is added to the large file parsing queue. The file scanning process module can then call a file parsing thread, parse the file to be scanned, obtain the parsed file information, and generate a parsing result message from it. Optionally, the file parsing platform may have a timeout judgment mechanism: a timeout thread obtains timed-out parsing requests, and when a timed-out request concerns historical mail, the record is deleted from the parsing queue directly, without sending a notification mail to the user.
The policy matching module receives the detection policy and the file scanning result data from the file scanning process module, reads the detection policy corresponding to the current scanning task according to its task number, detects the file to be scanned according to that policy, and returns the detection result to the file scanning process module. The document content in the mail that hit the detection policy can be written as JSON (JavaScript Object Notation), which is then written into the detection result.
The file scanning process module receives the detection result and sends it to the management platform as event information. Because the embodiment of the invention detects historical mails, when a historical mail is found to hit the detection policy, the detection result only needs to be reported to the management platform; it does not need to be sent to the local sender of the historical mail.
An event receiving module in the management platform receives the event information, then judges whether the evidence file storage function is enabled and, if so, stores the event evidence file. It then judges whether the evidence file backup function is enabled and, if so, adds the evidence file to the evidence file backup queue for backup. The event receiving module can also store the event information in the platform database and delete the corresponding mails from the temporary directory.
Because not every file scan can be processed in time, when a timed-out scan is judged to belong to a backtracking task, no timeout notice is sent.
Finally, the embodiment of the present invention further provides an optional topology diagram and an implementation deployment diagram of an information security system, shown in fig. 7 and fig. 8 respectively.
Fig. 7 illustrates an alternative general implementation topology of an information security system. The DLP control platform corresponds to the management platform and includes a background management system. The configuration center corresponds to information middleware, such as a database and redis, used to store information. The file parsing platform can obtain the mail storage directory from the configuration center and fetch the corresponding mails from local files and/or network files in the file server according to that directory. A network file may be a file stored on a network disk, Network Attached Storage (NAS), or the like.
Fig. 8 illustrates an alternative deployment of an information security system. As shown in fig. 8, the user may trigger a backtracking detection task for historical mail through the terminal device. The backtracking detection task is first sent to the load balancer. When there are multiple backtracking detection tasks, the load balancer can distribute them to different management platforms to achieve load balancing; for example, with 4 backtracking detection tasks, the 4 tasks can be assigned to the 4 management platforms in the figure respectively. The load balancer may be an F5 load balancer.
After receiving the backtracking detection task from the load balancer, the management platform executes it. Some of the data generated while executing the backtracking detection task, such as the queried mail storage directory information, can be stored in the Mysql devices, which in the figure comprise a Mysql master, a Mysql slave and a Mysql standby. The generated data can also be stored in redis devices; the figure includes 6 redis masters.
The management platform can send the detection task to the file parsing platform. After receiving it, the file parsing platform reads the required mails from the file server (i.e. the getfile server), parses and detects the mails it read, and reports the detection results to the corresponding management platform, which forwards them to the corresponding terminal device for the user to view.
Mail from outside the system can be sent to a getfile client (i.e. a component with a file storage receiving function) and then uploaded by the getfile client to the getfile server.
When mail in the getfile server is to be used outside the system, the getfile client can obtain the mail from the getfile server and send it to a desensitization system (a non-DLP system), which processes the sensitive information in the mail when desensitizing it.
Mail that has passed through the desensitization system can also be sent to a file parsing platform, which detects sensitive information in the mail and reports the detection result to the corresponding management platform. The desensitization system may send detection tasks to the load balancer, which forwards them to the file parsing platform. When there are multiple desensitization tasks, the load balancer can distribute them to different file parsing platforms for execution to achieve load balancing; for example, with 4 desensitization tasks, the load balancer can assign the 4 tasks to the 4 file parsing platforms in the figure respectively. The load balancer may be an nginx load balancer.
To guard against server exceptions, file security problems, file loss, file damage and the like, the file server is deployed as a high-availability cluster, as shown in fig. 8.
The above is a description of the mail detection method provided in the embodiment of the present application.
In summary, in the embodiment of the present invention, when the sensitive information detection policy is updated, the historical mails may be detected based on the updated sensitive information detection policy, mails which may include sensitive information are screened from the historical mails, and information of the mails which hit the updated sensitive information detection policy is displayed for the user to view, so that the user may take processing measures for the mails, thereby reducing the risk of further information leakage.
The above describes a mail detection method provided by the embodiment of the present invention, and a mail detection apparatus provided by the embodiment of the present invention will be described below with reference to the accompanying drawings.
The embodiment of the invention also provides a mail detection device, which can be applied to an information security system, in particular to a data leakage protection system based on mail scanning.
As shown in fig. 9, the apparatus may include:
An obtaining module 901, configured to obtain historical mails within a preset range when the sensitive information detection policy is updated.
A detecting module 902, configured to detect whether the historical mails hit the updated sensitive information detection policy.
A marking module 903, configured to mark a historical mail that hits the updated sensitive information detection policy as an abnormal mail.
A display module 904, configured to display the mail information of the abnormal mail.
Optionally, the obtaining module 901 includes:
a first acquisition unit, used to acquire the historical mails within the preset range when the sensitive information detection policy is updated and preset acquisition conditions are met.
The preset acquisition conditions include at least one of: the current time is within a first preset time range, the number of detection tasks being executed at the current time is greater than or equal to a preset number, and the preset hardware information meets a preset condition.
The preset hardware information meeting the preset condition includes at least one of: the CPU utilization rate is less than or equal to a first preset value, the hard disk occupancy rate is less than or equal to a second preset value, and the memory occupancy rate is less than or equal to a third preset value.
Optionally, the obtaining module 901 includes:
a query unit, used to query the storage directory of the historical mails generated within the preset range according to a preset query rule.
The preset query rule includes: performing a segmented query of the mails in the order of year, month, day and hour.
A second acquisition unit, used to acquire the historical mails according to the storage directory.
Optionally, the query unit includes:
a recording subunit, used to record the current query progress and the query rule while querying the storage directory according to the preset query rule.
A query subunit, used to continue querying according to the recorded query rule from the recorded query progress when a restart is detected.
Optionally, the query unit includes:
a first judgment subunit, used to judge whether the corresponding historical mail is stored under the queried storage directory.
A second judgment subunit, used to judge whether the historical mail has a backup mail when the corresponding historical mail is not stored in the storage directory.
An acquisition subunit, used to acquire the storage directory of the backup mail when the historical mail has a backup mail.
Optionally, the preset range includes at least one of: a second preset time range, and the mail range corresponding to a preset organization structure.
Optionally, the detecting module 902 includes:
a detection unit, used to determine that the updated sensitive information detection policy is hit when the mail content of a historical mail includes preset keyword information, the mail content matches a preset regular expression, and/or the file attribute information of an attachment of the historical mail matches preset file attribute information.
The file attribute information includes at least one of: file size, file creation time, file modification time, and file author.
The mail detection device provided by the embodiment of the present invention can implement each process implemented by the mail detection method in the method embodiment shown in fig. 1, and is not described herein again to avoid repetition.
The mail detection device provided by the embodiment of the invention can detect the historical mails based on the updated sensitive information detection policy when the policy is updated, screen out mails that may include sensitive information from the historical mails, and display the information of the mails that hit the updated policy for the user to check, so that the user can take processing measures for those mails, thereby reducing the risk of further information leakage.
The embodiment of the invention also provides electronic equipment which comprises a memory, a processor and a bus. The memory stores a program or instructions executable on the processor which, when executed by the processor, implement the steps of the mail detection method as described above.
For example, fig. 10 shows a schematic physical structure diagram of an electronic device.
As shown in fig. 10, the electronic device may include a processor 1010, a communications interface 1020, a memory 1030, and a communication bus 1040, wherein the processor 1010, the communications interface 1020 and the memory 1030 communicate with each other via the communication bus 1040. The processor 1010 may call logic instructions in the memory 1030 to perform the following method:
acquiring historical mails within a preset range when a sensitive information detection policy is updated;
detecting whether the historical mails hit the updated sensitive information detection policy;
marking the historical mails that hit the updated sensitive information detection policy as abnormal mails;
and displaying the mail information of the abnormal mails.
Furthermore, the logic instructions in the memory 1030 can be implemented in software functional units and stored in a computer readable storage medium when the logic instructions are sold or used as independent products. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, an optical disk, or other various media capable of storing program codes.
The embodiment of the present invention further provides a computer-readable storage medium on which a program or instructions are stored; when executed by a processor, the program or instructions carry out the mail detection method provided in the foregoing embodiments, for example the following method:
acquiring historical mails within a preset range when a sensitive information detection policy is updated;
detecting whether the historical mails hit the updated sensitive information detection policy;
marking the historical mails that hit the updated sensitive information detection policy as abnormal mails;
and displaying the mail information of the abnormal mails.
The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
Through the above description of the embodiments, those skilled in the art will clearly understand that each embodiment can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware. With this understanding in mind, the above-described technical solutions may be embodied in the form of a software product, which can be stored in a computer-readable storage medium such as ROM, RAM, a magnetic disk, an optical disk, etc., and includes instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to execute the methods described in the embodiments or some parts of the embodiments.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.
Claims (10)
1. A method for mail detection, the method comprising:
acquiring historical mails in a preset range under the condition that a sensitive information detection strategy is updated;
detecting whether the updated sensitive information detection strategy is hit by the historical mails or not;
marking the historical mails that hit the updated sensitive information detection strategy as abnormal mails;
and displaying the mail information of the abnormal mail.
2. The mail detection method of claim 1, wherein the obtaining of the historical mails within a preset range in case of update of the sensitive information detection policy comprises:
acquiring the historical mails in the preset range under the condition that the sensitive information detection strategy is updated and meets preset acquisition conditions;
wherein the preset acquisition condition comprises at least one of: the current time is in a first preset time range, the number of the mail detection tasks executed at the current time is greater than or equal to the preset number, and the preset hardware information meets the preset condition;
wherein the preset hardware information meeting preset conditions includes at least one of: the CPU utilization rate is less than or equal to a first preset value, the hard disk occupancy rate is less than or equal to a second preset value, and the memory occupancy rate is less than or equal to a third preset value.
3. The mail detection method according to claim 1, wherein the acquiring of the historical mails within the preset range comprises:
inquiring a storage directory of the historical mails generated in the preset range according to a preset inquiry rule; wherein the preset query rule comprises: splitting the mails into query tasks of year, month, day and hour in sequence;
and acquiring the historical mails according to the storage directory.
4. The mail detection method according to claim 3, wherein said querying a storage directory of the historical mails generated within the preset range according to a preset query rule comprises:
recording the current inquiry progress and the inquiry rule in the process of inquiring the storage directory according to the preset inquiry rule;
and under the condition that the restart is detected, continuing to inquire according to the recorded inquiry rule under the recorded inquiry progress.
5. The mail detection method according to claim 3, wherein said searching the storage directory of the history mails generated within the preset range comprises:
judging whether the corresponding historical mails are stored under the inquired storage directory;
under the condition that the corresponding historical mails are not stored in the storage directory, judging whether the historical mails have backup mails or not;
and acquiring a storage directory of the backup mail under the condition that the historical mail has the backup mail.
6. The mail detection method according to claim 1, wherein the preset range includes at least one of: a second preset time range, and the mail range corresponding to a preset organization structure.
7. The method according to claim 1, wherein the detecting whether the historical mails hit the updated sensitive information detection policy comprises:
determining to hit the updated sensitive information detection strategy under the condition that mail content in the historical mails comprises preset keyword information, the mail content in the historical mails is matched with a preset regular expression, and/or file attribute information of attachments in the historical mails is matched with preset file attribute information;
wherein the file attribute information includes: at least one of file size, file creation time, file modification time, file author.
8. A mail detection apparatus, the apparatus comprising:
the acquisition module is used for acquiring the historical mails in a preset range under the condition that the sensitive information detection strategy is updated;
the detection module is used for detecting whether the updated sensitive information detection strategy is hit by the historical mails or not;
the marking module is used for marking the historical mails which hit the updated sensitive information detection strategy as abnormal mails;
and the display module is used for displaying the mail information of the abnormal mail.
9. An electronic device comprising a processor and a memory, the memory having stored thereon a program or instructions executable on the processor, the program or instructions, when executed by the processor, implementing the steps of the mail detection method of any of claims 1 to 7.
10. A computer-readable storage medium, characterized in that a program or instructions are stored on the computer-readable storage medium, which program or instructions, when executed by a processor, carry out the steps of the mail detection method according to any one of claims 1 to 7.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202210326753.6A CN114726603B (en) | 2022-03-30 | 2022-03-30 | Mail detection method and device |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN114726603A true CN114726603A (en) | 2022-07-08 |
| CN114726603B CN114726603B (en) | 2023-09-01 |
Family ID: 82240567
Citations (9)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101316246A (en) * | 2008-07-18 | 2008-12-03 | 北京大学 | A spam detection method and system based on classifier dynamic update |
| US20090198785A1 (en) * | 2008-01-23 | 2009-08-06 | Fujitsu Limited | Mail sending and receiving apparatus, method, computer-readable medium, and system |
| US20090248814A1 (en) * | 2008-04-01 | 2009-10-01 | Mcafee, Inc. | Increasing spam scanning accuracy by rescanning with updated detection rules |
| JP2010128761A (en) * | 2008-11-27 | 2010-06-10 | Fuji Xerox Co Ltd | Information processor and program |
| US20100251372A1 (en) * | 2009-03-24 | 2010-09-30 | Barracuda Networks, Inc | Demand scheduled email virus afterburner apparatus, method, and system |
| US8572184B1 (en) * | 2007-10-04 | 2013-10-29 | Bitdefender IPR Management Ltd. | Systems and methods for dynamically integrating heterogeneous anti-spam filters |
| CN108418777A (en) * | 2017-02-09 | 2018-08-17 | 中国移动通信有限公司研究院 | Method, device and system for detecting phishing emails |
| CN112258137A (en) * | 2020-09-06 | 2021-01-22 | 厦门天锐科技股份有限公司 | Mail blocking method and device |
| CN113489734A (en) * | 2021-07-13 | 2021-10-08 | 杭州安恒信息技术股份有限公司 | Phishing mail detection method and device and electronic device |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | | |
| SE01 | Entry into force of request for substantive examination | | |
| GR01 | Patent grant | | |