CN115473676A - Phishing mail detection method and device, electronic equipment and storage medium - Google Patents

Abstract

Embodiments of the present invention provide a method, device, electronic device, and storage medium for detecting phishing emails, which relate to the technical field of network security, wherein the method includes: obtaining a pre-trained phishing email detection model, internal information related to the enterprise mailbox business, and the mail gateway log; based on the internal information of the enterprise and the mail gateway log, determine the mail characteristics of the mail to be detected; input the mail characteristics of the mail to be detected into the phishing mail detection model, and obtain the mail type of the mail to be detected output by the phishing mail detection model; The phishing email detection model is obtained by training a binary classification model based on the email features corresponding to the marked historical emails and the tag values of the marked historical emails. The invention can reduce the probability of missing and false positives of phishing emails and improve the reliability of phishing emails detection.

Description

Phishing email detection method, device, electronic equipment and storage medium

technical field

The invention relates to the technical field of network security, in particular to a phishing email detection method, device, electronic equipment and storage medium.

Background technique

E-mail is an important tool for people to communicate in their daily work. Phishing emails are mainly used by attackers to send disguised normal emails to induce recipients to visit malicious links or open malicious attachments, so as to achieve the purpose of controlling the recipient's host or stealing the recipient's private data. For attackers, using phishing emails to break through the boundaries of security protection is one of the common attack methods. In view of this, in order to reduce corporate security risks, enterprises need to detect phishing emails in a timely manner from mass emails.

In the prior art, one way is to match the email information by using keyword matching, and judge the email matching the keyword as a phishing email, but this method can only detect that the email information contains the keyword library Keyword emails are prone to false positives. Another way is to use the email sandbox to perform attachment execution on emails containing attachments, then analyze and monitor the behavior of attachment execution, and determine whether it is a phishing email based on the results of the analysis and monitoring, and then find attachments containing malicious code. However, if the attacker encrypts and compresses the attachment, he can bypass the detection of the email sandbox, resulting in poor detection reliability.

Contents of the invention

Aiming at the problems in the prior art, embodiments of the present invention provide a method, device, electronic device and storage medium for detecting phishing emails.

Specifically, the embodiments of the present invention provide the following technical solutions:

In a first aspect, an embodiment of the present invention provides a method for detecting phishing emails, the method comprising:

Obtain the pre-trained phishing email detection model, enterprise internal information related to the enterprise mailbox business, and mail gateway logs;

Determine the email characteristics of the email to be detected based on the internal information of the enterprise and the email gateway log;

Inputting the email feature of the email to be detected into the phishing email detection model to obtain the email type of the email to be detected output by the phishing email detection model; the email type includes phishing emails and non-phishing emails; the The phishing email detection model is obtained by training a binary classification model based on the email features corresponding to the marked historical emails and the tag values of the marked historical emails.

Further, the email features include at least one of the following:

The characteristics used to distinguish whether an email is a fake internal email, including at least one of the following: whether the email contains attachments, whether the email attachment type corresponds to the abnormal level, whether the email attachment name contains Chinese, the similarity between the email attachment name and the intranet email attachment name, the email The similarity between the subject and the intranet email subject, the similarity between the sender's mailbox domain name and the intranet mailbox domain name, the similarity between the sender's mailbox name and the intranet mailbox domain name, the similarity between the sender's nickname and the intranet mailbox nickname, and the sender The similarity between the nickname and the internal organization of the enterprise;

The characteristics used to distinguish whether the relationship between the sender and receiver in the email is a normal relationship between the receiver and the receiver, including at least one of the following: the number of emails sent by the external network mailbox in history, the number of email recipients, the number of departments corresponding to the email recipients, and the department to which the recipient belongs The number of emails received from this sender in history, the number of emails received from this sender in history by recipients, and the number of emails received by recipients in history from external mailboxes.

Further, the determining the email characteristics of the email to be detected based on the internal information of the enterprise and the email gateway log includes at least one of the following:

When the value of the attachment field corresponding to the mail to be detected in the mail gateway log is not empty, it is determined that the mail to be detected contains an attachment; when the value of the attachment field corresponding to the mail to be detected is empty Next, confirm that the email to be detected does not contain any attachments;

Based on the file suffix of the email attachment of the email to be detected, and the preset correspondence between the file suffix and the abnormality level, determine the abnormality level corresponding to the email attachment type of the email to be detected;

In the case that the name of the mail attachment of the mail to be detected matches a preset regular expression, it is determined that the name of the mail attachment contains Chinese; the regular expression is used to match whether the name of the mail attachment contains Chinese characters; in the If the name of the mail attachment does not match the preset regular expression, it is determined that the name of the mail attachment does not contain Chinese;

From the historical log, extracting sender mailbox is the mail attachment name of at least one historical mail of the internal mailbox of the enterprise; the mail attachment name of each described historical mail is word-segmented to obtain the phrase set; calculate each described phrase set The word frequency of word obtains word frequency set; The mail attachment name of described to-be-detected mail is carried out participle to obtain text phrase; Use described text phrase and described word frequency set to carry out word frequency matching, obtain the word frequency of each word in described text phrase; Calculate The average value of the word frequency of each word in described text phrase; Described average value is carried out normalization process, obtains described mail attachment name and Intranet mail attachment name similarity;

Extract sender's mailbox from described history log and be the mail theme of the historical mail of enterprise internal mailbox; Carry out word segmentation to the mail subject of each described historical mail, obtain phrase set; Calculate the words in each phrase in each described phrase set The word frequency of the word frequency is obtained word frequency set; The mail subject of described to-be-detected mail is carried out word segmentation, obtains text phrase; Use described text phrase and described word frequency set to carry out word frequency matching, obtain the word frequency of each word in the described text phrase; Calculate all The average value of the term frequency of each word in the text phrase; Described average value is carried out normalization process, obtains described mail subject and Intranet mail subject similarity;

Extracting the sender's mailbox domain name from the sender's mailbox of the mail to be detected; determining the similarity between the sender's mailbox domain name and the intranet mailbox domain name;

Extracting the sender's mailbox name from the sender's mailbox of the mail to be detected; determining the similarity between the sender's mailbox name and the intranet mailbox domain name;

From described history log, extracting sender's mailbox is the sender's nickname of the historical mail of internal mailbox of enterprise; The sender's nickname of each described historical mail is carried out participle, obtains phrase collection; Calculate each described phrase collection The word frequency of word in word group, obtain word frequency set; The sender's nickname of described to-be-detected mail is carried out participle, obtain text phrase; Use described text phrase and described word frequency set to carry out word frequency matching, obtain each in described text phrase The word frequency of word; Calculate the average value of the word frequency of each word in described text phrase; Described average value is carried out normalization process, obtains described sender's nickname and intranet mailbox nickname similarity;

Carry out word segmentation to each internal organization based on the enterprise internal organization information set, obtain the phrase set; calculate the word frequency of words in each phrase in each described phrase set, obtain the word frequency set; carry out word segmentation to the sender's nickname of the described mail to be detected, Obtain text phrase; Use described text phrase and described word frequency set to carry out word frequency matching, obtain the word frequency of each word in described text phrase; Calculate the average value of the word frequency of each word in described text phrase; Described average value is normalized Combined processing to obtain the similarity between the sender's nickname and the internal organization of the enterprise;

Extracting the sender's mailbox from the historical log is not the historical number of emails in the internal mailbox of the enterprise, and obtaining the historical number of emails sent by the external network mailbox;

Determine the number of recipients of the email based on the number of recipient mailboxes of the email to be detected;

Extract the recipient mailbox name from the recipient mailbox of the mail to be detected, and determine the corresponding department of the recipient mailbox based on the recipient mailbox name and the enterprise employee and department mapping information set; The corresponding department of the sender's mailbox is deduplicated and counted to obtain the number of the department corresponding to the recipient of the email;

Extract the recipient mailbox name from the recipient mailbox of the mail to be detected, and determine the corresponding department of the recipient mailbox based on the recipient mailbox name and the enterprise employee and department mapping information set; from the history Count the number of mails received from the sender's mailbox of the mail to be detected within the target historical time by the corresponding department of the recipient's mailbox in the log;

Counting the number of mails received by the recipient mailbox of the mail to be detected from the mailbox of the sender of the mail to be detected from the historical log;

Counting the number of emails whose sender mailboxes are external mailboxes received by the recipient mailboxes of the emails to be detected from the historical logs.

Further, the determining the email characteristics of the email to be detected based on the internal information of the enterprise and the email gateway log includes:

In the case that the email attribute information of the email to be detected includes a sender's mailbox name, determining the mailbox domain name information of the email to be detected based on the sender's mailbox name of the email to be detected;

If the internal information of the enterprise includes a set of internal mailbox domain names of the enterprise, and the mailbox domain name information of the mail to be detected does not match the set of internal mailbox domain names of the enterprise, based on the internal information of the enterprise, the mail gateway log and The email attribute information of the email to be detected determines the email feature of the email to be detected.

Further, before the acquisition of the pre-trained phishing email detection model, enterprise internal information related to the enterprise mailbox business, and mail gateway logs, the method further includes:

Obtain the marked historical emails and the internal information of the enterprise;

Based on the marked historical emails and the internal information of the enterprise, determine the email characteristics corresponding to the marked historical emails;

Based on the email features corresponding to the marked historical emails and the tag value of the marked historical emails, perform binary classification model training to obtain the phishing email detection model;

Wherein, the flag value of the marked historical email is used to indicate whether the marked historical email is a phishing email.

Further, the internal information of the enterprise includes at least one of the following:

Collection of organizational information within the enterprise;

A collection of employee and department mapping information;

Collection of mailboxes within the enterprise;

A collection of internal mailbox domain names.

Further, the mail gateway log includes mail attribute information of N mails, and the mail attribute information includes at least one of the following:

sender nickname;

sender email;

Recipient's email address;

Email Subject;

email attachment name;

Email attachment type.

In the second aspect, the embodiment of the present invention also provides a device for detecting phishing emails, including:

The obtaining module is used to obtain the pre-trained phishing email detection model, enterprise internal information related to the enterprise mailbox business, and mail gateway logs;

A determining module, configured to determine the email characteristics of the email to be detected based on the internal information of the enterprise and the email gateway log;

A detection module, configured to input the mail feature of the mail to be detected into the phishing mail detection model, and obtain the mail type of the mail to be detected output by the phishing mail detection model; the mail type includes phishing mail and non-phishing mail Phishing emails; the phishing email detection model is obtained by training a binary classification model based on the email features corresponding to the marked historical emails and the tag values of the marked historical emails.

In the third aspect, the embodiment of the present invention also provides an electronic device, including a memory, a processor, and a computer program stored in the memory and operable on the processor. When the processor executes the program, the first The method for detecting phishing emails described in the aspect.

In a fourth aspect, an embodiment of the present invention also provides a non-transitory computer-readable storage medium, on which a computer program is stored, and when the computer program is executed by a processor, the method for detecting phishing emails as described in the first aspect is implemented.

In the fifth aspect, the embodiment of the present invention further provides a computer program product, on which executable instructions are stored, and when the instructions are executed by a processor, the processor implements the phishing email detection method described in the first aspect.

The phishing email detection method, device, electronic device, and storage medium provided by the embodiments of the present invention determine the email characteristics of the email to be detected based on the internal information of the enterprise and the email gateway log, and use the pre-trained phishing email detection model to perform real-time phishing email detection. Detecting, judging whether the email to be detected is a phishing email, because the phishing email detection model is obtained by training a binary classification model based on the corresponding email features of the marked historical emails and the tag value of the marked historical emails, this makes the method It has stronger generalization ability, can be applied to different phishing email variants, can reduce the probability of false positives and false positives, and improve the reliability of phishing email detection.

Description of drawings

In order to more clearly illustrate the technical solutions in the embodiments of the present invention or the prior art, the following will briefly introduce the drawings that need to be used in the description of the embodiments or the prior art. Obviously, the accompanying drawings in the following description These are some embodiments of the present invention. Those skilled in the art can also obtain other drawings based on these drawings without creative work.

Fig. 1 is one of the schematic flow charts of the phishing email detection method provided by the embodiment of the present invention;

2 is a schematic diagram of a training method for a phishing email detection model provided by an embodiment of the present invention;

Fig. 3 is the second schematic flow diagram of the phishing email detection method provided by the embodiment of the present invention;

FIG. 4 is a schematic structural diagram of a phishing email detection system provided by an embodiment of the present invention;

5 is a schematic structural diagram of a phishing email detection device provided by an embodiment of the present invention;

FIG. 6 is a schematic diagram of a physical structure of an electronic device provided by an embodiment of the present invention.

detailed description

In order to make the purpose, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below in conjunction with the drawings in the embodiments of the present invention. Obviously, the described embodiments It is a part of embodiments of the present invention, but not all embodiments. Based on the embodiments of the present invention, all other embodiments obtained by persons of ordinary skill in the art without creative efforts fall within the protection scope of the present invention.

Fig. 1 is one of the flow diagrams of the phishing email detection method provided by the embodiment of the present invention. As shown in Fig. 1, the phishing email detection method includes the following steps:

Step 101. Obtain the pre-trained phishing email detection model, enterprise internal information related to the enterprise mailbox business, and email gateway logs.

It should be noted that the method for detecting phishing emails provided in the embodiment of the present invention is applicable to the scene of real-time detection of phishing emails. The subject of execution of the method may be a phishing email detection device, such as an electronic device, or a control module in the phishing email detection device for executing the phishing email detection method. Wherein, the electronic device may include a mobile phone, a tablet computer, or a desktop computer, and the like.

In the existing technology, in order to increase the success rate of inducing recipients to visit malicious links or open malicious attachments, attackers often use the collected basic information of the attack target to select from the sender's nickname, sender's email address, email subject, Email content, email attachment names and other information to disguise phishing emails.

In the embodiment of the present invention, a phishing email detection model is obtained through pre-training to detect phishing emails in real time. The phishing email detection model is trained based on marked historical emails and enterprise internal information, and belongs to the machine learning model. The phishing email detection model is used to evaluate the email type of the email to be detected.

Optionally, the enterprise internal information mentioned in the embodiment of the present invention may include at least one of the following: a collection of internal organization information of the enterprise; a collection of mapping information of enterprise employees and departments; a collection of internal mailboxes of the enterprise; a collection of domain names of internal mailboxes of the enterprise.

Optionally, the email gateway log may include a target log and a history log of the email gateway; the target log includes email attribute information of N emails, the N emails include emails to be detected, and N is a positive integer. The target log of the mail gateway is, for example, the log generated by the mail gateway in real time. The historical log of the mail gateway is, for example, the log of the mail gateway within the target historical time; in practice, the historical log is extracted from the database according to the set target historical time range conditions, for example, if the specified target historical time is 6 years before the current date Within a month, the email logs of the past 6 months are extracted from the database as historical logs. It can be understood that any one of the N emails included in the target log can be used as the email to be detected. Using the method for detecting phishing emails provided by the embodiment of the present invention, each of the N emails included in the target log can be detected for phishing emails respectively, and whether each email is a phishing email can be judged respectively.

Optionally, the email attribute information mentioned in the embodiment of the present invention may include at least one of the following: sender's nickname; sender's email address; recipient's email address; email subject; email attachment name; email attachment type.

Step 102, based on the internal information of the enterprise and the email gateway log, determine the email characteristics of the email to be detected.

Wherein, the email feature is used to distinguish whether the email is a fake internal email, and/or distinguish whether the relationship between the sender and receiver in the email is a normal relationship between the sender and receiver.

Optionally, the email features are used by the phishing email detection model to evaluate the email type of the email to be detected. The email feature may include at least one of the following: 1) a feature for distinguishing whether the email is a fake internal email; 2) a feature for distinguishing whether the sender-receiver relationship in the email is a normal sender-receiver relationship. Table 1 shows the specific content of the email features mentioned in the embodiment of the present invention.

Among them, the features used to distinguish whether an email is a fake internal email include at least one of the following: whether the email contains attachments, whether the email attachment type corresponds to the abnormal level, whether the email attachment name contains Chinese, and the similarity between the email attachment name and the intranet email attachment name , the similarity between the email subject and the intranet email subject, the similarity between the sender’s email domain name and the intranet email domain name, the similarity between the sender’s email name and the intranet email domain name, the similarity between the sender’s nickname and the intranet email The similarity between the nickname of the sender and the internal organization of the enterprise;

The characteristics used to distinguish whether the relationship between the sender and receiver in the email is a normal relationship between the receiver and the receiver, including at least one of the following: the number of emails sent by the external network mailbox in history, the number of email recipients, the number of departments corresponding to the email recipients, and the department to which the recipient belongs The number of emails received from this sender in history, the number of emails received from this sender in history by recipients, and the number of emails received by recipients in history from external mailboxes.

Table 1

Step 103, input the email characteristics of the email to be detected into the phishing email detection model, and obtain the email type of the email to be detected output by the phishing email detection model; the email type includes phishing emails and non-phishing emails; The phishing email detection model is obtained by training a binary classification model based on the email features corresponding to the marked historical emails and the tag values of the marked historical emails.

It should be noted that the mail attribute information mentioned in the embodiment of the present invention does not include the mail content, that is, the mail content is not used when the mail feature extraction is performed on the mail to be detected, which can effectively ensure the identity of the mail to be detected. Privacy, and based on the sender's nickname, sender's email address, recipient email address, email subject, email attachment name, email attachment type, and internal information of the email to be detected, it can be extracted to distinguish whether the email is a fake internal email, And/or to distinguish whether the sender-receiver relationship in the email is the email feature of the normal sender-receiver relationship, and then judge the email type of the email to be detected based on the pre-trained phishing email detection model.

The phishing email detection method provided by the embodiment of the present invention determines the email characteristics of the email to be detected based on the internal information of the enterprise and the email gateway log, and uses the pre-trained phishing email detection model to detect the phishing email in real time to determine whether the email to be detected is For phishing emails, since the phishing email detection model is obtained by training a binary classification model based on the email features corresponding to the marked historical emails and the tag values of the marked historical emails, this method has a stronger generalization ability, It can be applied to different variants of phishing emails, which can reduce the probability of false negatives and false positives, and improve the reliability of phishing email detection.

Optionally, for different email features, a determination method suitable for the email feature is adopted. Specifically, based on the internal information of the enterprise and the email gateway log, the specific method for determining the email characteristics of the email to be detected may include at least one of the following methods:

Method 1. The characteristics of the email include whether the email contains attachments:

If the value of the attachment field corresponding to the mail to be detected in the target log is not empty, it is determined that the mail to be detected contains an attachment; when the value of the attachment field corresponding to the mail to be detected is empty, it is determined that the mail to be detected does not contain an attachment .

Method 2. Email characteristics include email attachment types corresponding to abnormal levels:

Based on the file suffix of the mail attachment of the mail to be detected and the preset correspondence between the file suffix and the abnormality level, the abnormality level corresponding to the type of the mail attachment of the mail to be detected is determined.

In practice, when the email to be detected contains an email attachment, the file suffix of the email attachment is extracted. For example, when the value of the email attachment field is "product manual.zip", the extracted suffix value is "zip", and then the abnormal level corresponding to the email attachment type is obtained from the preset correspondence between the file suffix and the abnormal level. For the correspondence between file suffixes and exception levels, see the exception level table shown in Table 2. The exception level table may be a mapping table between types of file suffixes and exception levels provided by security analysts. The higher the abnormal level of the email to be detected, the higher the probability that the email to be detected is a phishing email.

Table 2

Method 3. The characteristics of the email include whether the name of the email attachment contains Chinese:

In the case that the name of the mail attachment of the mail to be detected matches the preset regular expression, it is determined that the name of the mail attachment contains Chinese; the regular expression is used to match whether the name of the mail attachment contains Chinese characters; in the mail attachment If the name does not match the preset regular expression, it is determined that the name of the email attachment does not contain Chinese.

For example, when there are email attachments in the email to be detected, use a regular expression to match whether the email attachment name contains Chinese characters. If the email attachment name contains Chinese characters, the matching result is Yes; if the email attachment name does not contain Chinese characters, then The result of the match is no.

Mode 4, the mail feature includes the similarity between the mail attachment name and the intranet mail attachment name, and the realization process of determining the mail feature of the mail to be detected includes step 4_1 to step 4_6, wherein:

Step 4_1, extracting the mail attachment name of at least one historical mail whose sender mailbox is the internal mailbox of the enterprise from the historical log;

Wherein, the historical log is, for example, the log of the email gateway within the target historical time; the specified target historical time range is determined according to expert analysts, for example, within 6 months of history. In practice, historical logs are extracted from the database according to the set target historical time range conditions. For example, if the specified target historical time is within 6 months from the current date, the mail logs within the past 6 months are extracted from the database , as a history log. The email attachment name of at least one historical email whose sender mailbox is an internal mailbox of the enterprise is extracted from the historical log, and the historical email includes the mailbox attachment.

Step 4_2, carrying out word segmentation to the mail attachment name of each described historical mail to obtain the phrase set;

Use the word segmentation algorithm to perform word segmentation processing on the email attachment name. For example, if the name of the email attachment is "Employee Benefits Adjustment Instructions", the phrase set obtained according to the word segmentation algorithm is: "Employees, Benefits, Adjustments, Instructions".

Step 4-3, calculate the term frequency of each term in each described phrase set, obtain the term frequency set;

The calculation of the word frequency set uses the counting method to count the number of words in the attachment name. For example, there are three emails containing the attachment name within a specified time. The names are "employee welfare adjustment instructions, employee information, and holiday instructions". A set of phrases is: "employee, welfare, adjustment, explanation", "employee, information" and "holiday, explanation", then the word frequency of the word "employee" is 2, the word frequency of the word "explain" is 2, and the word "welfare" The word frequency of is 1, the word frequency of the word "adjustment" is 1, and the word frequency of the word "holiday" is 1. The word frequency set of email attachment names is shown in Table 3.

table 3

words word frequency staff 2 illustrate 2 Welfare 1 Adjustment 1 Have a holiday 1

Step 4-4, carry out word segmentation to the mail attachment name of the mail to be detected to obtain the text phrase;

For example, an email to be detected contains an email attachment, and the name of the email attachment is "Holiday Adjustment Instructions.pdf", then the text segmentation object is "Holiday Adjustment Instructions", and the phrase obtained after word segmentation is "Holiday, Adjustment, Instructions".

Step 4-5, use described text phrase and described word frequency set to carry out word frequency matching, obtain the word frequency of each word in described text phrase;

For the phrase "holiday, adjustment, explanation", the numerical results matched from the word frequency set of the email attachment name in Table 3 are "1, 1, 2". If the word in the text phrase does not exist in the word frequency set, the corresponding word frequency is 0.

Steps 4-6, calculating the average value of the word frequency of each word in the text phrase; normalizing the average value to obtain the similarity between the name of the mail attachment and the name of the intranet mail attachment.

Sum the word frequency of each word in the text phrase, and divide the obtained sum by the number of words in the text phrase to obtain the average value; normalize the average value to obtain the similarity between the email attachment name and the intranet email attachment name .

Among them, after the average value is normalized, the obtained value is less than or equal to 1, so the processed value is used to represent the similarity, and the higher the similarity value, the similarity between the email attachment name and the intranet email attachment name higher.

It should be noted that the content of the normalization process involved in any embodiment of the present patent application can refer to the above explanation, and in order to avoid repetition, details will not be repeated hereafter.

Method 5. Email features include the similarity between the subject of the email and the subject of the intranet email:

Extracting sender's mailbox from the historical log is the mail subject of the historical mail of the internal mailbox of the enterprise; the mail subject of each described historical mail is carried out word segmentation, obtains a phrase set; calculate the word frequency of words in each phrase in each described phrase set , to obtain a word frequency set; the mail subject of the mail to be detected is segmented into words to obtain a text phrase; use the text phrase and the word frequency set to carry out word frequency matching to obtain the word frequency of each word in the text phrase; calculate the text The average value of the word frequency of each word in the phrase group; the average value is normalized to obtain the similarity between the subject of the email and the subject of the intranet email.

Method 6. Email features include the similarity between the sender’s email domain name and the intranet email domain name:

Extracting the sender's mailbox domain name from the sender's mailbox of the email to be detected; determining the similarity between the sender's mailbox domain name and the intranet mailbox domain name. For example, an algorithm library of python is used to determine the similarity between the domain name of the sender's mailbox and the domain name of the intranet mailbox.

For example, if the domain name of the intranet mailbox is "mail.com"; the sender's mailbox is zhangsan@mail1.com, then the extracted sender's mailbox domain name is "mail1.com".

Method 7. Email features include the similarity between the sender’s mailbox name and the domain name of the intranet mailbox:

Extracting the sender's mailbox name from the sender's mailbox of the email to be detected; determining the similarity between the sender's mailbox name and the intranet mailbox domain name.

For example, if the domain name of the intranet mailbox is "mail.com"; the sender's mailbox is mail@qq.com, then the extracted sender's mailbox name is "mail".

Method 8. Email features include the similarity between the sender's nickname and the intranet mailbox nickname:

Extracting sender's mailbox from the history log is the sender's nickname of the historical mail of the internal mailbox of the enterprise; the sender's nickname of each described historical mail is word-segmented to obtain a phrase set; calculate each phrase in each described phrase set The word frequency of the word in the word, obtains word frequency set; The sender's nickname of described to-be-detected mail is carried out word segmentation, obtains text phrase; Use described text phrase and described word frequency set to carry out word frequency matching, obtain the each word in the described text phrase Word frequency: Calculate the average value of the word frequency of each word in the text phrase; Normalize the average value to obtain the similarity between the sender's nickname and the intranet mailbox nickname.

Method 9. Email characteristics include the similarity between the sender's nickname and the internal organization of the enterprise:

Segment each internal organization based on the information set of the internal organization of the enterprise to obtain a phrase set; calculate the word frequency of each word in each phrase set to obtain a word frequency set; perform word segmentation on the sender’s nickname of the email to be detected to obtain a text phrase; use Described text phrase and described word frequency set carry out word frequency matching, obtain the word frequency of each word in the described text phrase; Calculate the average value of the word frequency of each word in the described text phrase; The average value is carried out normalization process, obtain The similarity between the sender's nickname and the internal organization of the enterprise.

Method 10. Email characteristics include the number of historical emails sent by external network mailboxes:

Extract the number of historical emails whose sender's mailbox is not an internal mailbox of the enterprise from the historical log, and obtain the historical number of emails sent by the external network mailbox.

For example, the sender's mailbox that does not belong to the internal mailbox collection of the enterprise is determined as an external mailbox. According to the historical logs of the mail gateway within a given time range (for example, within the past 6 months), the historical sending of external network mailboxes is counted according to the mailbox name. number of mails.

Method 11. Email characteristics include the number of email recipients:

The number of recipients of the email is determined based on the number of recipient mailboxes of the email to be detected.

In practice, one or more recipients can be selected for an email to be detected when it is sent, and the number of mailboxes of the recipients of the email to be detected can be used as the number of recipients of the email.

Method 12. The characteristics of the email include the number of departments corresponding to the email recipient:

Extract the recipient's mailbox name from the recipient's mailbox of the mail to be detected, and determine the corresponding department of the recipient's mailbox based on the recipient's mailbox name and the enterprise employee and department mapping information set; The corresponding department of the mailbox is deduplicated and counted, and the number of the corresponding department of the email recipient is obtained.

Method 13. The characteristics of the email include the number of emails received from the sender in the history of the recipient's department:

Extract the recipient mailbox name from the recipient mailbox of the mail to be detected, and determine the corresponding department of the recipient mailbox based on the recipient mailbox name and the enterprise employee and department mapping information set; from the historical log Counting the number of emails received from the sender's mailbox of the email to be detected by the department corresponding to the recipient's mailbox within the target historical time.

Method 14. Email characteristics include the number of emails received by the sender in the history of the recipient:

The number of emails received by the recipient mailbox of the email to be detected from the sender mailbox of the email to be detected is counted from the historical log.

Method 15. Email characteristics include the number of external mailboxes received by the recipient in history:

The number of emails whose sender mailboxes are external mailboxes received by the recipient mailboxes of the emails to be detected is counted from the historical logs.

Optionally, based on the internal information of the enterprise and the email gateway log, the implementation of determining the email characteristics of the email to be detected may include:

Step 1. In the case that the email attribute information of the email to be detected includes the name of the sender's mailbox, determine the mailbox domain name information of the email to be detected based on the sender's mailbox name of the email to be detected;

Step 2. In the case that the internal information of the enterprise includes the domain name collection of the internal mailbox of the enterprise, and the mailbox domain name information of the email to be detected does not match the domain name collection of the internal mailbox of the enterprise, based on the internal information of the enterprise, the mail gateway log, and the domain name collection of the email to be detected Detecting the mail attribute information of the mail, and determining the mail characteristics of the mail to be detected.

Optionally, this embodiment of the present invention provides a training method for a phishing email detection model. The cycle of model offline training is executed according to the time interval specified by the user. For example, if the user sets the model training time to be trained every Monday morning, the model offline training service will perform offline training at the specified time. Fig. 2 is a schematic diagram of the training method of the phishing email detection model provided by the embodiment of the present invention. As shown in Fig. 2, the phishing email detection method includes the following steps:

Step 201, obtaining model training dependencies;

Model training depends on data including: marked historical emails and internal information of the enterprise.

1) Flagged mail log information. Among them, the fields used in the mail log information are the sender's nickname, the sender's mailbox name, the recipient, the subject of the mail, the name of the mail attachment, and the type of the mail attachment.

2) Enterprise internal information includes: enterprise internal organization information collection, enterprise employee and department mapping information collection, enterprise internal mailbox collection, enterprise internal mailbox domain name collection.

When the model offline training service is started, the service will extract the marked historical email information and enterprise internal information from the database according to the given time range conditions. For example, if the specified time range is within 6 months of history, the email log information within the past 6 months will be extracted during data extraction.

Step 202, based on the marked historical emails and the internal information of the enterprise, determine the email features corresponding to the marked historical emails;

Optionally, based on the marked historical emails and the internal information of the enterprise, the specific method for determining the email features corresponding to the marked historical emails may include at least one of the following methods:

Method a. The characteristics of the email include whether the email contains attachments:

When the value of the attachment field corresponding to the marked historical email is not empty, it is determined that the email to be detected contains an attachment; when the value of the attachment field corresponding to the email to be detected is empty, it is determined that the email to be detected does not contain an attachment.

Method b. Email characteristics include email attachment types corresponding to abnormal levels:

Based on the file suffixes of the email attachments of the marked historical emails and the preset correspondence between the file suffixes and the abnormality levels, the abnormality level corresponding to the type of the email attachments of the marked historical emails is determined.

Method c, email characteristics include whether the email attachment name contains Chinese:

In the case where the mail attachment name of the marked historical mail matches a preset regular expression, it is determined that the mail attachment name contains Chinese; when the mail attachment name does not match a preset regular expression, Make sure that the name of the email attachment does not contain Chinese.

For example, when there are email attachments in the marked historical emails, use a regular expression to match whether the email attachment name contains Chinese characters, if the email attachment name contains Chinese characters, the matching result is Yes; if the email attachment name does not contain Chinese characters , the matching result is no.

Method d. The mail feature includes the similarity between the name of the mail attachment and the name of the intranet mail attachment. The implementation process of determining the mail feature of the marked historical mail includes: extracting at least one historical mail whose sender mailbox is an internal mailbox of the enterprise from the historical log The mail attachment name of each described historical mail is carried out participle to obtain phrase collection; Calculate the word frequency of each word in each described phrase collection, obtain word frequency collection; To the mail attachment name of described marked historical mail Carry out word segmentation to obtain text phrase; Use described text phrase and described word frequency set to carry out word frequency matching, obtain the word frequency of each word in described text phrase; Calculate the average value of the word frequency of each word in text phrase; Described average value is normalized Combined processing, the similarity between the email attachment name and the intranet email attachment name is obtained.

Method e, email features include the similarity between the subject of the email and the subject of the intranet email:

Extracting sender's mailbox from the historical log is the mail subject of the historical mail of the internal mailbox of the enterprise; the mail subject of each described historical mail is carried out word segmentation, obtains a phrase set; calculate the word frequency of words in each phrase in each described phrase set , to obtain a word frequency set; word segmentation is carried out to the mail subject of the marked historical mail to obtain a text phrase; use the text phrase to carry out word frequency matching with the word frequency set to obtain the word frequency of each word in the text phrase; calculate the The average value of the word frequencies of each word in the text phrase; the average value is normalized to obtain the similarity between the subject of the email and the subject of the intranet email.

Method f. Email features include the similarity between the sender’s email domain name and the intranet email domain name:

Extracting the sender's mailbox domain name from the sender's mailbox of the marked historical mail; determining the similarity between the sender's mailbox domain name and the intranet mailbox domain name.

For example, if the email address of the sender is zhangsan@mail1.com, the domain name of the extracted email address of the sender is "mail1.com"; assuming that the domain name of the intranet email address is "mail.com".

Method g. Email features include the similarity between the sender’s mailbox name and the domain name of the intranet mailbox:

Extracting the sender's mailbox name from the sender's mailbox of the marked historical mail; determining the similarity between the sender's mailbox name and the intranet mailbox domain name.

For example, if the sender's email address is mail@qq.com, the name of the extracted sender's email address is "mail"; suppose the domain name of the intranet email address is "mail.com".

Mode h. Email features include the similarity between the sender’s nickname and the nickname of the intranet mailbox:

Extracting sender's mailbox from the history log is the sender's nickname of the historical mail of the internal mailbox of the enterprise; the sender's nickname of each described historical mail is word-segmented to obtain a phrase set; calculate each phrase in each described phrase set The word frequency of the word in the word, obtains the word frequency set; The sender's nickname of the described historical mail of mark is carried out word segmentation, obtains text phrase; Use described text phrase and described word frequency set to carry out word frequency matching, obtain each in the described text phrase The word frequency of word; calculate the average value of the word frequency of each word in described text phrase; Described average value is carried out normalization process, obtains described sender's nickname and intranet mailbox nickname similarity.

Method i. Email characteristics include the similarity between the sender's nickname and the internal organization of the enterprise:

Segment each internal organization based on the information set of the internal organization of the enterprise to obtain a set of phrases; calculate the word frequency of each word in each phrase set to obtain a set of word frequency; perform word segmentation on the sender nickname of the marked historical emails to obtain the text Phrase; use the text phrase and the word frequency set to carry out word frequency matching to obtain the word frequency of each word in the text phrase; calculate the average value of the word frequency of each word in the text phrase; normalize the average Processing to obtain the similarity between the sender's nickname and the internal organization of the enterprise.

Method j, email characteristics include the number of historical emails sent by external network mailboxes:

Extract the number of historical emails whose sender's mailbox is not an internal mailbox of the enterprise from the historical log, and obtain the historical number of emails sent by the external network mailbox.

For example, the sender's mailbox that does not belong to the internal mailbox collection of the enterprise is determined as an external mailbox. According to the historical logs of the mail gateway within a given time range (for example, within the past 6 months), the historical sending of external network mailboxes is counted according to the mailbox name. number of mails.

Mode k, email characteristics include the number of email recipients:

The number of email recipients is determined based on the number of recipient mailboxes of the marked historical emails.

In practice, one or more recipients can be selected when a marked historical email is sent, and the number of recipient mailboxes of the marked historical email can be used as the number of email recipients.

Method L, email characteristics include the number of departments corresponding to email recipients:

Extract the recipient's mailbox name from the recipient's mailbox of the marked historical mail, and determine the corresponding department of the recipient's mailbox based on the recipient's mailbox name and the enterprise employee and department mapping information set; The corresponding department of the sender's mailbox is deduplicated and counted, and the number of the corresponding department of the email recipient is obtained.

Mode m, email characteristics include the number of emails received from this sender in the history of the recipient's department:

Extract the recipient's mailbox name from the recipient's mailbox of the marked historical mail, and determine the corresponding department of the recipient's mailbox based on the recipient's mailbox name and the enterprise employee and department mapping information set; from the history The log counts the number of emails received from the sender mailboxes of the marked historical emails by the department corresponding to the recipient mailbox within the target historical time period.

Method n, email characteristics include the number of emails received by the sender in the history of the recipient:

The number of emails received by the recipient mailbox of the marked historical mail from the sender mailbox of the marked historical mail is counted from the history log.

Mode p, email characteristics include the number of external mailboxes received by the recipient in the history of the recipient:

Count the number of emails whose sender mailboxes are external mailboxes received by the recipient mailboxes of marked historical emails from the historical logs.

Step 203: Based on the email features corresponding to the marked historical emails and the tag value of the marked historical emails, perform binary classification model training to obtain the phishing email detection model; wherein, the marked historical emails The tag value of the email is used to indicate whether the tagged historical email is a phishing email.

During model training, at least one of the email features shown in Table 1 and the tag value of the marked historical emails can be used to train the binary classification model through the extreme gradient boosting (eXtreme Gradient Boosting, XGBoost) algorithm. After the model offline training service completes the training, the trained phishing email detection model files and model dependency files are sent to the model real-time detection service for real-time detection of mail gateway logs.

Fig. 3 is the second schematic flow diagram of the phishing email detection method provided by the embodiment of the present invention. As shown in Fig. 3, the phishing email detection method includes the following steps:

Step 301, loading the pre-trained phishing email detection model, enterprise internal information related to the enterprise mailbox business and historical logs of the mail gateway;

When the detection service of the phishing email detection model starts, it will first load the phishing email detection model file and the data relied on in the model detection process, such as internal information of the enterprise, into the memory.

Step 302, obtaining the target log of the mail gateway in real time; the target log includes the mail attribute information of N mails, and the N mails include the mails to be detected;

After the model real-time detection service is started, the target log of the email gateway is obtained in real time for phishing email detection.

Step 303, judging whether the mailbox domain name information of the mail to be detected matches the internal mailbox domain name collection of the enterprise: in the case that the mailbox domain name information of the mail to be detected does not match the internal mailbox domain name collection of the enterprise, go to step 304; If the mailbox domain name information matches the enterprise internal mailbox domain name collection, exit the phishing email detection process;

In practice, after receiving the target log information of the mail gateway, if the mail attribute information of the mail to be detected includes the sender's mailbox name, the mailbox domain name information of the mail to be detected is determined based on the sender's mailbox name of the mail to be detected ; Compare the email domain name information of the mail to be detected with the domain name collection of internal mailboxes of the enterprise to determine whether the mail to be detected is an internal mail. If it is determined that the mail to be detected is an internal mail, it will directly exit the phishing mail detection process. Internal mail, then go to step 304, further judge whether the mail to be detected is a phishing mail.

Step 304: After the email is determined to be an external email, the email characteristics of the email to be detected are determined based on internal information of the enterprise, historical logs, and email attribute information of the email to be detected.

For example, according to the loaded internal information of the enterprise and the sender's nickname, sender's mailbox name, email subject, recipient's mailbox name, and email attachment information in the email to be detected, the email characteristics of the email to be detected are calculated.

Step 305, input the email characteristics of the email to be detected into the phishing email detection model, and obtain the email type of the email to be detected output by the phishing email detection model; the email type includes phishing emails and non-phishing emails . If the phishing email detection model determines that the email to be detected is a phishing email, then go to step 306; if the phishing email detection model determines that the email to be detected is a normal email, exit the phishing email detection process.

Step 306: Generate a corresponding phishing email alarm event and send it to the alarm module.

The phishing email detection method provided by the embodiment of the present invention extracts various features that can effectively distinguish whether an email is a fake internal email by using attribute information with a low sensitivity in the email information; Information and historical email sending and receiving behaviors extract various features that can distinguish whether the email is an abnormal sending and receiving relationship; only the less sensitive attributes in the email information are used in the feature analysis, which effectively guarantees the privacy of the email; due to phishing The phishing email detection method of the email detection model has stronger generalization ability, can be applied to different phishing email variants, can solve the problem of incomplete detection of encrypted compressed attachments by email sandbox, and solve the problem of incomplete coverage of keyword matching , reduce the probability of false negatives and false positives, and improve the reliability of phishing email detection.

Fig. 4 is the structural representation of the phishing mail detection system that the embodiment of the present invention provides, as shown in Fig. 4, this phishing mail detection system comprises: mail gateway log module 401, model offline training service module 402, model real-time detection service module 403 and Phishing email warning service module 404, wherein:

Mail gateway log module 401, the mail gateway log is the data source for analysis and detection of the entire system, and each mail log includes the sender's nickname, sender's mailbox name, mail subject, recipient's mailbox name, mail content, attachments information etc.

The model offline training service module 402 trains a model for phishing email detection based on marked historical email log information and enterprise internal information combined with machine learning algorithms.

The model real-time detection service module 403, based on the phishing email detection model trained offline, performs real-time anomaly detection on the email gateway log, and generates corresponding alarm events for the email logs that are determined to be phishing emails and sends them to the phishing email alarm service module 404

The phishing email warning service module 404 receives the warning event delivered by the model real-time detection service module 403 and performs a corresponding warning notification.

The embodiment of the present invention conducts machine learning model training based on the mail log information of the mail enterprise mail gateway and the sending and receiving behavior data between mailboxes, and performs real-time detection of phishing mails through the trained model.

The apparatus for detecting phishing emails provided by the present invention is described below, and the apparatus for detecting phishing emails described below and the method for detecting phishing emails described above can be referred to in correspondence.

FIG. 5 is a schematic structural diagram of a phishing email detection device provided by an embodiment of the present invention. As shown in FIG.

The obtaining module 501 is used to obtain the pre-trained phishing email detection model, enterprise internal information related to the enterprise mailbox business, and mail gateway logs;

The first determination module 502 is configured to determine the email characteristics of the email to be detected based on the internal information of the enterprise and the email gateway log;

The detection module 503 is configured to input the mail feature of the mail to be detected into the phishing mail detection model, and obtain the mail type of the mail to be detected output by the phishing mail detection model; the mail type includes phishing mail and Non-phishing emails; the phishing email detection model is obtained by training a binary classification model based on the email features corresponding to the marked historical emails and the tag values of the marked historical emails.

The phishing email detection device provided by the embodiment of the present invention determines the email characteristics of the email to be detected based on the internal information of the enterprise and the mail gateway log, uses the phishing email detection model obtained in advance training to detect the phishing email in real time, and judges whether the email to be detected is For phishing emails, since the phishing email detection model is obtained by training a binary classification model based on the email features corresponding to the marked historical emails and the tag values of the marked historical emails, this method has a stronger generalization ability, It can be applied to different variants of phishing emails, which can reduce the probability of false negatives and false positives, and improve the reliability of phishing email detection.

Optionally, the email features include at least one of the following:

The characteristics used to distinguish whether an email is a fake internal email, including at least one of the following: whether the email contains attachments, whether the email attachment type corresponds to the abnormal level, whether the email attachment name contains Chinese, the similarity between the email attachment name and the intranet email attachment name, the email The similarity between the subject and the intranet email subject, the similarity between the sender's mailbox domain name and the intranet mailbox domain name, the similarity between the sender's mailbox name and the intranet mailbox domain name, the similarity between the sender's nickname and the intranet mailbox nickname, and the sender The similarity between the nickname and the internal organization of the enterprise;

The characteristics used to distinguish whether the relationship between the sender and receiver in the email is a normal relationship between the receiver and the receiver, including at least one of the following: the number of emails sent by the external network mailbox in history, the number of email recipients, the number of departments corresponding to the email recipients, and the department to which the recipient belongs The number of emails received from this sender in history, the number of emails received from this sender in history by recipients, and the number of emails received by recipients in history from external mailboxes.

Optionally, the first determination module 502 is specifically used for at least one of the following:

When the value of the attachment field corresponding to the mail to be detected in the mail gateway log is not empty, it is determined that the mail to be detected contains an attachment; when the value of the attachment field corresponding to the mail to be detected is empty Next, confirm that the email to be detected does not contain any attachments;

Based on the file suffix of the email attachment of the email to be detected, and the preset correspondence between the file suffix and the abnormality level, determine the abnormality level corresponding to the email attachment type of the email to be detected;

In the case that the name of the mail attachment of the mail to be detected matches a preset regular expression, it is determined that the name of the mail attachment contains Chinese; the regular expression is used to match whether the name of the mail attachment contains Chinese characters; in the If the name of the mail attachment does not match the preset regular expression, it is determined that the name of the mail attachment does not contain Chinese;

From the historical log, extracting sender mailbox is the mail attachment name of at least one historical mail of the internal mailbox of the enterprise; the mail attachment name of each described historical mail is word-segmented to obtain the phrase set; calculate each described phrase set The word frequency of word obtains word frequency set; The mail attachment name of described to-be-detected mail is carried out participle to obtain text phrase; Use described text phrase and described word frequency set to carry out word frequency matching, obtain the word frequency of each word in described text phrase; Calculate The average value of the word frequency of each word in described text phrase; Described average value is carried out normalization process, obtains described mail attachment name and Intranet mail attachment name similarity;

Extract sender mailbox from described history log and be the mail subject of the historical mail of enterprise internal mailbox; Carry out word segmentation to the mail subject of each described historical mail, obtain phrase set; Calculate the words in each phrase in each described phrase set The word frequency of the word frequency is obtained word frequency collection; The mail subject of described to-be-detected mail is carried out word segmentation, obtains text phrase; Use described text phrase and described word frequency set to carry out word frequency matching, obtain the word frequency of each word in the described text phrase; Calculate the The average value of the term frequency of each word in the text phrase; Described average value is carried out normalization process, obtains described mail subject and Intranet mail subject similarity;

Extracting the sender's mailbox domain name from the sender's mailbox of the mail to be detected; determining the similarity between the sender's mailbox domain name and the intranet mailbox domain name;

Extracting the sender's mailbox name from the sender's mailbox of the mail to be detected; determining the similarity between the sender's mailbox name and the intranet mailbox domain name;

From described history log, extracting sender's mailbox is the sender's nickname of the historical mail of internal mailbox of enterprise; The sender's nickname of each described historical mail is carried out participle, obtains phrase collection; Calculate each described phrase collection The word frequency of word in word group, obtain word frequency set; The sender's nickname of described to-be-detected mail is carried out participle, obtain text phrase; Use described text phrase and described word frequency set to carry out word frequency matching, obtain each in described text phrase The word frequency of word; Calculate the mean value of the word frequency of each word in described text phrase; Described mean value is carried out normalization process, obtains described sender's nickname and intranet mailbox nickname similarity;

Carry out word segmentation to each internal organization based on the enterprise internal organization information set, obtain the phrase set; calculate the word frequency of words in each phrase in each described phrase set, obtain the word frequency set; carry out word segmentation to the sender's nickname of the described mail to be detected, Obtain text phrase; Use described text phrase and described word frequency set to carry out word frequency matching, obtain the word frequency of each word in described text phrase; Calculate the average value of the word frequency of each word in described text phrase; Described average value is normalized Combined processing to obtain the similarity between the sender's nickname and the internal organization of the enterprise;

Extracting the sender's mailbox from the historical log is not the historical number of emails in the internal mailbox of the enterprise, and obtaining the historical number of emails sent by the external network mailbox;

Determine the number of recipients of the email based on the number of recipient mailboxes of the email to be detected;

Extract the recipient mailbox name from the recipient mailbox of the mail to be detected, and determine the corresponding department of the recipient mailbox based on the recipient mailbox name and the enterprise employee and department mapping information set; The corresponding department of the sender's mailbox is deduplicated and counted to obtain the number of the department corresponding to the recipient of the email;

Extract the recipient mailbox name from the recipient mailbox of the mail to be detected, and determine the corresponding department of the recipient mailbox based on the recipient mailbox name and the enterprise employee and department mapping information set; from the history Count the number of mails received from the sender's mailbox of the mail to be detected within the target historical time by the corresponding department of the recipient's mailbox in the log;

Counting the number of mails received by the recipient mailbox of the mail to be detected from the mailbox of the sender of the mail to be detected from the historical log;

Counting the number of emails whose sender mailboxes are external mailboxes received by the recipient mailboxes of the emails to be detected from the historical logs.

Optionally, the first determination module 502 is specifically configured to:

In the case that the email attribute information of the email to be detected includes a sender's mailbox name, determining the mailbox domain name information of the email to be detected based on the sender's mailbox name of the email to be detected;

If the enterprise internal information includes the enterprise internal mailbox domain name set, and the mailbox domain name information of the email to be detected does not match the enterprise internal mailbox domain name set, based on the enterprise internal information, the mail gateway log and the email attribute information of the email to be detected, to determine the email feature of the email to be detected.

Optionally, the device also includes:

An acquisition module, configured to acquire marked historical emails and the internal information of the enterprise;

The second determination module is configured to determine the email characteristics corresponding to the marked historical emails based on the marked historical emails and the internal information of the enterprise;

A training module, configured to perform binary classification model training based on the email features corresponding to the marked historical emails and the tag value of the marked historical emails to obtain the phishing email detection model;

Wherein, the flag value of the marked historical email is used to indicate whether the marked historical email is a phishing email.

Optionally, the internal information of the enterprise includes at least one of the following:

Collection of organizational information within the enterprise;

A collection of employee and department mapping information;

Collection of mailboxes within the enterprise;

A collection of internal mailbox domain names.

Optionally, the mail gateway log includes mail attribute information of N mails, and the mail attribute information includes at least one of the following:

sender nickname;

sender email;

Recipient's email address;

Email Subject;

email attachment name;

Email attachment type.

FIG. 6 is a schematic diagram of the physical structure of the electronic device provided by the embodiment of the present invention. As shown in FIG. The bus 640 , wherein the processor 610 , the communication interface 620 , and the memory 630 communicate with each other through the communication bus 640 . The processor 610 can call logic instructions in the memory 630 to perform the following methods:

Obtain the pre-trained phishing email detection model, enterprise internal information related to the enterprise mailbox business, and mail gateway logs;

Determine the email characteristics of the email to be detected based on the internal information of the enterprise and the email gateway log;

Inputting the email feature of the email to be detected into the phishing email detection model to obtain the email type of the email to be detected output by the phishing email detection model; the email type includes phishing emails and non-phishing emails; the The phishing email detection model is obtained by training a binary classification model based on the email features corresponding to the marked historical emails and the tag values of the marked historical emails.

In addition, the logic instructions in the above-mentioned memory 630 may be implemented in the form of software functional units and when sold or used as an independent product, may be stored in a computer-readable storage medium. Based on this understanding, the essence of the technical solution of the present invention or the part that contributes to the prior art or the part of the technical solution can be embodied in the form of a software product, and the computer software product is stored in a storage medium, including Several instructions are used to make a computer device (which may be a personal computer, a server, or a network device, etc.) execute all or part of the steps of the method described in each embodiment of the present invention. The aforementioned storage medium includes: U disk, mobile hard disk, read-only memory (ROM, Read-Only Memory), random access memory (RAM, Random Access Memory), magnetic disk or optical disk and other media that can store program codes. .

On the other hand, an embodiment of the present invention also provides a non-transitory computer-readable storage medium on which a computer program is stored, and when the computer program is executed by a processor, the following method is implemented:

Obtain the pre-trained phishing email detection model, enterprise internal information related to the enterprise mailbox business, and mail gateway logs;

Determine the email characteristics of the email to be detected based on the internal information of the enterprise and the email gateway log;

Inputting the email feature of the email to be detected into the phishing email detection model to obtain the email type of the email to be detected output by the phishing email detection model; the email type includes phishing emails and non-phishing emails; the The phishing email detection model is obtained by training a binary classification model based on the email features corresponding to the marked historical emails and the tag values of the marked historical emails.

In yet another aspect, an embodiment of the present invention further provides a computer program product, the computer program product includes a computer program stored on a non-transitory computer-readable storage medium, the computer program includes program instructions, and when the program instructions When executed by a computer, the following methods are implemented:

Obtain the pre-trained phishing email detection model, enterprise internal information related to the enterprise mailbox business, and mail gateway logs;

Determine the email characteristics of the email to be detected based on the internal information of the enterprise and the email gateway log;

Inputting the email feature of the email to be detected into the phishing email detection model to obtain the email type of the email to be detected output by the phishing email detection model; the email type includes phishing emails and non-phishing emails; the The phishing email detection model is obtained by training a binary classification model based on the email features corresponding to the marked historical emails and the tag values of the marked historical emails.

The device embodiments described above are only illustrative, and the units described as separate components may or may not be physically separated, and the components shown as units may or may not be physical units, that is, they may be located in One place, or it can be distributed to multiple network elements. Part or all of the modules can be selected according to actual needs to achieve the purpose of the solution of this embodiment. It can be understood and implemented by those skilled in the art without any creative efforts.

Through the above description of the implementations, those skilled in the art can clearly understand that each implementation can be implemented by means of software plus a necessary general hardware platform, and of course also by hardware. Based on this understanding, the essence of the above technical solution or the part that contributes to the prior art can be embodied in the form of software products, and the computer software products can be stored in computer-readable storage media, such as ROM/RAM, magnetic discs, optical discs, etc., including several instructions to make a computer device (which may be a personal computer, server, or network device, etc.) execute the methods described in various embodiments or some parts of the embodiments.

Finally, it should be noted that: the above embodiments are only used to illustrate the technical solutions of the present invention, rather than to limit them; although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that: it can still be Modifications are made to the technical solutions described in the foregoing embodiments, or equivalent replacements are made to some of the technical features; and these modifications or replacements do not make the essence of the corresponding technical solutions deviate from the spirit and scope of the technical solutions of the various embodiments of the present invention.

Claims (11)

1. A phishing mail detection method, comprising:

acquiring a phishing mail detection model obtained by pre-training, enterprise internal information related to enterprise mailbox service and a mail gateway log;

determining the mail characteristics of the mail to be detected based on the enterprise internal information and the mail gateway log;

inputting the mail characteristics of the mail to be detected into the phishing mail detection model to obtain the mail type of the mail to be detected output by the phishing mail detection model; the mail types include fishing mail and non-fishing mail; the phishing mail detection model is obtained by performing two-classification model training based on the mail characteristics corresponding to the marked historical mails and the marked values of the marked historical mails.

2. A phishing mail detection method according to claim 1 characterized in that said mail characteristics include at least one of:

features for distinguishing whether a mail is a disguised internal mail, including at least one of: whether the mail contains an attachment, the corresponding abnormal grade of the mail attachment type, whether the mail attachment name contains Chinese, the similarity between the mail attachment name and the intranet mail attachment name, the similarity between the mail subject and the intranet mail subject, the similarity between the sender mailbox domain name and the intranet mailbox domain name, the similarity between the sender mailbox name and the intranet mailbox domain name, the similarity between the sender nickname and the intranet mailbox nickname and the similarity between the sender nickname and the internal organization;

features for distinguishing whether a sender-receiver relationship in a mailpiece is a normal sender-receiver relationship, comprising at least one of: the number of the sent mails in the history of the external mailbox, the number of the receivers of the mails, the number of the departments corresponding to the receivers of the mails, the number of the senders which are received in the history of the departments to which the receivers belong, the number of the senders which are received in the history of the receivers and the number of the external mailboxes which are received in the history of the receivers.

3. A phishing mail detection method according to claim 2, wherein the determining mail characteristics of the mail to be detected based on the enterprise internal information and the mail gateway log comprises at least one of:

determining that the mail to be detected contains an attachment under the condition that the value of the attachment field corresponding to the mail to be detected in the mail gateway log is not null; determining that the mail to be detected does not contain the attachment under the condition that the value of the attachment field corresponding to the mail to be detected is null;

determining an abnormal grade corresponding to the mail attachment type of the mail to be detected based on the file suffix of the mail attachment of the mail to be detected and the corresponding relation between the preset file suffix and the abnormal grade;

under the condition that the mail attachment name of the mail to be detected is matched with a preset regular expression, determining that the mail attachment name contains Chinese; the regular expression is used for matching whether the mail attachment name contains Chinese characters or not; under the condition that the mail attachment name is not matched with a preset regular expression, determining that the mail attachment name does not contain Chinese;

extracting a mail attachment name of at least one historical mail of which the sender mailbox is an enterprise internal mailbox from the history log; carrying out word segmentation on the mail attachment name of each historical mail to obtain a phrase set; calculating the word frequency of each word in each phrase set to obtain a word frequency set; performing word segmentation on the mail attachment name of the mail to be detected to obtain a text phrase; performing word frequency matching by using the text word group and the word frequency set to obtain the word frequency of each word in the text word group; calculating the average value of the word frequency of each word in the text phrase; carrying out normalization processing on the average value to obtain the similarity between the mail attachment name and the intranet mail attachment name;

extracting mail subjects of the historical mails of which the sender mailboxes are internal mailboxes of the enterprise from the historical logs; performing word segmentation on the mail subject of each historical mail to obtain a phrase set; calculating the word frequency of the words in each word group set to obtain a word frequency set; segmenting words of the mail subject of the mail to be detected to obtain text phrases; performing word frequency matching by using the text word group and the word frequency set to obtain the word frequency of each word in the text word group; calculating the average value of the word frequency of each word in the text phrase; carrying out normalization processing on the average value to obtain the similarity between the mail theme and the intranet mail theme;

extracting a sender mailbox domain name from a sender mailbox of the mail to be detected; determining the similarity between the sender mailbox domain name and the intranet mailbox domain name;

extracting a sender mailbox name from a sender mailbox of the mail to be detected; determining the similarity between the sender mailbox name and the intranet mailbox domain name;

extracting a sender nickname of the historical mail of which the sender mailbox is the enterprise internal mailbox from the historical log; dividing words for the nicknames of the senders of the historical mails to obtain a phrase set; calculating the word frequency of the words in each word group set to obtain a word frequency set; dividing words for the nicknames of the senders of the mails to be detected to obtain text phrases; performing word frequency matching by using the text word group and the word frequency set to obtain the word frequency of each word in the text word group; calculating the average value of the word frequency of each word in the text phrase; carrying out normalization processing on the average value to obtain the similarity between the nickname of the sender and the nickname of the intranet mailbox;

dividing words of each internal organization based on the internal organization information set of the enterprise to obtain a phrase set; calculating the word frequency of the words in each word group set to obtain a word frequency set; performing word segmentation on the nickname of the sender of the mail to be detected to obtain a text phrase; performing word frequency matching by using the text word group and the word frequency set to obtain the word frequency of each word in the text word group; calculating the average value of the word frequency of each word in the text phrase; carrying out normalization processing on the average value to obtain the similarity between the nickname of the sender and the internal organization of the enterprise;

extracting the historical mail number of a sender mailbox which is not an enterprise internal mailbox from the historical log to obtain the historical sent mail number of the external network mailbox;

determining the number of the mail recipients based on the number of the recipients of the mail to be detected;

extracting a receiver mailbox name from a receiver mailbox of the mail to be detected, and determining a corresponding department of the receiver mailbox based on the receiver mailbox name and an enterprise employee and department mapping information set; carrying out duplicate removal statistics on the departments corresponding to the mailboxes of the recipients to obtain the number of the departments corresponding to the mailrecipients;

extracting a receiver mailbox name from a receiver mailbox of the mail to be detected, and determining a corresponding department of the receiver mailbox based on the receiver mailbox name and an enterprise employee and department mapping information set; counting the number of the received mails from the sender mailbox of the mail to be detected in the target historical time by the corresponding department of the receiver mailbox from the history log;

counting the number of the mails from the sender mailbox of the mail to be detected, which are received by the receiver mailbox of the mail to be detected, from the history log;

and counting the number of the mails of which the sender mailbox received by the receiver mailbox of the mail to be detected is the external mailbox from the history log.

4. A phishing mail detection method as claimed in claim 1, wherein said determining mail characteristics of the mail to be detected based on said enterprise internal information and said mail gateway log comprises:

determining mailbox domain name information of the mail to be detected based on the name of the sender of the mail to be detected under the condition that the mail to be detected comprises the name of the sender mailbox;

and under the condition that the enterprise internal information comprises an enterprise internal mailbox domain name set and the mailbox domain name information of the mail to be detected is not matched with the enterprise internal mailbox domain name set, determining the mail characteristics of the mail to be detected based on the enterprise internal information, the mail gateway log and the mail attribute information of the mail to be detected.

5. A phishing mail detection method as claimed in claim 1 wherein before said obtaining a pre-trained phishing mail detection model, enterprise internal information related to enterprise mailbox services, and mail gateway logs, the method further comprises:

acquiring marked historical mails and the internal information of the enterprise;

determining mail characteristics corresponding to the marked historical mails based on the marked historical mails and the internal information of the enterprise;

performing two-classification model training based on the mail characteristics corresponding to the marked historical mails and the marked values of the marked historical mails to obtain the phishing mail detection model;

wherein the marking value of the marked historical mail is used for indicating whether the marked historical mail is a phishing mail.

6. A phishing mail detection method according to any of claims 1 to 5 wherein said intra-enterprise information comprises at least one of:

an enterprise internal organization information set;

enterprise employee and department mapping information sets;

an enterprise internal mailbox set;

and (4) an enterprise internal mailbox domain name set.

7. A phishing mail detection method according to any one of claims 1 to 5 wherein the mail gateway log includes mail attribute information for N mails, the mail attribute information including at least one of:

sender nickname;

a sender mailbox;

a recipient mailbox;

a subject of the mail;

a mail attachment name;

a mail attachment type.

8. A phishing mail detection device characterized by comprising:

the acquisition module is used for acquiring a pre-trained phishing mail detection model, enterprise internal information related to enterprise mailbox service and a mail gateway log;

the determining module is used for determining the mail characteristics of the mail to be detected based on the enterprise internal information and the mail gateway log;

the detection module is used for inputting the mail characteristics of the mail to be detected into the phishing mail detection model to obtain the mail type of the mail to be detected output by the phishing mail detection model; the mail types include fishing mail and non-fishing mail; the phishing mail detection model is obtained by performing two-classification model training based on the mail characteristics corresponding to the marked historical mails and the marked values of the marked historical mails.

9. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the phishing mail detection method of any of claims 1 to 7 when executing the program.

10. A non-transitory computer-readable storage medium having stored thereon a computer program, wherein the computer program, when executed by a processor, implements the phishing mail detection method as claimed in any one of claims 1 to 7.

11. A computer program product having executable instructions stored thereon, which when executed by a processor cause the processor to implement a phishing mail detection method as claimed in any one of claims 1 to 7.

Images