CN116095035A - Method and device for acquiring context information of mailbox - Google Patents

Abstract

This application provides a method and device for obtaining mailbox context information. The method for obtaining mailbox context information includes: obtaining the mailbox entity to be identified; matching the mailbox entity to be identified with the mailbox entity in the mailbox reputation information database, and the mailbox reputation information The library contains various mailbox entities and their context information. The content of the context information of a mailbox entity in the mailbox reputation intelligence database is more than that extracted from a mailbox entity alone; if the match is successful, the mailbox will be output The mailbox entity and its context information that match the mailbox entity to be identified in the reputation intelligence database; if the match fails, the output is empty. Analysts can efficiently and accurately trace the source of mailbox entities to be identified based on the rich contextual information obtained.

Description

Method and device for obtaining mailbox context information

Technical Field

The present application relates to the field of network security technology, and in particular to a method and device for acquiring mailbox context information, and a method and device for generating a mailbox reputation intelligence library.

Background Art

In security analysis scenarios, analysts need to track and locate attack entities through reputation analysis tools. The most typical attack entity is the mailbox entity. Because most attackers often use phishing mailbox entities, malicious external mailbox entities, etc. to attack and obtain user data. Therefore, reputation analysis of mailbox entities has become an important part of security analysis.

At present, in order to achieve reputation analysis of mailbox entities, the main method used is: the analyst inputs the mailbox entity to be analyzed into the reputation analysis tool, and the reputation analysis tool analyzes the mailbox entity and outputs the analysis result. This analysis result is generally whether the mailbox entity is a malicious mailbox entity and some basic context information extracted from the mailbox entity. If the analysis result shows that the mailbox entity is a malicious mailbox entity, then the analyst needs to track and trace the source based on this context information.

However, when tracing the malicious email entity through the above method, since the context information of the email entity provided by the reputation analysis tool is relatively basic information, analysts cannot accurately trace the source based on this basic context information. Sometimes, analysts are even required to manually associate more dimensional related information based on the malicious email entity, which will reduce the efficiency and accuracy of analysts' tracking and tracing.

Summary of the invention

The purpose of the embodiments of the present application is to provide a method and device for obtaining mailbox context information, as well as a method and device for generating a mailbox reputation intelligence library, so as to improve the efficiency and accuracy of analysts' tracking and tracing.

In order to solve the above technical problems, the embodiments of the present application provide the following technical solutions:

In a first aspect, the present application provides a method for obtaining mailbox context information, the method comprising: obtaining a mailbox entity to be identified; matching the mailbox entity to be identified with a mailbox entity in a mailbox reputation intelligence library, wherein the mailbox reputation intelligence library contains various mailbox entities and their context information, and the content of the context information of one mailbox entity in the mailbox reputation intelligence library is more than the content of the context information extracted from the one mailbox entity alone; if the match is successful, outputting the mailbox entity and its context information in the mailbox reputation intelligence library that match the mailbox entity to be identified; if the match fails, the output is empty.

A second aspect of the present application provides a method for generating an email reputation intelligence database, the method comprising: collecting multiple email entities through multiple information sources; extracting context information from the multiple email entities respectively, the context information being related to the email entity reputation assessment; integrating the context information of the same email entity; performing reputation assessment on the integrated context information to generate assessment results for each email entity; adding the assessment results for each email entity to the corresponding integrated context information and storing it in the email reputation intelligence database.

According to a third aspect of the present application, there is provided a device for acquiring mailbox context information, the device comprising: a receiving module, for acquiring a mailbox entity to be identified; a matching module, for matching the mailbox entity to be identified with a mailbox entity in a mailbox reputation intelligence library, wherein the mailbox reputation intelligence library contains various mailbox entities and their context information, and the content of the context information of one mailbox entity in the mailbox reputation intelligence library is more than the content of the context information extracted from the one mailbox entity alone; if the match is successful, the device enters an output module, wherein the output module is used to output the mailbox entity and its context information that match the mailbox entity to be identified in the mailbox reputation intelligence library; if the match is successful, the device enters a new module, wherein the new module is used to extract the context information in the mailbox entity to be identified, and store the extracted context information and the mailbox entity to be identified in the mailbox reputation intelligence library.

In a fourth aspect, the present application provides a device for generating a mailbox reputation intelligence library, the device comprising: a collection module, used to collect multiple mailbox entities through multiple information sources; an extraction module, used to extract context information from the multiple mailbox entities respectively, wherein the context information is related to the reputation assessment of the mailbox entities; an integration module, used to integrate the context information of the same mailbox entity; a assessment module, used to perform reputation assessment on the integrated context information and generate assessment results for each mailbox entity; a storage module, used to add the assessment results of each mailbox entity to the corresponding integrated context information and store it in the mailbox reputation intelligence library.

A fifth aspect of the present application provides a computer storage medium having a computer program stored thereon, wherein the program, when executed by a processor, can implement the method in the first aspect or the second aspect.

In a sixth aspect, the present application provides an electronic device, comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor can implement the method in the first aspect or the second aspect when executing the program.

Compared with the prior art, the method for obtaining email context information provided in the first aspect of the present application, when it is necessary to obtain the context information of the email entity to be identified, can match the email entity that is the same as the email entity to be identified from the email reputation intelligence library through the email reputation intelligence library containing various email entities and their rich context information, and then use the context information of the email entity as the context information of the email entity to be identified and provide it to the analyst, so that the analyst can obtain richer context information of the email entity to be identified, and then based on the rich context information, can efficiently and accurately track and trace the email entity to be identified.

The method for generating the mailbox reputation intelligence base provided in the second aspect of the present application, the device for obtaining mailbox context information provided in the third aspect, the device for generating the mailbox reputation intelligence base provided in the fourth aspect, the computer storage medium provided in the fifth aspect, and the electronic device provided in the sixth aspect have the same or similar beneficial effects as the method for generating the mailbox reputation intelligence base provided in the first aspect.

BRIEF DESCRIPTION OF THE DRAWINGS

By reading the detailed description below with reference to the accompanying drawings, the above and other purposes, features and advantages of the exemplary embodiments of the present application will become easy to understand. In the accompanying drawings, several embodiments of the present application are shown in an exemplary and non-limiting manner, and the same or corresponding reference numerals represent the same or corresponding parts, wherein:

FIG1 is a schematic diagram of a flow chart of a method for obtaining mailbox context information in an embodiment of the present application;

FIG2 is a schematic diagram of a production and processing architecture of mailbox reputation intelligence in an embodiment of the present application;

FIG3 is a flow chart of a method for generating a mailbox reputation intelligence database in an embodiment of the present application;

FIG4 is a schematic diagram of context information of a mailbox entity extracted in an embodiment of the present application;

FIG5 is a schematic diagram of context information of a mailbox entity output in an embodiment of the present application;

FIG6 is a schematic diagram of the production process of the mailbox reputation intelligence database in an embodiment of the present application;

FIG. 7 is a schematic diagram of the deployment process of the mailbox reputation intelligence library in an embodiment of the present application;

FIG8 is a schematic diagram of the structure of a device for acquiring mailbox context information in an embodiment of the present application;

FIG. 9 is a schematic diagram of the structure of a device for generating a mailbox reputation intelligence database in an embodiment of the present application.

DETAILED DESCRIPTION

The exemplary embodiments of the present application will be described in more detail below with reference to the accompanying drawings. Although the exemplary embodiments of the present application are shown in the accompanying drawings, it should be understood that the present application can be implemented in various forms and should not be limited by the embodiments described herein. On the contrary, these embodiments are provided in order to enable a more thorough understanding of the present application and to fully convey the scope of the present application to those skilled in the art.

It should be noted that, unless otherwise specified, the technical terms or scientific terms used in this application should have the common meanings understood by technicians in the field to which this application belongs.

At present, in order to obtain the context information of the target mailbox, analysts generally obtain the context information of the target mailbox manually or through existing mailbox reputation services. However, the efficiency of obtaining the context information of the target mailbox manually is limited by the individual experience differences of analysts. The accuracy and comprehensiveness of the obtained context information are not only low. The context information obtained through the mailbox reputation service is also some relatively basic information, which cannot help analysts accurately track and trace the target mailbox. It can be seen that the current method of obtaining the context information of the mailbox and tracking and tracing based on the obtained context information will reduce the efficiency and accuracy of the analyst's tracking and tracing.

After in-depth research, the inventor found that the main reason for the low efficiency and accuracy of analysts' tracing and tracing is that the context information of the mailbox obtained is not rich enough, and the reason for the lack of rich context information of the mailbox is that the mailbox context information in the mailbox reputation intelligence library that provides the context information of the mailbox is not rich enough. If a mailbox reputation intelligence library can be provided, which contains a large amount of context information of various mailboxes, then based on the mailbox reputation intelligence library, it is possible to find rich context information of the target mailbox, and then based on this rich context information, it can help analysts track and trace the target mailbox more efficiently and accurately.

In view of this, the embodiments of the present application provide a method and device for obtaining mailbox context information, as well as a method and device for generating a mailbox reputation intelligence library. By establishing a mailbox reputation intelligence library that contains rich context information of various mailboxes, when an analyst needs to track and trace a certain mailbox, the rich context information of the mailbox can be obtained through the mailbox information intelligence library, and then based on the rich context information, the target mailbox can be tracked and traced quickly and accurately.

Next, the method for obtaining mailbox context information provided by the embodiment of the present application is first described in detail.

FIG. 1 is a flow chart of a method for obtaining mailbox context information in an embodiment of the present application. Referring to FIG. 1 , the method may include:

S101: Obtain a mailbox entity to be identified.

The mailbox entity to be identified is actually the mailbox entity that the analyst needs to trace and trace, that is, the mailbox entity whose context information needs to be obtained. The mailbox entity is actually an email account, such as zhangsan@163.com, or an email.

S102: Match the mailbox entity to be identified with the mailbox entity in the mailbox reputation intelligence database. If the match is successful, execute step S103; if the match fails, execute step S104.

The mailbox reputation intelligence database contains various mailbox entities and their context information. The content of the context information of one mailbox entity in the mailbox reputation intelligence database is greater than the content of the context information extracted from one mailbox entity alone.

In order to obtain rich contextual information of the above-mentioned mailbox entity, which is difficult to obtain comprehensively based on the mailbox entity alone, the contextual information of the above-mentioned mailbox entity can be obtained from the mailbox reputation intelligence library containing various mailbox entities and their rich contextual information, and the obtained contextual information is very rich.

The reason why rich context information of the above-mentioned mailbox entities can be obtained from the mailbox reputation intelligence database is mainly because: the mailbox reputation intelligence database stores mailbox entities collected from various information sources, and the context information extracted from these mailbox entities is relatively rich. For example, suppose that mailbox entity 1 and mailbox entity 2 are collected from information source A, context information a and context information b are extracted from mailbox entity 1, and context information c is extracted from mailbox entity 2. Mailbox entity 1 is collected from information source B, and context information d is extracted from mailbox entity 1. Then, the mailbox reputation intelligence database stores context information a, context information b and context information d of mailbox entity 1, and context information c of mailbox entity 2. When an analyst needs to track and trace the source of mailbox entity 1, if he only obtains its context information based on the mailbox entity 1 at hand, he may only be able to obtain context information a and context information b. However, if the mailbox entity 1 at hand is matched with each mailbox entity in the mailbox reputation intelligence database, not only context information a and context information b can be obtained, but also context information c can be obtained. In this way, the analyst obtains richer context information of the mailbox entity 1, and can track and trace the source more efficiently and accurately. The specific method of obtaining the above-mentioned mailbox reputation intelligence library can be to integrate the existing mailbox information intelligence library or to create it again (the specific creation method will be described in detail later), which is not limited here.

In the process of matching the mailbox entity to be identified with the mailbox entity in the mailbox reputation intelligence library, the mailbox entity to be identified can be compared with each mailbox entity in the mailbox reputation intelligence library in turn. If it is found that the mailbox entity to be identified is the same as a mailbox entity in the mailbox reputation intelligence library, it is considered that the mailbox entity to be identified is successfully matched with the mailbox entity in the mailbox reputation intelligence library, and then the mailbox entity behind the mailbox entity is no longer matched. This can improve the matching efficiency, and then improve the efficiency of obtaining mailbox context information, and improve the efficiency of analyst tracking and tracing. If there is no successful match with the mailbox entity to be identified until the last mailbox entity in the mailbox reputation intelligence library, it is considered that there is no mailbox entity in the mailbox reputation intelligence library that matches the mailbox entity to be identified, and then the mailbox reputation intelligence library will not have rich context information of the mailbox entity to be identified, and the analyst can only obtain the context information of the mailbox entity through other means.

S103: Outputting the mailbox entity and its context information that matches the mailbox entity to be identified in the mailbox reputation intelligence database.

When the mailbox entity to be identified successfully matches with a mailbox entity in the mailbox reputation intelligence library, the context information of this mailbox entity in the mailbox reputation intelligence library is output to the analyst as the context information of the mailbox entity to be identified. Since the context information of this mailbox entity in the mailbox reputation intelligence library is more comprehensive and rich than the context information extracted from the mailbox entity to be identified, the analyst can track and trace the mailbox to be identified more efficiently and accurately based on the context information of the mailbox entity in the mailbox reputation intelligence library that matches the mailbox entity to be identified.

S104: The output is empty.

When the mailbox entity to be identified does not successfully match any mailbox entity in the mailbox reputation intelligence library, it means that the mailbox reputation intelligence library is currently unable to provide rich context information for the mailbox entity, and therefore, can only output empty.

At the same time, in order to make up for the lack of mailbox reputation intelligence database, new mailbox reputation intelligence needs to be produced in the future. When new mailbox reputation intelligence is produced in the mailbox reputation intelligence database, the mailbox entity that was previously output as empty can be matched again in the mailbox reputation intelligence database. If the match is successful, a prompt message can be sent to the analyst who previously searched for the mailbox entity to prompt the analyst that the mailbox reputation intelligence database already has the context information corresponding to the mailbox entity he queried.

It should be noted that the above context information may refer to all information related to the mailbox entity, including not only the sender, subject, etc., but also the reputation evaluation result of the mailbox. The specific content of the above context information is not limited here.

From the above content, it can be seen that the method for obtaining mailbox context information provided in the embodiment of the present application, when it is necessary to obtain the context information of the mailbox entity to be identified, can match the mailbox entity that is the same as the mailbox entity to be identified from the mailbox reputation intelligence library through the mailbox reputation intelligence library that contains various mailbox entities and their rich context information, and then use the context information of the mailbox entity as the context information of the mailbox entity to be identified, and provide it to the analyst, so that the analyst can obtain richer context information of the mailbox entity to be identified, and then based on this rich context information, can efficiently and accurately track and trace the mailbox entity to be identified.

Furthermore, as a refinement and extension of the above-mentioned mailbox reputation intelligence database, the creation process of the mailbox reputation intelligence database is described in detail below.

Prior to this, the production and processing architecture of each mailbox reputation intelligence in the mailbox reputation intelligence library is described. Figure 2 is a schematic diagram of the production and processing architecture of mailbox reputation intelligence in an embodiment of the present application. As shown in Figure 2, the architecture may include: data access layer, data storage layer, data processing layer and application layer.

1. Data access layer: access multiple types of information sources. At this time, each information source is not yet the mailbox reputation intelligence, but the object of comprehensive research and analysis, that is, the object entity to be extracted. Multiple types of information sources can include but are not limited to: open source data, domain name query protocol (Whois) records, indicator of compromise (IOC) information, threat intelligence (TI) data, large web crawler data and black/white list information.

The data access layer may specifically include: Whois information module, open source information module, crawler information module, IOC information module, black/white list module and file identification information module.

(1) Whois information module: used to receive Whois records.

(2) Open source information module: used to receive open source data.

(3) Crawler information module: used to receive large-scale crawler data.

(4) IOC information module: used to receive IOC information.

(5) Black/white list module: used to receive the black/white list of mailboxes.

(6) File identification information module: used to receive identification information of files in the mailbox.

2. Data storage layer: Store various context information of mailbox entities into the warehouse, associate various information and enter the production process, and specifically process them through cache queue tasks and then put them into the warehouse.

The data storage layer may specifically include: a data storage module, a mailbox reputation rating evaluation module, and a dynamic reputation data implementation module.

(1) Data storage module: used to store various context information of mailbox entities.

(2) Mailbox reputation rating evaluation module: used to evaluate the reputation level of the mailbox entity based on various context information of the mailbox entity.

(3) Real-time dynamic reputation data module: used to dynamically update the reputation level of the mailbox entity in real time.

3. Data processing layer: extract data of different types and sources according to entity extraction rules for integration, association, warehousing and other operations.

Data processing can specifically include: task scheduling module, data analysis module, data extraction module, data conversion module and rule definition module.

(1) Task scheduling module: used to implement the scheduling among data parsing module, data extraction module and data conversion module.

(2) Data parsing module: used to parse data of different types and sources.

(3) Data extraction module: used to extract the context information of the mailbox entity from data of different types and sources according to the entity extraction rules.

(4) Data conversion module: used to convert the context information of the extracted mailbox entity into a preset format.

(5) Rule definition module: used to define entity extraction rules.

4. Application layer: Verify the mailbox analysis results through the preset mailbox whitelist, conduct mailbox entity reputation profiling, and provide reputation query services. Complete the data interface field encapsulation and application program interface (API) interface provision, and provide API or application calls to the outside world to realize the value of threat analysis.

The application layer may specifically include: a whitelist pre-module, an email reputation profiling module, an email reputation query module, and an email reputation service module.

(1) Whitelist pre-module: used to store the preset whitelist and verify the mailbox analysis results based on the preset whitelist.

(2) Email reputation profiling module: used to profile the email based on the email entity’s contextual information and reputation assessment results.

(3) Mailbox reputation query module: used to query and output all relevant information of the mailbox entity based on the mailbox entity input by the user.

(4) Mailbox reputation service module: used to provide other services for mailbox reputation query.

The above is a schematic diagram of the production architecture of each mailbox reputation intelligence in the mailbox reputation intelligence library. Next, the creation process of the mailbox reputation intelligence library is described in detail. Figure 3 is a flow chart of the method for generating the mailbox reputation intelligence library in an embodiment of the present application. Referring to Figure 3, the method may include:

S301: Collect multiple mailbox entities through multiple information sources.

In order to build a mailbox reputation intelligence database, make the mailbox entities in the mailbox reputation intelligence database richer, and make the context information corresponding to the mailbox entities richer, it is necessary to collect all information related to the mailbox entities from multiple parties.

Specifically, the above step S301 may include:

Step A: Collect multiple mailbox entities from open source data, domain name query protocol Whois records, compromised attack indicators (IOC) information, threat intelligence (TI) data, large-scale web crawler data, and black/white lists.

Open source data generally refers to data sets that are publicly available on the Internet and can be directly accessed by anyone through the terminal they use.

Domain name query protocol Whois record, Whois is a database used to query whether a domain name has been registered and detailed information about the registered domain name. Through Whois records, the relevant data of the mailbox entity can also be obtained.

The IOC information of the attack indicators is lost. IOC is one of the most effective methods to detect threats. Various entities that can be used to detect threats through IOC include but are not limited to: Internet Protocol (IP) addresses, domain names, file hashes, email addresses, etc. IOC can provide threat analysis indicators to discover various signs of attack activities. Therefore, various information about mailbox entities can also be obtained through IOC information.

Threat intelligence TI data includes various mailbox reputation intelligence. Therefore, various information about mailbox entities can also be obtained through TI data.

The big web crawler data can obtain various data on the Internet through crawlers. Therefore, various information related to the mailbox entity can also be crawled through crawlers.

Blacklist/whitelist, that is, the blacklist/whitelist of the mailbox, is also a kind of information of the mailbox entity.

Of course, the mailbox entity can also be obtained through other information sources other than the above information sources, such as: a mailbox entity provided by an individual, etc. The specific information source for collecting multiple mailbox entities is not limited here.

From the above content, it can be seen that collecting mailbox entities through multiple information sources can maximize the acquisition of mailbox entities, thereby ultimately enriching the mailbox intelligence in the mailbox reputation intelligence library and providing richer context information.

S302: extracting context information from multiple mailbox entities respectively.

Among them, the context information is related to the reputation assessment of the mailbox entity.

After collecting multiple mailbox entities, it is necessary to extract information related to the mailbox entity that can be used in the mailbox reputation evaluation, that is, to extract context information, so as to maximize the richness of the relevant information of the mailbox entity in the mailbox reputation intelligence library.

Specifically, the above step S302 may include:

Step B: extract at least one of the sender, email label, IP address, email subject list, associated samples, email entity Whois registration information reverse query results, malicious label, domain name and active time attributes from multiple mailbox entities as the context information corresponding to the multiple mailbox entities respectively.

That is to say, for each mailbox entity, it is necessary to extract at least one of its sender, email label, IP address, email subject list, associated samples, mailbox entity Whois registration information reverse query results, malicious labels, domain name and active time attributes as the context information of the corresponding mailbox entity.

The sender can refer to the subject who sends the email, for example: Zhang San.

Mail labels may specifically include: mailbox suffix (i.e. free public mail service, such as: 163.com), recipients (specifically, it may be a list of recipient units, a list of industries, etc.), etc.

IP address, which may include: mail server IP address and sender's real IP address, etc.

Email subject list, that is, a collection of email subject names.

Related samples are samples with content that is consistent with a certain content of the email. Specifically, they may include: samples of the sender’s mailbox, samples of the recipient’s mailbox, attachments in the sender’s sample, and samples of the mailbox where the stealing Trojan is embedded.

The result of reverse query of the mailbox entity Whois registration information, that is, the relevant information of the email found in Whois.

Malicious tags are tags that indicate the nature of the email, including SPAM, phish, fraud, advertising, APT, and hacked.

Domain name, specifically can include: the domain name's main mx server, unit, industry.

Active time attributes may specifically include: first active time, most recent active time.

In order to more clearly see what context information has been extracted, a picture is used here for a vivid explanation. Figure 4 is a schematic diagram of the context information of the mailbox entity extracted in the embodiment of the present application. As shown in Figure 4, the extracted context information of the mailbox entity is the email intelligence enrichment information, and the major aspects mainly include: sender, email label, IP address, email subject list, associated samples, Whois registration information reverse query results, malicious labels, domain names and active time attributes. Some subcategories are also listed under some major categories, which are clearly given in Figure 4 and will not be repeated here.

From the above content, it can be seen that by extracting contextual information related to mailbox reputation assessment from the mailbox entity, the mailbox entity can be subsequently evaluated for reputation based on the contextual information and saved in the mailbox reputation intelligence library, making the intelligence in the mailbox reputation intelligence library richer, providing richer intelligence data for subsequent mailbox entities to be identified, and improving the efficiency and accuracy of analysts in tracking and tracing mailbox entities.

The forms of mailbox entities obtained from different information sources are different. In order to extract the corresponding senders, labels, IP addresses, email subject lists, associated samples, Whois registration information reverse query results, malicious labels, domain names and active time attributes from these mailbox entities, an information extraction method provided in an embodiment of the present application can be adopted.

Specifically, the above step B may include:

Step B1: extract mail_info, target, file, and type fields from the original data of the identification reports of multiple mailbox entities respectively, and obtain the first sub-information corresponding to the multiple mailbox entities respectively.

In other words, extract the original data field mail_info.sender in the report related to all emails in the file identification process, the field information is list, filter the items with the 'mail_info' field, and extract the target, file, type and other fields at the same time, and process the email and msg parts separately.

Step B2: extracting Message Digest Algorithm (MD5) information of multiple mailbox entities respectively, and obtaining second sub-information corresponding to the multiple mailbox entities respectively.

By extracting the MD5 information of the mailbox entity, it is possible to quickly analyze and judge based on the content of the email itself, making the information in the mailbox reputation intelligence database more accurate.

Step B3: extract the relevant information of the emails in the sandbox data messages of the multiple mailbox entities respectively, and obtain the third sub-information corresponding to the multiple mailbox entities respectively.

Sandbox, or report packet, is a virtual system program that allows email to run browsers or other programs in a sandbox environment. In this way, the actual running results of the email can be obtained, so that the email can be analyzed and judged, making the information in the mailbox reputation intelligence database more accurate.

Step B4: Extract the Mail Exchanger (MX) records, Sender Policy Framework (SPF) protocol information, and DMARC (Domain-based Message Authentication, Reporting, and Conformance) information of multiple mailbox entities respectively, and obtain the fourth sub-information corresponding to the multiple mailbox entities respectively.

MX, which points to a mail server, is used by the email system to locate the mail server based on the recipient's address suffix when sending mail. SPF, which can provide a kind of verification for the recipient of the mail. DMARC, which stands for Domain-based Message Authentication, is a DNS TXT record that can be published to a domain to control what happens when the message authentication fails. By obtaining the MX record, SPF protocol information, and DMARC information of the mailbox entity, richer contextual information of the mailbox entity can be obtained, thereby enriching the mailbox reputation intelligence library.

Step B5: The first sub-information, the second sub-information, the third sub-information and the fourth sub-information are detected by the loss detection module to obtain detection results corresponding to the multiple mailbox entities respectively.

That is to say, the mailbox field information is connected to the compromise detection interface, and the information is associated and converted according to the obtained IOC, malicious family (malicious_family), activity (campaign) and other information, and mapped to field information such as email, portraits (portraits), tags (tag), malicious activity (malicious_activity), etc.

The compromise detection module here is a tool that can detect malicious intent in entity information, such as various existing compromise detection tools. By connecting entity information with the compromise detection interface, malicious intent detection can be achieved.

Step B6: Based on the first sub-information, the second sub-information, the third sub-information, the fourth sub-information and the detection results, determine the senders, labels, IP addresses, email subject lists, associated samples, reverse query results of the mailbox entity Whois registration information, malicious labels, domain names and active time attributes corresponding to the multiple mailbox entities respectively, and use them as the context information corresponding to the multiple mailbox entities respectively.

After extracting the above sub-information, they are classified into sender, label, IP address, email subject list, associated samples, mailbox entity Whois registration information reverse query results, malicious labels, domain names and active time attributes according to the corresponding categories. Finally, the context information of the mailbox entity is obtained.

From the above content, it can be seen that the above information extraction method can obtain various contextual information related to the mailbox entity to the greatest extent, thereby enriching the intelligence content in the mailbox reputation intelligence library and improving the efficiency and accuracy of analysts' tracking and tracing.

When new extraction rules are generated later, a new extraction method can be added on the basis of the above information extraction method to extract the context information of the subsequent mailbox entity, and the previously collected mailbox entity can be subjected to the context information extraction according to the newly added extraction method. In this way, the content in the mailbox reputation intelligence database can be continuously updated and further enriched.

Specifically, after the last completion of storing the context information of the mailbox entity, the method may further include:

Step C1: Receive newly added extraction rules.

Here, the newly added extraction rules generally refer to the extraction rules for some mailbox entity context information that were not summarized in the early stage but were thought of later.

Step C2: extract context information from multiple mailbox entities respectively according to the newly added extraction rules.

That is to say, in the mailbox entity already in the mailbox reputation intelligence database, in addition to extracting context information according to the above steps B1-B6, it is necessary to extract context information again according to the newly added extraction rules. Then, after integration and judgment, it is stored in the corresponding mailbox entity in the mailbox reputation intelligence database.

From the above content, it can be seen that by adding new extraction rules and using the new extraction rules to re-extract the context information of the mailbox entities already existing in the mailbox reputation intelligence library, the context information of the mailbox entities in the mailbox reputation intelligence library can be continuously enriched.

A specific new extraction rule is given below. The above step C2 may specifically include:

Step C21: extracting domain names from multiple mailbox entities respectively.

Domain name, that is, domain. It can be extracted through the email field. The "domain" domain part in the email field can be extracted through regular expression. Of course, other methods can also be used to extract the "domain" domain part, such as scanning extraction. The specific method for extracting the "domain" domain part is not limited here.

Step C22: Determine whether the domain name is associated with a known malicious domain name. If yes, execute step C23; if no, execute step C24.

Step C23: Using the same domain name and the known malicious domain name as context information of the corresponding mailbox entity;

Step C24: Use the extracted domain name as context information of the corresponding mailbox entity.

If the "domain" domain name extracted from the email field is associated with a known malicious domain name, it means that there is a problem with the mailbox entity corresponding to the domain name. In this case, the known malicious domain name needs to be added to the extracted context information so that when the context information of the mailbox entity is subsequently output, the related malicious domain name can also be provided to alert the analyst, thereby improving the efficiency and accuracy of the analyst's tracking and tracing.

If the "domain" domain name extracted from the email field has no correlation with the known malicious domain name, it means that there is no abnormality in the email entity corresponding to the domain name. In this case, the extracted context information will only contain the context information extracted from the email entity, which will be provided to the analyst for tracking and tracing.

From the above content, we can see that by extracting the "domain" domain name part in the email field and performing correlation analysis with known malicious domain names, the associated malicious domain names are added to the context information of the corresponding mailbox entity, so that when the context information of the mailbox entity is subsequently output, the related malicious domain names are also provided to remind analysts, thereby improving the efficiency and accuracy of analysts' tracking and tracing.

S303: Integrate the context information of the same mailbox entity.

After extracting the context information of each mailbox entity, since the mailboxes collected from different information sources may be the same mailbox, in order to avoid duplicate context information corresponding to the same mailbox entity in the mailbox reputation intelligence library, the context information of the same mailbox entity needs to be integrated, that is, merged and deduplicated.

For example, the context information of mailbox entity 1 collected from information source A is a, b, c, and the context information of mailbox entity 1 collected from information source B is b, c, d. Among them, b and c are repeated in the context information of mailbox entities collected from the two information sources, so they need to be integrated to obtain the context information a, b, c, d of mailbox entity 1.

S304: Conduct reputation assessment on the integrated context information to generate assessment results for each mailbox entity.

After obtaining the non-repetitive context information of each mailbox entity, it is necessary to further conduct credibility analysis on this context information to obtain the analysis results of each mailbox entity, so that the analyst can be provided with the context information of the mailbox entity and the comprehensive analysis results of the mailbox entity in the future, so that the analyst can have a holistic understanding of the mailbox entity to be identified.

Specifically, the above step S304 may include:

Step D1: Determine whether there is a whitelist, tag information, compromise detection level score, advanced persistent threat APT family, abnormal field, and historical record score in the integrated upper and lower information. If at least one exists, execute step D2; if none of them exists, execute step D3.

Step D2: Add the score corresponding to the content determined to exist to the reputation score corresponding to the corresponding mailbox entity.

Step D3: Determine that the reputation score of the corresponding mailbox entity is 0.

That is to say, the context information after integration of a certain mailbox entity is judged in sequence, that is, first determine whether the context information exists in the whitelist, then determine whether there is a label in the context information, then determine whether there is an IOC score in the context information, then determine whether there is an APT logo in the context information, then determine whether there are other abnormal fields in the context information (for example: abnormal IP address behavior, abnormal activity range, etc.), and finally determine whether there are any previously analyzed results in the context information.

In the above judgment process, if a judgment result is yes, then the score corresponding to the "yes" item will be increased on the basis of the basic score. If there is no "yes" judgment result from beginning to end, then the final score is the basic score. The basic score can be 0.

For example, for different mailbox entities, threat intelligence interfaces will be associated for query and the types will be extracted, such as phishing, fraud, APT, etc. The score calculation logic is entered according to different marking results.

The code is as follows:

In actual applications, different mailbox entities can be classified into different reputation levels according to the reputation scores obtained by different mailbox entities. For example:

The reputation score is 0-30, indicating safety. The reputation of this mailbox is judged to be low, and possible threat information and mailbox portrait information are provided, and it is judged to be a safe mailbox.

A reputation score of 30-40 indicates unknown. More information is needed to determine whether the email is malicious based on the email profile information and detail fields.

A reputation score of 40-80 indicates suspiciousness. It may be a malicious threat and may be a malicious mailbox based on the context.

A reputation score of 80-100 indicates malicious intent. A high reputation provides a basis for judgment and contextual information, and is often a malicious email address.

From the above content, it can be seen that on the basis of standard reputation scoring, the use of dynamic evaluation methods can continuously update the reputation analysis results of email entities, improve the accuracy of email reputation evaluation, make the intelligence in the email reputation intelligence library more accurate, and improve analysts' effective and accurate tracing and positioning based on the contextual information of email entities provided by the email reputation intelligence library.

S305: Add the analysis results of each mailbox entity to the corresponding integrated context information and store it in the mailbox reputation intelligence library.

After obtaining the analysis results, i.e., reputation evaluation, of each mailbox entity, the analysis results and the context information of the corresponding mailbox can be stored in the mailbox reputation intelligence library together, so that when subsequent analysts need to obtain relevant information of the mailbox entity, the analysis results and context information of the mailbox entity can be directly provided to the analysts.

Specifically, the above step S305 may include:

Step E: Add the analysis results of each mailbox entity to the corresponding integrated context information and store it in the mailbox reputation intelligence library according to the classification method of reputation level, basic information, malicious activity identification and mailbox behavior portrait.

That is to say, for each mailbox entity, it needs to be stored in the mailbox reputation intelligence database according to the classification method of reputation level, basic information, malicious activity identification and mailbox behavior portrait. In the future, when analysts need to obtain relevant information about mailbox entities, the output will also be information classified according to the reputation level, basic information, malicious activity identification and mailbox behavior portrait.

The reputation level, or reputation evaluation, can be divided into: malicious, suspicious, unknown, and safe.

Basic information refers to some information in the mailbox that is relatively easy to obtain, including: mailbox type (whether it is a corporate mailbox, which can be obtained based on the ICP filing information, such as: info@reddit.com, info@qianxin.com. Whether it is a public/free mailbox, such as: person@yahoo.com), MX record (whether the mailbox domain has a valid MX record), DMARC record (the data source needs to be confirmed with the research institute), earliest seen time (the farthest registration action/sending and receiving email time), and most recent active time (the most recent registration action/sending and receiving email time).

Malicious activity identification may include: spam, forged emails, malicious labels of domain names associated with Whois information (for example: APT, CS), and custom operation labels.

Email behavior profiles can include: application app, whether it has been leaked (yes or no), and others (for example, whether it has appeared on a public website). Among them, application app can include: detecting whether there is a registration/access record in the application app, such as: JD.com, Taobao, etc., social account (detecting whether there is a registration record in a certain social account, such as: Twitter, Weibo and other mainstream social websites), main site registration information (whether the account is registered on a mainstream site, such as: gmail, google).

In order to more clearly see what specific information is output, a picture is used here for a vivid explanation. Figure 5 is a schematic diagram of the context information of the mailbox entity output in the embodiment of the present application. As shown in Figure 5, the context information of the mailbox entity output is the email intelligence enrichment information, which mainly includes: reputation rating, basic information, malicious activity identification and mailbox behavior portrait. Some subcategories are also listed under some major categories, which are clearly given in Figure 5 and will not be repeated here.

The code for field extraction and production of enriched content of processed mailbox reputation intelligence is as follows:

From the above content, it can be seen that by outputting the relevant information of the mailbox entity in the form of reputation level, basic information, malicious activity identification and mailbox behavior portrait, the enriched context information can be made clearer and easier for analysts to view. The mailbox reputation intelligence library established by the above method can provide analysts with richer context information of the mailbox entity, allowing analysts to efficiently and accurately trace the source based on the enriched context information.

Finally, two specific examples are used to further illustrate the production of the mailbox reputation intelligence database and the deployment process of the mailbox reputation intelligence database in the embodiment of the present application.

Figure 6 is a schematic diagram of the production process of the mailbox reputation intelligence library in the embodiment of the present application. As shown in Figure 6, mailbox entities are collected through open source data, Whois records, IOC information, TI data, crawler data, black/white lists, and other information sources, and the collected mailboxes are processed in real time, that is, they are parsed/extracted/converted/formatted in real time, and then processed through kafka, and then put into storage for processing, and finally stored in the db.

FIG7 is a schematic diagram of the deployment process of the mailbox reputation intelligence library in the embodiment of the present application. Referring to FIG7, a unified interface is provided to external analysts, namely, api.xxx.com. The received data entities are distributed to different gateways such as kong1, kong2 or kong3 through lvs load balancing. Then, they are distributed to different mailbox reputation services, namely, email-reputation-service calls and outputs corresponding context information from the mailbox reputation intelligence library.

Based on the same inventive concept, as an implementation of the above acquisition method, the present application embodiment also provides a device for acquiring mailbox context information. FIG8 is a schematic diagram of the structure of the device for acquiring mailbox context information in the present application embodiment. Referring to FIG8 , the device may include:

The receiving module 801 is used to obtain the mailbox entity to be identified;

A matching module 802 is used to match the mailbox entity to be identified with a mailbox entity in a mailbox reputation intelligence database, wherein the mailbox reputation intelligence database contains various mailbox entities and their context information, and the content of the context information of one mailbox entity in the mailbox reputation intelligence database is greater than the content of the context information extracted from the one mailbox entity alone;

If the match is successful, the process enters the first output module 803, which is used to output the mailbox entity and its context information that matches the mailbox entity to be identified in the mailbox reputation intelligence database;

If the match fails, the second output module 804 is entered, and the second output module 804 is used to extract the context information in the mailbox entity to be identified, and store the extracted context information and the mailbox entity to be identified in the mailbox reputation intelligence library.

Further, the refinement and expansion of the above-mentioned mailbox reputation intelligence database also includes a device for generating the mailbox reputation intelligence database. FIG9 is a schematic diagram of the structure of the device for generating the mailbox reputation intelligence database in an embodiment of the present application. Referring to FIG9 , the device may include:

A collection module 901 is used to collect multiple mailbox entities through multiple information sources;

An extraction module 902, configured to extract context information from the plurality of mailbox entities respectively, wherein the context information is related to the reputation assessment of the mailbox entity;

An integration module 903, used to integrate the context information of the same mailbox entity;

The evaluation module 904 is used to perform reputation evaluation on the integrated context information and generate evaluation results for each mailbox entity;

The storage module 905 is used to add the analysis results of each mailbox entity to the corresponding integrated context information and store it in the mailbox reputation intelligence library.

In other embodiments of the present application, the extraction module is specifically used to extract at least one of the senders, email labels, Internet Protocol IP addresses, email subject lists, associated samples, email entity Whois registration information reverse lookup results, malicious labels, domain names, and active time attributes from the multiple mailbox entities as context information corresponding to the multiple mailbox entities respectively.

In other embodiments of the present application, the extraction module is specifically used to extract the mail_info, target, file, and type fields in the original data of the identification reports of the multiple mailbox entities, respectively, to obtain the first sub-information corresponding to the multiple mailbox entities; extract the information digest algorithm MD5 information of the multiple mailbox entities, respectively, to obtain the second sub-information corresponding to the multiple mailbox entities; extract the relevant information of the email in the sandbox data message of the multiple mailbox entities, respectively, to obtain the third sub-information corresponding to the multiple mailbox entities; extract the mail exchange MX record, sender policy framework SPF protocol information, and DMARC information of the multiple mailbox entities, respectively, to obtain the fourth sub-information corresponding to the multiple mailbox entities; detect the first sub-information, the second sub-information, the third sub-information, and the fourth sub-information through the loss detection module to obtain the detection results corresponding to the multiple mailbox entities; based on the first sub-information, the second sub-information, the third sub-information, the fourth sub-information and the detection results, determine the senders, labels, Internet Protocol IP addresses, email subject lists, associated samples, mailbox entity Whois registration information reverse query results, malicious labels, domain names, and active time attributes corresponding to the multiple mailbox entities, and use them as the context information corresponding to the multiple mailbox entities.

In other embodiments of the present application, the generating device further includes: a dynamic updating module; the dynamic updating module is used to receive a newly added extraction rule; and extract context information from the multiple mailbox entities respectively according to the newly added extraction rule.

In other embodiments of the present application, the dynamic update module is specifically used to extract the domain names in the multiple mailbox entities respectively; determine whether the domain names are associated with known malicious domain names; if so, use the same domain names and the known malicious domain names as context information of the corresponding mailbox entity; if not, use the extracted domain names as context information of the corresponding mailbox entity.

In other embodiments of the present application, the analysis and judgment module is specifically used to determine whether there is a whitelist, whether there is label information, whether there is a compromise detection determination level score, whether there is an advanced persistent threat APT family, whether there is an abnormal field, and whether there is a historical record score in the integrated upper and lower information; if at least one exists, the score corresponding to the content determined to exist is added to the reputation score corresponding to the corresponding mailbox entity; if none of them exist, the reputation score of the corresponding mailbox entity is determined to be 0.

In other embodiments of the present application, the storage module is specifically used to add the analysis and judgment results of each mailbox entity to the corresponding integrated context information and store it in the mailbox reputation intelligence library according to the classification method of reputation level, basic information, malicious activity identification and mailbox behavior portrait.

In other embodiments of the present application, the receiving module is specifically used to collect multiple mailbox entities from open source data, domain name query protocol Whois records, compromised attack indicator IOC information, threat intelligence TI data, large-scale web crawler data and black/white lists.

It should be noted here that the description of the above acquisition device and generation device embodiments is similar to the description of the above acquisition method and generation method embodiments, and has similar beneficial effects as the acquisition method and generation method embodiments. For technical details not disclosed in the acquisition device and generation device embodiments of this application, please refer to the description of the acquisition method and generation method embodiments of this application for understanding.

Based on the same inventive concept, as an implementation of the above method, the embodiment of the present application further provides a computer storage medium on which a computer program is stored, and when the program is executed by a processor, the above method can be implemented.

It should be noted here that the description of the above computer storage medium embodiment is similar to the description of the above method embodiment, and has similar beneficial effects as the method embodiment. For technical details not disclosed in the computer storage medium embodiment of this application, please refer to the description of the method embodiment of this application for understanding.

Based on the same inventive concept, as an implementation of the above method, an embodiment of the present application further provides an electronic device. The electronic device may include a memory, a processor, and a computer program stored in the memory and executable on the processor, and the processor may implement the above method when executing the program.

It should be noted that the description of the above electronic device embodiment is similar to the description of the above method embodiment, and has similar beneficial effects as the method embodiment. For technical details not disclosed in the electronic device embodiment of this application, please refer to the description of the method embodiment of this application for understanding.

The above is only a specific implementation of the present application, but the protection scope of the present application is not limited thereto. Any person skilled in the art who is familiar with the present technical field can easily think of changes or substitutions within the technical scope disclosed in the present application, which should be included in the protection scope of the present application. Therefore, the protection scope of the present application should be based on the protection scope of the claims.

Claims (14)

1. A method for acquiring context information of a mailbox, the method comprising:

acquiring a mailbox entity to be identified;

matching the mailbox entity to be identified with mailbox entities in a mailbox reputation information library, wherein the mailbox reputation information library comprises various mailbox entities and context information thereof, and the content of the context information of one mailbox entity in the mailbox reputation information library is more than that of the context information extracted from the one mailbox entity independently;

if the matching is successful, outputting a mailbox entity matched with the mailbox entity to be identified and the context information thereof in the mailbox reputation information library;

if the match fails, the output is null.

2. The method of claim 1, wherein prior to obtaining the mailbox entity to be identified, the method further comprises:

collecting a plurality of mailbox entities through a plurality of information sources;

extracting context information from the mailbox entities respectively, wherein the context information is related to mailbox entity reputation research;

integrating the context information of the same mailbox entity;

reputation research and judgment are carried out on the integrated context information, and research and judgment results of all mailbox entities are generated;

And adding the research and judgment results of each mailbox entity into the corresponding integrated context information and storing the integrated context information in a mailbox reputation information library.

3. The method of claim 2, wherein the extracting context information from the plurality of mailbox entities, respectively, comprises:

and extracting at least one of a sender, a mail label, an Internet Protocol (IP) address, a mail subject list, a correlation sample, a mail box entity Whois registration information back check result, a malicious label, a domain name and an active time attribute in the plurality of mail box entities as context information respectively corresponding to the plurality of mail box entities.

4. The method of claim 3, wherein extracting at least one of a sender, a tag, an internet protocol IP address, a mail subject list, a correlation sample, a mail box entity Whois registration information review result, a malicious tag, a domain name, and an active time attribute in the plurality of mail box entities as the context information respectively corresponding to the plurality of mail box entities includes:

extracting the mail_ info, target, file, type fields in the original data of the identification reports of the mailbox entities respectively to obtain first sub-information corresponding to the mailbox entities respectively;

Respectively extracting information summary algorithm MD5 information of the mailbox entities to obtain second sub-information corresponding to the mailbox entities respectively;

respectively extracting the related information of the mails in the sandboxed data messages of the mailbox entities to obtain third sub-information corresponding to the mailbox entities respectively;

respectively extracting mail exchange MX records of the mailbox entities, sender policy framework SPF protocol information and DMARC information to obtain fourth sub-information respectively corresponding to the mailbox entities;

detecting the first sub-information, the second sub-information, the third sub-information and the fourth sub-information through a collapse detection module to obtain detection results respectively corresponding to a plurality of mailbox entities;

based on the first sub-information, the second sub-information, the third sub-information, the fourth sub-information and the detection result, determining a sender, a label, an Internet Protocol (IP) address, a mail topic list, a correlation sample, a mail box entity Whois registration information back check result, a malicious label, a domain name and an active time attribute which are respectively corresponding to a plurality of mail box entities, and using the same as context information respectively corresponding to the plurality of mail box entities.

5. The method of claim 2, wherein after adding the grinding results for each mailbox entity to the corresponding integrated context information and storing in the mailbox reputation information repository, the method further comprises:

receiving a new extraction rule;

and respectively extracting the context information from the mailbox entities according to the newly added extraction rule.

6. The method of claim 5, wherein extracting context information from the plurality of mailbox entities according to the new extraction rule, respectively, comprises:

extracting domain names in the mailbox entities respectively;

judging whether the domain name has an association relationship with a known malicious domain name or not;

if yes, the same domain name and the known malicious domain name are used as the context information of the corresponding mailbox entity;

if not, the extracted domain name is used as the context information of the corresponding mailbox entity.

7. The method of claim 2, wherein reputation research of the integrated context information generates a research result of each mailbox entity, comprising:

judging whether a white list exists in the integrated upper and lower information, label information exists, a collapse detection judgment level score exists, an advanced persistent threat APT family exists, an abnormal field exists and a history score exists;

If at least one exists, adding the score corresponding to the content judged to exist into the credit score corresponding to the corresponding mailbox entity;

and if none exists, determining that the credit score of the corresponding mailbox entity is 0.

8. The method of claim 2, wherein adding the grinding results of each mailbox entity to the corresponding integrated context information and storing in the mailbox reputation information repository comprises:

and adding the research and judgment results of each mailbox entity into the corresponding integrated context information and storing the results in a mailbox reputation information library according to the reputation level, the basic information, the malicious activity identification and the classification mode of mailbox behavior portraits.

9. The method of claim 2, wherein the collecting a plurality of mailbox entities via a plurality of information sources comprises:

and acquiring a plurality of mailbox entities from the open source data, the domain name query protocol Whois records, the collapse attack index IOC information, the threat information TI data, the large-net crawler data and the black/white list.

10. A method for generating a mailbox reputation information base, the method comprising:

collecting a plurality of mailbox entities through a plurality of information sources;

Extracting context information from the mailbox entities respectively, wherein the context information is related to mailbox entity reputation research;

integrating the context information of the same mailbox entity;

reputation research and judgment are carried out on the integrated context information, and research and judgment results of all mailbox entities are generated;

and adding the research and judgment results of each mailbox entity into the corresponding integrated context information and storing the integrated context information in a mailbox reputation information library.

11. An apparatus for acquiring context information of a mailbox, the apparatus comprising:

the receiving module is used for acquiring a mailbox entity to be identified;

the matching module is used for matching the mailbox entity to be identified with the mailbox entity in the mailbox reputation information library, wherein the mailbox reputation information library comprises various mailbox entities and context information thereof, and the content of the context information of one mailbox entity in the mailbox reputation information library is more than that of the context information extracted from the one mailbox entity independently;

if the matching is successful, a first output module is entered, wherein the first output module is used for outputting mailbox entities and context information thereof matched with the mailbox entities to be identified in the mailbox reputation information library;

If the matching fails, a second output module is entered, wherein the second output module is used for extracting the context information in the mailbox entity to be identified and storing the extracted context information and the mailbox entity to be identified in the mailbox reputation information library.

12. A device for generating a mailbox reputation information base, the device comprising:

the acquisition module is used for acquiring a plurality of mailbox entities through a plurality of information sources;

the extraction module is used for respectively extracting context information from the mailbox entities, and the context information is related to the reputation research and judgment of the mailbox entities;

the integrating module is used for integrating the context information of the same mailbox entity;

the judging module is used for carrying out reputation judgment on the integrated context information and generating judging results of all mailbox entities;

and the storage module is used for adding the research and judgment results of each mailbox entity into the corresponding integrated context information and storing the integrated context information in the mailbox reputation information library.

13. A computer storage medium having stored thereon a computer program, which when executed by a processor, is adapted to carry out the method of any of claims 1-10.

14. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor is operable to implement a method as claimed in any one of claims 1 to 10 when the program is executed by the processor.

Images