CN116708019A - A cloud mailbox security monitoring method, device, equipment and storage medium - Google Patents
- Publication number: CN116708019A (application CN202310932568.6A)
- Authority: CN (China)
- Prior art keywords: account, preset, alarm information
- Legal status: Pending (the status is an assumption, not a legal conclusion; Google has not performed a legal analysis)
Classifications
- H04L63/1483: Countermeasures against malicious traffic, service impersonation, e.g. phishing, pharming or web spoofing (under H04L63/00 network security; H04L63/14 detecting or protecting against malicious traffic; H04L63/1441 countermeasures against malicious traffic)
- H04L51/08: Annexed information, e.g. attachments (under H04L51/00 user-to-user messaging in packet-switching networks, e.g. e-mail; H04L51/07 characterised by the inclusion of specific contents)
- H04L51/42: Mailbox-related aspects, e.g. synchronisation of mailboxes (under H04L51/00)
- H04L63/302: Gathering intelligence information for situation awareness or reconnaissance (under H04L63/00 network security; H04L63/30 supporting lawful interception, monitoring or retaining of communications or communication related information)
- H04L63/308: Retaining data, e.g. retaining successful and unsuccessful communication attempts, internet access, e-mail, internet telephony, intercept related information or call content (under H04L63/30)
- H04L67/1095: Replication or mirroring of data, e.g. scheduling or transport for data synchronisation between network nodes (under H04L67/00 network arrangements or protocols for supporting network services or applications; H04L67/01 protocols; H04L67/10 protocols in which an application is distributed across nodes in the network)
- Y02D30/50: Reducing energy consumption in wire-line communication networks, e.g. low power modes or reduced link rate (under Y02D climate change mitigation technologies in information and communication technologies [ICT]; Y02D30/00 reducing energy consumption in communication networks)
Description
Technical field
The present invention relates to the field of network security, and in particular to a cloud mailbox security monitoring method, apparatus, device and storage medium.
Background
Phishing attacks delivered by e-mail are a serious threat to enterprise information security. Earlier protection schemes based on a mail security gateway can, to a degree, filter part of the spam, phishing mail and virus-carrying mail. A mail security gateway is a network security device placed inline in the mail communication path; it identifies spam, virus mail and phishing mail by signatures and algorithms and blocks or alerts according to policy. Because it is an inline device, its detection thresholds are usually set relatively strictly in order to reduce false positives, so a small amount of spam, virus mail or phishing mail passes through the gateway and reaches users' mailboxes. Also, as an inline device, the gateway mostly performs streaming analysis of individual messages and does not perform offline statistical and correlation analysis across many messages and many accounts over a period of time. A portion of malicious mail is therefore still delivered to recipients' folders; such phishing mail can usually be monitored by traffic-monitoring equipment. In current cloud mailbox deployments, however, the mail traffic cannot be redirected, so malicious mail that reaches recipients' folders cannot be monitored at all, leaving a blind spot in security monitoring and creating significant risk.
Summary of the invention
In view of this, the purpose of the present invention is to provide a cloud mailbox security monitoring method, apparatus, device and storage medium that solve the following technical problems: a mail security gateway cannot protect against 100% of phishing mail, and the phishing mail it misses cannot be monitored; current mail gateways and other security devices cannot monitor account anomalies; and in a cloud mailbox environment mail monitoring cannot be carried out because the mail communication traffic cannot be obtained. The specific scheme is as follows:
In a first aspect, the present application discloses a cloud mailbox security monitoring method, comprising:
backing up, based on a mail backup rule, the mail of an account to be monitored to a pre-created monitoring account, the monitoring account being a mailbox account used for the monitoring service;
pulling, according to the Internet Message Access Protocol (IMAP) and mailbox information pre-configured for the monitoring account, the mail of the account to be monitored from the monitoring account, to obtain pulled mail;
parsing the pulled mail to obtain a number of corresponding items of mail data, and analysing each item of mail data using a preset feature algorithm and a preset behaviour algorithm on the basis of streaming analysis and offline analysis, to generate corresponding alarm information;
marking the alarm information with a confidence level based on a preset marking algorithm, and performing, based on the confidence level, a corresponding automatic push operation or manual analysis operation on the alarm information.
Optionally, after backing up the mail of the account to be monitored to the pre-created monitoring account based on the mail backup rule, the method further comprises:
judging whether the number of messages currently in the monitoring account exceeds a preset message count;
if so, deleting all read messages based on a preset deletion rule;
if not, deleting all read messages older than a preset deletion time based on that preset deletion time.
Optionally, parsing the pulled mail to obtain the number of corresponding items of mail data comprises:
reading the key-value pairs of each mail header of the pulled mail according to the e-mail transport protocol, extracting preset key information from those key-value pairs, and analysing the attachments and body of the pulled mail, to obtain the items of mail data; the items of mail data comprise any one or a combination of: sender, recipient, actual sender, sending IP address, attachment name, attachment hash, uniform resource locators (URLs) in attachments, URLs in the body, QQ numbers, mobile phone numbers and sensitive words.
Optionally, analysing each item of mail data using the preset feature algorithm and the preset behaviour algorithm on the basis of streaming analysis and offline analysis to generate the corresponding alarm information comprises:
matching each item of mail data against a preset intelligence database;
if the match succeeds, generating corresponding alarm information;
if the match fails, determining, based on a preset phishing behaviour detection algorithm, whether a target behaviour exists in each item of mail data, and if so generating corresponding alarm information; the target behaviour comprises any one or a combination of a spoofed domain name, a spoofed user name and spoofed user business;
determining the user names in each item of mail data based on a preset account forgery identification algorithm, identifying the abnormal user names among them, and determining, based on the abnormal user names and a preset domain name query tool, whether a forged account exists in each item of mail data, and if so generating corresponding alarm information;
matching each item of mail data against the preset intelligence database based on a preset abnormal link extraction algorithm, determining from the match result whether an abnormal link exists in each item of mail data, and if so generating corresponding alarm information;
performing offline analysis, based on a preset behaviour baseline matching algorithm, on the data among the current mail data that has not yet been flagged by detection, to determine whether the sending and receiving behaviour baseline of the account to be monitored deviates from a preset reference; if so, judging the account to be monitored to be abnormal and generating corresponding alarm information.
Optionally, before the offline analysis of the not-yet-flagged data among the current mail data based on the preset behaviour baseline matching algorithm, the method further comprises:
learning the account behaviour baseline of the monitored account over a preset period to determine the behaviour baseline of the monitored account, thereby obtaining the preset reference.
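The two optional steps above (learn a per-account sending and receiving baseline over a preset period, then judge offline whether a later day deviates from it) can be made concrete as follows. This is an added example, not the patent's code: the events, dates and accounts are constructed, and the decision rule (daily volume above mean + k standard deviations with an absolute floor, or a large share of peer domains never seen during learning) is one reasonable choice of "deviates from the preset reference", which the patent leaves unspecified.

```python
"""Behaviour baseline learning and offline deviation check (added example).

Learns, per monitored account and direction, the daily mail volume and the
set of peer domains seen during a learning period, then checks one later
day against that baseline.  Threshold rule and sample data are assumptions.
"""
from collections import Counter, defaultdict
from datetime import date, timedelta
from statistics import mean, pstdev


def learn_baseline(events, start, days):
    """events: iterable of (account, direction, day, peer_domain).

    Returns {(account, direction): {"mean", "stdev", "domains"}} computed
    over the learning window [start, start + days).  Days with no mail
    count as zero so that a quiet account gets a low baseline.
    """
    window = {start + timedelta(d) for d in range(days)}
    counts = defaultdict(Counter)
    peers = defaultdict(set)
    for acct, direction, day, peer in events:
        if day in window:
            counts[(acct, direction)][day] += 1
            peers[(acct, direction)].add(peer)
    baseline = {}
    for key, c in counts.items():
        daily = [c.get(d, 0) for d in sorted(window)]
        baseline[key] = {"mean": mean(daily), "stdev": pstdev(daily), "domains": peers[key]}
    return baseline


def check_day(events, day, baseline, k=3.0, floor=5, new_domain_ratio=0.5):
    """Offline check of one day; returns [(account, direction, reason), ...]."""
    counts = defaultdict(Counter)
    peers = defaultdict(set)
    for acct, direction, d, peer in events:
        if d == day:
            counts[(acct, direction)][d] += 1
            peers[(acct, direction)].add(peer)
    findings = []
    for key, c in counts.items():
        n = c[day]
        b = baseline.get(key)
        if b is None:                       # account never seen in the learning period
            findings.append((*key, f"no baseline; {n} messages"))
            continue
        limit = max(b["mean"] + k * b["stdev"], floor)
        if n > limit:
            findings.append((*key, f"volume {n} > {limit:.1f}"))
        new = peers[key] - b["domains"]
        if peers[key] and len(new) / len(peers[key]) >= new_domain_ratio:
            findings.append((*key, f"{len(new)}/{len(peers[key])} peer domains unseen in baseline"))
    return findings


def build_sample_events(start):
    """Constructed activity: 14 days of steady traffic, then an anomalous day."""
    ev = []
    for d in range(14):
        day = start + timedelta(d)
        ev += [("alice@acme.test", "sent", day, "partner.test")] * 2
        ev += [("alice@acme.test", "recv", day, "partner.test")] * 3
    day15 = start + timedelta(14)
    ev += [("alice@acme.test", "sent", day15, "random.test")] * 20   # burst to a new domain
    ev += [("alice@acme.test", "recv", day15, "partner.test")] * 3   # normal inbound
    ev += [("bob@acme.test", "sent", day15, "partner.test")]         # no learning history
    return ev, day15


def run_demo():
    start = date(2024, 1, 1)                # constructed dates
    events, day15 = build_sample_events(start)
    baseline = learn_baseline(events, start, 14)
    return check_day(events, day15, baseline)


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

The check is deliberately per (account, direction) so that an outbound burst from a compromised account is reported separately from inbound anomalies; an account with no history at all is reported rather than silently passed.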
Optionally, the method further comprises:
extracting target field information from the alarm information generated after analysing each item of mail data with the preset phishing behaviour detection algorithm, the preset account forgery identification algorithm, the preset abnormal link extraction algorithm and the preset behaviour baseline matching algorithm;
updating the preset intelligence database based on the target field information.
Optionally, marking the alarm information with a confidence level based on the preset marking algorithm comprises:
marking the confidence level of alarm information generated after the mail data successfully matched the preset intelligence database as credible;
correspondingly, performing the corresponding automatic push operation or manual analysis operation on the alarm information based on the confidence level comprises:
automatically pushing the alarm information whose confidence level is marked credible, and performing manual analysis on the remaining alarm information so that it is manually labelled accordingly.
In a second aspect, the present application discloses a cloud mailbox security monitoring apparatus, comprising:
a mail backup module, for backing up, based on a mail backup rule, the mail of an account to be monitored to a pre-created monitoring account, the monitoring account being a mailbox account used for the monitoring service;
a mail pulling module, for pulling, according to IMAP and mailbox information pre-configured for the monitoring account, the mail of the account to be monitored from the monitoring account, to obtain pulled mail;
a data analysis module, for parsing the pulled mail to obtain a number of corresponding items of mail data, and analysing each item of mail data using a preset feature algorithm and a preset behaviour algorithm on the basis of streaming analysis and offline analysis, to generate corresponding alarm information;
a confidence marking module, for marking the alarm information with a confidence level based on a preset marking algorithm;
an alarm information processing module, for performing, based on the confidence level, a corresponding automatic push operation or manual analysis operation on the alarm information.
In a third aspect, the present application discloses an electronic device, comprising:
a memory for storing a computer program;
a processor for executing the computer program to implement the steps of the cloud mailbox security monitoring method disclosed above.
In a fourth aspect, the present application discloses a computer-readable storage medium for storing a computer program which, when executed by a processor, implements the steps of the cloud mailbox security monitoring method disclosed above.
As can be seen from the above, when performing security monitoring on a cloud mailbox, the present application first backs up, based on a mail backup rule, the mail of the account to be monitored to a pre-created monitoring account, the monitoring account being a mailbox account used for the monitoring service; pulls, according to IMAP and mailbox information pre-configured for the monitoring account, the mail of the account to be monitored from the monitoring account to obtain pulled mail; parses the pulled mail to obtain a number of corresponding items of mail data and analyses each item using a preset feature algorithm and a preset behaviour algorithm on the basis of streaming analysis and offline analysis to generate corresponding alarm information; and finally marks the alarm information with a confidence level based on a preset marking algorithm and, based on that confidence level, either pushes the alarm information automatically or routes it to manual analysis. In other words, the present application collects mail metadata by way of mail backup, detects phishing mail with behaviour algorithms and with streaming and offline analysis, and selects alarms for automatic output according to confidence, making the alarms timely. Using the mailbox system's own backup and filtering functions, the mail that needs monitoring is backed up to one monitoring service account, and IMAP is then used to pull all the mail in that account in order to parse and analyse it, identify malicious mail and report alarms, so that risks are discovered promptly and managed centrally.
Brief description of the drawings
To explain more clearly the technical solutions in the embodiments of the present invention or in the prior art, the drawings required for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are merely embodiments of the present invention, and a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of a cloud mailbox security monitoring method disclosed in the present application;
Fig. 2 is a flow chart of a specific cloud mailbox security monitoring method disclosed in the present application;
Fig. 3 is a schematic structural diagram of a specific cloud mailbox security monitoring apparatus disclosed in the present application;
Fig. 4 is a schematic structural diagram of a cloud mailbox security monitoring apparatus disclosed in the present application;
Fig. 5 is a structural diagram of an electronic device disclosed in the present application.
Detailed description
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings of those embodiments. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
At present, phishing mail is mainly identified from the domain name and IP (Internet Protocol) address in the mail header and from blacklists of links in the mail content, and malicious attachments are identified from mismatches between an attachment's MIME (Multipurpose Internet Mail Extensions) fields and its actual MIME type. In practice, a phishing mail is very likely to come from a trusted domain and IP address, because to evade detection phishing attackers typically first buy on the black market, or directly steal, the accounts of legitimate organisations and use them to send the phishing mail. On the receiving side, existing technology mainly offers a detection method applied after an individual user has received the mail, and cannot provide centralised management and control. As for presenting alarms, existing practice is mainly to set up a message-sharing group in advance, and a user who discovers a phishing mail shares it with the others. Such sharing is usually hard to sustain; if the work is done as a service, the service provider should detect the phishing mail and push the alarm precisely to the recipients. To solve the above technical problems, the present application discloses a cloud mailbox security monitoring method capable of identifying malicious mail promptly and raising alarms promptly.
Referring to Fig. 1, an embodiment of the present invention discloses a cloud mailbox security monitoring method, comprising:
Step S11: back up, based on a mail backup rule, the mail of the account to be monitored to a pre-created monitoring account; the monitoring account is a mailbox account used for the monitoring service.
In this embodiment, before mail backup is carried out, a mail service account dedicated to the monitoring service, called the monitoring account, is first created or selected, and the monitoring scope, i.e. the mail accounts or departments to be monitored, is determined. All mail of the accounts to be monitored can then be backed up to the monitoring account under the mail backup rule, achieving unified management of the accounts.
Step S12: pull, according to IMAP and mailbox information pre-configured for the monitoring account, the mail of the account to be monitored from the monitoring account, to obtain pulled mail.
In this embodiment, the mailbox account, password and mailbox domain of the monitoring account are first configured and the collection engine is started; the collection engine then pulls mail using IMAP (Internet Message Access Protocol) and the configured account. This achieves centralised management and control without any other account in the enterprise having to be configured. It should be noted that after the mail of the account to be monitored has been backed up to the pre-created monitoring account under the mail backup rule, it must be judged whether the number of messages currently in the monitoring account exceeds the preset message count; if so, all read messages are deleted under the preset deletion rule; if not, all read messages older than the preset deletion time are deleted under that preset deletion time. Every account's mailbox storage has an upper limit, and when the whole enterprise's mail is backed up into one account its folders fill up easily, so adaptive deletion is needed. For this the present application discloses a mail marking and deletion algorithm. By default, messages older than N days are deleted, or a folder is capped at a maximum of M messages. The procedure is: first, obtain the number n of unread messages in the current mailbox; second, read these n messages and mark them as read; third, obtain the number m of read messages in the current mailbox; fourth, if (m + n) > M, start the deletion operation immediately and proceed to the next step; fifth, obtain the number k of messages older than N days and delete that batch, then judge whether (m + n - k) > M still holds; if it does, continue by deleting the messages older than N - 1 days and judge again, repeating until the number of read messages in the mailbox satisfies m <= M.
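The mark-and-delete procedure of step S12 in runnable form. This is an added example and not the patent's code: it models the monitoring account's folder with plain Python objects instead of a live IMAP session, and the sample folder contents (message ages, read flags, the cap M = 5 and N = 7 days) are constructed.

```python
"""Adaptive retention for the monitoring account (added example, not the patent's code)."""
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class Msg:
    uid: int
    received: date
    seen: bool = False


@dataclass
class Mailbox:
    """Stand-in for the monitoring account's IMAP folder (constructed)."""
    messages: dict = field(default_factory=dict)

    def unread(self):
        return [m for m in self.messages.values() if not m.seen]

    def read_count(self):
        return sum(1 for m in self.messages.values() if m.seen)

    def delete_seen_before(self, cutoff):
        """Delete read messages received before `cutoff`; return how many were deleted."""
        victims = [u for u, m in self.messages.items() if m.seen and m.received < cutoff]
        for u in victims:
            del self.messages[u]
        return len(victims)


def mark_and_prune(box, today, max_messages, retain_days):
    """Return (uids handed to analysis, number of messages deleted).

    1. n = unread messages; hand them to analysis and mark them seen.
    2. m = messages that were already read; if m + n > M (max_messages), start deleting.
    3. Delete read mail older than N (retain_days) days; while the folder is still
       over M, lower N by one day and repeat.  Stops at N = 0, so today's mail is kept.
    """
    new = box.unread()
    n = len(new)
    for msg in new:
        msg.seen = True
    m = box.read_count() - n          # read before this run
    deleted = 0
    days = retain_days
    while m + n - deleted > max_messages and days >= 0:
        deleted += box.delete_seen_before(today - timedelta(days=days))
        days -= 1
    return [msg.uid for msg in new], deleted


def build_sample(today):
    """Constructed folder: 4 read messages 10 days old, 3 read 3 days old, 3 unread today."""
    box = Mailbox()
    uid = 1
    for age, count, seen in ((10, 4, True), (3, 3, True), (0, 3, False)):
        for _ in range(count):
            box.messages[uid] = Msg(uid, today - timedelta(days=age), seen)
            uid += 1
    return box


def run_demo(today=date(2024, 1, 15), max_messages=5, retain_days=7):   # constructed values
    box = build_sample(today)
    processed, deleted = mark_and_prune(box, today, max_messages, retain_days)
    return len(processed), deleted, len(box.messages)


if __name__ == "__main__":
    print(run_demo())   # with the defaults: 3 processed, 7 deleted, 3 remaining
```

With the default sample the first pass (older than 7 days) removes the four oldest messages, which is not enough, so the window shrinks day by day until the three messages from three days ago go as well; only the three messages read in this run remain.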
Step S13: parse the pulled mail to obtain a number of corresponding items of mail data, and analyse each item of mail data using a preset feature algorithm and a preset behaviour algorithm on the basis of streaming analysis and offline analysis, to generate corresponding alarm information.
In this embodiment, the key-value pairs of each header of the pulled mail are read according to the e-mail transport protocol, the preset key information is extracted from them, and the attachments and body of the pulled mail are analysed to obtain the items of mail data, which comprise any one or a combination of: sender, recipient, actual sender, sending IP address, attachment name, attachment hash, URLs in attachments, URLs in the body, QQ numbers, mobile phone numbers and sensitive words. That is, the header key-value pairs are first read according to the e-mail transport protocol and the important keys are extracted, such as sender, recipient, actual sender and sending IP address; the attachments are then identified, including the attachment name, attachment hash and the URLs (uniform resource locators) contained in attachments; finally the URLs, QQ numbers, mobile phone numbers, sensitive words and so on in the mail body are identified. The corresponding items of mail data are obtained in this way. Next, the preset feature algorithm is applied: each field produced by parsing is passed to the intelligence module's matching interface, and a message that matches intelligence is thereby shown to be problematic, so the corresponding alarm is raised. It should be noted that the confidence level of alarm information generated when mail data matches the preset intelligence database is marked as credible; if detection hits at this stage, the message leaves the pipeline here. Otherwise the preset behaviour algorithms are applied to the pulled mail: the preset phishing behaviour detection algorithm, the preset account forgery identification algorithm and the preset abnormal link extraction algorithm are invoked to identify abnormal account behaviour and raise the corresponding alarm information. Both streaming analysis and offline analysis are involved: for data with no detection hit, offline analysis examines whether the account's sending behaviour baseline deviates from the reference, and if an anomaly is found the corresponding alarm information is raised.
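The parsing half of step S13 (header keys, actual sender, sending IP, attachment names and hashes, URLs in body and attachments, QQ and mobile numbers, sensitive words) can be implemented with the standard library's email package. This is an added example, not the patent's code: the regular expressions, the sensitive-word list and the sample message (reserved .test domains, TEST-NET addresses) are constructed assumptions, and "actual sender" is taken from the Sender header, falling back to Return-Path.

```python
"""Parsing pulled mail into the items of mail data listed in step S13 (added example)."""
import hashlib
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

URL_RE = re.compile(r"""https?://[^\s<>"')\]]+""", re.I)
CN_MOBILE_RE = re.compile(r"(?<!\d)1[3-9]\d{9}(?!\d)")      # mainland mobile numbers (assumed pattern)
QQ_RE = re.compile(r"QQ[:：]?\s*(\d{5,11})", re.I)           # "QQ: 12345678" style mentions (assumed)
RECEIVED_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
SENSITIVE_WORDS = ("password", "urgent", "wire transfer")   # constructed watch-list


def _addr(header):
    """addr-spec of a structured address header, or None."""
    if header is None:
        return None
    if hasattr(header, "addresses") and header.addresses:
        return header.addresses[0].addr_spec
    return str(header).strip().strip("<>") or None


def extract_mail_data(raw, sensitive_words=SENSITIVE_WORDS):
    msg = message_from_bytes(raw, policy=policy.default)
    # Each hop prepends a Received header, so the last one is the first hop;
    # its bracketed address is taken as the sending IP.
    sending_ip = None
    for hdr in reversed(msg.get_all("Received", [])):
        m = RECEIVED_IP_RE.search(hdr)
        if m:
            sending_ip = m.group(1)
            break
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    attachments, attachment_urls = [], []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        attachments.append({"name": part.get_filename(),
                            "sha256": hashlib.sha256(payload).hexdigest()})
        if part.get_content_maintype() == "text":        # scan textual attachments for links
            charset = part.get_content_charset() or "utf-8"
            attachment_urls += URL_RE.findall(payload.decode(charset, "replace"))
    return {
        "sender": _addr(msg["From"]),
        "recipients": [a.addr_spec for a in msg["To"].addresses] if msg["To"] else [],
        "actual_sender": _addr(msg["Sender"]) or _addr(msg["Return-Path"]),
        "sending_ip": sending_ip,
        "attachments": attachments,
        "attachment_urls": attachment_urls,
        "body_urls": URL_RE.findall(text),
        "qq_numbers": QQ_RE.findall(text),
        "mobile_numbers": CN_MOBILE_RE.findall(text),
        "sensitive_words": [w for w in sensitive_words if w in text.lower()],
    }


def build_sample():
    """Constructed sample message: lookalike sender domain, bulk relay, text attachment."""
    m = EmailMessage()
    m["Received"] = "from mx.acme.test ([192.0.2.10]) by inbound.acme.test; Mon, 1 Jan 2024 09:00:00 +0000"
    m["Received"] = "from relay.mailer.test ([198.51.100.7]) by mx.acme.test; Mon, 1 Jan 2024 08:59:58 +0000"
    m["From"] = "Finance Dept <finance@acrne.test>"
    m["Sender"] = "bulk@mailer.test"
    m["To"] = "alice@acme.test"
    m["Subject"] = "Urgent: confirm your password"
    m.set_content("Urgent: verify your password at http://acrne.test/login\n"
                  "Contact QQ: 123456789 or 13800138000")
    m.add_attachment("see http://acrne.test/invoice.html", subtype="html", filename="invoice.html")
    return m.as_bytes()


if __name__ == "__main__":
    for k, v in extract_mail_data(build_sample()).items():
        print(f"{k}: {v}")
```

The attachment hash is computed over the decoded payload, not the base64 transfer encoding, so it is stable across relays that re-encode the message; the same hash is what the intelligence matching in the next stage would look up.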
Step S14: mark the alarm information with a confidence level based on a preset marking algorithm, and perform, based on the confidence level, a corresponding automatic push operation or manual analysis operation on the alarm information.
In this embodiment, the confidence level of alarm information generated after the mail data successfully matched the preset intelligence database is marked as credible; alarm information marked credible is pushed automatically, while the remaining alarm information undergoes manual analysis and is labelled manually, i.e. after analysis the analyst marks whether the alarm is a true alarm or a false positive. Thus, through confidence marking, the present application has the machine push alarms automatically, which ensures timeliness.
Referring to Fig. 2, an embodiment of the present invention discloses a specific cloud mailbox security monitoring method, comprising:
Step S21: match each piece of mail data against the preset intelligence database.
In this embodiment, the preset intelligence database comprises intelligence derived from historical experience. At the same time, target field information is extracted from the alarm information generated after each piece of mail data has been analysed by the preset phishing behaviour detection algorithm, the preset account forgery identification algorithm, the preset abnormal link extraction algorithm and the preset behaviour baseline matching algorithm, and the preset intelligence database is updated with that target field information; each piece of mail data is then matched against the preset intelligence database.
Step S22: if the match succeeds, generate corresponding alarm information.
In this embodiment, if a piece of mail data matches the preset intelligence database, the current mail is problematic and corresponding alarm information needs to be generated. It should be pointed out that alarm information generated by intelligence matching can have its confidence marked as credible directly, so that it can subsequently be output automatically, improving the timeliness of alarm output.
Step S23: if the match fails, determine based on the preset phishing behaviour detection algorithm whether target behaviour exists in each piece of mail data, and if the target behaviour exists, generate corresponding alarm information; the target behaviour comprises any one or a combination of domain name spoofing, user name spoofing and user business spoofing.
In this embodiment, if a piece of mail data fails to match the preset intelligence database, it is necessary to determine whether target behaviour exists in the mail data based on the preset phishing behaviour detection algorithm. Since a real intelligence database cannot possibly cover every phishing email in the world, detection must also rely on the behaviour of phishing attackers, who exhibit the following behaviours: spoofing a domain name, spoofing a user name, or spoofing a user's business. First, a database records the domain names of all normal correspondents in the user's history; the domain suffix of the current sender's mailbox is extracted and compared one by one with the historical domain names by computing an edit-distance similarity, with a threshold A set from experience; if the computed edit distance a < A, the domain names are judged similar and a spoofed domain name is possible. Next, the mail user name is extracted; if the user name contains keywords such as IT, finance or administrator, it is judged a suspicious user name. If keywords such as modify, account or payment appear in the mail body, the mail is marked as a possibly critical mail; a further indicator is a domain registration age of less than N, where N is usually less than 1 year. If any two or more of the behaviours described above occur, the mail is judged to be phishing behaviour and corresponding alarm information needs to be generated.
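The two-or-more rule of Step S23, as an added example that is not part of the patent: the known-correspondent domains, keyword lists, threshold A and registration-age limit N are all constructed values, and exact domain matches (distance 0) are treated as known correspondents rather than look-alikes, which is an added refinement.

```python
# Added example (not the patent's own code): Step S23 phishing behaviour scoring.
# All constants below are constructed values standing in for the deployment's own.
from datetime import date

KNOWN_DOMAINS = frozenset({"example.com", "partner-corp.com"})   # constructed history
SUSPICIOUS_USER_KEYWORDS = ("it", "finance", "admin", "财务", "管理员")
CRITICAL_BODY_KEYWORDS = ("modify", "account", "payment", "修改", "账号", "打款")
EDIT_DISTANCE_THRESHOLD_A = 3    # A: set from experience (assumption)
REGISTRATION_AGE_DAYS_N = 365    # N: "usually less than 1 year"


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance with a rolling single-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_domain(sender_domain, known_domains=KNOWN_DOMAINS,
                     threshold=EDIT_DISTANCE_THRESHOLD_A):
    """True when the sender domain is within A edits of a known domain but not identical.
    The patent states only a < A; excluding distance 0 (a known correspondent) is added here."""
    d = sender_domain.lower()
    return any(0 < edit_distance(d, k) < threshold for k in known_domains)


def phishing_indicators(sender, body, registered_on=None, today=None,
                        known_domains=KNOWN_DOMAINS):
    """Return the names of the S23 indicators that fire for one mail.
    registered_on / today are ISO date strings (domain WHOIS age is assumed to be looked up elsewhere)."""
    user, _, domain = sender.lower().rpartition("@")
    hits = []
    if lookalike_domain(domain, known_domains):
        hits.append("lookalike_domain")
    # Substring match, as the patent describes; a deployment would tokenise to cut noise.
    if any(k in user for k in SUSPICIOUS_USER_KEYWORDS):
        hits.append("suspicious_username")
    if any(k in body.lower() for k in CRITICAL_BODY_KEYWORDS):
        hits.append("critical_body")
    if registered_on is not None:
        ref = date.fromisoformat(today) if today else date.today()
        if (ref - date.fromisoformat(registered_on)).days < REGISTRATION_AGE_DAYS_N:
            hits.append("young_domain")
    return hits


def is_phishing(sender, body, registered_on=None, today=None, known_domains=KNOWN_DOMAINS):
    """Step S23 decision: two or more indicators mean phishing behaviour."""
    return len(phishing_indicators(sender, body, registered_on, today, known_domains)) >= 2
```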
Step S24: determine the user name in each piece of mail data based on the preset account forgery identification algorithm, identify abnormal user names among them, and determine based on the abnormal user name and a preset domain name query tool whether a forged account exists in the mail data; if so, generate corresponding alarm information.
In this embodiment, the mail account is taken from the From header of the mail and the part before the @ character is extracted as the user name; abnormal user names (abnormal character sequences) are identified by the following steps:
1. Convert every character of the user name to its ASCII code, forming an integer array array of length k;
2. Compute array[i] - array[i-1] for i < k-1 and store the results in the array newarray;
3. Compute the variance of all values in newarray and take it as the smoothness;
4. Set a threshold; the threshold is calculated from actually collected samples and is set to 10 from experience;
5. A smoothness > 10 indicates an abnormal user name.
If the user name is abnormal, the part of the mail account after the @ character is extracted as the domain name, and the nslookup (domain name query) tool is used to obtain the TXT records of that domain. If no SPF (Sender Policy Framework) record exists among the TXT records, or the sending IP is outside the range permitted by SPF, the mail account has been forged arbitrarily, the sending account is invalid, and an alarm needs to be generated.
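The smoothness score and the SPF check of Step S24, as an added example rather than the patent's code: instead of calling nslookup, the domain's TXT records are passed in as a list of strings so the check runs offline, and only the ip4/ip6/all mechanisms of SPF are evaluated (include, a and mx would need further DNS lookups).

```python
# Added example (not the patent's own code): Step S24 abnormal user name scoring
# followed by an SPF check against TXT records supplied by the caller.
import ipaddress
from statistics import pvariance

SMOOTHNESS_THRESHOLD = 10.0   # the patent's experience-based threshold


def smoothness(username: str) -> float:
    """Variance of the consecutive ASCII-code differences of the user name.
    Names shorter than two characters have no differences and score 0.0."""
    codes = [ord(c) for c in username]
    diffs = [codes[i] - codes[i - 1] for i in range(1, len(codes))]
    return float(pvariance(diffs)) if diffs else 0.0


def find_spf(txt_records):
    """Return the SPF record among the domain's TXT records, or None if there is none."""
    for rec in txt_records:
        if rec.strip().lower().startswith("v=spf1"):
            return rec.strip()
    return None


def ip_allowed_by_spf(spf_record: str, sending_ip: str) -> bool:
    """Evaluate ip4:/ip6:/all mechanisms left to right; any other mechanism is skipped
    (treated as no match), so a sender only passes on an explicit '+' match."""
    ip = ipaddress.ip_address(sending_ip)
    for term in spf_record.split()[1:]:          # skip the 'v=spf1' tag
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mech, _, value = term.partition(":")
        mech = mech.lower()
        if mech in ("ip4", "ip6") and value:
            try:
                net = ipaddress.ip_network(value, strict=False)
            except ValueError:
                continue                          # malformed network: ignore the term
            if ip.version == net.version and ip in net:
                return qualifier == "+"
        elif mech == "all":
            return qualifier == "+"
    return False


def check_account_forgery(from_addr, sending_ip, txt_records, threshold=SMOOTHNESS_THRESHOLD):
    """Return (abnormal_username, forged).  Only abnormal user names go on to the SPF check,
    exactly as Step S24 describes; a missing SPF record or a disallowed IP means forged."""
    user, _, _domain = from_addr.rpartition("@")
    if smoothness(user) <= threshold:
        return False, False
    spf = find_spf(txt_records)
    if spf is None:
        return True, True
    return True, not ip_allowed_by_spf(spf, sending_ip)
```

The sample addresses and networks in the test are documentation ranges (RFC 5737 / RFC 3849), constructed for the example.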
Step S25: match each piece of mail data against the preset intelligence database based on the preset abnormal link extraction algorithm, determine from the matching result whether an abnormal link exists in the mail data, and if so, generate corresponding alarm information.
In this embodiment, matching is performed against a target intelligence database, namely the intelligence database obtained by extracting target field information from the alarm information generated after each piece of mail data has been analysed by the preset phishing behaviour detection algorithm, the preset account forgery identification algorithm, the preset abnormal link extraction algorithm and the preset behaviour baseline matching algorithm, and updating the preset intelligence database with that target field information. If the domain name or path in the URL matches the intelligence directly, the link is judged abnormal. If no intelligence is hit, the behavioural features of the link are identified and its parameters extracted: for a link of the form http://test.com/?Param, if Param contains the recipient's account (for example mail=test@test.com), ends with a # character, and contains no more than one & character, the link is judged abnormal; if Param is base64-encoded, it is decoded directly, and if the decoded string contains the recipient's account (for example mail=test@test.com) and contains no more than one & character, the link is judged abnormal and corresponding alarm information needs to be generated.
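The link rules of Step S25 as an added example (not the patent's code): the intelligence sets are constructed, the recipient account is assumed to come from the parsed mail, and `encode_param` is a helper that merely produces the base64 form so the decoded-parameter branch can be exercised.

```python
# Added example (not the patent's own code): Step S25 abnormal link extraction.
# Intelligence hit first, then the plain-parameter rule, then the base64 rule.
import base64
import binascii
from urllib.parse import unquote, urlsplit


def encode_param(text: str) -> str:
    """Base64 form of a query string (helper so the decode branch can be demonstrated)."""
    return base64.b64encode(text.encode()).decode()


def _decode_base64(param: str):
    """Decoded text of a base64 parameter, or None when it is not valid base64 / UTF-8."""
    try:
        return base64.b64decode(param, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def link_reason(url, recipient, intel_domains=frozenset(), intel_paths=frozenset()):
    """Name of the S25 rule that fires for this link, or None if the link looks normal."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host in intel_domains or parts.path in intel_paths:
        return "intel_hit"
    if "?" not in url:
        return None
    # Everything after '?' is the patent's Param, including a trailing '#'.
    param = unquote(url.split("?", 1)[1])
    recipient = recipient.lower()
    if recipient in param.lower() and param.endswith("#") and param.count("&") <= 1:
        return "recipient_in_param"
    decoded = _decode_base64(param.rstrip("#"))
    if decoded and recipient in decoded.lower() and decoded.count("&") <= 1:
        return "recipient_in_base64_param"
    return None


def is_abnormal_link(url, recipient, intel_domains=frozenset(), intel_paths=frozenset()):
    return link_reason(url, recipient, intel_domains, intel_paths) is not None
```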
Step S26: perform offline analysis, based on the preset behaviour baseline matching algorithm, on the data in the current mail data that has not yet been checked, to determine whether the sending and receiving behaviour baseline of the account to be monitored deviates from the preset benchmark; if so, judge the account to be monitored abnormal and generate corresponding alarm information.
In this embodiment, before the offline analysis of the not-yet-checked data based on the preset behaviour baseline matching algorithm, the method further comprises: learning the account behaviour baseline of the monitoring account over a preset period to determine the behaviour baseline of the monitoring account and obtain the preset benchmark. For example:
The normal number of mails sent by the account within the period lies in the range [M1, N1];
The normal number of mails received by the account within the period lies in the range [M2, N2];
The normal number of correspondent accounts the account sends to within the period lies in [M3, N3];
The normal number of correspondent accounts the account receives from within the period lies in [M4, N4];
The normal number of CC accounts on mail sent by the account within the period lies in [M5, N5];
The set of normal sending IP addresses of the account within the period is IP[ip1, ip2 ... ipn];
The set of normal sending clients of the account within the period is UA[UA1, UA2 ... UAN];
Offline analysis is then performed: first, the period is defined as K, consistent with the learning period; statistics are computed over the data from K days ago to the present, comprising the number of mails sent p1, the number of mails received p2, the number of correspondent accounts sent to p3, the number of correspondent accounts received from p4, the number of CC accounts p5, the set of sending IPs A and the set of sending clients B; permitted errors δ1, δ2, δ3, δ4, δ5 are set, corresponding to the learned statistics; finally, if any one of p1 > N1+δ1, p2 > N2+δ2, p3 > N3+δ3, p4 > N4+δ4, p5 > N5+δ5 holds, the account is judged to exhibit abnormal behaviour and corresponding alarm information needs to be generated. It should be pointed out that if the behaviour of the same account is detected as abnormal by three or more of the algorithms, the confidence of the corresponding alarm information is marked as credible directly.
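Baseline learning and the rolling comparison of Step S26, with the confidence rule from the last sentence, as an added example that is not the patent's code: mail records are constructed dicts with assumed field names, the tolerances δ are assumed, and the check for sending IPs or clients never seen in the baseline follows the device's rolling analysis (new sending IP count) rather than the five inequalities.

```python
# Added example (not the patent's own code): learn the S26 behaviour baseline from
# per-period mail records, then compare the current window against it.
FIELDS = ("sent", "received", "sent_to", "received_from", "cc")   # p1 .. p5


def window_stats(records, account):
    """p1..p5 plus the sending-IP and client sets for one account over a window of records.
    Each record is a constructed dict: from, to (list), cc (list), ip, ua."""
    sent = [r for r in records if r["from"] == account]
    received = [r for r in records if account in r["to"]]
    return {
        "sent": len(sent),
        "received": len(received),
        "sent_to": len({t for r in sent for t in r["to"]}),
        "received_from": len({r["from"] for r in received}),
        "cc": len({c for r in sent for c in r.get("cc", [])}),
        "ips": {r["ip"] for r in sent},
        "clients": {r["ua"] for r in sent},
    }


def learn_baseline(periods, account):
    """periods: one record list per learning period K.  Returns the [Mi, Ni] range per
    count field and the union of the IP and client sets seen during learning."""
    per_period = [window_stats(p, account) for p in periods]
    baseline = {f: (min(s[f] for s in per_period), max(s[f] for s in per_period))
                for f in FIELDS}
    baseline["ips"] = set().union(*(s["ips"] for s in per_period))
    baseline["clients"] = set().union(*(s["clients"] for s in per_period))
    return baseline


def baseline_deviations(baseline, current, deltas):
    """Indicators that fire: pi > Ni + δi for the five counts, plus unseen IPs / clients."""
    fired = [f for f in FIELDS if current[f] > baseline[f][1] + deltas.get(f, 0)]
    if current["ips"] - baseline["ips"]:
        fired.append("new_sending_ip")
    if current["clients"] - baseline["clients"]:
        fired.append("new_client")
    return fired


def confidence_label(algorithms_fired, intel_hit=False):
    """Credible when intelligence matched or three or more algorithms flagged the account."""
    return "credible" if intel_hit or len(algorithms_fired) >= 3 else "general"


# Constructed sample: two learning periods and a current window for one account.
ACCOUNT = "user@example.com"
PERIOD_1 = [
    {"from": ACCOUNT, "to": ["a@partner.example"], "cc": [], "ip": "192.0.2.10", "ua": "Outlook"},
    {"from": ACCOUNT, "to": ["b@partner.example"], "cc": ["c@partner.example"], "ip": "192.0.2.10", "ua": "Outlook"},
    {"from": "a@partner.example", "to": [ACCOUNT], "cc": [], "ip": "198.51.100.5", "ua": "Thunderbird"},
]
PERIOD_2 = [
    {"from": ACCOUNT, "to": ["a@partner.example"], "cc": [], "ip": "192.0.2.11", "ua": "Outlook"},
    {"from": "b@partner.example", "to": [ACCOUNT], "cc": [], "ip": "198.51.100.6", "ua": "Thunderbird"},
    {"from": "a@partner.example", "to": [ACCOUNT], "cc": [], "ip": "198.51.100.5", "ua": "Thunderbird"},
]
CURRENT_WINDOW = [   # a burst of outbound mail from an unfamiliar IP and client
    {"from": ACCOUNT, "to": [f"contact{i}@other.example"], "cc": [], "ip": "203.0.113.9", "ua": "curl"}
    for i in range(8)
]
DELTAS = {"sent": 2, "received": 2, "sent_to": 1, "received_from": 1, "cc": 1}   # δ1..δ5


def analyse(account=ACCOUNT, periods=(PERIOD_1, PERIOD_2), current=CURRENT_WINDOW, deltas=DELTAS):
    """Full S26 pass over the constructed sample: learn, then compare the current window."""
    baseline = learn_baseline(list(periods), account)
    return baseline_deviations(baseline, window_stats(current, account), deltas)
```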
It can be seen that the present application uses streaming analysis and offline analysis to perform comprehensive behavioural feature analysis of mail in order to judge accurately whether malicious mail is present. This addresses the problem that a mail security gateway cannot block phishing mail 100% and that phishing mail which slips through cannot be monitored, as well as the problem that current mail gateways and other security devices cannot monitor account anomalies, so that risks are discovered in time and managed centrally.
From the above embodiments it can be seen that the present application discloses a cloud mailbox security monitoring method capable of discovering risks in a mailbox in time. Next, the corresponding device based on the cloud mailbox security monitoring method is described in detail. Referring to Fig. 3, an embodiment of the present application discloses a specific cloud mailbox security monitoring device, comprising:
In this embodiment, the device comprises two main modules and four sub-modules. The engine module is responsible for data input and processing, including collection and parsing of phishing mail, feature and behaviour analysis, generation of corresponding alarms from that analysis, and labelling each alarm with a credible or general confidence label according to the algorithm's confidence; during analysis the feature matching algorithm depends on the data of the intelligence module. The whole device is deployed out of band (in bypass mode); the engine module supports chaining multiple engines and supports two modes, streaming analysis and offline analysis. Streaming analysis performs mail routing and content anomaly analysis:
1. Identify abnormal behaviour such as sending on behalf of another account and account forgery through the From, To, Reply-To, Sender, X-Sender and X-Sender-IP fields of the mail header;
2. Identify malicious mail based on link features and intelligence matching, by extracting links from the mail body, links in attachments and links decoded from QR-code images.
Offline analysis, on the other hand, performs account behaviour anomaly analysis:
1. Periodic statistical learning of account behaviour on a weekly basis, learning the account's sending and receiving baseline, which comprises the list of sending accounts, the list of receiving accounts, the list of CC accounts, the number of mails sent, the number of mails received, the sending IP addresses, the receiving IP addresses and the sending mail clients;
2. Rolling daily statistical analysis of baseline deviation, such as the number of contact accounts, the number of mails received, the number of mails sent and the number of new sending IPs over the past week.
The operations module is mainly responsible for data output and operations. For data whose confidence is credible, alarms can be configured to be output automatically; for data whose confidence is general, alarms are output after manual review. For each output alarm, the key fields are extracted to generate corresponding intelligence, which comprises domain name intelligence, IP intelligence, URL intelligence, QQ number intelligence, mobile phone number intelligence, attachment hash intelligence, account intelligence and so on.
The collection module: once the mailbox account, password and mailbox domain of the monitoring account have been configured, the collection engine is started; the collection engine uses the IMAP protocol and the configured account to pull mail from the monitoring account, obtaining the pulled mail. Next, the analysis module analyses the pulled mail, which comprises: parsing the pulled mail to obtain corresponding pieces of mail data, and analysing each piece of mail data using the preset feature algorithm and preset behaviour algorithm based on streaming analysis and offline analysis to generate corresponding alarm information. The alarm module marks the alarm information with a confidence based on the preset marking algorithm and performs the corresponding automatic push operation or manual analysis operation on the alarm information according to that confidence. The intelligence module first queries the alarms from which intelligence has not yet been extracted; operations staff then select, based on experience, one or more of the sending account, sending domain, URL, IP, QQ number, mobile phone number and attachment hash fields of those alarms as intelligence.
From the above, the present application provides a security monitoring device for cloud mailbox mail and accounts, giving users of cloud mailboxes a mail security monitoring capability. Through the backup and filtering functions of the mailbox system, the mail to be monitored is backed up to a single monitoring business account; all mail in that account is then pulled via the IMAP protocol, parsed, analysed and checked for malicious mail, alarms are reported, and risks are discovered in time and managed centrally.
Referring to Fig. 4, an embodiment of the present invention discloses a cloud mailbox security monitoring device, comprising:
Mail backup module 11, configured to back up the mail of the account to be monitored to a pre-created monitoring account according to a mail backup rule; the monitoring account is a mailbox account used for the monitoring business;
Mail pulling module 12, configured to pull the mail of the account to be monitored from the monitoring account according to the Internet Message Access Protocol (IMAP) and the mailbox information pre-configured for the monitoring account, obtaining the pulled mail;
Data analysis module 13, configured to parse the pulled mail to obtain corresponding pieces of mail data, and to analyse each piece of mail data using a preset feature algorithm and a preset behaviour algorithm based on streaming analysis and offline analysis, generating corresponding alarm information;
Confidence marking module 14, configured to mark the alarm information with a confidence based on a preset marking algorithm;
Alarm information processing module 15, configured to perform a corresponding automatic push operation or manual analysis operation on the alarm information according to the confidence.
From the above, when the present application performs security monitoring of a cloud mailbox, it first backs up the mail of the account to be monitored to a pre-created monitoring account according to a mail backup rule, the monitoring account being a mailbox account used for the monitoring business; it then pulls the mail of the account to be monitored from the monitoring account according to the Internet Message Access Protocol (IMAP) and the mailbox information pre-configured for the monitoring account, obtaining the pulled mail; it parses the pulled mail to obtain corresponding pieces of mail data, and analyses each piece of mail data using a preset feature algorithm and a preset behaviour algorithm based on streaming analysis and offline analysis to generate corresponding alarm information; finally it marks the alarm information with a confidence based on a preset marking algorithm, and performs the corresponding automatic push operation or manual analysis operation on the alarm information according to that confidence. It can be seen that the present application first collects mail metadata by way of mail backup, detects phishing mail using behaviour algorithms together with streaming and offline analysis, and selects alarms for automatic output according to confidence so that alarms are timely. Using the backup and filtering functions of the mailbox system, the mail to be monitored is backed up to a single monitoring business account, all mail in that account is pulled via IMAP, and the mail is parsed, analysed and checked for malicious content with alarms reported, so that risks are discovered in time and managed centrally.
In some specific embodiments, the mail backup module 11 may further comprise:
A mail count judging unit, configured to judge whether the number of mails currently in the monitoring account exceeds a preset mail count;
A first deletion unit, configured to delete all read mail according to a preset deletion rule if it does;
A second deletion unit, configured, if it does not, to delete all read mail dated before a preset deletion time according to that preset deletion time.
In some specific embodiments, the data analysis module 13 may specifically comprise:
A data analysis unit, configured to read the key-value pairs of each mail header in the pulled mail according to the e-mail transmission protocol, extract preset key information from those key values, and analyse the attachments and body of the pulled mail to obtain the pieces of mail data; the mail data comprises any one or a combination of the sender, recipient, actual sender, sending IP, attachment name, attachment hash, uniform resource locators in attachments, uniform resource locators in the body, QQ number, mobile phone number and sensitive words.
In some specific embodiments, the data analysis module 13 may specifically comprise:
A data matching unit, configured to match each piece of mail data against the preset intelligence database;
A first alarm generation unit, configured to generate corresponding alarm information if the match succeeds;
A second alarm generation unit, configured, if the match fails, to determine based on the preset phishing behaviour detection algorithm whether target behaviour exists in each piece of mail data, and to generate corresponding alarm information if the target behaviour exists; the target behaviour comprises any one or a combination of domain name spoofing, user name spoofing and user business spoofing;
A third alarm generation unit, configured to determine the user name in each piece of mail data based on the preset account forgery identification algorithm, identify abnormal user names among them, and determine based on the abnormal user name and the preset domain name query tool whether a forged account exists in the mail data, generating corresponding alarm information if so;
A fourth alarm generation unit, configured to match each piece of mail data against the preset intelligence database based on the preset abnormal link extraction algorithm, determine from the matching result whether an abnormal link exists in the mail data, and generate corresponding alarm information if so;
A fifth alarm generation unit, configured to perform offline analysis, based on the preset behaviour baseline matching algorithm, on the data in the current mail data that has not yet been checked, to determine whether the sending and receiving behaviour baseline of the account to be monitored deviates from the preset benchmark, and if so, to judge the account to be monitored abnormal and generate corresponding alarm information.
In some specific embodiments, the data analysis module 13 may further comprise:
A behaviour baseline learning unit, configured to learn the account behaviour baseline of the monitoring account over a preset period to determine the behaviour baseline of the monitoring account and obtain the preset benchmark.
In some specific embodiments, the device may further comprise:
A target field information extraction module, configured to extract target field information from the alarm information generated after each piece of mail data has been analysed by the preset phishing behaviour detection algorithm, the preset account forgery identification algorithm, the preset abnormal link extraction algorithm and the preset behaviour baseline matching algorithm;
An update module, configured to update the preset intelligence database based on the target field information.
In some specific embodiments, the confidence marking module 14 may specifically comprise:
A confidence marking unit, configured to mark as credible the confidence of the alarm information generated after the mail data is successfully matched against the preset intelligence database;
Correspondingly, the alarm information processing module 15 may specifically comprise:
An alarm information processing unit, configured to perform an automatic push operation on the alarm information whose confidence is marked credible, and a manual analysis operation on the remaining alarm information so that it can be labelled manually.
Further, an embodiment of the present application also discloses an electronic device. Fig. 5 is a structural diagram of an electronic device 20 according to an exemplary embodiment; nothing in the figure should be taken as limiting the scope of use of the present application.
Fig. 5 is a schematic structural diagram of an electronic device 20 provided by an embodiment of the present application. The electronic device 20 may specifically comprise: at least one processor 21, at least one memory 22, a power supply 23, a communication interface 24, an input/output interface 25 and a communication bus 26. The memory 22 is used to store a computer program that is loaded and executed by the processor 21 to implement the relevant steps of the cloud mailbox security monitoring method disclosed in any of the foregoing embodiments. In addition, the electronic device 20 in this embodiment may specifically be an electronic computer.
In this embodiment, the power supply 23 provides the working voltage for each hardware device on the electronic device 20; the communication interface 24 can create a data transmission channel between the electronic device 20 and external devices, following any communication protocol applicable to the technical solution of the present application, which is not specifically limited here; the input/output interface 25 is used to obtain external input data or output data to the outside, and its specific interface type may be selected according to the needs of the specific application and is not specifically limited here.
In addition, the memory 22, as the carrier for resource storage, may be a read-only memory, a random access memory, a magnetic disk, an optical disk or the like; the resources stored on it may include an operating system 221, a computer program 222 and so on, and the storage may be temporary or permanent.
The operating system 221 manages and controls the hardware devices and the computer program 222 on the electronic device 20, and may be Windows Server, Netware, Unix, Linux or the like. Besides the computer program for performing the cloud mailbox security monitoring method executed by the electronic device 20 disclosed in any of the foregoing embodiments, the computer program 222 may further comprise computer programs for performing other specific tasks.
Further, the present application also discloses a computer-readable storage medium for storing a computer program, which, when executed by a processor, implements the cloud mailbox security monitoring method disclosed above. For the specific steps of the method, reference may be made to the corresponding content disclosed in the foregoing embodiments, which is not repeated here.
The embodiments in this specification are described in a progressive manner; each embodiment focuses on its differences from the others, and the same or similar parts of the embodiments may be referred to one another. Since the device disclosed in the embodiments corresponds to the method disclosed in the embodiments, its description is relatively brief, and the relevant points may be found in the description of the method.
Those skilled in the art will further appreciate that the units and algorithm steps of the examples described in connection with the embodiments disclosed herein can be implemented in electronic hardware, computer software, or a combination of the two. To illustrate the interchangeability of hardware and software clearly, the composition and steps of each example have been described above generally in terms of their functions. Whether these functions are performed in hardware or software depends on the specific application and design constraints of the technical solution. Skilled persons may implement the described functions in different ways for each specific application, but such implementations should not be considered beyond the scope of the present application.
The steps of the methods or algorithms described in connection with the embodiments disclosed herein may be implemented directly in hardware, in software modules executed by a processor, or in a combination of the two. Software modules may reside in random access memory (RAM), internal memory, read-only memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the technical field.
Finally, it should also be noted that in this text relational terms such as first and second are used only to distinguish one entity or operation from another, and do not necessarily require or imply any actual relationship or order between those entities or operations. Moreover, the terms "comprise", "include" or any other variant thereof are intended to cover non-exclusive inclusion, such that a process, method, article or device comprising a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of additional identical elements in the process, method, article or device that comprises it.
The technical solution provided by the present application has been introduced in detail above, and specific examples have been used herein to explain its principles and implementation; the description of the above embodiments serves only to aid understanding of the method of the present application and its core idea. At the same time, those of ordinary skill in the art may, following the idea of the present application, make changes to the specific implementation and scope of application. In summary, the content of this specification should not be construed as limiting the present application.
Claims (10)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202310932568.6A CN116708019A (en) | 2023-07-26 | 2023-07-26 | A cloud mailbox security monitoring method, device, equipment and storage medium |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202310932568.6A CN116708019A (en) | 2023-07-26 | 2023-07-26 | A cloud mailbox security monitoring method, device, equipment and storage medium |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN116708019A true CN116708019A (en) | 2023-09-05 |
Family
ID=87845430
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202310932568.6A Pending CN116708019A (en) | 2023-07-26 | 2023-07-26 | A cloud mailbox security monitoring method, device, equipment and storage medium |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN116708019A (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN120748105A (en) * | 2025-08-15 | 2025-10-03 | 深圳市安室智能有限公司 | Mailbox alarm method and system based on infrared detection |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN106572164A (en) * | 2016-11-02 | 2017-04-19 | 广东欧珀移动通信有限公司 | Mail backup method and terminal |
| CN108200105A (en) * | 2018-03-30 | 2018-06-22 | 杭州迪普科技股份有限公司 | A kind of method and device for detecting fishing mail |
| CN111404939A (en) * | 2020-03-16 | 2020-07-10 | 深信服科技股份有限公司 | Mail threat detection method, device, equipment and storage medium |
| CN115174270A (en) * | 2022-09-05 | 2022-10-11 | 杭州安恒信息技术股份有限公司 | Behavior abnormity detection method, device, equipment and medium |
Family timeline: 2023-07-26, CN CN202310932568.6A (CN116708019A), Pending
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US11516248B2 (en) | | Security system for detection and mitigation of malicious communications |
| US11595353B2 (en) | | Identity-based messaging security |
| US11997115B1 (en) | | Message platform for automated threat simulation, reporting, detection, and remediation |
| US12081522B2 (en) | | Discovering email account compromise through assessments of digital activities |
| US11146575B2 (en) | | Suspicious message report processing and threat response |
| US10181957B2 (en) | | Systems and methods for detecting and/or handling targeted attacks in the email channel |
| US9906554B2 (en) | | Suspicious message processing and incident response |
| US8131742B2 (en) | | Method and system for processing fraud notifications |
| US8578480B2 (en) | | Systems and methods for identifying potentially malicious messages |
| US20050015626A1 (en) | | System and method for identifying and filtering junk e-mail messages or spam based on URL content |
| WO2013009713A2 (en) | | Syntactical fingerprinting |
| WO2016164844A1 (en) | | Message report processing and threat prioritization |
| JP2005520230A (en) | | System and method for enhancing electronic security |
| WO2011090466A1 (en) | | Method and system for using spam e-mail honeypots to identify potential malware containing e-mails |
| JP2012511842A (en) | | Electronic messaging integration engine |
| US20250077661A1 (en) | | Email Security Detection Apparatus, Method and Device, and Storage Medium |
| EP3281144A1 (en) | | Message report processing and threat prioritization |
| US20060259551A1 (en) | | Detection of unsolicited electronic messages |
| US7257773B1 (en) | | Method and system for identifying unsolicited mail utilizing checksums |
| CN116708019A (en) | | A cloud mailbox security monitoring method, device, equipment and storage medium |
| Khan et al. | | Introduction to email, web, and message forensics |
| CA2804851A1 (en) | | Monitoring communications |
| CN113938311A (en) | | Mail attack tracing method and system |
| Morovati et al. | | Detection of Phishing Emails with Email Forensic Analysis and Machine Learning Techniques |
| Karunamoorthy | | Network Forensics |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |