
CN117201208B - Malicious mail identification method, malicious mail identification device, electronic equipment and storage medium - Google Patents


Info

Publication number: CN117201208B
Authority: CN (China)
Prior art keywords: user operation, simulated user, target, mail, data
Prior art date:
Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN202311480302.9A
Other languages: Chinese (zh)
Other versions: CN117201208A
Inventors: 秦旭, 梁力文
Current Assignee: Xinhua San Network Information Security Software Co ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Xinhua San Network Information Security Software Co ltd
Priority date: (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date:
Publication date:

Events
  Application filed by Xinhua San Network Information Security Software Co ltd
  Priority to CN202311480302.9A
  Publication of CN117201208A
  Application granted
  Publication of CN117201208B
  Legal status: Active (current)
  Anticipated expiration

Landscapes

  • Information Transfer Between Computers (AREA)

Abstract

The disclosure provides a malicious mail identification method, a malicious mail identification device, an electronic device and a storage medium, in the technical field of the Internet. The method comprises the following steps: extracting the information contained in a target mail, the information including at least one triggerable element, where a triggerable element is an entry through which data can be acquired; performing a simulated user operation on the at least one triggerable element and recording the data generated during the simulated user operation; detecting the data according to a preset detection rule to obtain a target detection result; and identifying, according to the target detection result, whether the target mail is malicious. Because the method and device perform the user operation themselves, malicious mail can be identified automatically without real human interaction. In addition, the triggerable elements are triggered in real time, the generated data is recorded, and the identification result is derived from that data, so a more accurate identification result can be obtained.

Description

Malicious mail identification method, malicious mail identification device, electronic equipment and storage medium
Technical Field
The disclosure relates to the technical field of internet, and in particular relates to a malicious mail identification method, a malicious mail identification device, electronic equipment and a storage medium.
Background
With the development of Internet technology and the spread of electronic commerce, more and more work is done over networks, and electronic mail has become an important means of communication at work.
Although this mode of communication makes the user's workflow more convenient, a received e-mail may be a malicious mail that harms the user's device or the user. How to identify malicious mail among a large number of mails is therefore a problem to be solved in the art.
Disclosure of Invention
In view of the above, an object of the present disclosure is to provide a method, an apparatus, an electronic device, and a storage medium for identifying malicious mail, which can solve the existing problems in a targeted manner.
Based on the above object, in a first aspect, the present disclosure proposes a malicious mail identification method, including: extracting information contained in a target mail, wherein the information comprises at least one triggerable element, and the at least one triggerable element refers to an entry for acquiring data; executing simulated user operation on the at least one triggerable element, and recording the data generated in the process of the simulated user operation; detecting the data according to a preset detection rule, wherein the detection result is a target detection result; and identifying whether the target mail is malicious mail according to the target detection result.
Optionally, the at least one triggerable element includes an encoded file package (for example a compressed archive) and the set of files contained in it; performing the simulated user operation on the at least one triggerable element and recording the data generated during the simulated user operation comprises: decoding the encoded file package to obtain the set of files it contains; if malicious behavior occurs during decoding, recording malicious behavior data indicating that behavior; executing a file in the set of files and performing the simulated user operation indicated by the file, this being a first simulated user operation; and recording the operation data of the file and operation data indicating the first simulated user operation.
Optionally, the at least one triggerable element comprises a graphic code; said performing a simulated user operation on said at least one triggerable element, recording said data generated during said simulated user operation, comprising: if the target mail is determined to comprise the graphic code, analyzing the graphic code to obtain an access entry indicated by the graphic code; accessing a corresponding webpage through the access entrance, and executing the simulated user operation indicated by the webpage, wherein the simulated user operation indicated by the webpage is a second simulated user operation; recording the accessed relevant data and recording operation data indicating the second simulated user operation, wherein the relevant data comprises rendering data of the web page.
Optionally, the at least one triggerable element comprises an access portal to a web page; said performing a simulated user operation on said at least one triggerable element, recording said data generated during said simulated user operation, comprising: accessing a corresponding webpage through an access entry of the webpage, and executing a simulated user operation indicated by the webpage, wherein the simulated user operation indicated by the webpage is a third simulated user operation; recording related data of a target access, and recording operation data indicating the third simulated user operation, wherein the target access is an access through an access portal of the web page, and the related data comprises rendering data of the web page.
Optionally, performing the simulated user operation indicated by the web page includes the following access operations: accessing the web page indicated by the access entry, this web page being the target web page, where the target web page contains an input box; invoking a pre-trained model to analyze the content of the target web page and obtain the characters to be entered in the input box; and entering those characters in the input box.
Optionally, the executing the simulated user operation indicated by the web page further includes: and before any action of the access operation is executed, the target webpage is subjected to screenshot, a screenshot result is obtained, and the data comprise the screenshot result.
Optionally, the detection rule includes a plurality of items to be detected; the detecting the data according to the preset detection rule comprises the following steps: generating an information set to be detected for the target mail, wherein the information set comprises the data; and detecting the information set to generate detection results corresponding to the multiple items to be detected respectively, wherein each detection result is used for indicating the probability that the target mail is malicious mail.
Optionally, identifying whether the target mail is malicious according to the target detection result includes: judging that the target mail is malicious if the detection results corresponding to the plurality of items to be detected include a preset detection result for a target item to be detected, where the target item is a single item or a combination of items, and when the target item is a preset combination of items, the items in that combination occur in a preset order.
Optionally, the detection results respectively corresponding to the plurality of items to be detected are numerical values; the identifying whether the target mail is a malicious mail according to the target detection result includes: calculating the numerical values corresponding to the multiple items to be detected respectively to obtain the total number value of the target mail; and if the total number value is larger than a preset threshold value, judging that the target mail is a malicious mail.
Optionally, the performing a simulated user operation on the at least one triggerable element includes: determining preset operation environments corresponding to the at least one triggerable element respectively, wherein the preset operation environments are isolated operation environments; and calling each determined preset running environment, and executing the simulated user operation on the corresponding triggerable element.
Optionally, each preset running environment is used for executing a simulated user operation in an operating system; the determining the preset operation environments corresponding to the at least one triggerable element respectively comprises the following steps: if the simulated user operation of the at least one triggerable element needs to be executed in at least one operating system, determining the preset running environments corresponding to the at least one operating system respectively.
In a second aspect, there is also provided a malicious mail recognition apparatus, including: an extraction unit configured to extract information contained in a target mail, the information including at least one triggerable element, the at least one triggerable element being an entry for acquiring data; a recording unit configured to perform a simulated user operation on the at least one triggerable element, recording the data generated during the simulated user operation; the detection unit is configured to detect the data according to a preset detection rule, and the detection result is a target detection result; and the identifying unit is configured to identify whether the target mail is malicious mail or not according to the target detection result.
Optionally, the at least one triggerable element includes an encoded file package (for example a compressed archive) and the set of files contained in it; the recording unit is further configured to perform the simulated user operation on the at least one triggerable element and record the data generated during the simulated user operation as follows: decoding the encoded file package to obtain the set of files it contains; if malicious behavior occurs during decoding, recording malicious behavior data indicating that behavior; executing a file in the set of files and performing the simulated user operation indicated by the file, this being a first simulated user operation; and recording the operation data of the file and operation data indicating the first simulated user operation.
Optionally, the at least one triggerable element comprises a graphic code; the recording unit is further configured to perform the performing of the simulated user operation on the at least one triggerable element, and record the data generated during the simulated user operation in the following manner: if the target mail is determined to comprise the graphic code, analyzing the graphic code to obtain an access entry indicated by the graphic code; accessing a corresponding webpage through the access entrance, and executing the simulated user operation indicated by the webpage, wherein the simulated user operation indicated by the webpage is a second simulated user operation; recording the accessed relevant data and recording operation data indicating the second simulated user operation, wherein the relevant data comprises rendering data of the web page.
Optionally, the at least one triggerable element comprises an access portal to a web page; the recording unit is further configured to perform the performing of the simulated user operation on the at least one triggerable element, and record the data generated during the simulated user operation in the following manner: accessing a corresponding webpage through an access entry of the webpage, and executing a simulated user operation indicated by the webpage, wherein the simulated user operation indicated by the webpage is a third simulated user operation; recording related data of a target access, and recording operation data indicating the third simulated user operation, wherein the target access is an access through an access portal of the web page, and the related data comprises rendering data of the web page.
Optionally, the recording unit is further configured to perform the simulated user operation indicated by the web page through the following access operations: accessing the web page indicated by the access entry, this web page being the target web page, where the target web page contains an input box; invoking a pre-trained model to analyze the content of the target web page and obtain the characters to be entered in the input box; and entering those characters in the input box.
Optionally, the recording unit is further configured to perform the simulated user operation indicated by the web page as follows: and before any action of the access operation is executed, the target webpage is subjected to screenshot, a screenshot result is obtained, and the data comprise the screenshot result.
Optionally, the detection rule includes a plurality of items to be detected; the detection unit is further configured to perform the detecting of the data according to a preset detection rule as follows: generating an information set to be detected for the target mail, wherein the information set comprises the data; and detecting the information set to generate detection results corresponding to the multiple items to be detected respectively, wherein each detection result is used for indicating the probability that the target mail is malicious mail.
Optionally, the identifying unit is further configured to identify, according to the target detection result, whether the target mail is malicious as follows: judging that the target mail is malicious if the detection results corresponding to the plurality of items to be detected include a preset detection result for a target item to be detected, where the target item is a single item or a combination of items, and when the target item is a preset combination of items, the items in that combination occur in a preset order.
Optionally, the detection results respectively corresponding to the plurality of items to be detected are numerical values; the identifying unit is further configured to perform the identifying, according to the target detection result, whether the target mail is a malicious mail or not as follows: calculating the numerical values corresponding to the multiple items to be detected respectively to obtain the total number value of the target mail; and if the total number value is larger than a preset threshold value, judging that the target mail is a malicious mail.
Optionally, the recording unit is further configured to perform the performing of the simulated user operation on the at least one triggerable element as follows: determining preset operation environments corresponding to the at least one triggerable element respectively, wherein the preset operation environments are isolated operation environments; and calling each determined preset running environment, and executing the simulated user operation on the corresponding triggerable element.
Optionally, each preset running environment is used for executing a simulated user operation in an operating system; the recording unit is further configured to perform the determining the preset running environments respectively corresponding to the at least one triggerable element according to the following manner: if the simulated user operation of the at least one triggerable element needs to be executed in at least one operating system, determining the preset running environments corresponding to the at least one operating system respectively.
In a third aspect, there is also provided an electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor runs the computer program to implement the method of the first aspect.
In a fourth aspect, there is also provided a computer readable storage medium having stored thereon a computer program for execution by a processor to perform the method of any of the first aspects.
Overall, the present disclosure has at least the following benefits: the simulated user operation can be performed, so that the automatic identification of malicious mails can be realized without the need of real human interaction. In addition, the triggerable elements are triggered in real time, the generated data is recorded, and further, the result of identifying the malicious mail is obtained through the data, so that more accurate identification results can be obtained.
Drawings
In the drawings, the same reference numerals refer to the same or similar parts or elements throughout the several views unless otherwise specified. The figures are not necessarily drawn to scale. It is appreciated that these drawings depict only some embodiments according to the disclosure and are not to be considered limiting of its scope.
FIG. 1 illustrates a flow chart of a method of malicious mail identification in accordance with an embodiment of the present disclosure;
FIG. 2 illustrates another flow chart of a method of malicious mail identification in accordance with an embodiment of the present disclosure;
FIG. 3 shows a schematic diagram of various modules interacting with a sandbox in accordance with an embodiment of the present disclosure;
FIG. 4 shows a schematic diagram of a malicious mail identification device according to an embodiment of the present disclosure;
FIG. 5 is a schematic diagram of an electronic device according to an embodiment of the disclosure;
FIG. 6 shows a schematic diagram of a storage medium according to an embodiment of the present disclosure.
Detailed Description
The present disclosure is described in further detail below with reference to the drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the invention and are not limiting of the invention. It should be noted that, for convenience of description, only the portions related to the present invention are shown in the drawings.
It should be noted that, without conflict, the embodiments of the present disclosure and features of the embodiments may be combined with each other. The present disclosure will be described in detail below with reference to the accompanying drawings in conjunction with embodiments.
Fig. 1 illustrates a malicious mail identification method of the present disclosure. In an embodiment of the present disclosure, the method comprises the steps of:
Step S101, extracting the information contained in the target mail, where the information includes triggerable elements, and a triggerable element is an entry for acquiring data.
In this embodiment, the execution body of the malicious mail identification method (such as a network security device or a terminal device) may extract the information contained in the target mail. This information includes the triggerable elements and may also include non-triggerable elements of the target mail, for example at least one of: the recipient, the sender mailbox, the sender domain name and the mail subject.
Specifically, a triggerable element is mail content that is activated by a trigger operation such as a click, a double click or scanning. Each triggerable element is an entry with a corresponding trigger result; for example, clicking a link yields a web page. Data can be obtained through the trigger result; when the trigger result is a web page, the data may include the related data of accessing that web page.
The related data may include various data related to the web page, for example the data needed to render it and the plaintext traffic packets corresponding to the traffic generated by accessing it. In particular, the rendering data may include the Hypertext Markup Language (HTML) file, Cascading Style Sheets (CSS) files and JavaScript (JS) script files.
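As an added illustration of step S101 (example code written for this page, not the patent's implementation), the following Python parses a constructed sample message, separates the non-triggerable elements (recipient, sender, sender domain, subject) from the triggerable entries, and classifies attachments into the element kinds the disclosure names: an encoded file package that must be decoded before its files run, an executable, an image that may carry a graphic code, and a web access entry. The sample message, the extension tables and the element type names are assumptions made for this example.

```python
import email
import os
import re
from email import policy
from email.utils import parseaddr

# Constructed sample message (not from the patent): one link in an HTML body,
# one archive attachment and one image attachment that could carry a QR code.
SAMPLE_EML = b"""From: "Customer Service" <notice@example-bank-alerts.test>
To: victim@example.test
Subject: You have won a prize - verify your bank card
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Click <a href="http://secure-verify.dyn-host.test/login">here</a>
to verify your card within 24 hours.</p></body></html>
--b1
Content-Type: application/zip; name="statement.zip"
Content-Disposition: attachment; filename="statement.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--b1
Content-Type: image/png; name="qr.png"
Content-Disposition: attachment; filename="qr.png"
Content-Transfer-Encoding: base64

iVBORw0KGgo=
--b1--
"""

# Extension tables are illustrative assumptions, not exhaustive lists.
ARCHIVE_EXT = {".zip", ".rar", ".7z", ".tar", ".gz", ".iso"}
EXECUTABLE_EXT = {".exe", ".dll", ".scr", ".js", ".vbs", ".bat", ".ps1", ".lnk"}
IMAGE_EXT = {".png", ".jpg", ".jpeg", ".gif", ".bmp"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def classify_attachment(filename):
    """Map an attachment to the triggerable-element kinds named in the disclosure."""
    ext = os.path.splitext(filename)[1].lower()
    if ext in ARCHIVE_EXT:
        return "encoded_file_package"        # needs decoding before its files run
    if ext in EXECUTABLE_EXT:
        return "executable_file"
    if ext in IMAGE_EXT:
        return "image_possible_graphic_code"  # candidate for QR-code decoding
    return "other_file"


def extract_elements(raw_message):
    """Return the non-triggerable metadata and the triggerable entries of a mail."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    sender_addr = parseaddr(str(msg["From"] or ""))[1]
    info = {
        "non_triggerable": {
            "recipient": str(msg["To"] or ""),
            "sender": sender_addr,
            "sender_domain": sender_addr.rpartition("@")[2].lower(),
            "subject": str(msg["Subject"] or ""),
        },
        "triggerable": [],
    }
    urls = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if filename:
            payload = part.get_payload(decode=True) or b""
            info["triggerable"].append({
                "type": classify_attachment(filename),
                "name": filename,
                "size": len(payload),
            })
        elif part.get_content_type() in ("text/plain", "text/html"):
            urls.extend(URL_RE.findall(part.get_content()))
    # Keep first-seen order but drop duplicate links.
    for url in dict.fromkeys(urls):
        info["triggerable"].append({"type": "web_access_entry", "url": url})
    return info


if __name__ == "__main__":
    import json
    print(json.dumps(extract_elements(SAMPLE_EML), indent=2))
```

Each entry in the returned "triggerable" list is what the later steps hand to an isolated environment: the archive goes to a decoder, the image to a graphic-code reader, the link to a browser environment.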
Step S102, executing the simulated user operation on the triggerable elements, and recording the data generated in the process of the simulated user operation.
In this embodiment, the execution body may perform the simulated user operation on the triggerable element and record the data generated during the operation. Performing the trigger operation on a triggerable element yields a trigger result, and the data are obtained through that result; the trigger operation performed here is the simulated user operation. In practice, the data may include operation behavior information of the simulated user operation as well as various files generated during the operation, such as a JSON file. The operation behavior information may include, for example, process operation behavior and file operation behavior.
A simulated user operation is an operation that imitates user interface interaction, such as accessing a web page, opening a compressed package or filling out a form.
In general, such an operation would be performed by a user; in the present disclosure, the simulated user operation on the triggerable element is performed by the execution body described above.
Step S103, detecting the data according to a preset detection rule, wherein the detection result is a target detection result.
In this embodiment, the execution body may detect the data according to a preset detection rule, so as to obtain a detection result. The preset detection rule may be, for example, to call a preset detection model to detect the data, so as to obtain a result of the detection model, where the result is a detection result.
Step S104, according to the target detection result, identifying whether the target mail is malicious mail.
In this embodiment, the execution body may identify, in various ways, whether the target mail is malicious according to the target detection result. The target detection result may indicate directly whether the target mail is malicious, or it may indicate this only indirectly. In the indirect case, the execution body applies preset processing to the detection result and uses the result of that processing as the identification result. For example, the preset processing may feed the detection result into a preset formula or an identification model and take the output of the formula or model as the processing result.
Specifically, the execution body may also detect the extracted information according to a preset detection rule to obtain a specified detection result; for example, it may detect whether the mail subject contains the word "winning". The execution body may then identify whether the target mail is malicious based on both the target detection result and the specified detection result.
The embodiment can execute the simulated user operation, so that the automatic identification of the malicious mails can be realized without the need of real human interaction. In addition, the triggerable elements are triggered in real time, the generated data is recorded, and further, the result of identifying the malicious mail is obtained through the data, so that more accurate identification results can be obtained.
Fig. 2 illustrates a malicious mail identification method according to an embodiment of the present disclosure. As shown in fig. 2, the method includes:
in step S201, information included in the target mail is extracted, where the information includes at least one triggerable element, and the at least one triggerable element is an entry for acquiring data.
Step S202, performing the simulated user operation on the at least one triggerable element and recording the data generated during the operation, and detecting the plurality of items to be detected on target data that includes the recorded data, generating a detection result for each item to be detected, where each detection result indicates the probability that the target mail is malicious.
In this embodiment, the execution body may run the detection corresponding to each item to be detected, each detection result indicating whether the mail is malicious. The detection result may be a probability that the target mail is malicious; for example, it may be a numerical value that grows with the probability, or it may be a "1" indicating malicious mail and a "0" indicating non-malicious mail.
Specifically, the target data may include the above data, that is, the data generated during the simulated user operation, and further, the target data may include information of the extracted target mail. The information detected by the item to be detected may include a sender, and the item to be detected may specifically be whether the sender includes a preset sender.
The execution body may determine the target detection result according to the detection results corresponding to the plurality of items to be detected in various manners. For example, the execution body may input a plurality of items to be detected into a preset detection model corresponding to detection results, and obtain target detection results output from the detection model. The detection model may be a trained neural network model.
Specifically, the items to be detected may include at least one of: whether the domain name in the URL is a dynamic domain name; whether the web page mentions a bank; whether the bank mentioned in the web page matches the domain name in the URL; whether the form requires a bank card number; whether the form requires a bank card password; whether the executable file makes external connections; and whether the executable file attempts lateral movement.
The number of items to be detected may be preset, such as 50. Each item to be detected may correspond to a detection result.
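As an added example for the items to be detected listed above (written for this page; it is not the patent's detection engine), the following Python evaluates those seven items over a constructed sandbox record made up of the rendered landing page reached through the mail's link and the process events recorded while the decoded attachment ran. Every item is oriented so that True means suspicious, so the bank-versus-domain item is reported as a mismatch. The dynamic-DNS suffix list, the internal address ranges, the lateral-movement port set and the input-field name patterns are illustrative assumptions.

```python
import ipaddress
import re
from html.parser import HTMLParser

# Constructed sandbox record (not from the patent): the rendered landing page
# plus the network events recorded while the decoded attachment executed.
SAMPLE_RECORD = {
    "url": "http://secure-verify.dyn-host.test/login",
    "html": """<html><body><h1>Example Bank online verification</h1>
<form action="/submit" method="post">
  <label>Card number <input name="card_number" type="text"></label>
  <label>Card PIN <input name="card_pin" type="password"></label>
  <input type="submit" value="Verify">
</form></body></html>""",
    "process_events": [
        {"process": "statement.exe", "op": "connect", "dst": "203.0.113.5", "port": 443},
        {"process": "statement.exe", "op": "connect", "dst": "10.0.0.7", "port": 445},
    ],
}

# Illustrative lists (assumptions); a deployment would feed these from threat intel.
DYNAMIC_DNS_SUFFIXES = ("dyn-host.test", "duckdns.org", "no-ip.org", "ddns.net")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LATERAL_PORTS = {22, 135, 139, 445, 3389, 5985}
BANK_NAME_RE = re.compile(r"\b((?:[A-Z][A-Za-z]+\s+)+Bank)\b")
CARD_NUMBER_RE = re.compile(r"card.?(?:number|num|no)\b|cardnum|\bpan\b")
CARD_SECRET_RE = re.compile(r"pin|passw|cvv|cvc")


class _PageScanner(HTMLParser):
    """Collect visible text and the attributes of every <input> on the page."""

    def __init__(self):
        super().__init__()
        self.inputs, self.text = [], []

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.inputs.append({k: (v or "").lower() for k, v in attrs})

    def handle_data(self, data):
        self.text.append(data)


def _is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def run_detection_items(record):
    """Evaluate each item to be detected; True always means 'suspicious'."""
    host = re.sub(r"^https?://", "", record["url"]).split("/")[0].lower()
    scanner = _PageScanner()
    scanner.feed(record["html"])
    page_text = " ".join(scanner.text)
    banks = BANK_NAME_RE.findall(page_text)
    # Compare the bank's name tokens (minus the word "bank") with the host labels.
    tokens = {t.lower() for b in banks for t in b.split() if t.lower() != "bank"}
    bank_in_host = any(t in host.replace("-", "") for t in tokens)
    fields = [" ".join(i.get(k, "") for k in ("name", "id", "placeholder", "type"))
              for i in scanner.inputs]
    connects = [e for e in record["process_events"] if e["op"] == "connect"]
    return {
        "url_domain_is_dynamic": host.endswith(DYNAMIC_DNS_SUFFIXES),
        "page_mentions_bank": bool(banks),
        "bank_domain_mismatch": bool(banks) and not bank_in_host,
        "form_asks_card_number": any(CARD_NUMBER_RE.search(f) for f in fields),
        "form_asks_card_password": any("password" in f or CARD_SECRET_RE.search(f)
                                       for f in fields),
        "executable_external_connection": any(not _is_internal(e["dst"]) for e in connects),
        "executable_lateral_movement": any(_is_internal(e["dst"]) and e["port"] in LATERAL_PORTS
                                           for e in connects),
    }


if __name__ == "__main__":
    for item, hit in run_detection_items(SAMPLE_RECORD).items():
        print(f"{item:34s} {hit}")
```

The form items look only at the rendered page the sandbox captured; they never submit anything, which matches the disclosure's point that the simulated operation is carried out in an isolated environment rather than by a real user.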
Step S203, detecting the data according to a preset detection rule, where the detected result is a target detection result.
Step S204, according to the target detection result, whether the target mail is malicious mail is identified.
The embodiment can detect a plurality of items to be detected, thereby realizing the refinement of various indexes of data and improving the accuracy of identifying malicious mails.
In some optional implementations of this embodiment, identifying whether the target mail is malicious according to the target detection result may include: judging that the target mail is malicious according to the detection results corresponding to the plurality of items to be detected, where the target item to be detected is a single item or a combination of items, and if the target item is a preset combination of items, the items in that combination occur in a preset order.
In these optional implementations, the execution body may judge that the target mail is malicious when the detection result of the target item to be detected is a first detection result. If the target item is a preset combination of items, the target mail is judged malicious when the items in the combination occur in the preset order and each has the first detection result. The order of occurrence here refers to the order in the mail or in the accessed web page.
For example, the target items may include an item A and an item B, where A is whether the bank mentioned in the web page matches the domain name in the URL and B is whether the input box requires a bank card password, and the preset order is A before B. In this scenario, the first detection results of both A and B indicate "yes".
The implementation method can rapidly judge whether the target mail is the malicious mail through the specific items to be detected, and the accuracy of judging the malicious mail can be further improved through the appearance sequence of the items to be detected in the preset item combination.
In some optional implementations of this embodiment, the identifying, according to the target detection result, whether the target mail is a malicious mail may include: calculating the numerical values corresponding to the multiple items to be detected respectively to obtain the total number value of the target mail; and if the total number value is larger than a preset threshold value, judging that the target mail is a malicious mail.
In these alternative implementations, the detection results may be numerical values, with different values for different results. For example, if the detection result is "yes" the value may be 1 or 3, and if the detection result is "no" the value may be 0.
The execution body may combine the values corresponding to the plurality of items to be detected in various manners; for example, it may directly add the values and use the sum as the total value of the target mail.
Alternatively, the execution body may set a corresponding value for each item to be detected, one value per item, and calculate a final value S (Score) from these values according to a preset calculation formula. A numerical threshold is given, and the target mail is judged to be a malicious mail when S is greater than or equal to the numerical threshold. For each single item to be detected, an indicator denotes whether the data obtained by simulating the user operation include the data detected by that item: the indicator is 1 if the data are included and 0 if they are not.
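As an added illustration, not part of the patent text, the following Python example implements both judging rules described above: the preset item combination whose items must appear in a preset sequence, and the numerical total compared against a threshold. The item identifiers, the per-item values, the simple-sum form of S and the threshold value are assumptions made for this example, since the page does not fix them.

```python
from typing import Dict, List, Sequence, Tuple

# Item identifiers are constructed for this example. A and B follow the text:
# A = the bank named on the page checked against the URL domain,
# B = the input box asks for a bank card password. C and D are extra items.
ITEM_A = "bank_vs_url_domain_check"
ITEM_B = "input_box_requests_bank_card_password"
ITEM_C = "attachment_spawned_new_process"      # constructed additional item
ITEM_D = "decoding_showed_malicious_behavior"  # constructed additional item

# Value assigned to a "yes" result per item (the text uses 1 or 3); "no" is 0.
YES_VALUE: Dict[str, int] = {ITEM_A: 1, ITEM_B: 3, ITEM_C: 3, ITEM_D: 3}

# Preset item combinations: every item must be "yes" and the items must appear
# in this order in the mail or the accessed web page (A before B).
PRESET_COMBINATIONS: List[Tuple[str, ...]] = [(ITEM_A, ITEM_B)]

# Assumed numerical threshold for the total value S.
SCORE_THRESHOLD = 5


def item_values(results: Dict[str, bool]) -> Dict[str, int]:
    """Map each detection result to its numeric value: yes -> preset value, no -> 0."""
    return {item: (YES_VALUE.get(item, 1) if hit else 0) for item, hit in results.items()}


def total_score(results: Dict[str, bool]) -> int:
    """S = direct sum of the item values (the simplest calculation named in the text)."""
    return sum(item_values(results).values())


def combination_hit(results: Dict[str, bool],
                    appearance_order: Sequence[str],
                    combination: Sequence[str]) -> bool:
    """True when every item of the combination is 'yes' and the items occur in
    appearance_order (the sequence in which their evidence appeared) in the
    preset order."""
    if not all(results.get(item, False) for item in combination):
        return False
    positions = []
    for item in combination:
        if item not in appearance_order:
            return False
        positions.append(appearance_order.index(item))
    # Strictly increasing positions means the preset sequence was respected.
    return all(a < b for a, b in zip(positions, positions[1:]))


def identify_malicious(results: Dict[str, bool],
                       appearance_order: Sequence[str]) -> Tuple[bool, str]:
    """Judge the target mail: first by preset item combinations, then by the total value."""
    for combination in PRESET_COMBINATIONS:
        if combination_hit(results, appearance_order, combination):
            return True, "preset combination matched: " + " -> ".join(combination)
    score = total_score(results)
    if score >= SCORE_THRESHOLD:
        return True, f"total value {score} >= threshold {SCORE_THRESHOLD}"
    return False, f"total value {score} < threshold {SCORE_THRESHOLD}"


if __name__ == "__main__":
    # Constructed detection results: A and B are "yes", and A's evidence
    # appeared before B's on the accessed page, so the combination rule fires
    # even though S = 4 stays below the threshold of 5.
    results = {ITEM_A: True, ITEM_B: True, ITEM_C: False, ITEM_D: False}
    print(identify_malicious(results, [ITEM_A, ITEM_B]))
    print(identify_malicious(results, [ITEM_B, ITEM_A]))  # wrong order: not malicious
```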
Specifically, a batch of data labeled with detection results may be prepared, each sample being labeled with both whether the mail is malicious and whether its data include the data detected by each item to be detected. The executing body or another electronic device may then use a supervised machine learning algorithm to determine the value of each detection result such that the accuracy is greater than a preset threshold without overfitting, where the value of a detection result may be an index value.
The execution body or another electronic device may check whether the identification result of the malicious mail is correct by a full check or by a sampling check. In addition, the correctness of the identification result may be judged from users' false-positive feedback and false-negative feedback. The items to be detected may then be adjusted according to the judgment result; the adjustment may include adding, removing or modifying items to be detected. Likewise, the machine learning model may be optimized and the detection results, that is, the numerical values, may be adjusted according to the judgment result.
These implementations quantify each detection result by a numerical value, which helps to improve the accuracy of identifying malicious mail.
In some optional implementations of any of the embodiments of the disclosure, the at least one triggerable element comprises a graphical code; said performing a simulated user operation on said at least one triggerable element, recording said data generated during said simulated user operation, comprising: if the target mail is determined to comprise the graphic code, analyzing the graphic code to obtain an access entry indicated by the graphic code; accessing a corresponding webpage through the access entrance, and executing the simulated user operation indicated by the webpage, wherein the simulated user operation indicated by the webpage is a second simulated user operation; recording the accessed relevant data and recording operation data indicating the second simulated user operation, wherein the relevant data comprises rendering data of the web page.
In these implementations, the graphic code may be a two-dimensional code, a bar code, or the like. The graphic code may be presented at various content locations of the target mail; for example, in the body of the mail, in a picture attachment presenting the graphic code, or in a mail attachment file.
The execution body may identify the graphic code through a preset model and thus obtain the access entry corresponding to the graphic code; in particular, the access entry may be a URL. The execution body may access the web page through the access entry. The operation that the web page prompts the user to perform is the second simulated user operation, and the data obtained by executing the second simulated user operation are the data generated in the process of simulating the user operation.
Where the mail includes a graphic code, these implementations determine the access entry corresponding to the graphic code and the preset running environment corresponding to that access entry, so that the preset running environment for accessing the web page corresponding to the graphic code can be accurately determined.
In some optional implementations of any of the embodiments of the disclosure, performing the simulated user operation on the at least one triggerable element may include: determining preset operation environments corresponding to the at least one triggerable element respectively, wherein the preset operation environments are isolated operation environments; and calling each determined preset running environment, and executing the simulated user operation on the corresponding triggerable element.
In these optional implementations, the isolated operating environment may be a sandbox, or a container other than a sandbox. In this embodiment, a sandbox is taken as the example of a preset operation environment. In particular, sandboxes may correspond to triggerable elements. In some scenarios, if the triggerable element is an element triggered on a mobile phone, the sandbox may be one that provides the interaction functions of a mobile phone; for example, the element triggered on a mobile phone may be a two-dimensional code. In other scenarios, if the triggerable element is an element triggered on a personal computer, the sandbox may be one that provides the corresponding functions of a personal computer; for example, the element triggered on a personal computer may be a uniform resource locator (URL).
The execution body may call the preset operation environment for each preset operation environment in the determined preset operation environments, and execute the simulated user operation on the triggerable element corresponding to the preset operation environment.
These implementations employ an isolated running environment to perform the simulated user operations used for identifying malicious mail. This effectively prevents files generated during execution from adversely affecting hardware or software, and improves the security of identifying malicious mail.
In some optional application scenarios of these implementations, each preset runtime environment is used to perform simulated user operations in one operating system; the determining the preset operation environments corresponding to the at least one triggerable element respectively comprises the following steps: if the simulated user operation of the at least one triggerable element needs to be executed in at least one operating system, determining the preset running environments corresponding to the at least one operating system respectively.
In these optional application scenarios, different preset running environments may correspond to different operating systems; for example, a sandbox may correspond to a Windows system, an Android system, or a Linux system. Each triggerable element is associated with one or more operating systems, i.e., the triggerable element can be triggered in those operating systems.
For example, if the triggerable element includes an ELF file, the ELF file is associated with a Linux system, and the preset operating environment is the sandbox corresponding to the Linux system. If the triggerable element comprises a PDF file, the PDF file is associated with a Windows system or an Android system, and the preset operating environment is the sandbox corresponding to the Windows system or the sandbox corresponding to the Android system. If the triggerable element comprises an APK file, the preset operating environment adopted is the sandbox corresponding to the Android system. If the triggerable element comprises an EXE file or an Office file, the preset running environment adopted is the sandbox corresponding to the Windows system.
In the case that the target mail includes the encoded file package, the execution body may determine a preset running environment for the encoded file package and the files therein, respectively. Specifically, the execution body may determine an operating system for decoding the encoded file package, and an operating system for running the file therein, so as to determine preset running environments corresponding to the operating systems, respectively.
The triggerable elements may include not only elements directly presented in the target mail, such as elements in the mail body or the encoded file package, but also elements obtained by simulating user operations, such as the files obtained by decoding the encoded file package described above. In particular, the encoded file package may be a compressed package.
Specifically, the compressed package may or may not be protected by a password, i.e., it may require a password to be opened or may be opened directly. Where the compressed package is password-protected, the execution body may invoke a pre-trained model to first extract the password from the body of the target mail. If password extraction fails, the execution body may attempt to brute-force the password, stopping when the password is obtained or the process ends.
Specifically, the pre-trained model may be a model capable of natural language processing and image content understanding, such as a Generative Pre-trained Transformer (GPT) model.
Simulating the user operation may include decoding the encoded file package and, in addition, running the files in the encoded file package, i.e., the target files.
In these application scenarios, a triggerable element can be accurately mapped to a running environment through its operating system, which improves the accuracy of determining the preset running environment.
In some optional implementations of any of the embodiments of the disclosure, the at least one triggerable element includes an encoded bundle of files and a collection of files in the encoded bundle of files; said performing a simulated user operation on said at least one triggerable element, recording said data generated during said simulated user operation, comprising: decoding the encoded file packet to obtain a file set in the encoded file packet; if the malicious behavior exists in the decoding process, recording malicious behavior data indicating the malicious behavior; executing a file in the file set, and executing a simulated user operation indicated by the file, wherein the simulated user operation indicated by the file is a first simulated user operation; recording operation data of the file, and recording operation data indicating the first simulated user operation.
In these implementations, the execution body may decompress the encoded file package, and the recorded data may include malicious behavior data indicating malicious behavior; malicious behavior may be, for example, intrusion into the device by exploiting a vulnerability in the decompression process. The recorded data may also include the operation data generated when the file is run. In addition, the file may prompt a first simulated user operation, which the execution body may execute, so the recorded data may also include operation data of the first simulated user operation.
The operation data may include various data generated when the file is run, and various data generated when the first simulated user operation is performed.
The simulated user operation may be decoding the encoded file package, and may be running a file in the encoded file package, i.e., the target file. The target file refers to a file that can be run in the second operating system.
Where the target mail includes an encoded file package, these implementations determine and record the corresponding data for the encoded file package and for the files therein respectively, thereby ensuring that each item to be detected can be detected.
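The following Python example is added here (it is not code from the patent) to illustrate the encoded file package handling of this section together with the per-operating-system sandbox routing described in the preceding application scenarios: it decodes a constructed zip package in memory, records an entry that would escape the extraction directory as malicious behavior observed during decoding, routes each contained file to the sandbox of its associated operating system, and uses a regular expression as a stand-in for the pre-trained model that extracts the package password from the mail body. The decoding operating system (Linux), the Office extensions listed in the table, and the sample package and mail body are assumptions constructed for the example.

```python
import io
import posixpath
import re
import zipfile
from typing import Dict, List, Optional

# Operating system(s) whose sandbox runs a file of the given extension, following
# the associations named in the text (ELF -> Linux, PDF -> Windows or Android,
# APK -> Android, EXE and Office files -> Windows). The Office extensions are assumed.
OS_BY_EXTENSION: Dict[str, List[str]] = {
    "elf": ["linux"],
    "pdf": ["windows", "android"],
    "apk": ["android"],
    "exe": ["windows"],
    "doc": ["windows"], "docx": ["windows"],
    "xls": ["windows"], "xlsx": ["windows"],
    "ppt": ["windows"], "pptx": ["windows"],
}

# Assumption: the encoded file package itself is decoded in a Linux sandbox.
DECODE_OS = "linux"


def sandboxes_for_file(name: str) -> List[str]:
    """Preset running environments for one file, keyed by its extension."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return list(OS_BY_EXTENSION.get(ext, []))


def extract_password_from_body(body: str) -> Optional[str]:
    """Regular-expression stand-in for the pre-trained model that reads the
    package password out of the mail body. Returns None when nothing is found."""
    match = re.search(r"(?:password|passcode|pwd)(?:\s+is)?\s*[:：]?\s*([^\s,;。]+)",
                      body, re.IGNORECASE)
    return match.group(1) if match else None


def escapes_extraction_dir(entry_name: str) -> bool:
    """True for an archive entry whose path would land outside the extraction directory."""
    name = entry_name.replace("\\", "/")
    if name.startswith("/") or re.match(r"^[A-Za-z]:", name):
        return True
    norm = posixpath.normpath(name)
    return norm == ".." or norm.startswith("../")


def decode_package(data: bytes, password: Optional[str] = None) -> dict:
    """Decode the package in memory, record malicious behavior seen while decoding
    (here: entries that try to escape the extraction directory) and route each
    contained file to the sandbox(es) of its operating system."""
    record = {
        "decode_os": DECODE_OS,
        "password_used": password is not None,
        "malicious_behavior": [],
        "files": {},
        "environments": {DECODE_OS},
    }
    with zipfile.ZipFile(io.BytesIO(data)) as package:
        if password is not None:
            package.setpassword(password.encode("utf-8"))
        for info in package.infolist():
            if escapes_extraction_dir(info.filename):
                record["malicious_behavior"].append(
                    {"entry": info.filename, "behavior": "path traversal during decoding"})
                continue  # the entry is recorded but never written anywhere
            if info.is_dir():
                continue
            content = package.read(info.filename)  # stays in memory
            envs = sandboxes_for_file(info.filename)
            record["files"][info.filename] = {"size": len(content), "sandboxes": envs}
            record["environments"].update(envs)
    record["environments"] = sorted(record["environments"])
    return record


def build_sample_package() -> bytes:
    """Constructed sample package: three attachments plus one traversal entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as package:
        package.writestr("invoice.pdf", b"%PDF-1.4 constructed sample")
        package.writestr("update.exe", b"MZ constructed sample")
        package.writestr("tool.elf", b"\x7fELF constructed sample")
        package.writestr("../../etc/cron.d/job", b"constructed traversal entry")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed mail body carrying the package password.
    body = "Constructed mail body. Open the attachment, the archive password: Abc123 , thanks."
    report = decode_package(build_sample_package(), extract_password_from_body(body))
    print(report)
```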
In some optional implementations of any of the embodiments of the disclosure, the at least one triggerable element includes an access portal to the web page; said performing a simulated user operation on said at least one triggerable element, recording said data generated during said simulated user operation, comprising: accessing a corresponding webpage through an access entry of the webpage, and executing a simulated user operation indicated by the webpage, wherein the simulated user operation indicated by the webpage is a third simulated user operation; recording related data of a target access, and recording operation data indicating the third simulated user operation, wherein the target access is an access through an access portal of the web page, and the related data comprises rendering data of the web page.
In these optional implementations, where the triggerable element of the target mail includes an access entry of a web page, the execution body may access the corresponding web page through the access entry and execute the third simulated user operation indicated by the web page. Thereafter, the execution body may record the related data of the access and record operation data indicating the third simulated user operation.
In addition, the execution body may determine a third operating system through which the access entry is accessed, and use the running environment corresponding to that operating system as the running environment for the access. In particular, the access entry of a web page may be a URL.
The access entry may be present in the body of the target mail or in the encoded package.
Where the target mail includes an access entry, these implementations determine the operating system capable of executing the access operation and the corresponding running environment, so that the preset running environment for accessing the web page can be accurately determined.
In some optional implementations of any of the embodiments of the disclosure, the at least one triggerable element comprises a graphical code; said performing a simulated user operation on said at least one triggerable element, recording said data generated during said simulated user operation, comprising: if the target mail is determined to comprise the graphic code, analyzing the graphic code to obtain an access entry indicated by the graphic code; accessing a corresponding webpage through the access entrance, and executing the simulated user operation indicated by the webpage, wherein the simulated user operation indicated by the webpage is a second simulated user operation; recording the accessed relevant data and recording operation data indicating the second simulated user operation, wherein the relevant data comprises rendering data of the web page.
In these optional implementations, the graphic code may be a two-dimensional code, a bar code, or the like. The graphic code may be presented at various content locations of the target mail; for example, in the body of the mail, in a picture attachment presenting the graphic code, or in a mail attachment file.
When the target mail includes a graphic code, the execution body may analyze the graphic code to obtain the access entry it indicates. The execution body then accesses the web page through the access entry and executes the simulated user operation indicated by the web page, which is the second simulated user operation. The execution body may record the related data of the access and record operation data indicating the second simulated user operation.
In addition, the execution body may determine a second operating system for accessing the access entry obtained from the graphic code, and determine the preset operating environment corresponding to that operating system. The execution body may identify the graphic code through a preset model and thus obtain the access entry corresponding to the graphic code; in particular, the access entry may be a URL.
Where the mail includes a graphic code, these implementations determine the access entry corresponding to the graphic code so that the access can be performed through it; graphic codes, triggerable elements that usually require a person to operate them, can thus be processed automatically and their data recorded.
In some optional application scenarios of these implementations, executing the simulated user operation indicated by the web page includes the following access operations: accessing the web page indicated by the access entry, where the web page indicated by the access entry is a target web page and the target web page is provided with an input box; invoking a pre-trained model and analyzing the web page content of the target web page to obtain the characters to be entered in the input box; and entering the characters to be entered in the input box.
In these application scenarios, the execution body may access the web page and invoke a content analysis model to analyze the web page content of the accessed web page. The execution body then enters the characters to be entered in the preset operation environment.
For example, web page content may refer to the various files and data required to render the web page. The web page content may include the input requirement of an input box, for example presented as a field label beside the input box, such as name, identity card number, mobile phone number, or mailbox password.
The pre-trained model may have a function of analyzing web page content.
In these application scenarios, the execution body can enter content into an input box of the web page in the preset running environment in place of manual operation. In addition, the pre-trained model enables accurate analysis of web page content, improving the accuracy of the simulated user operation.
Optionally, executing the simulated user operation indicated by the web page further includes: before any action of the access operation is executed, taking a screenshot of the target web page to obtain a screenshot result, and the data include the screenshot result.
The execution body may take the screenshot before any action is performed on the target web page, for example before each input box is filled in. The execution body may collect screenshot results and web page files in the preset running environment and take the collected content as the data generated in the process of simulating the user operation.
In these optional cases, the execution body may record the various behaviors during the access operation and the data obtained from them, which helps to accurately identify malicious mail.
Fig. 3 shows the various modules that the execution body may include: an API (Application Programming Interface) service module, an information extraction module, a mail type determination module, a sandbox scheduling module, a result determination module, a report output module, and a result pushing module. The sandbox scheduling module interacts with each sandbox so that the sandboxes can simulate user operations.
Specifically, the API service module may receive mail delivered by the gateway. The gateway is a secure mail gateway for acquiring and transmitting mail; "secure mail gateway" means that the mail transmitted by the gateway is stable and safe before being opened.
The API service module may then pass the received mail to the information extraction module, which extracts information from the mail, such as the recipient, the sender and the sender's mailbox.
The mail type determination module may determine and select the corresponding sandbox to execute the simulated user operation according to the mail content and the file type of the mail's attachments. In some scenarios, the mail content may include text content, such as a URL; the mail content may also include attachment content, such as files.
Then, the sandbox scheduling module may schedule the corresponding sandbox to simulate user operation according to the URL, the file and the sandbox type obtained by the mail type determination module, so as to obtain data.
Then, the result determination module may process the extracted information, the data and the behavior information, and judge whether the received mail is a malicious mail according to the processing result. The behavior information may include the various behavior information generated by performing the simulated user operation.
Then, the report output module may output analysis reports in different file formats according to a configuration file.
Finally, the result pushing module may push the judgment result and the analysis report to the secure mail gateway and to the administrator.
An embodiment of the present disclosure provides a malicious mail identifying apparatus, which is configured to execute the malicious mail identifying method described in the foregoing embodiment, as shown in fig. 4, where the apparatus includes: an extracting unit 401 configured to extract information contained in the target mail, the information including at least one triggerable element, the at least one triggerable element being an entry for acquiring data; a recording unit 402 configured to perform a simulated user operation on the at least one triggerable element, recording the data generated during the simulated user operation; a detection unit 403 configured to detect the data according to a preset detection rule, where the detected result is a target detection result; an identifying unit 404 configured to identify whether the target mail is a malicious mail according to the target detection result.
Optionally, the at least one triggerable element includes an encoded bundle of files and a collection of files in the encoded bundle of files; the recording unit 402 is further configured to perform the performing of the simulated user operation on the at least one triggerable element, recording the data generated during the simulated user operation, as follows: decoding the encoded file packet to obtain a file set in the encoded file packet; if the malicious behavior exists in the decoding process, recording malicious behavior data indicating the malicious behavior; executing a file in the file set, and executing a simulated user operation indicated by the file, wherein the simulated user operation indicated by the file is a first simulated user operation; recording operation data of the file, and recording operation data indicating the first simulated user operation.
Optionally, the at least one triggerable element comprises a graphic code; the recording unit 402 is further configured to perform the performing of the simulated user operation on the at least one triggerable element, recording the data generated during the simulated user operation, as follows: if the target mail is determined to comprise the graphic code, analyzing the graphic code to obtain an access entry indicated by the graphic code; accessing a corresponding webpage through the access entrance, and executing the simulated user operation indicated by the webpage, wherein the simulated user operation indicated by the webpage is a second simulated user operation; recording the accessed relevant data and recording operation data indicating the second simulated user operation, wherein the relevant data comprises rendering data of the web page.
Optionally, the at least one triggerable element comprises an access portal to a web page; the recording unit 402 is further configured to perform the performing of the simulated user operation on the at least one triggerable element, recording the data generated during the simulated user operation, as follows: accessing a corresponding webpage through an access entry of the webpage, and executing a simulated user operation indicated by the webpage, wherein the simulated user operation indicated by the webpage is a third simulated user operation; recording related data of a target access, and recording operation data indicating the third simulated user operation, wherein the target access is an access through an access portal of the web page, and the related data comprises rendering data of the web page.
Optionally, the recording unit 402 is further configured to perform the following access operation to perform the simulated user operation indicated by the execution of the web page: accessing a webpage indicated by the access entry, wherein the webpage indicated by the access entry is a target webpage, and the target webpage is provided with a frame to be input; invoking a pre-training model, and analyzing the webpage content of the target webpage to obtain characters to be input of the frame to be input; and inputting the character to be input in the box to be input.
Optionally, the recording unit 402 is further configured to perform the performing the simulated user operation indicated by the web page as follows: and before any action of the access operation is executed, the target webpage is subjected to screenshot, a screenshot result is obtained, and the data comprise the screenshot result.
Optionally, the detection rule includes a plurality of items to be detected; the detection unit 403 is further configured to perform the detecting the data according to a preset detection rule as follows: generating an information set to be detected for the target mail, wherein the information set comprises the data; and detecting the information set to generate detection results corresponding to the multiple items to be detected respectively, wherein each detection result is used for indicating the probability that the target mail is malicious mail.
Optionally, the identifying unit 404 is further configured to perform the identifying, according to the target detection result, whether the target mail is a malicious mail in the following manner: and judging that the target mail is malicious mail if the detection results corresponding to the plurality of items to be detected respectively comprise preset detection results of target items to be detected, wherein the target items to be detected are single items or item combinations, and when the target items to be detected are the preset item combinations, the occurrence sequence of the items to be detected in the preset item combinations is a preset sequence.
Optionally, the detection results respectively corresponding to the plurality of items to be detected are numerical values; the identifying unit 404 is further configured to perform the identifying, according to the target detection result, whether the target mail is a malicious mail as follows: calculating the numerical values corresponding to the multiple items to be detected respectively to obtain the total number value of the target mail; and if the total number value is larger than a preset threshold value, judging that the target mail is a malicious mail.
Optionally, the recording unit 402 is further configured to perform the performing of the simulated user operation on the at least one triggerable element as follows: determining preset operation environments corresponding to the at least one triggerable element respectively, wherein the preset operation environments are isolated operation environments; and calling each determined preset running environment, and executing the simulated user operation on the corresponding triggerable element.
Optionally, each preset running environment is used for executing a simulated user operation in an operating system; the recording unit 402 is further configured to perform the determining the preset operating environments respectively corresponding to the at least one triggerable element as follows: if the simulated user operation of the at least one triggerable element needs to be executed in at least one operating system, determining the preset running environments corresponding to the at least one operating system respectively.
The malicious mail identification apparatus provided by the above embodiment of the present disclosure shares the same inventive concept as the malicious mail identification method provided by the embodiments of the present disclosure, and therefore has the same beneficial effects as that method.
An embodiment of the present disclosure also provides an electronic device corresponding to the malicious mail identification method provided by the foregoing embodiments, so as to execute the malicious mail identification method. The embodiments of the present disclosure are not limited thereto.
Referring to fig. 5, a schematic diagram of an electronic device according to some embodiments of the present disclosure is shown. As shown in fig. 5, the electronic device 50 includes: a processor 500, a memory 501, a bus 502 and a communication interface 503, the processor 500, the communication interface 503 and the memory 501 being connected by the bus 502; the memory 501 has stored therein a computer program executable on the processor 500, which when executed by the processor 500 performs the method provided by any of the foregoing embodiments of the present disclosure.
The memory 501 may include a high-speed random access memory (RAM), and may further include a non-volatile memory, such as at least one magnetic disk memory. The communication connection between the system network element and at least one other network element is implemented via at least one communication interface 503 (which may be wired or wireless), and the Internet, a wide area network, a local area network, a metropolitan area network, etc. may be used.
Bus 502 may be an ISA bus, a PCI bus, an EISA bus, or the like. The buses may be classified as address buses, data buses, control buses, etc. The memory 501 is configured to store a program, and the processor 500 executes the program after receiving an execution instruction, and the malicious mail identifying method disclosed in any of the foregoing embodiments of the disclosure may be applied to the processor 500 or implemented by the processor 500.
The processor 500 may be an integrated circuit chip with signal processing capability. In implementation, the steps of the above method may be performed by integrated logic circuitry in hardware or by instructions in software within the processor 500. The processor 500 may be a general-purpose processor, including a central processing unit (CPU), a network processor (NP), etc.; it may also be a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or discrete hardware components. The various methods, steps and logic blocks disclosed in the embodiments of the present disclosure may be implemented or performed by it. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor or the like. The steps of a method disclosed in connection with the embodiments of the present disclosure may be embodied directly in a hardware decoding processor, or in a combination of hardware and software modules in a decoding processor. The software modules may be located in a random access memory, flash memory, read-only memory, programmable read-only memory, electrically erasable programmable memory, registers, or another storage medium well known in the art. The storage medium is located in the memory 501; the processor 500 reads the information in the memory 501 and, in combination with its hardware, performs the steps of the method described above.
The electronic device provided by the embodiment of the present disclosure and the malicious mail identification method provided by the embodiment of the present disclosure belong to the same inventive concept, and the electronic device has the same beneficial effects as the method it adopts, runs, or implements.
The present disclosure further provides a computer-readable storage medium corresponding to the malicious mail identification method provided in the foregoing embodiments. Referring to fig. 6, the computer-readable storage medium is shown as an optical disc 60 on which a computer program (i.e. a program product) is stored; when the computer program is executed by a processor, it performs the malicious mail identification method provided in any of the foregoing embodiments.
It should be noted that examples of the computer-readable storage medium may also include, but are not limited to, a phase change memory (PRAM), a static random access memory (SRAM), a dynamic random access memory (DRAM), other types of random access memory (RAM), a read-only memory (ROM), an electrically erasable programmable read-only memory (EEPROM), a flash memory, or another optical or magnetic storage medium, which will not be described in detail here.
The computer-readable storage medium provided by the above embodiments of the present disclosure belongs to the same inventive concept as the malicious mail identification method provided by the embodiments of the present disclosure, and has the same beneficial effects as the method adopted, run, or implemented by the application program stored on it.
It should be noted that:
in the above text, the terms "comprises," "comprising," or any other variation thereof are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such a process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in the process, method, article, or apparatus that comprises the element. Furthermore, the scope of the methods and apparatus in the embodiments of the present disclosure is not limited to performing the functions in the order shown or discussed; depending on the functions involved, they may also be performed substantially simultaneously or in the reverse order, e.g., the described methods may be performed in an order different from that described, and steps may be added, omitted, or combined. Additionally, features described with reference to certain examples may be combined in other examples.
From the above description of the embodiments, it will be clear to those skilled in the art that the method of the above embodiments may be implemented by software plus a necessary general-purpose hardware platform, and of course also by hardware, although in many cases the former is preferred. Based on such understanding, the technical solution of the present disclosure, in essence or in the part that contributes to the prior art, may be embodied in the form of a software product stored in a storage medium (e.g., ROM/RAM, magnetic disk, optical disc) that includes several instructions for causing a terminal (which may be a mobile phone, a computer, a server, an air conditioner, a network device, or the like) to perform the method described in the embodiments of the present disclosure.
The embodiments of the present disclosure have been described above with reference to the accompanying drawings. They are merely specific embodiments of the present disclosure, and the disclosure is not limited to them; they are illustrative rather than restrictive, and those of ordinary skill in the art may, in light of the present disclosure, derive many other forms without departing from its spirit and the scope of the claims, all of which fall within the protection of the present disclosure.

Claims (12)

1. A malicious mail identification method, characterized by comprising:
extracting information contained in a target mail, wherein the information comprises at least one triggerable element, and a triggerable element is an entry through which data is acquired;
executing a simulated user operation on the at least one triggerable element, and recording the data generated during the simulated user operation;
detecting the data according to a preset detection rule to obtain a detection result, the detection result being a target detection result;
identifying, according to the target detection result, whether the target mail is a malicious mail;
wherein the executing the simulated user operation on the at least one triggerable element comprises:
determining preset running environments respectively corresponding to the at least one triggerable element, wherein the preset running environments are isolated running environments; and invoking each determined preset running environment to execute the simulated user operation on the corresponding triggerable element;
each preset running environment is used for executing a simulated user operation in one operating system; and the determining the preset running environments respectively corresponding to the at least one triggerable element comprises:
if the simulated user operation on the at least one triggerable element needs to be executed in at least one operating system, determining the preset running environments respectively corresponding to the at least one operating system.
2. The method of claim 1, wherein the at least one triggerable element comprises an encoded file package and a file set contained in the encoded file package;
the executing the simulated user operation on the at least one triggerable element and recording the data generated during the simulated user operation comprises:
decoding the encoded file package to obtain the file set contained in the encoded file package;
if malicious behavior occurs during the decoding, recording malicious behavior data indicating the malicious behavior;
executing a file in the file set, and executing the simulated user operation indicated by the file, the simulated user operation indicated by the file being a first simulated user operation;
recording running data of the file, and recording operation data indicating the first simulated user operation.
3. The method of claim 1, wherein the at least one triggerable element comprises a graphic code;
the executing the simulated user operation on the at least one triggerable element and recording the data generated during the simulated user operation comprises:
if the target mail is determined to comprise the graphic code, parsing the graphic code to obtain an access entry indicated by the graphic code;
accessing the corresponding web page through the access entry, and executing the simulated user operation indicated by the web page, the simulated user operation indicated by the web page being a second simulated user operation;
recording related data of the access, and recording operation data indicating the second simulated user operation, wherein the related data comprises rendering data of the web page.
4. The method of claim 1, wherein the at least one triggerable element comprises an access entry of a web page;
the executing the simulated user operation on the at least one triggerable element and recording the data generated during the simulated user operation comprises:
accessing the corresponding web page through the access entry of the web page, and executing the simulated user operation indicated by the web page, the simulated user operation indicated by the web page being a third simulated user operation;
recording related data of a target access, and recording operation data indicating the third simulated user operation, wherein the target access is the access made through the access entry of the web page, and the related data comprises rendering data of the web page.
5. The method according to claim 3 or 4, wherein the executing the simulated user operation indicated by the web page comprises the following access operation:
accessing the web page indicated by the access entry, the web page indicated by the access entry being a target web page, wherein the target web page has an input box to be filled;
invoking a pre-trained model to analyze the web page content of the target web page and obtain the text to be entered into the input box; and
entering the text into the input box.
6. The method of claim 5, wherein the executing the simulated user operation indicated by the web page further comprises:
before each action of the access operation is executed, capturing a screenshot of the target web page to obtain a screenshot result, wherein the data comprises the screenshot result.
7. The method of claim 1, wherein the detection rule comprises a plurality of items to be detected; and the detecting the data according to the preset detection rule comprises:
generating an information set to be detected for the target mail, wherein the information set comprises the data;
detecting the information set to generate detection results respectively corresponding to the plurality of items to be detected, wherein each detection result indicates the probability that the target mail is a malicious mail.
8. The method of claim 7, wherein the identifying, according to the target detection result, whether the target mail is a malicious mail comprises:
if the detection results respectively corresponding to the plurality of items to be detected include the preset detection result of a target item to be detected, judging that the target mail is a malicious mail, wherein the target item to be detected is a single item or a combination of items, and when the target item to be detected is a preset combination of items, the items in the preset combination occur in a preset order.
9. The method of claim 7, wherein the detection results respectively corresponding to the plurality of items to be detected are numerical values; and
the identifying, according to the target detection result, whether the target mail is a malicious mail comprises:
calculating a total value of the target mail from the numerical values respectively corresponding to the plurality of items to be detected; and
if the total value is greater than a preset threshold, judging that the target mail is a malicious mail.
10. A malicious mail identification apparatus, characterized by comprising:
an extraction unit configured to extract information contained in a target mail, the information comprising at least one triggerable element, a triggerable element being an entry through which data is acquired;
a recording unit configured to execute a simulated user operation on the at least one triggerable element and record the data generated during the simulated user operation;
a detection unit configured to detect the data according to a preset detection rule to obtain a detection result, the detection result being a target detection result;
an identification unit configured to identify, according to the target detection result, whether the target mail is a malicious mail;
wherein the recording unit is further configured to execute the simulated user operation on the at least one triggerable element as follows: determining preset running environments respectively corresponding to the at least one triggerable element, wherein the preset running environments are isolated running environments; and invoking each determined preset running environment to execute the simulated user operation on the corresponding triggerable element;
each preset running environment is used for executing a simulated user operation in one operating system; and the recording unit is further configured to determine the preset running environments respectively corresponding to the at least one triggerable element as follows: if the simulated user operation on the at least one triggerable element needs to be executed in at least one operating system, determining the preset running environments respectively corresponding to the at least one operating system.
11. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor runs the computer program to implement the method of any one of claims 1-9.
12. A computer readable storage medium having stored thereon a computer program, wherein the program is executed by a processor to implement the method of any of claims 1-9.
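The pipeline of claims 1 and 7 to 9 (extract the triggerable elements of a mail, assign each to an isolated running environment chosen by operating system, evaluate the recorded data against a set of items to be detected, then decide either by an ordered item combination or by a score threshold) is illustrated end to end below. This Python is an added example written for this page; it is not code from the patent or its assignee. The sample message, the extension-to-operating-system table, the sandbox event record, the detection items, their scores, the ordered combinations and the threshold are all constructed assumptions, and the simulated user operation itself is stood in for by the constructed event record, since the real operation would have to run inside the isolated environment.

```python
import email
import re
from collections import defaultdict
from email import policy

# Constructed sample message standing in for the "target mail" of claim 1 (not from the patent).
SAMPLE_EML = b"""\
From: accounts@example.invalid
Subject: Invoice overdue
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset=utf-8

Please review the invoice at http://pay.example.invalid/login and install the viewer.
--b1
Content-Type: application/octet-stream; name="viewer.exe"
Content-Disposition: attachment; filename="viewer.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--b1
Content-Type: image/png; name="qr.png"
Content-Disposition: attachment; filename="qr.png"
Content-Transfer-Encoding: base64

iVBORw0KGgo=
--b1--
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")
# Assumed mapping from attachment extension to the operating system whose isolated
# running environment must execute it (claim 1, last paragraph).
OS_FOR_EXT = {".exe": "windows", ".dll": "windows", ".apk": "android", ".dmg": "macos", ".sh": "linux"}
ARCHIVE_EXT = {".zip", ".rar", ".7z"}

def extract_elements(raw):
    """Claim 1, step 1: return (kind, identifier, operating systems) for each triggerable element."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    elements = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        fname, ctype = part.get_filename(), part.get_content_type()
        if fname:
            ext = ("." + fname.rsplit(".", 1)[-1].lower()) if "." in fname else ""
            if ctype.startswith("image/"):          # candidate graphic code (claim 3)
                elements.append(("graphic_code", fname, ["any"]))
            elif ext in ARCHIVE_EXT:                # encoded file package (claim 2)
                elements.append(("encoded_package", fname, ["windows", "linux"]))
            else:                                   # plain file; OS follows the extension
                elements.append(("file", fname, [OS_FOR_EXT.get(ext, "any")]))
        elif ctype in ("text/plain", "text/html"):  # web page access entries (claim 4)
            for url in URL_RE.findall(part.get_content()):
                elements.append(("web_entry", url, ["any"]))
    return elements

def plan_environments(elements):
    """Claim 1, last paragraph: one isolated running environment per required operating system."""
    plan = defaultdict(list)
    for kind, ident, oses in elements:
        for os_name in oses:
            plan[os_name].append((kind, ident))
    return dict(plan)

# Constructed stand-in for the data recorded during the simulated user operation.
SANDBOX_RECORD = [
    {"element": "http://pay.example.invalid/login", "event": "form_filled", "fields": ["username", "password"]},
    {"element": "http://pay.example.invalid/login", "event": "http_post", "host": "pay.example.invalid", "tls": False},
    {"element": "viewer.exe", "event": "process_created", "image": "viewer.exe"},
    {"element": "viewer.exe", "event": "registry_write", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"},
    {"element": "viewer.exe", "event": "network_connect", "host": "203.0.113.7", "port": 4444},
]

# Assumed items to be detected (claim 7), their numeric results (claim 9), ordered combinations (claim 8).
DETECTION_ITEMS = {
    "credential_form": lambda e: e["event"] == "form_filled" and "password" in e.get("fields", []),
    "plaintext_submit": lambda e: e["event"] == "http_post" and not e.get("tls", True),
    "run_key_persistence": lambda e: e["event"] == "registry_write" and e["key"].endswith("\\Run"),
    "outbound_connect": lambda e: e["event"] == "network_connect",
}
ITEM_SCORE = {"credential_form": 30, "plaintext_submit": 20, "run_key_persistence": 40, "outbound_connect": 25}
ORDERED_COMBOS = [("credential_form", "plaintext_submit"), ("run_key_persistence", "outbound_connect")]
THRESHOLD = 50

def detect(record):
    """Claim 7: evaluate every item against the recorded data; hits keep their order of occurrence."""
    return [name for ev in record for name, pred in DETECTION_ITEMS.items() if pred(ev)]

def _in_order(combo, hits):
    it = iter(hits)  # subsequence test: order matters, unrelated hits in between are allowed
    return all(item in it for item in combo)

def verdict_by_combination(hits):
    """Claim 8: malicious if a preset item combination appears in its preset order."""
    return any(_in_order(c, hits) for c in ORDERED_COMBOS)

def verdict_by_score(hits):
    """Claim 9: total of the items' numeric results compared with the preset threshold."""
    total = sum(ITEM_SCORE[h] for h in hits)
    return total, total > THRESHOLD
```

In practice `SANDBOX_RECORD` is replaced by the event log the isolated environment produces, and `plan_environments` decides which environments to invoke, for example a Windows environment for `viewer.exe` and any environment for the URL and the candidate QR image. The claim 8 check is written as a subsequence test so that unrelated hits between the items of a preset combination do not prevent the match, while the same items in the wrong order do.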
CN202311480302.9A 2023-11-08 2023-11-08 Malicious mail identification method, malicious mail identification device, electronic equipment and storage medium Active CN117201208B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311480302.9A CN117201208B (en) 2023-11-08 2023-11-08 Malicious mail identification method, malicious mail identification device, electronic equipment and storage medium

Publications (2)

Publication Number Publication Date
CN117201208A CN117201208A (en) 2023-12-08
CN117201208B true CN117201208B (en) 2024-02-23

Family

ID=88990997

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311480302.9A Active CN117201208B (en) 2023-11-08 2023-11-08 Malicious mail identification method, malicious mail identification device, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN117201208B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117455751B (en) * 2023-12-22 2024-03-26 新华三网络信息安全软件有限公司 Road section image processing system and method

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102160048A (en) * 2008-09-22 2011-08-17 微软公司 Collect and analyze malware data
CN105337993A (en) * 2015-11-27 2016-02-17 厦门安胜网络科技有限公司 Dynamic and static combination-based mail security detection device and method
JP2017129893A (en) * 2016-01-18 2017-07-27 株式会社日立製作所 Malware detection method and system
CN114465780A (en) * 2022-01-14 2022-05-10 广东盈世计算机科技有限公司 A method and system for detecting phishing emails based on feature extraction
CN114826633A (en) * 2021-01-28 2022-07-29 奇安信科技集团股份有限公司 Mail threat detection method, system, device and computer readable storage medium
CN115603926A (en) * 2021-06-28 2023-01-13 深信服科技股份有限公司 Phishing mail identification method, system, device and storage medium
CN116074278A (en) * 2022-12-30 2023-05-05 北京斗象信息科技有限公司 Method, system, electronic equipment and storage medium for identifying malicious mail
CN116389031A (en) * 2022-12-29 2023-07-04 北京安天网络安全技术有限公司 Malicious mail detection method and device, storage medium and electronic equipment
CN116436663A (en) * 2023-04-07 2023-07-14 华能信息技术有限公司 Mail attack detection method

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11431738B2 (en) * 2018-12-19 2022-08-30 Abnormal Security Corporation Multistage analysis of emails to identify security threats


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Discussion of e-mail fraud techniques and countermeasures (电子邮件诈骗手段及防范措施探讨); Zhang Quan'an (张全安); Network Security Technology & Application (网络安全技术与应用), issue 10; full text *

Also Published As

Publication number Publication date
CN117201208A (en) 2023-12-08

Similar Documents

Publication Publication Date Title
CN104766014B (en) Method and system for detecting malicious website
CN112565250B (en) A website identification method, device, equipment and storage medium
US20190236490A1 (en) Methods and apparatus for identifying an impact of a portion of a file on machine learning classification of malicious content
CN111311136A (en) Wind control decision method, computer equipment and storage medium
CN108134784A (en) web page classification method and device, storage medium and electronic equipment
CN111737692A (en) Application program risk detection method and device, equipment and storage medium
CN104079559B (en) A kind of website safety detection method, device and server
CN111753302B (en) Method, device, computer readable medium and electronic equipment for detecting code loopholes
CN105426759A (en) URL legality determining method and apparatus
CN117201208B (en) Malicious mail identification method, malicious mail identification device, electronic equipment and storage medium
CN116015772B (en) Malicious website processing method, device, equipment and storage medium
CN113347177A (en) Phishing website detection method, phishing website detection system, electronic device and readable storage medium
CN113869789A (en) Risk monitoring method and device, computer equipment and storage medium
CN113568841A (en) Risk detection method, device and equipment for applet
CN113420295A (en) Malicious software detection method and device
CN104080058A (en) Information processing method and device
CN112148603A (en) Applet risk identification method and device
CN116361793A (en) Code detection method, device, electronic equipment and storage medium
CN111125704B (en) Webpage Trojan horse recognition method and system
CN111104618A (en) Webpage skipping method and device
CN109684844B (en) Webshell detection method and device, computing equipment and computer-readable storage medium
CN111414525A (en) Data acquisition method and device for small program, computer equipment and storage medium
CN110598115A (en) Sensitive webpage identification method and system based on artificial intelligence multi-engine
CN104038391B (en) A kind of method and apparatus of spam detection
CN114021064A (en) Website classification method, device, equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant