KR102296861B1 - System for detecting sms phishing - Google Patents

Abstract

According to an embodiment of the present invention, the smishing detection system includes: transmitting a URL among text messages received in a receiver terminal to a smishing detection server; accessing the URL through the smishing detection server, analyzing access information for a connection result, and analyzing whether the smishing vocabulary stored in a database is included in the access information in a first step; and displaying the analysis result on the receiver terminal.

Description

SYSTEM FOR DETECTING SMS PHISHING

The present invention relates to a smishing detection system, and more particularly, it is possible to detect smishing by accessing a uniform resource locator (URL) included in a text message through a smishing detection server and analyzing access information about the connection result. It's about the system.

In recent years, user terminals such as mobile phones and smart phones are indispensable to modern people and are used by people of all ages and genders. is being developed with

Such a user terminal is a multimedia device capable of a phone book, a game, a message, an e-mail, a morning call, an MP3 (MPEG Layer 3), a digital camera, and a wireless Internet service. We are evolving to provide a variety of services.

On the other hand, among the functions of the user terminal as described above, the message function is widely used by users because it is relatively inexpensive compared to voice calls. Such a message may be, for example, a short messaging service (SMS), a multimedia messaging service (MMS), a packet-based message, and the like. SMS may refer to a message that can transmit a simple text, and MMS may refer to a message that can be transmitted by adding a video, photo, music file, etc. beyond a simple text message. In addition, a packet-based message is a message transmitted through a packet exchange method using a data network. Like MMS, files such as videos, photos, and music files can be attached, and messages can also be exchanged between users. have.

However, recently, many companies or unspecified individuals are using the above SMS/MMS message function for corporate announcements, promotions, and advertisements. In addition, there was a problem of experiencing inconvenience due to spam messages such as speculative advertising messages and obscene messages from abnormal companies.

In addition, in messages such as SMS, MMS, or packet-based messages transmitted from the message sending entity such as companies or individuals to multiple user terminals targeted for announcements, promotions, and advertisements, a malicious URL is inserted in the message for malicious purposes. There may also exist spam messages that realize phishing, and smishing is a compound word combining short message service (SMS) and phishing.

At this time, if the user who received the message clicks on the URL, the message containing the above malicious URL may cause damage to the user by installing an application containing malicious code or connecting to an overseas smishing company. can

Therefore, among messages transmitted to the user's mobile communication terminal, etc., for a message containing a malicious URL, the transmission of the message is blocked, or when the message is transmitted to the user terminal, the danger of the URL included in the message is warned. It is necessary to develop a technology that can reduce the damage caused by URLs.

Korean Patent Publication No. 0482538 (2005.04.14.)

It is an object of the present invention to provide a method for detecting smishing by accessing a URL included in a text message through a smishing detection server and analyzing access information on a connection result.

Other objects of the present invention will become more apparent from the following detailed description and accompanying drawings.

According to an embodiment of the present invention, the smishing detection system includes: transmitting a URL among text messages received in a receiver terminal to a smishing detection server; accessing the URL through the smishing detection server, analyzing access information for a connection result, and analyzing whether the smishing vocabulary stored in a database is included in the access information in a first step; and displaying the analysis result on the receiver terminal.

The smishing detection system may include: calculating a probability that the text message corresponds to smishing based on the smishing vocabularies included in the access information; The method may further include transmitting an alarm message to the receiver terminal when the probability is greater than or equal to a preset probability.

In the first analyzing step, text may be extracted from the image included in the access information, and whether the smishing vocabulary is included in the text may be analyzed.

Before the first analysis step, a domain included in the access information is extracted, and whether the domain corresponds to a normal domain stored in the database is analyzed in step 0, and if it corresponds to a normal domain, a normal message is sent to the receiver terminal It may further include the step of transmitting.

The method may further include, before or after the first analyzing, whether the output text included in the access information includes the received text included in the text message.

The receiver terminal receives the phone number of the sender terminal that has transmitted the text message, checks whether the received caller terminal phone number is stored in the receiver terminal, and if the phone number of the sender terminal is not stored The URL may be transmitted to the smishing detection server.

According to an embodiment of the present invention, a URL is included among various messages sent from a message sender such as a plurality of companies or unspecified individuals to the recipient terminal for the purpose of announcement, publicity, advertisement, etc. of the company or for the purpose of personal information leakage. With respect to the message, without accessing the URL through the recipient terminal, it is determined whether the URL is a malicious URL, and a warning message is transmitted to the recipient terminal, thereby preventing damage due to the malicious URL.

1 is a diagram schematically illustrating an environment in which a smishing detection system according to an embodiment of the present invention is set.
FIG. 2 is a diagram schematically showing the structure of the smishing detection server shown in FIG. 1 .
FIG. 3 is a diagram schematically showing the structure of the receiver terminal shown in FIG. 1 .
4 is a flowchart of a smishing detection process according to an embodiment of the present invention.
5 is a diagram illustrating a mobile wedding invitation including link information according to an embodiment of the present invention.
6 is a diagram illustrating a plurality of text messages including link information according to another embodiment of the present invention.
7 is a modified example of the smishing detection process shown in FIG.

Hereinafter, preferred embodiments of the present invention will be described in more detail with reference to the accompanying FIGS. 1 to 7 . Embodiments of the present invention may be modified in various forms, and the scope of the present invention should not be construed as being limited to the embodiments described below. These examples are provided to explain the present invention in more detail to those of ordinary skill in the art to which the present invention pertains. Accordingly, the shape of each element shown in the drawings may be exaggerated to emphasize a clearer description.

1 is a diagram schematically illustrating an environment in which a smishing detection system according to an embodiment of the present invention is set. As shown in FIG. 1 , the smishing detection server interworks with the receiver terminal, and checks or manages whether or not smishing is performed based on the URL transmitted from the receiver terminal.

The sender terminal refers to a subject that transmits a message such as a short message service (SMS), multimedia message service (MMS) message, or packet-based message to a receiver terminal connected to a wired/wireless communication network including a mobile communication network. In this case, the recipient terminal may include, for example, a mobile communication terminal such as a mobile phone, a smart phone, or a general wired/wireless phone having a display window capable of receiving a message, and the above message is an MMS message, an SMS It can be a message or a packet-based message or the like.

In addition, the sender terminal may be, for example, a company such as a financial company, a manufacturer, an open market, or an unspecified individual, and the message sent may be, for example, a message that is intended to be announced, promoted or advertised to the user in relation to the company. can be a message.

As described above, messages containing malicious URLs among messages transmitted from the message sending entity, such as a company or unspecified individual, to the recipient terminals of multiple target users, are installed so that applications containing malicious code are installed when the malicious URL included in the message is clicked. Alternatively, there is a problem in causing damage by connecting to an overseas smishing server.

Therefore, in the present invention, for a message containing a URL, the smishing detection server that checks whether the URL is malicious is used to determine whether the URL is malicious, and then warning information indicating that a message containing a malicious URL is a dangerous message is provided. By displaying it on the receiver's terminal, damage can be prevented.

That is, the receiver terminal checks whether the received caller number is a number stored in the phone number list, and if not stored, transmits the URL included in the received text message to the smishing detection server to start the smishing detection process. and check whether it is smishing or not.

FIG. 2 is a diagram schematically showing the structure of the smishing detection server shown in FIG. 1 . First, the communication unit performs data transmission/reception with a message transmission server (not shown), and is connected to a communication network such as the Internet to perform data transmission/reception with a web server on the communication network.

The URL extraction unit checks whether the URL is included in the message transmitted from the receiver terminal, and if the URL is included, extracts the URL. The pre-filtering unit performs pre-filtering on the URL extracted from the URL extraction unit by comparing it with the malicious URL list to determine whether the URL extracted from the message is a malicious URL. provided to the control unit. Accordingly, the control unit provides malicious URL determination information to the receiver terminal. In this case, the malicious URL list refers to the list information of URLs determined to be malicious URLs as previously scanned by the smishing detection server. This list of malicious URLs can be stored in a database, URL information determined to be . may be periodically updated.

The analysis unit may analyze the access information on the access result after accessing the URL to check whether it is malicious. That is, the analysis unit accesses the URL based on the emulator and obtains access information on the access result, and the access information may be screen information on an access page provided from the accessed URL.

The analysis unit extracts text from the access information and checks whether there are smishing words stored in the database among the extracted texts and words included in the message. If it is determined that there are smishing vocabularies or that there are no smishing vocabularies, the determination result is transmitted to the receiver terminal. The database stores a plurality of smishing vocabularies, and among the vocabularies not stored in the database from the terminal or the outside, vocabularies newly appearing as the smishing vocabulary may be received and stored.

Meanwhile, before the above analysis, the analysis unit may extract a domain included in the access information and check whether the extracted domain corresponds to a normal domain stored in the database. If it is determined that the domain corresponds to the normal domain, the determination result is transmitted to the receiver terminal. The database stores a plurality of normal domains, and domains newly determined to be normal domains may be received and stored. For example, a normal domain may be a domain that is not easily accessible by the public, such as a public institution, a government office, or an organization whose public trust is recognized, because in this case, the possibility of a malicious URL is significantly low.

When the URL included in the message is identified as a malicious URL through the URL analysis as described above, the processing unit generates URL verification information notifying that it is a malicious URL, and the generated URL verification information is transmitted to the receiver terminal by the control unit and the communication unit. .

The memory unit stores an operation control program for the overall operation of the smishing detection server, and the controller controls the overall operation of the smishing detection server according to the operation control program stored in the memory unit.

FIG. 3 is a diagram schematically showing the structure of the receiver terminal shown in FIG. 1 . The key input unit may be composed of a plurality of numeric keys and function keys for requesting various operations of the mobile communication terminal, and when a user presses a predetermined key, corresponding key data is generated and output to the control unit. The above key input unit has a different character arrangement for each manufacturer and country. In addition, the key input unit may be displayed in the form of a touch screen on the display unit whenever necessary in a software manner instead of a physical keypad in a smart phone, a tablet PC, or the like.

The audio unit modulates the audio signal input through the microphone (MIC) into a wireless signal under the control of the controller, demodulates the received wireless signal, and transmits it to the speaker (SPK) as an audio signal. In addition, the audio unit 310 may further include a codec unit for processing voice signals in various voice qualities set by the control unit during a voice call.

The communication unit receives the message sent from the sender terminal through the communication network. In this case, the above message may be a message generated by a request of a company such as a financial company, a manufacturer, an open market, etc., which is the sender, and may be a message including the contents of a notice, publicity, advertisement, etc. related to the company.

The display unit displays various types of information of the mobile communication terminal under the control of the control unit, and receives and displays key data generated from the key input unit and various information signals from the control unit. In addition, according to an embodiment of the present invention, information indicating the danger of the received URL is received from the smishing detection server and displayed as a preset mark, picture, or character.

The control unit controls the overall operation of the mobile communication terminal according to the operation program stored in the memory unit. The above operation program connects not only the basic operating system necessary for the operation of the mobile communication terminal, but also the display unit and the key input unit, manages the input/output of data, and operates the internal application of the mobile communication terminal. It refers to software that is pre-programmed at the time of manufacture to operate.

In addition, when messages such as various SMS, MMS messages, or packet-based messages are received according to an embodiment of the present invention, for a message including a URL, a risk to the URL included in the message is displayed on the message reception screen.

That is, the control unit checks whether the received caller number is a number stored in the phone number list of the memory unit, and if not stored, transmits the URL included in the text message received through the communication unit to the smishing detection server You can start the detection process and check whether it's smishing or not.

At this time, for example, if the control unit determines that the URL included in the received message is a malicious URL using the URL verification information, the controller displays information indicating that the received message is an abnormal message in text or picture on the screen or by sound. It can be printed out so that the user is aware of the danger of the message.

4 is a flowchart of a smishing detection process according to an embodiment of the present invention. 5 is a diagram illustrating a mobile wedding invitation including link information according to an embodiment of the present invention, and FIG. 6 is a diagram illustrating a plurality of text messages including link information according to another embodiment of the present invention.

First, the receiver terminal receives the message sent from the sender terminal, and if the received caller number is not stored in the phone number list of the memory unit, the URL included in the received text message is transmitted to the smishing detection server to detect smishing. Initiate the process. Such a process may be performed according to the operation program stored in the memory unit of the receiver terminal, and the operation program may be executed based on an input according to the operation of the receiver. 5 and 6 show a message including a URL which is link information.

The control unit of the smishing detection server extracts the URL included in the message from the received message, and checks whether the extracted URL is a malicious URL through pre-filtering. At this time, the URL extracted from the message is compared with the malicious URL list, and if the extracted URL exists in the malicious URL list, it is determined as a malicious URL. Be warned about the dangers of URLs. In this case, the malicious URL list as above may refer to list information of URLs determined to be malicious URLs by being previously inspected by the smishing detection server, and URL information determined to be malicious URLs during the inspection process may be periodically updated. .

Next, the control unit determines whether the URL is a malicious URL through a smishing vocabulary check, a domain check, and the like through the analysis unit, for a URL that is not accurately determined as a malicious URL through the above-mentioned pre-filtering.

In this case, the analysis unit may determine whether the URL is malicious by running the emulator, accessing a web server (not shown) linked to the corresponding URL address through a wired/wireless communication network, and analyzing the access information on the connection result. That is, the analysis unit extracts the text from the access information and checks whether there are smishing words stored in the database among the vocabulary included in the extracted text, or extracts the domain from the access information and determines if the extracted domain is stored in the database. A malicious URL can be determined by checking whether it corresponds to a domain.

Specifically, the analyzer may analyze the access information on the connection result after accessing the URL to check whether the URL is malicious. That is, the analysis unit accesses the URL based on the emulator and obtains access information on the access result, and the access information may be screen information on an access page provided from the accessed URL.

The analysis unit extracts text from the access information and checks whether there are smishing words stored in the database among the extracted texts and words included in the message. If it is determined that there are smishing vocabularies or there are no smishing vocabularies, the determination result is transmitted to the receiver terminal. The database stores a plurality of smishing vocabularies, and among vocabularies not stored in the database from the terminal or the outside, vocabularies newly appearing as smishing vocabularies may be received and stored.

Specifically, the analysis unit may determine whether the smishing is through the Bayesian technique based on the extracted text and the smishing vocabulary included in the message. The Bayesian technique is a technique derived from Bayes' Theorem, and calculates the probability corresponding to smishing through learning using a probability model. A message indicating that it is smishing may be provided to the receiver terminal.

The Bayesian technique is divided into a naive-Bayesian technique and a Paul Graham's Bayesian technique, and since the Bayesian technique is known content, a detailed description thereof will be omitted. Hereinafter, only briefly describing Paul Graham's Bayesian technique, when the smishing vocabulary a exists, a probability value corresponding to smishing is calculated, and the calculated probability value and a predetermined reference value (for example, an intermediate value between 0 and 1) 0.5) and the difference (d) is calculated, and the combination probability is calculated only for n (eg, 15) probability values having a large difference (d) among the probability values calculated for a plurality of dangerous words. Thereafter, when the value of the combination probability is equal to or greater than a threshold value (predetermined probability), it is determined as smishing, and a message indicating that it is smishing may be additionally provided. The message may be provided in the form of 'Smishing Confirmation' or 'Smishing Suspect' depending on the combination probability itself or the size of the combination probability.

On the other hand, the embodiment described above has been described as determining whether the analysis unit is smishing through a Bayesian technique, but unlike this, the analysis unit determines the type of smishing through learning (eg, BERT) such as deep learning. As a result of learning, it can be determined whether or not it is smishing.

Prior to the above analysis, the analysis unit may extract a domain included in the access information and check whether the extracted domain corresponds to a normal domain stored in the database. If it is determined that the domain corresponds to the normal domain, the determination result is transmitted to the receiver terminal. The database stores a plurality of normal domains, and domains newly determined to be normal domains may be received and stored. For example, a normal domain may be a domain that is not easily accessible by the public, such as a public institution, a government office, or an organization whose public trust is recognized, because in this case, the possibility of a malicious URL is significantly low.

Then, when the URL included in the message is determined to be a malicious URL through the method described above, the control unit notifies the receiver that the message is an abnormal message containing a dangerous malicious URL, so that damage caused by the abnormal message is prevented. to be prevented.

According to the embodiment described above, among various messages sent from a message provider such as a plurality of companies or unspecified individuals to the user terminal for the purpose of announcement, promotion, advertisement, etc. of the corresponding company or for the purpose of personal information leakage, In case of a malicious URL, it is checked whether the URL is a malicious URL, and if it is a malicious URL, a message containing the URL is judged as an abnormal message, and damage caused by the malicious URL is prevented by warning of the danger of the URL.

7 is a modified example of the smishing detection process shown in FIG. That is, unlike the embodiment described in FIG. 4 , before accessing a web server linked to the extracted URL address, the analysis unit extracts a domain from the URL address and checks whether the extracted domain corresponds to a normal domain stored in the database. can If it is determined that the domain corresponds to the normal domain, the determination result is transmitted to the receiver terminal. The database stores a plurality of normal domains, and domains newly determined to be normal domains may be received and stored. For example, a normal domain may be a domain that is not easily accessible by the public, such as a public institution, a government office, or an organization whose public trust is recognized, because in this case, the possibility of a malicious URL is significantly low.

Thereafter, the analysis unit executes the emulator, accesses a web server (not shown) linked to the URL address through a wired/wireless communication network, etc., and analyzes the access information on the connection result to determine whether the URL is malicious. That is, the analysis unit may determine the malicious URL by extracting text from the access information and checking whether there are smishing words stored in the database among the vocabulary included in the extracted text.

Then, when the URL included in the message is determined to be a malicious URL through the method described above, the control unit notifies the receiver that the message is an abnormal message containing a dangerous malicious URL, so that damage caused by the abnormal message is prevented. to be prevented.

Although the present invention has been described in detail through preferred embodiments, other types of embodiments are also possible. Therefore, the spirit and scope of the claims set forth below are not limited to the preferred embodiments.

Claims (6)

transmitting a URL among the text messages received to the receiver terminal to a smishing detection server;
analyzing whether the URL is a malicious URL;
extracting a domain from the URL and analyzing whether the domain corresponds to a normal domain stored in a database; and
If the domain does not correspond to a normal domain, access the URL through the emulator of the smishing detection server and analyze the access information for the connection result, whether the smishing vocabulary stored in the database is included in the access information A smishing detection system comprising the step of analyzing. According to claim 1,
The smishing detection system,
calculating a probability that the text message corresponds to smishing based on the smishing vocabulary included in the access information; and
When the probability is greater than or equal to a preset probability, the method further comprising the step of transmitting an alarm message to the receiver terminal, the smishing detection system. According to claim 1,
A smishing detection system that extracts text from an image included in the access information and analyzes whether the text includes the smishing vocabulary. According to claim 1,
When the domain corresponds to the normal domain, further comprising the step of transmitting a normal message to the receiver terminal, the smishing detection system. According to claim 1,
Further comprising the step of analyzing whether the output text included in the access information includes the received text included in the text message, the smishing detection system. According to claim 1,
The receiver terminal receives the phone number of the sender terminal that has transmitted the text message and checks whether the received phone number of the sender terminal is stored in the receiver terminal,
When the phone number of the caller terminal is not stored, transmitting the URL to the smishing detection server.

Images