KR102847939B1 - A method and an appratus for mail security firewall - Google Patents

Abstract

A mail security firewall device provided in a security network front-end of a mail access security system according to an embodiment of the present invention includes a mail packet monitoring unit that detects a connection path of an incoming mail packet or an outgoing mail packet transmitted or received through the mail access security system by passing through a network firewall of the security network; a firewall setting unit that sets mail security firewall information based on mail security inspection information of the mail access security system; and a connection blocking processing unit that determines whether to block a connection path corresponding to the incoming mail packet or the outgoing mail packet based on the mail security firewall information.

Description

{A method and an appratus for mail security firewall}

The present invention relates to a firewall device and its operating method. More specifically, the present invention relates to a mail security firewall device and its operating method.

Recently, with the surge in email fraud, secure email reception and transmission has become a critical issue.

In particular, a method for verifying the safety of mail by verifying the sender of the mail has been proposed as a method for blocking the reception of spam mail containing content unwanted by the recipient or harmful mail causing various damages to the recipient, and reference can be made to Patent Publication No. 2003-55817 (Title: Mail management method and mail client terminal for selectively receiving/deleting mail using mail header). Here, a configuration is disclosed in which a mail client connects to a mail server and first receives only the header information of the mail, and a user operating the mail client can check the sender's address included in the header information of the mail and select to receive or delete the body of the mail.

However, due to the development of artificial intelligence systems and research on hacking attack paths, mail firewall devices are being proposed to prepare for intelligent attacks, which have become much more complex and diverse than in the past.

Accordingly, firewall systems have been proposed that primarily filter out malicious emails, etc., by equipping separate spam filtering equipment and connecting to firewall devices connected to the network.

However, current spam filtering equipment has resource limitations in performing spam analysis and malware analysis on mail, and is vulnerable to attacks such as temporary receipt of more mail than the permitted number.

Additionally, it is possible to consider setting up the network firewall to block these temporary receiving attacks, but since the network firewall typically controls the sending and receiving of all packets, not just mail, and only determines whether the port itself is physically or logically blocked, it is virtually impossible to set up the firewall to block only specific malware or spam mail.

Accordingly, the currently known mail security system relies on the resource limits of the spam filtering equipment, and has the problem that it cannot block in real time mail attacks exceeding the threshold that exceeds the resource limits of the equipment, and there is also the problem that the spam filtering equipment may cause errors due to the system limitations.

In addition, even if a network firewall is used on a physical or logical system, it is only possible to control ports or bandwidth, so it is only possible to block or delay the reception of all mail, not just spam, so it is realistically inevitable that mail system failures will occur.

The present invention has been made to solve the problems described above, and the purpose of the present invention is to provide a mail security firewall device and an operating method thereof that can minimize the computational resources required for filtering malicious mail and spam mail processed within the security system by performing a separate mail security firewall process using a mail security firewall device equipped at the front end of a mail security system in response to mail packets passing through a network firewall, and can prevent system failures caused by attacks such as temporary receipt of more than a permitted number of mails by preventing resource limit situations in advance.

In order to solve the above-described problem, an embodiment of the present invention provides a device for a mail security firewall device provided in a security network front-end of a mail access security system, the device including: a mail packet monitoring unit for detecting a connection path of an incoming mail packet or an outgoing mail packet transmitted or received through the mail access security system through a network firewall of the security network; a firewall setting unit for setting mail security firewall information based on mail security inspection information of the mail access security system; and a connection blocking processing unit for determining whether to block a connection path corresponding to the incoming mail packet or the outgoing mail packet based on the mail security firewall information.

In addition, a method according to an embodiment of the present invention for solving the above-described problem includes a method for operating a mail security firewall device provided in a security network front-end of a mail access security system, the method comprising: detecting a connection path of an incoming mail packet or an outgoing mail packet transmitted or received through the mail access security system through a network firewall of the security network; setting mail security firewall information based on mail security inspection information of the mail access security system; and determining whether to block a connection path corresponding to the incoming mail packet or the outgoing mail packet based on the mail security firewall information.

According to an embodiment of the present invention, in response to the connection path of an incoming mail packet or an outgoing mail packet transmitted or received through the mail access security system through the network firewall of the security network, it is possible to determine whether to block the packet based on mail security inspection information of the mail access security system and based on mail security firewall information set.

Accordingly, according to an embodiment of the present invention, by performing a separate mail security firewall process using a mail security firewall device equipped at the front end of a mail security system in response to mail packets passing through a network firewall, the computational resources required for filtering malicious mail and spam mail processed within the security system can be minimized, and by preventing the occurrence of a resource limit situation in advance, system failures caused by attacks such as temporary receipt of more than the permitted number of mails can be prevented in advance.

Figure 1 is a conceptual diagram schematically illustrating the entire system according to an embodiment of the present invention.
FIG. 2 and FIG. 3 are block diagrams for more specifically explaining a mail security device according to an embodiment of the present invention.
FIG. 4 is a block diagram for more specifically explaining a mail security firewall device according to an embodiment of the present invention.
FIG. 5 is a flowchart for explaining the operation of a mail security firewall device according to an embodiment of the present invention.

The following merely illustrates the principles of the present invention. Therefore, those skilled in the art will be able to implement the principles of the present invention and invent various devices and methods within the scope and spirit of the present invention, even if not explicitly described or illustrated herein. Furthermore, all conditional terms and embodiments listed herein are expressly intended, in principle, to facilitate understanding of the concepts of the present invention, and should be understood as being in no way limiting to the specifically listed embodiments and conditions.

Furthermore, it should be understood that all detailed descriptions of the principles, aspects, and embodiments of the present invention, as well as specific embodiments, are intended to encompass structural and functional equivalents thereof. Furthermore, it should be understood that such equivalents encompass not only currently known equivalents but also equivalents developed in the future, i.e., all devices invented to perform the same function, regardless of structure.

Thus, for example, the block diagrams herein should be understood as representing conceptual views of exemplary circuits embodying the principles of the present invention. Similarly, all flowcharts, state transition diagrams, pseudocode, and the like, which may be substantially represented on a computer-readable medium, should be understood as representing various processes performed by a computer or processor, regardless of whether a computer or processor is explicitly depicted.

Furthermore, any explicit use of terms such as processor, controller, or similar concepts should not be construed as exclusively referring to hardware capable of executing software, but should be understood to implicitly include, without limitation, digital signal processor (DSP) hardware, read-only memory (ROM), random access memory (RAM), and non-volatile memory for storing software. Other commonly used hardware may also be included.

The above-described purposes, features, and advantages will become more apparent through the following detailed description, taken in conjunction with the accompanying drawings. Accordingly, those skilled in the art will be able to readily implement the technical concepts of the present invention. Furthermore, if a detailed description of known technologies related to the present invention is deemed to unnecessarily obscure the gist of the invention, such detailed description will be omitted.

The terminology used in this application is only used to describe specific embodiments and is not intended to limit the present invention. The singular expression includes the plural expression unless the context clearly indicates otherwise. In this application, it should be understood that the terms "comprise" or "have" indicate the presence of a feature, number, step, operation, component, part, or combination thereof described in the specification, but do not preclude the possibility of the presence or addition of one or more other features, numbers, steps, operations, components, parts, or combinations thereof.

Hereinafter, with reference to the attached drawings, preferred embodiments of the present invention will be described in more detail. In order to facilitate an overall understanding in describing the present invention, identical reference numerals are used for identical components in the drawings, and redundant descriptions of identical components are omitted.

The term 'mail' used in this specification can be used collectively to refer to electronic mail, web mail, electronic mail, electronic mail, etc. that users send and receive through a computer network via a terminal device and a client program installed on the terminal or a website.

Figure 1 is a conceptual diagram schematically illustrating the entire system according to an embodiment of the present invention.

Referring to FIG. 1, a system according to one embodiment of the present invention includes a user terminal (10), a receiving mail security device (100), an sending mail security device (200), a mail server (300), an external mail access device (400), a mail security firewall device (500), and a network firewall device (600).

More specifically, a receiving mail security device (100), an outgoing mail security device (200), a mail server (300), a mail security firewall device (500), and a network firewall device (600) can constitute a separate secured mail security network system. The secured network system is a mail security network in which mail transmission with the mail server (300) is possible only through the receiving mail security device (100) and the outgoing mail security device (200), and each device can be equipped with secured internal networks and security devices based on various network interface environments for this purpose.

Here, each device that constitutes the network can be connected to each other through a wired/wireless network, and the devices or terminals connected to each network can communicate with each other through a mutually secured network channel.

Here, each of the above networks can be implemented as various types of wired/wireless networks, such as a local area network (LAN), a wide area network (WAN), a value-added network (VAN), a personal area network (PAN), a mobile radio communication network, or a satellite communication network.

In addition, the user terminal (10) and external mail access device (400) described in this specification may include a personal computer (PC), a laptop computer, a mobile phone, a tablet PC, a personal digital assistant (PDA), a portable multimedia player (PMP), etc., but the present invention is not limited thereto, and various devices capable of connecting to a mail server (300) or a receiving mail security device (100) through an internal network, a public network, a private network, etc. may be exemplified. In addition, the user terminal (10) and the external mail access device (400) may be various devices capable of inputting and outputting information through application execution or web browsing.

In addition, the receiving mail security device (100) and the sending mail security device (200) can perform a security threat inspection on email packet data that passes through the network firewall device (600) and the mail security firewall device (500) in the external mail access device (400) and is sent and received from the user terminal (10) account through the mail server (300), and can configure a mail security system that blocks or allows the sending and receiving of emails for which the security threat inspection has been completed.

In FIG. 1, the receiving mail security device (100) and the sending mail security device (200) are shown as being configured separately, but according to an embodiment of the present invention, the receiving mail security device (100) and the sending mail security device (200) may also be configured and referred to as a single mail security device or mail security system.

Unlike the operation of such mail security network systems, external mail access devices (400) located in external networks can transmit and receive data by being connected to one or more wired or wireless networks through a connection to a public network. The public network is a communication network constructed and managed by a country or a communication infrastructure operator, and generally includes telephone networks, data networks, CATV networks, and mobile communication networks, etc., and can provide connection services so that an unspecified number of ordinary people can access other communication networks or the Internet.

According to the background technology described above, an external mail access device (400) or a user terminal (10) may attempt to connect to send and receive mail packets using an IP band and port that can pass through a network firewall device (600) in order to attempt to connect to send and receive malicious code or spam mail.

However, according to an embodiment of the present invention, a mail security firewall device (500) can be provided at a security network front-end of a mail access security system, and can set mail security firewall information based on mail security inspection information of incoming and outgoing mail security devices (100, 200), detect a connection path of an incoming mail packet or an outgoing mail packet transmitted or received through the mail access security system through a network firewall of the security network, and determine whether to block the connection path of the incoming mail packet or the outgoing mail packet based on the mail security firewall information.

More specifically, the mail security firewall device (500) can, in the case of transmission and reception of packets identified as mail packets, physically or logically block the connection itself in advance through comparison with the separate mail security firewall information, even if the packets are transmitted and received through ports and IP bands allowed by the existing network firewall device (600).

Such access blocking can be determined in response to the IP address of a malicious distribution site determined based on mail security inspection information. Such malicious distribution site IP address information may, for example, be IP address information where malicious packets exceeding a preset step-by-step threshold were transmitted and received during a preset period of time. Such malicious distribution site IP address information can be generated or changed in real time in response to external attacks.

Accordingly, even if a malicious external mail access device (400) disables the network firewall device (600) and forces an email attack exceeding a threshold that has limitations in filtering in the sending and receiving mail security device (100, 200), real-time blocking processing is possible according to the IP band information setting of the malicious distribution site in the mail security firewall device (500), which can minimize resource consumption of the sending and receiving mail security device (100, 200) that must perform malicious inspection on all packets, and thus has the effect of preventing occurrence of failures due to malicious mail attacks.

Furthermore, the malicious distribution site IP band information may include selective blocking information for specific IP bands and ports that cannot realistically be set in bulk in a network firewall device (600), thereby improving system security by blocking packet transmission itself from the distribution site for malicious mail attacks.

Here, the malicious distribution site IP band information may include learning-based IP band information that is variably configured according to learning data from mail security inspection information, and the learning data may include at least one of mail user identification information, device identification information, connection IP information, connection port information, connection location information, connection time information, and communication protocol identification information for a mail engine.

Accordingly, the sender/receiver mail security device (100, 200) can transmit abnormal notification information to the mail security firewall device (500) when the port information learned in response to specific mail user identification information is different from the transmission/reception port information of the current packet, and the mail security firewall device (500) can block the transmission/reception of mail packets of IPs that use unlearned port information by configuring the malicious distribution site IP band information based on the abnormal notification information.

In addition, the mail security firewall device (500) processes bypass for mail packets that are not blocked based on the decision on whether to block access, thereby enabling access to permitted IPs and ports and sending and receiving mail packet data.

Figures 2 and 3 are block diagrams for more specifically explaining a receiving mail security device (100) according to one embodiment of the present invention.

Referring to FIGS. 2 and 3, first, a receiving mail security device (100) according to an embodiment of the present invention may include a control unit (110), a collection unit (120), a security threat inspection unit (130), a relationship analysis unit (140), a mail processing unit (150), a user information management unit (160), a record management unit (170), a vulnerability testing unit (180), a communication unit (125), and a mail security firewall device setting unit (190).

The control unit (110) may be implemented as one or more processors for overall control of the operation of each component of the receiving mail security device (100).

In addition, the control unit (110) is equipped with a communication protocol processing module for the mail engine, and can enable data processing for communication protocol packets for the mail engine by decrypting, encrypting, or modifying data based on the email communication protocol processed in each component.

The communication unit (125) may be equipped with one or more communication modules for communicating with a network where a user terminal (10) or a mail server (300) is located, or with an external mail access device (400).

In addition, the collection unit (120) can recover the communication protocol packets for the mail engine sent and received from the mail server (300) or the external mail access device (400), thereby collecting mail information of the email packet data being sent and received. The mail information may include email header information, email subject, email content body, number of receptions during a certain period, etc.

Specifically, the email header information may include a mail sending server IP address, mail sending server host name information, sender mail domain information, sender mail address, mail receiving server IP address, mail receiving server host name information, recipient mail domain information, recipient mail address, mail protocol information, mail receiving time information, mail sending time information, etc.

Additionally, the above email header may include network path information required during the process of sending and receiving email, information on protocols used between email service systems for email exchange, etc.

Additionally, the above mail information may include the extension of the attached file, hash information of the attached file, the attached file name, the body of the attached file content, URL (Uniform Resource Locator) information, etc. The above attached file may include additional content to convey additional information in addition to the body of the mail that the sender wishes to convey to the recipient or to request a response to information.

The above content can include text, images, videos, and more. Recipients can view the content by launching the corresponding application attached to the email. Recipients can also download, store, and manage the attached files on their local storage.

The extension of the above attached file can distinguish the file format or type. The extension of the above attached file can be distinguished by a string that generally indicates the file's properties or the application that created the file. For example, text files can be distinguished by the extension [file name].txt, MS Word files by the extension [file name].doc (docx), and Hangul files by the extension [file name].hwp. Additionally, image files can be distinguished by the extension [gif], [jpg], [png], and [tif].

Additionally, executable files, which are computer files that perform directed tasks according to coded commands, can be classified as [file name].com, [file name].exe, [file name].bat, [file name].dll, [file name].sys, [file name].scr, etc.

The hash information in the attached file can protect against falsification and ensure information integrity. Hash information, or hash values, can be mapped to a bit string of a fixed length for any data of any length using a hash function.

Through this, the hash information output through the hash function for the initially created attachment has a unique value. The output hash information or hash value has a one-way property that cannot be used to extract the data input to the function in reverse. In addition, the hash function can guarantee collision avoidance, which makes it computationally impossible for another input data to provide the same output as the output hash information or hash value for a given input data. Accordingly, if the data of the above-mentioned attached file is modified or added, the output value of the hash function will be returned differently.

In this way, the unique hash information of the attached file can be compared with the hash information or hash value of files exchanged via email to determine whether the file has been modified or tampered with. Furthermore, because the hash information is fixed as a unique value, it can utilize reputation information, a database of past history of files created with malicious intent, enabling proactive quarantine measures. Additionally, the hash function can be utilized in technologies and versions that ensure one-way access and collision avoidance.

The security threat inspection unit (130) processes step-by-step matching of the mail security process corresponding to the mail information according to a preset security threat architecture, inspects the mail information by the matched mail security process, and stores and manages mail security inspection information according to the inspection results.

Here, the above mail security inspection information is used to configure abnormal notification information through the mail security firewall device setting unit (190), and the abnormal notification information can be transmitted to the mail security firewall device (500).

The above security threat architecture can be categorized into spam email security threats, malware security threats, social engineering security threats, and internal information leak security threats. The security threat type/level/process/priority/processing order can be set by the above security threat architecture.

Mail security processes that respond according to the above security threat architecture may include a spam mail security process, a malware security process, a phishing mail security process, and a mail export security process.

The above mail security process can determine different mail security processes for incoming or outgoing mail based on the security threat architecture. Furthermore, the inspection order or level of the mail security process can be determined by preset security steps and architecture.

The above mail security process, when mail information for receiving or sending is transmitted from a user terminal (200), an independently distinguished process is allocated as a resource and can be immediately executed in the inspection area allocated from the mail information. This dynamic resource allocation method can be explained using the concept of virtual space. In the method of allocating resources to the virtual space, the mail security process can immediately process tasks in the inspection area allocated from the sequentially incoming mail information upon completion of processing.

In contrast, environments like virtual environments and virtual machines, where processing is limited to a single resource and a specific process is allocated, may have idle time while processing a requested task, while other processes wait for a specific process to complete. In this process-based analysis approach, dynamic resources can offer advantages in processing speed and performance compared to fixed resources.

The security threat inspection unit (130) can classify emails for receiving or sending purposes based on the email information collected by the collection unit (120). Thereafter, the security threat inspection unit (130) can acquire email security inspection information for each email by sequentially matching and analyzing the email security processes or based on a set priority.

As shown in Figure 3(a), the security threat inspection unit (130) includes a spam mail inspection unit (131), a malicious code inspection unit (132), a phishing mail inspection unit (133), and a mail export inspection unit (134).

First, spam email security threats can include emails that are indiscriminately distributed to unspecified individuals, often in bulk, for purposes such as advertising or promotional purposes, between unrelated senders and recipients. Furthermore, large volumes of spam emails can overwhelm the data processing capabilities of email systems, potentially slowing down their processing capabilities. Furthermore, spam emails carry the risk of users unintentionally linking to indiscriminate information contained within the body of the email, potentially disguised as information for phishing scams.

In order to detect and filter such spam mails, the security threat inspection unit (130) may include a spam mail inspection unit (131). If the mail security process is a spam mail security process, the spam mail inspection unit (131) may match the mail information including mail header information, mail subject, mail content body, number of receptions during a certain period, etc., with preset spam indicators in stages.

The spam mail inspection unit (131) can use spam indicators as inspection items by inspecting certain patterns that can distinguish mail information, including mail header information, mail subject, and mail content body, to distinguish it from spam mail. Through this, the spam mail inspection unit (131) can acquire, store, and manage spam mail inspection information by matching the spam indicators step by step.

The above spam indicator can be configured with inspection items and level values based on items included in the mail information at each stage. According to one embodiment of the present invention, the spam indicator can be configured in a subdivided and step-by-step manner, such as Level 1, Level 2, Level 3, ..., Level [n].

The above spam indicator Level 1 can match the mail title data included in the mail information based on big data and reputation information. Through this, the spam indicator Level 1 can obtain an evaluated level value as the inspection information of the spam indicator Level 1. The level value can be set as information that can be quantitatively measured. For example, the inspection information of the spam indicator Level 1 can be evaluated as '1' from the level value distinguished between 0 and 1 when the mail title, which is the inspection item, contains phrases such as 'advertisement' or 'promotion' and matches the information defined as spam mail in the big data and reputation information. Through this, the inspection information of the spam indicator Level 1 can be obtained as '1'.

Additionally, the spam indicator Level 2 can match data included in mail information based on user-specified keywords. Through this, the spam indicator Level 2 can obtain an evaluated level value as inspection information of the spam indicator Level 2. For example, if the inspection information of the spam indicator Level 2 contains keywords such as 'special price', 'super special price', 'sale', 'sale', 'out of stock', etc. in the mail content body, which is an inspection item, and if it matches the information defined as spam mail in the user-specified keywords, it can be evaluated as '1' from the level value distinguished between 0 and 1. Through this, the inspection information of the spam indicator Level 2 can be obtained as '1'.

In the next step, the spam indicator Level 3 can match data included in mail information based on image analysis. Through this, the spam indicator Level 3 can obtain an evaluated level value as the inspection information of the spam indicator Level 3. For example, if the inspection information of the spam indicator Level 3 includes a phone number starting with '080' in the data extracted by analyzing the image included in the body of the mail content, which is the inspection item, and if it matches the information defined as spam mail through the image analysis, it can be evaluated as '1' from the level value distinguished between 0 and 1. Through this, the inspection information of the spam indicator Level 3 can be obtained as '1'.

In this way, the inspection information acquired at each spam indicator level through the above spam mail security process can be ultimately aggregated ('3') and stored and managed as spam mail inspection information. This aggregated spam mail inspection information can be included in the mail security inspection information and managed, and can be utilized as security threat identification information in the mail processing unit (150).

The above security threat inspection unit (130) may further include a malware inspection unit (132). If the mail security process is a malware security process, the malware inspection unit (132) may match the mail information, which further includes the extension of the attached file, hash information of the attached file, name of the attached file, body of the attached file content, URL (Uniform Resource Locator) information, etc., with preset malware indicators in stages.

The above malware inspection unit (132) can use the attached file's extension, attached file's hash information, attached file name, etc., which can be verified as attribute values of the attached file, along with the attached file's content body and the URL (Uniform Resource Locator) information included in the content body, as malware indicator inspection items. Through this, the malware inspection unit (132) can acquire, store, and manage malware inspection information by matching the above malware indicators step by step according to the items.

The above malware indicators can be configured with inspection items and level values based on items included in mail information at each stage. According to one embodiment of the present invention, the malware indicators can be configured in a subdivided and step-by-step manner, such as Level 1, Level 2, Level 3, ..., Level [n].

The above malware indicator Level 1 can match the attachment file name and attachment file extension included in the mail information based on big data and reputation information. Through this, the malware indicator Level 1 can obtain the evaluated level value as the malware indicator Level 1 inspection information. For example, if the inspection information of the malware indicator Level 1 includes the attachment file name, which is a inspection item, as 'Trojan' and the attachment file extension as 'exe', and if it matches the information defined as malware in the big data and reputation information, it can be evaluated as '1' in the level value distinguished between 0 and 1. Through this, the inspection information of the malware indicator Level 1 can be obtained as '1'.

Additionally, the malware indicator Level 2 can match the hash information of an email attachment based on big data and reputation information. Through this, the evaluated level value can be obtained as the malware indicator Level 2 inspection information. For example, when the inspection information of the malware indicator Level 2 analyzes the attached file hash information, which is an inspection item, as 'a1b2c3d4', if it matches the information defined as malware in the reputation information, it can be evaluated as '1' in the level value distinguished between 0 and 1. Through this, the malware indicator Level 2 inspection information can be obtained as '1'.

In the next step, the malware indicator Level 3 can match the URL (Uniform Resource Locator) information included in the attached file or the body of the email content based on the URL reputation information. Through this, the evaluated level value can be obtained as the malware indicator Level 3 inspection information. For example, when the inspection item URL information is confirmed as 'www.malicious-code.com', if it matches the information defined as a harmful site that includes a malware file in the URL reputation information, the inspection information of the malware indicator Level 3 can be evaluated as '1' in the level value distinguished between 0 and 1. Through this, the malware indicator Level 3 inspection information can be obtained as '1'. In addition, the malware inspection unit (132) can respond to zero-day attacks that may be omitted from the URL reputation information. The malware inspection unit (132) can change the link IP address for a URL without reputation information to the IP address of a specific system and provide the changed IP address to the user terminal (200). When the user terminal (200) attempts to access the URL, it may be connected to the IP address of a specific system changed by the malware inspection unit (132). The specific system whose link IP address for the URL has previously been changed can continuously check for malware up to the URL's endpoint.

In this way, the inspection information acquired at each malware indicator level through the above malware security process can be ultimately aggregated ('3') and stored and managed as malware inspection information. The aggregated malware inspection information can be included in the mail security inspection information and managed, and can be utilized as security threat identification information in the mail processing unit (150).

The security threat inspection unit (130) may further include a phishing email inspection unit (133). The phishing email inspection unit (133) may, in the case where the mail security process is a phishing email security process, match the relationship analysis information obtained through the relationship analysis unit (140) with preset relationship analysis indicators in stages. The relationship analysis information may be obtained through mail information analysis, including mail information and attribute information of mails confirmed to be normal.

The above-mentioned phishing email inspection unit (133) can utilize the following information, which can be extracted from emails determined to be normal: recipient email domain, sender email domain, recipient email address, sender email address, email routing, and email content body information, as relationship analysis indicator inspection items. Through this, the above-mentioned phishing email inspection unit (133) can acquire, store, and manage phishing email inspection information by matching the above-mentioned relationship analysis indicators step by step according to the items. Through this, the above-mentioned phishing email inspection unit (133) can detect similar domains and filter out emails that may pose a security threat by tracking or verifying the email sending path.

The above relationship analysis indicator can be configured with test items and level values based on the relationship analysis information for each step. According to one embodiment of the present invention, the relationship analysis indicator can be configured in a subdivided and step-by-step manner, such as Level 1, Level 2, Level 3, ..., Level [n].

The above relationship analysis index Level 1 can match the domain of the sender's email, the address of the sender's email, etc. based on reputation information. Through this, the relationship analysis index Level 1 can obtain the evaluated level value as the inspection information of the relationship analysis index Level 1. For example, if the inspection information of the relationship analysis index Level 1 is that the domain of the sent email, which is the inspection item, is '@impersonation.com' and the address of the sender's email contains 'impersonation@', if it matches the information defined as malware in the reputation information, it can be evaluated as '1' in the level value distinguished between 0 and 1.

Additionally, the relationship analysis index Level 2 can match the domain of the sender's email, the address of the sender's email, etc. based on the relationship analysis information. Through this, the relationship analysis index Level 2 can obtain the evaluated level value as the inspection information of the relationship analysis index Level 2. For example, if the inspection information of the relationship analysis index Level 2 is that the domain of the sent email, which is the inspection item, is '@impersonation.com' and the address of the sender's email contains 'impersonation@', and if it does not match the information defined as the attribute information of the normal email in the relationship analysis information, it can be evaluated as '1' from the level value distinguished between 0 and 1. Through this, the inspection information of the relationship analysis index Level 3 can be obtained as '1'.

In the next step, the relationship analysis index Level 3 can match mail routing information, etc. based on the relationship analysis information. Through this, the relationship analysis index Level 3 can obtain the evaluated level value as the inspection information of the relationship analysis index Level 3. For example, when the inspection information of the relationship analysis index Level 3 confirms that the mail routing information, which is an inspection item, is '1.1.1.1', '2.2.2.2', '3.3.3.3', if the routing information, which is the transmission path of the mail, does not match the information defined as the attribute information of a normal mail in the relationship analysis information, it can be evaluated as '1' from the level value distinguished between 0 and 1. Through this, the inspection information of the relationship analysis index Level 3 can be obtained as '1'.

In this way, the inspection information acquired at the relationship analysis index level level through the aforementioned phishing email security process can be ultimately aggregated ('3') and stored and managed as phishing email inspection information. The aggregated phishing email inspection information can be included in the aforementioned mail security inspection information and managed, and utilized as security threat identification information in the aforementioned mail processing unit (150).

The above security threat inspection unit (130) may include a mail export inspection unit (134) to respond to internal information leak security threats. If the mail security process is a mail export security process, the mail export inspection unit (134) may match preset mail export management indicators based on the mail information step by step.

The above mail export inspection unit (134) can utilize the attribute information of the above mail information as a mail export management indicator inspection item. In addition, the management indicator inspection item can utilize the allocated IP information of the internally managed user terminal (200).

The above mail export management indicators may be configured with preset inspection items and level values determined by inspection for each stage. According to one embodiment of the present invention, the mail export management indicators may be configured in a subdivided and step-by-step manner, such as Level 1, Level 2, Level 3, ..., Level [n].

The above-mentioned mail export management indicator may include an item that controls the registration of mail information only from IP addresses allowed among the IP addresses assigned to user terminals (200) for sending environment inspection. Since unauthenticated user terminals are relatively more likely to leak internal information and also pose a security threat through mail, management indicators that can block this in advance can be managed.

Furthermore, the mail export inspection unit (134) can utilize the mail export management indicators by dividing them into inspection items such as IP address information and number of transmissions. Furthermore, the mail export inspection unit (134) can further reduce the threat of internal information leakage by additionally providing a control unit such as an approval process as an inspection item for the mail sending environment. Through this, the mail export inspection unit (134) can store and manage the level values calculated by matching the inspection items through the mail export process as mail export inspection information.

The relationship analysis unit (140) can store and manage relationship analysis information obtained based on the analysis of the mail information and trust authentication log. The trust authentication log can include record information including the recipient mail domain, sender mail domain, recipient mail address, sender mail address, mail routing, mail content body information, etc. when the record management unit (170) processes mail information as normal mail based on security threat identification information.

The mail processing unit (150) can process the mail status according to the above mail security inspection information and the security threat determination information obtained through the above mail information analysis.

The mail processing unit (150) can perform the mail security process according to a preset priority. If the security threat identification information through the mail security process determines an abnormal mail, the mail processing unit (150) can determine whether to suspend subsequent mail security processes and process the mail status. Accordingly, if a problem is discovered during the initial inspection step according to priority, the mail processing unit (150) can perform only the necessary processing at that step and determine whether to terminate the inspection, thereby terminating the subsequent inspection step without performing any further processing. This can secure the efficiency of the mail security service, reduce system complexity, and improve processing efficiency.

The above mail security inspection information may utilize information obtained by synthesizing the spam mail inspection information, malware inspection information, phishing mail inspection information, and mail export inspection information produced by the security threat inspection unit (130). For example, if the security threat inspection unit (130) performs a process on mail information and the score produced by the spam mail inspection information is '3', the score produced by the malware inspection information is '2', the score produced by the phishing mail inspection information is '1', and the score produced by the mail export inspection information is '0', the score combined as the mail security inspection information may be obtained as '7'. At this time, based on the preset security threat determination information, a mail may be classified as normal if the comprehensive score is in the range of 0-3, as gray mail if it is in the range of 4-6, and as abnormal mail if it is in the range of 7-12. Accordingly, a mail with the mail security inspection information of '7' may be determined as an abnormal mail. And the result value of each inspection information item included in the above mail information inspection information may be assigned an absolute priority according to the item or may be assigned a priority according to information based on weight.

Accordingly, as shown in Fig. 3(b), the mail processing unit (150) includes a mail distribution processing unit (151), a mail disposal processing unit (152), and a mail detoxification processing unit (153).

The above mail processing unit (150) may include a mail distribution processing unit (151) that processes mail determined to be normal mail based on the security threat determination information into a receiving or sending status that can be processed by the user terminal.

In addition, the mail processing unit (150) may further include a mail disposal processing unit (152) that processes mails determined to be abnormal mails based on the security threat determination information in a state where access by the user terminal is impossible.

Additionally, the mail processing unit (150) may further include a mail neutralization processing unit (153) that converts mail determined to be graymail based on the security threat determination information into non-executable file content and provides the user terminal with the ability to selectively process the mail status.

In general, the gray mail can be classified as spam or junk mail, or conversely, as normal mail. In the present invention, the gray mail can be defined as a mail type that is classified when the security threat identification information is calculated as an intermediate value within a certain range that cannot be determined as normal or abnormal. The mail sanitization processing unit (153) can convert the gray mail including the body of the suspicious content, etc., into an image file and provide it in a mail state that can be checked by the user terminal (200). In addition, the mail sanitization processing unit (153) can remove or modify a section suspected of being a malicious code in an attached file and provide it to the user terminal (200).

Meanwhile, the user information management unit (160) can store and manage user information of the user terminal (10), and the user information can include at least one of, for example, user name information, email account information, access IP information, phone number information, access device information, MAC information, etc.

In addition, the record management unit (170) can store and manage the mail information processed according to the security threat determination information as record information. The record management unit (170) may further include a relationship information management unit (171) that stores and manages the record information including the recipient mail domain, sender mail domain, recipient mail address, sender mail address, mail routing, mail content body information, etc. as a trust authentication log when the mail is processed as a normal mail according to the security threat determination information. Through this, the trust authentication log can be utilized for reliable relationship information analysis for the recipient and sender mail information. In addition, the reliability of the information included in the trust authentication log can be guaranteed as data is continuously accumulated through mutual information exchange.

In addition, when the record management unit (170) processes an abnormal email according to the security threat determination information, the record information including the receiving email domain, sending email domain, receiving email address, sending email address, email routing, email content body information, etc. can be used as an abnormal email determination indicator when performing the email security process.

The vulnerability testing unit (180) may convert an abnormal email determined to be an abnormal email based on the security threat determination information into non-executable file content and provide it so that it can be received or sent from the user terminal. The vulnerability testing unit (180) may include a vulnerability information management unit (181) that obtains identification information of the user terminal that received or sent the abnormal email and stores and manages it as vulnerability information by type.

Meanwhile, the mail security firewall device setting unit (190) processes the device setting of the mail security firewall device (500) provided in the mail access security system front end and the transmission of abnormality notification information based on mail security inspection information through the communication unit (125).

More specifically, the mail security firewall device setting unit (190) can perform access information corresponding to the mail security firewall device (500), mail security firewall information setting of the mail security firewall device (500), abnormality notification criteria setting and log monitoring service, and can output the performance results through a separate administrator terminal.

By means of this mail security firewall device setting section (190), the device information and mail security firewall information settings of the mail security firewall device (500) can be processed. Accordingly, the mail security firewall device (500) installed accordingly will be described in more detail through FIG. 4.

FIG. 4 is a block diagram for more specifically explaining a mail security firewall device according to an embodiment of the present invention.

Referring to FIG. 4, the mail security firewall device (500) includes a mail packet monitoring unit (510), a mail security firewall setting unit (520), an access blocking processing unit (530), and a log analysis unit (540).

First, the mail packet monitoring unit (510) detects the connection path of an incoming mail packet or an outgoing mail packet transmitted or received through the mail access security system through the network firewall of the security network.

Here, the connection path may include at least one of the IP address information, IP band information, and port information through which the packet is sent or received or passed.

And, the mail security firewall setting unit (520) sets mail security firewall information based on mail security inspection information of the mail access security system.

More specifically, the mail security firewall information may include malicious distribution site IP band information determined based on the mail security inspection information.

Here, the mail security inspection information may include security threat inspection information processed by each of the sending and receiving mail security devices (100, 200). For example, the security threat inspection information may include at least one of spam mail inspection information, malware inspection information, and phishing mail inspection information. Furthermore, the phishing mail inspection information may further include similar domain inspection information and account hijacking inspection information.

In addition, the mail security inspection information may include at least one of IP address information, IP band information, and port information of a sender or receiver or transit point obtained from header information in response to a mail packet in which security threat inspection information is detected.

Accordingly, the mail security firewall setting unit (520) can set at least one of the IP address information, IP band information, and port information of the sender or receiver or transit point, which can selectively determine whether to block, as the IP band information of the malicious distribution site, as mail security firewall information based on mail security inspection information.

And, when the malicious distribution site IP band information is detected from the connection path of the received mail packet or the sent mail packet, the connection blocking processing unit (530) performs IP or port connection blocking processing corresponding to the received mail packet or the sent mail packet.

Here, the malicious distribution site IP band information can be monitored and changed according to real-time updates of mail security inspection information, and therefore, the access blocking processing unit (530) can perform variable processing according to the passage of time in IP or port access blocking processing.

More specifically, for example, the malicious distribution site IP band information may include IP band information in which malicious packets exceeding a preset step threshold are transmitted and received during a preset period of time, and the access blocking processing unit (530) may perform, in real time, blocking processing of transmission and reception of mail packets corresponding to the malicious distribution site IP band information.

In addition, the connection blocking processing unit (530) can perform the IP connection blocking processing for a certain period of time set for each step threshold, and when the certain period of time has elapsed, it can also perform a recovery process to lift the blocking.

That is, the mail security firewall device (500) according to an embodiment of the present invention can detect in real time, through the operation of the access blocking processing unit (530), if an attack exceeding a preset resource limit is attempted, even if it is a packet on an IP and port passing through the network firewall device (600), and perform separate blocking and release for mail security, thereby minimizing the occurrence of failures in the mail security system.

In order to efficiently perform such real-time processing, the mail security firewall setting unit (190) of the mail security device (100) can analyze IP band and port information that can extract malicious distribution site IP band information from mail security inspection information. It is preferable that such IP band and port information be configured from the sending IP and port traceback information of packets in which malicious code, spam, or malicious URL is detected.

In addition, such mail security firewall information can be configured variably in real time based on analysis of learning data so as to determine whether to block a malicious access attack using the mail security inspection information according to a preset access blocking algorithm.

For example, mail security firewall information may be configured according to pre-configured firewall policy information corresponding to mail user identification information and learning data corresponding to at least one of connection device identification information, connection IP information, connection port information, connection location information, connection time information, and communication protocol identification information for a mail engine, and the connection blocking processing unit (530) may determine whether to block the connection if an abnormal connection path different from the connection path information corresponding to the learning data of the mail security firewall information is identified.

Such firewall policy information may include learning-based firewall policy information that is variably configured according to learning data of activity information collected in advance in response to mail user identification information, and the activity information may include at least one of device identification information, connection IP information, connection port information, connection location information, connection time information, and communication protocol identification information for a mail engine corresponding to the mail user identification information.

Here, learning-based firewall policy information variably configured according to the learning data may be configured by a machine learning model that performs deep learning-based associative learning on device identification information, connection IP information, connection port information, connection location information, connection time information, and mail engine communication protocol identification information corresponding to the mail user identification information and the learning data of preset attack cases. Here, the deep learning-based associative learning technology may utilize various well-known machine learning technologies such as CNN, RNN, DNN, LSTM, and regression analysis.

For example, the mail security firewall setting unit (520) according to an embodiment of the present invention can set a blocking policy to block the first IP band and the first port information for a certain period of time when the first IP band and the first port information of the path information obtained from the repeated connection request information for sending and receiving email packets of the external mail access device (400) exceeding a threshold are different from the second IP band and the second port information that are learned in advance or specified in the firewall policy information, and the connection blocking processing unit (530) can physically or logically block the packet transmission and reception of the first IP band and the first port information corresponding to the external mail access device (400) for the certain period of time.

Additionally, the mail security firewall configuration unit (520) can preset specific time and frequency conditions for such blocking. For example, if a mail packet is transmitted or received a certain number of times within a certain period of time via a connection path deemed to have a high attack probability exceeding a threshold, the connection can be blocked for a certain period of time. These time and frequency settings can be processed differently for each type and type of connection path information.

Meanwhile, the log analysis unit (540) can provide mail security firewall log analysis information generated in response to the blocking and permission details of the access blocking processing unit (530) to one or more devices constituting the mail access security system (100, 200, or 300).

Accordingly, communication with the mail security system using the IP or port is blocked in the external mail access device (400) determined to be an attacker, and normal mail data transmission and reception can be made possible only when unblocking, such as through identity verification, is performed through a separate path.

Accordingly, the access blocking processing unit (530) can allow the transmission and reception of mail packet data passing through normal IPs and ports that are not access blocked, and subsequent sent and received mail data is protected and processed through the security threat inspection unit (130) and the mail processing unit (150), thereby eliminating system vulnerabilities due to resource limitations and providing a safe mail security system.

In the embodiment of the present invention, the operation of the receiving mail security device (100) has been mainly described, but the blocking function and operation of mail server connection request information based on the mail engine protocol can be configured in the same manner in the case of the sending mail security device (200). Therefore, the mail server connection security authentication processing unit (190) according to the embodiment of the present invention can operate in the same manner even when linked with the sending mail security device (200). That is, as described above, the receiving mail security device (100) and the sending mail security device (200) according to the embodiment of the present invention can form a single mail security device that commonly includes the mail server connection security authentication processing unit (190), and are not limited by their names.

FIG. 5 is a flowchart for explaining the operation of a mail security firewall device according to an embodiment of the present invention.

Referring to FIG. 5, a mail security firewall device (500) according to an embodiment of the present invention sets mail security firewall information based on mail security inspection information of a sending and receiving mail security system (100, 200) (S101).

And, the mail security firewall device (500) detects the connection path of the incoming mail packet or the outgoing mail packet transmitted or received through the mail access security system (100, 200) by passing through the network firewall configured by the network firewall device (600) provided in the security network of the mail security system (S103).

Thereafter, the mail security firewall device (500) determines whether to block the connection path of the received mail packet or the sent mail packet based on the mail security firewall information (S105).

And, depending on whether it is blocked, the mail security firewall device (500) allows (S109) or blocks (S107) the transmission and reception of mail packets corresponding to the connection path.

Thereafter, the mail security firewall device (500) can perform log analysis corresponding to blocking and allowing records and provide a corresponding monitoring service to each sending and receiving mail security system (100, 200) or a separate administrator terminal (S111).

The method according to the present invention described above can be produced as a program to be executed on a computer and stored in a computer-readable recording medium. Examples of the computer-readable recording medium include ROM, RAM, CD-ROM, magnetic tape, floppy disk, optical data storage device, etc.

Computer-readable recording media can be distributed across network-connected computer systems, allowing computer-readable code to be stored and executed in a distributed manner. Furthermore, functional programs, codes, and code segments for implementing the above method can be readily inferred by programmers skilled in the art to which the present invention pertains.

In addition, although the preferred embodiments of the present invention have been illustrated and described above, the present invention is not limited to the specific embodiments described above, and various modifications can be made by a person having ordinary skill in the art to which the invention pertains without departing from the gist of the present invention claimed in the claims, and such modifications should not be understood individually from the technical idea or prospect of the present invention.

Claims (16)

A mail security firewall device located between a network firewall and a mail security device of a security network, for blocking mail packets transmitted and received with the outside through the network firewall,
A mail packet monitoring unit that identifies mail packets among packets received internally through the network firewall and detects IP addresses for received mail packets;
A firewall setting unit that sets mail security firewall information including a malicious distribution site IP band based on mail security inspection information received from the mail security device; and
It includes an access blocking processing unit that determines whether to block the received mail packet by using the IP address of the received mail packet and the IP band of the malicious distribution site included in the mail security firewall information;
The above mail security inspection information includes security threat inspection information obtained by performing at least one of spam mail inspection, malware inspection, and phishing mail inspection on incoming or outgoing mail in the mail security device, and IP address information for mail packets determined to be malicious packets according to the security threat inspection information.
The above firewall settings section
Based on the security threat inspection information and the IP address information received from the mail security device, the malicious distribution site IP band is set according to the IP address through which malicious packets are sent and received,
A mail security firewall device characterized in that the above mail security firewall information can be changed according to the update of the mail security inspection information received from the mail security device. delete In the first paragraph,
The above connection blocking processing unit is,
If the IT address of the above-mentioned received mail packet corresponds to the IP range of the malicious distribution site, the transmission of the above-mentioned received mail packet to the above-mentioned mail security device is blocked.
Mail security firewall device. In the first paragraph,
The above malicious distribution site IP range is:
During a preset period of time, the IP bands are set to include those in which malicious packets exceeding a preset threshold are transmitted and received.
Mail security firewall device. In the first paragraph,
The above connection blocking processing unit is,
For mail packets transmitted and received to and from the mail security device through the network firewall, IP access corresponding to the IP range of the malicious distribution site is blocked.
Mail security firewall device. In paragraph 5,
Blocking of the above IP access is as follows:
It is performed for a certain period of time, and the blocking is lifted when the certain period of time has elapsed.
Mail security firewall device. In the first paragraph,
The above mail security firewall information is:
Further including malicious port information determined based on the above mail security inspection information,
The above mail security inspection information further includes port traceback information for the port where the malicious packet was detected.
Mail security firewall device. In the first paragraph,
A log analysis unit that generates mail security firewall log analysis information based on the blocking and permission details of the above access blocking processing unit;
Mail security firewall device. In a mail security firewall device located between a network firewall of a security network and a mail security device, an operation method for blocking mail packets transmitted and received with the outside through the network firewall,
A step of identifying mail packets among packets received internally through the network firewall and detecting IP addresses for received mail packets;
A step of setting mail security firewall information including a malicious distribution site IP band based on mail security inspection information received from the mail security device; and
A step of determining whether to block the received mail packet by using the IP address of the received mail packet and the IP band of the malicious distribution site included in the mail security firewall information;
The above mail security inspection information includes security threat inspection information obtained by performing at least one of spam mail inspection, malware inspection, and phishing mail inspection on incoming or outgoing mail in the mail security device, and IP address information for mail packets determined to be malicious packets according to the security threat inspection information.
The above malicious distribution site IP band is set according to the IP address through which malicious packets are sent and received, based on the security threat inspection information and the IP address information received from the mail security device.
A method for operating a mail security firewall device, characterized in that the mail security firewall information can be changed according to an update of the mail security inspection information received from the mail security device. delete In paragraph 9,
A step of blocking transmission of the received mail packet to the mail security device when the IT address of the received mail packet corresponds to the IP band of the malicious distribution site; further comprising;
How Mail Security Firewall Devices Work In paragraph 9,
The above malicious distribution site IP range is:
During a preset period of time, the IP bands are set to include those in which malicious packets exceeding a preset threshold are transmitted and received.
How the Mail Security Firewall Device Works. In paragraph 9,
A step of blocking IP access corresponding to the IP band of the malicious distribution site for mail packets transmitted and received to and from the mail security device through the network firewall is further included.
How the Mail Security Firewall Device Works. In Article 13,
Blocking of the above IP access is as follows:
It is performed for a certain period of time, and the blocking is lifted when the certain period of time has elapsed.
How the Mail Security Firewall Device Works. In paragraph 9,
The above mail security firewall information is:
Further including malicious port information determined based on the above mail security inspection information,
The above mail security inspection information further includes port traceback information for the port where the malicious packet was detected.
How the Mail Security Firewall Device Works. delete