
CN114726603B - Mail detection method and device - Google Patents


Info

Publication number: CN114726603B
Authority: CN (China)
Prior art keywords: mail, preset, historical, updated, sensitive information
Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN202210326753.6A
Other languages: Chinese (zh)
Other versions: CN114726603A (en)
Inventors: 谢少飞, 蒋维, 喻波, 王志海, 安鹏
Current assignee: Beijing Wondersoft Technology Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Beijing Wondersoft Technology Co Ltd

Events
Application filed by Beijing Wondersoft Technology Co Ltd
Priority to CN202210326753.6A
Publication of CN114726603A
Application granted
Publication of CN114726603B
Legal status: Active
Anticipated expiration


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1425 Traffic logging, e.g. anomaly detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

The embodiment of the invention provides a mail detection method and device, relating to the technical field of information security. The mail detection method comprises the following steps: when the sensitive information detection policy is updated, acquiring the historical mail within a preset range; detecting whether the historical mail hits the updated sensitive information detection policy; marking the historical mail that hits the updated sensitive information detection policy as abnormal mail; and displaying the mail information of the abnormal mail. The technical scheme provided by the embodiment of the invention solves the problem in the prior art that, when the sensitive information detection policy is updated, historical mail that passed the original sensitive information detection policy may still carry a risk of information leakage.

Description

Mail detection method and device
Technical Field
The present invention relates to the field of information security technologies, and in particular, to a method and an apparatus for detecting mail.
Background
Among the existing communication methods, email is a commonly used electronic communication method, and a user can economically and quickly interact with other users through email.
With the advent of the information age, information security has received increasing attention from many users. When users communicate through email, there is sensitive information that they do not want leaked; for enterprises in particular, such leakage may seriously affect enterprise information security, so sensitive information detection technologies (such as data leakage protection technologies) have emerged. With sensitive information detection technology, the mail currently being sent can be inspected, and mail that includes sensitive information can be blocked so that it is not sent out and does not cause information leakage.
However, the sensitive information detection policy may be updated according to the changing needs of the user, and at that point some historical mail that passed the previous sensitive information detection policy may carry a risk of information leakage, which affects information security.
Disclosure of Invention
The embodiment of the invention provides a mail detection method and device, which solve the problem in the prior art that, when the sensitive information detection policy is updated, historical mail that passed the original sensitive information detection policy may carry a risk of information leakage.
In a first aspect, an embodiment of the present invention provides a mail detection method, including:
when the sensitive information detection policy is updated, acquiring the historical mail within a preset range;
detecting whether the historical mail hits the updated sensitive information detection policy;
marking the historical mail that hits the updated sensitive information detection policy as abnormal mail;
and displaying the mail information of the abnormal mail.
In a second aspect, an embodiment of the present invention further provides a mail detection apparatus, including:
an acquisition module, configured to acquire the historical mail within a preset range when the sensitive information detection policy is updated;
a detection module, configured to detect whether the historical mail hits the updated sensitive information detection policy;
a marking module, configured to mark the historical mail that hits the updated sensitive information detection policy as abnormal mail;
and a display module, configured to display the mail information of the abnormal mail.
In a third aspect, an embodiment of the present invention further provides an electronic device, where the electronic device includes a processor and a memory, where the memory stores a program or instructions executable on the processor, and where the program or instructions implement the steps of the mail detection method according to the first aspect when executed by the processor.
In a fourth aspect, embodiments of the present invention also provide a computer-readable storage medium having stored thereon a program or instructions which, when executed by a processor, implement the steps in the mail detection method according to the first aspect.
In the embodiment of the invention, when the sensitive information detection policy is updated, the historical mail can be detected against the updated policy, mail that may include sensitive information can be screened out of the historical mail, and the information of the mail that hits the updated policy is displayed for the user to check. The user can then take handling measures for that mail, which reduces the risk of further information leakage.
Drawings
FIG. 1 is a flow chart of the steps of a mail detection method according to an embodiment of the present invention;
FIG. 2 is a schematic block diagram of a system provided by an embodiment of the present invention;
FIG. 3 is a first flow chart provided in an embodiment of the present invention;
FIG. 4 is a second flow chart of an embodiment of the present invention;
FIG. 5 is a third flow chart of an embodiment of the present invention;
FIG. 6 is a fourth flow chart of an embodiment of the present invention;
FIG. 7 is a topology diagram of a system architecture according to an embodiment of the present invention;
FIG. 8 is a schematic diagram of a system device deployment provided in an embodiment of the present invention;
FIG. 9 is a block diagram of a mail detection apparatus according to an embodiment of the present invention;
FIG. 10 is a block diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and fully with reference to the accompanying drawings, in which it is evident that the embodiments described are some, but not all embodiments of the invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
It should be appreciated that reference throughout this specification to "one embodiment" or "an embodiment" means that a particular feature, structure or characteristic described in connection with the embodiment is included in at least one embodiment of the present invention. Thus, the appearances of the phrases "in one embodiment" or "in an embodiment" in various places throughout this specification are not necessarily all referring to the same embodiment. Furthermore, the particular features, structures, or characteristics may be combined in any suitable manner in one or more embodiments.
In various embodiments of the present invention, it should be understood that the sequence numbers of the following processes do not mean the order of execution, and the order of execution of the processes should be determined by the functions and internal logic, and should not constitute any limitation on the implementation process of the embodiments of the present invention.
The embodiment of the invention provides a mail detection method, which can be applied to an information security system, in particular to a data leakage protection (Data leakage prevention, DLP) system based on mail scanning.
As shown in fig. 1, the method may include the steps of:
Step 101: when the sensitive information detection policy is updated, acquire the historical mail within a preset range.
When the sensitive information detection policy is updated, there is a high probability that some historical mail carries a risk of information leakage under the new policy, so in the embodiment of the present invention the historical mail may be acquired under this condition in order to detect it against the new policy.
In the embodiment of the present invention, the acquisition range of the historical mail may be preset. The acquisition range may be a time range, an organization structure range, a combination of the two, etc., so the preset range may include, but is not limited to, at least one of a preset time range (hereinafter referred to as the second preset time range) and a preset organization structure range. For example, the mail within the preset range may be the mail generated between 1 October 2021 and 31 December 2021, or the mail of company xx, or of department yy of company xx, within the period from 1 January 2021 to 31 December 2021.
Alternatively, the historical mail described herein may be at least one of sent mail and received mail. Since sent mail is more likely to cause information leakage, the historical mail is preferably the sent mail in order to reduce the risk of leakage. Of course, in some cases the sent mail may have been deleted, whereas the received mail includes the contents of both the incoming and outgoing mail, so the historical mail may also include received mail in order to avoid omissions.
Step 102: detect whether the historical mail hits the updated sensitive information detection policy.
In the embodiment of the invention, after the historical mail within the preset range is obtained, it can be detected against the updated detection policy, and the mail that may include sensitive information can be screened out of it.
Step 103: mark the historical mail that hits the updated sensitive information detection policy as abnormal mail.
Historical mail that hits the updated sensitive information detection policy is indicated to contain sensitive information that should not be leaked, that is, there is a larger probability of an information leakage risk, so the historical mail can be marked as abnormal mail, which makes it convenient for the user to handle it specifically.
Step 104: display the mail information of the abnormal mail.
In the embodiment of the invention, after the historical mail that may include sensitive information is marked as abnormal mail, its mail information can be displayed for the user to check, so that the user can determine whether the mail needs further handling. For example, if the user checks a mail that has already been sent and finds that it includes sensitive information that should not be leaked, the receiver can be notified to delete the mail and asked to keep its content confidential, which reduces the risk of further leakage. Specifically, the mail information of the abnormal mail may be displayed by a terminal device in the information detection system.
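As an added illustration of steps 101 to 104 (example code written for this page, not part of the patent or of any Wondersoft product), the following Python sketch represents a detection policy as a named set of regular expressions, re-scans a constructed history of sent and received mail after the policy is updated, marks the hits as abnormal and returns the rows that the display step would show. The policy patterns, the mail contents, the `ID-` followed by six digits format and the choice of regex matching are all assumptions.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime


@dataclass
class Policy:
    """A sensitive information detection policy: a name plus compiled patterns (assumed shape)."""
    name: str
    patterns: list

    def hits(self, text: str) -> list:
        # Return the pattern strings that match; an empty list means the mail passes.
        return [p.pattern for p in self.patterns if p.search(text)]


@dataclass
class Mail:
    sid: str                      # unique mail identifier (the text calls it the SID)
    sent_at: datetime
    sender: str
    subject: str
    body: str
    direction: str                # "sent" or "received"
    abnormal: bool = False        # set by the marking step
    hit_rules: list = field(default_factory=list)


def compile_policy(name, patterns):
    return Policy(name, [re.compile(p) for p in patterns])


# Original policy: only a project codename is treated as sensitive (constructed).
OLD_POLICY = compile_policy("v1", [r"\bProject Falcon\b"])
# Updated policy: the codename plus an internal identifier format (constructed).
NEW_POLICY = compile_policy("v2", [r"\bProject Falcon\b", r"\bID-\d{6}\b"])

# Constructed historical mail; sid-2 passed OLD_POLICY when it was sent.
HISTORY = [
    Mail("sid-1", datetime(2021, 11, 3, 9, 0), "alice@example.com", "weekly sync",
         "Nothing special.", "sent"),
    Mail("sid-2", datetime(2021, 11, 20, 14, 0), "bob@example.com", "request",
         "Please send ID-123456 to the vendor.", "sent"),
    Mail("sid-3", datetime(2022, 2, 1, 8, 0), "carol@example.com", "re: docs",
         "Ref ID-654321 attached.", "received"),
    Mail("sid-4", datetime(2021, 12, 10, 16, 0), "dave@example.com", "misc",
         "Lunch on Friday?", "received"),
]


def rescan_history(mails, new_policy, start, end, directions=("sent",)):
    """Steps 101-104: select the historical mail in the preset range (time range and
    direction), test it against the updated policy, mark the hits as abnormal and
    return the rows the operator display would show."""
    rows = []
    for m in mails:
        if not (start <= m.sent_at <= end) or m.direction not in directions:
            continue                                   # outside the preset range
        hits = new_policy.hits(m.subject + "\n" + m.body)
        if hits:
            m.abnormal = True                          # step 103: mark as abnormal
            m.hit_rules = hits
            rows.append({"sid": m.sid, "sender": m.sender, "subject": m.subject,
                         "sent_at": m.sent_at.isoformat(), "rules": hits})
    return rows


def demo():
    """Re-scan the sent mail of Q4 2021 under the updated policy."""
    return rescan_history(HISTORY, NEW_POLICY,
                          datetime(2021, 10, 1), datetime(2021, 12, 31, 23, 59, 59))


if __name__ == "__main__":
    for row in demo():
        print(row)
```

In this sample only `sid-2` is reported: it passed `OLD_POLICY` when it was sent, but hits the identifier pattern added in `NEW_POLICY`, which is exactly the kind of mail the backtracking task is meant to surface. Mail outside the time range (`sid-3`) is never examined even though it would also hit.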
Alternatively, since sent mail is more prone to information leakage, regardless of whether the historical mail is sent or received mail, detection can focus mainly on the content sent by the sender at the local end, so as to reduce the amount of data processed. For example, when detecting the historical mail of department yy of company xx, the content sent by the staff of that department is mainly detected.
As an alternative embodiment, the information detection system may further include a management platform and a file parsing platform. The management platform can provide the sensitive information detection policy and manage the backtracking task for the historical mail (i.e., the detection task for the historical mail). The file parsing platform can parse the historical mail and report the mail information of the historical mail that hits the sensitive policy to the management platform.
As shown in FIG. 2, the management platform can manage the backtracking task of the historical mail, such as initializing system parameters, initializing working threads and initializing thread pools through a system initialization module in the platform, so as to prepare for mail backtracking. In the process of executing the backtracking task, the management platform can inquire the historical mail information and add the inquired historical mail information into the file blocking queue to be analyzed.
The management platform may also send the sensitive information detection policy to the file parsing platform. After receiving the policy, the file parsing platform returns a receipt-success identifier to the management platform.
The file parsing platform can obtain a backtracking task thread from the thread pool through its interaction interface with the management platform and execute the corresponding thread, for example: start a scanning thread (i.e., a detection thread), take mail information from the blocking queue of files to be parsed, parse the mail information, detect it according to the sensitive information detection policy, and report the detection result to the management platform. The purpose of parsing is to convert different file types into the same format so that subsequent business processing is easier; for example, the file contents of docx, pptx and similar types are extracted into a text file for processing.
When the management platform and the file analysis platform are respectively deployed on different devices, the interaction interface between the management platform and the file analysis platform can be an http interface, and of course, the interaction interface can also be other available interfaces.
The management platform can also manage a visual interface on the terminal equipment in the information detection system in a background mode. The visual interface can display policy configuration information, backtracking task information, mail scanning results and the like. Communication connection is established between the terminal equipment and the management platform.
As an alternative embodiment, step 101: under the condition that the sensitive information detection strategy is updated, acquiring the historical mails in the preset range can comprise the following steps:
step A1: and displaying prompt information under the condition that the sensitive information detection strategy is updated.
Specifically, the prompt information can be displayed by a terminal device in the information detection system for the user to view.
The prompt message is used for prompting the update of the sensitive message detection strategy, and can further prompt the specific updated message. In addition, the user can be prompted whether to initiate a task of detecting historical mail.
Step A2: and receiving a starting instruction input by a user according to the prompt information, and acquiring a historical mail in a preset range according to the starting instruction.
The starting instruction is used for starting a detection task of the historical mail based on the updated sensitive information detection strategy.
As shown in fig. 3, the user may start the backtracking task of the historical mail or close the backtracking task of the historical mail through the management platform.
Optionally, in the embodiment of the present invention, user rights may be set for the startup operation and the shutdown operation of the backtracking task, that is, the corresponding operations may be performed only with corresponding rights. And when the user does not have the corresponding right, returning page prompt information to remind the user that the user does not have the corresponding operation right. For the rights judgment (i.e. "whether there is a right") shown in the figure, the judgment may be made based on biometric information (such as fingerprint, sound, face, iris, etc.), password information, or a combination of both.
Optionally, after the detection task is started, page notification information may be fed back to the terminal device to inform the user of the file acquisition process task status (i.e., the detection task status of the historical mail).
Alternatively, the user may input the start instruction through a terminal device in the information detection system. For example, a control page of the information detection system is displayed in a display screen of the terminal device, and a control button is displayed in the control page, and by triggering the button, a detection task can be started.
Optionally, in an embodiment of the present invention, the updating of the sensitive information detection policy may include: newly added sensitive information detection strategies, modified content of the original sensitive information detection strategies and the like.
Wherein, step A1 and step A2 may be implemented by a management platform.
As an alternative embodiment, as shown in fig. 3, the user may set the backtracking task information, such as setting the mail scanning range (i.e., the preset range), setting the scanning policy (i.e., the sensitive information detection policy), setting the task execution period, setting advanced options (e.g., an upper limit on CPU (central processing unit) usage, an upper limit on hard disk occupancy, an upper limit on memory occupancy, etc.), setting hardware resource limitation conditions (e.g., monitoring hardware information such as CPU, hard disk and memory), and setting backup scanning settings (i.e., setting the root directory of the backup mail). After setup is completed, the setting information may be saved to the management platform database. After the backtracking task is started, the setting information stored in the management platform database can be loaded into Redis for use while the backtracking task executes.
After the setting is completed, the user can also add, modify or delete backtracking setting information as required. User rights can be set for editing the setting information, that is, only a user with the corresponding right can edit it. The rights determination (i.e., "whether there is a right") shown in the figure may be based on biometric information (e.g., fingerprint, voice, face, iris, etc.), password information, or a combination of both.
Optionally, step 101: under the condition that the sensitive information detection strategy is updated, acquiring the historical mails in the preset range can comprise the following steps:
and under the condition that the sensitive information detection strategy is updated and the preset acquisition condition is met, acquiring the historical mails in the preset range.
Wherein, the preset acquisition condition may include at least one of: the current moment is in a first preset time range (namely a task execution period), the currently executed mail detection tasks are larger than or equal to the preset number, and preset hardware information meets preset conditions.
In order to better execute the detection task of the historical mail and also to reduce the influence of the detection task of the historical mail on other processing tasks (such as the detection task of the actual mail), the execution condition of the detection task of the historical mail can be set.
For example, a limit is imposed on the amount of mail detection tasks. When the current amount of mail detection tasks reaches the preset amount, no further detection task should be executed, so that the processor is not overloaded. As shown in fig. 4, the user triggers the task start instruction through the information system control page displayed on the terminal device, that is, the terminal device receives the task start instruction. The terminal device may then determine whether the number of detection tasks currently started is greater than or equal to the preset number (e.g., 3). If so, the task start instruction is not responded to, and the reason for the failed response may be displayed. If not, the task start instruction is sent to the management platform. Here, the started detection tasks (i.e., the detection tasks currently being performed) include, but are not limited to, at least one of a detection task for historical mail and a detection task for real-time mail.
As shown in fig. 5, after receiving an instruction, the management platform may analyze the instruction, determine specific instruction content, and change the task state according to the specific instruction content. For example, when the instruction is a start instruction, the task state is updated from the off state to the start state; when the instruction is a closing instruction, the task state is updated from the starting state to the closing state. After the task state is updated, the management platform detects the task state and changes the related information according to the current task state.
For another example, the task execution time is limited, that is, the task execution period is set as shown in fig. 3, and the task execution period may be set in a period in which the system is idle, for example, 10 pm to 5 am the next day, etc., so as not to increase the burden on the system. For example, as shown in fig. 5, after the local scanning task is started, it is first determined whether the current time is within a preset task execution period. If not, continuing to judge. If yes, executing the subsequent steps. It will be appreciated that the specific time range may be set according to the actual situation.
For another example, restrictions are made on hardware information, such as CPU usage, hard disk occupancy, memory occupancy, etc., i.e., setting hardware resource restrictions and setting advanced options as described in fig. 3. For example, as shown in FIG. 5, in polling archive mail query results, it may be determined whether the advanced option set limit is exceeded. If yes, no subsequent steps are performed. If not, the following steps are continued.
The preset hardware information meeting the preset condition may include at least one of the following: the CPU usage rate is less than or equal to a first preset value, the hard disk occupancy rate is less than or equal to a second preset value, and the memory occupancy rate is less than or equal to a third preset value. The first, second and third preset values may be set according to actual requirements, which is not limited in the embodiment of the present invention.
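The preset acquisition conditions above can be checked in one gating function. The following is an added example written for this page (not the patent's own code): the task execution period of 10 pm to 5 am and the task-count threshold of 3 come from the text's examples, the hardware limit values are assumed, and the task-count check refuses to start when the count is already at or above the preset number, as the fig. 4 description states. The function also handles the case the text's own example raises: an execution window that crosses midnight.

```python
from datetime import datetime, time

LIMITS = {"cpu": 70.0, "disk": 85.0, "mem": 80.0}   # upper limits in percent (assumed values)
MAX_RUNNING_TASKS = 3                                # preset number from the fig. 4 example
WINDOW = (time(22, 0), time(5, 0))                   # task execution period: 10 pm to 5 am next day


def _as_datetime(value):
    # Accept either a datetime or an ISO 8601 string such as "2021-11-01T23:30".
    return value if isinstance(value, datetime) else datetime.fromisoformat(value)


def in_execution_window(now, window=WINDOW):
    """True when `now` falls inside the daily window. A window whose end is earlier
    than its start (10 pm to 5 am) wraps past midnight, which a naive
    start <= t <= end comparison would reject for every time after midnight."""
    start, end = window
    t = _as_datetime(now).time()
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def hardware_ok(usage, limits=LIMITS):
    """Every monitored resource must be at or below its configured upper limit.
    A resource missing from `usage` is treated as unknown and therefore not OK."""
    return all(k in usage and usage[k] <= v for k, v in limits.items())


def may_acquire_history(now, running_tasks, usage, policy_updated=True):
    """Return (allowed, reason). Historical mail is acquired only when the policy has
    been updated and every preset acquisition condition holds."""
    if not policy_updated:
        return False, "sensitive information detection policy not updated"
    if running_tasks >= MAX_RUNNING_TASKS:
        return False, f"{running_tasks} detection tasks already running (limit {MAX_RUNNING_TASKS})"
    if not in_execution_window(now):
        return False, "current time is outside the task execution period"
    if not hardware_ok(usage):
        return False, "hardware resource limit exceeded"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample readings: late evening, two tasks running, moderate load.
    print(may_acquire_history("2021-11-01T23:00", 2, {"cpu": 50, "disk": 60, "mem": 40}))
    print(may_acquire_history("2021-11-01T12:00", 0, {"cpu": 10, "disk": 10, "mem": 10}))
```

Treating a missing hardware reading as a failed condition is a deliberate choice: the text's intent is to keep the backtracking task from loading a busy system, so an unknown load should not be taken as low load.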
As an alternative embodiment, step 101: the obtaining the historical mail in the preset range may include:
Step B1: query the storage directory of the historical mail generated within the preset range according to a preset query rule.
The preset query rule may include: splitting the mail query into query tasks by year, month, day and hour in sequence.
For example, as shown in fig. 5, when querying the mail within the preset mail scanning range, the query can be split into query tasks by year, month, day and hour, and the query is then performed according to the split tasks. For example: split by year into yearly tasks and record the current query year; split each yearly task by month into monthly tasks and record the current query month; split each monthly task by day into daily tasks and record the current query day; split each daily task by hour into hourly tasks and record the current query hour. For each mail found, its security identifier (SID), i.e., the unique identifier of the mail, is recorded at the same time.
The specific query process may be: obtain the time range of the query task (i.e., the second preset time range) and the historical query page number, query in ascending time order, calculate and query the storage directory of the mail, and update the query page number. The page number referred to here is the number of the mail page.
When inquiring, the local mail can be inquired, and the network file, such as the mail stored in the network disk, can also be inquired. As shown in fig. 5, the scanning task for local archive mail may be initiated first.
Step B2: acquire the historical mail according to the storage directory.
After the storage directory is obtained, the corresponding historical mails can be obtained under the storage directory.
Wherein steps B1 and B2 may be performed by the management platform.
Optionally, step B1: according to a preset query rule, querying a storage catalog of historical mails generated in a preset range can comprise:
step B11: and judging whether the corresponding historical mails are stored in the inquired storage directory.
As shown in fig. 5, after obtaining the query result of the archive mail (i.e., the queried storage directory), the query result of the archive mail may be polled to determine whether the archive file exists, i.e., whether the corresponding historical mail is stored under the queried storage directory.
Step B12: and under the condition that the corresponding historical mails are not stored in the storage directory, judging whether the historical mails have backup mails or not.
As shown in fig. 5, in the embodiment of the present invention, when the corresponding historical mail is not stored in the storage directory, it may be determined whether the archive backup file of the historical mail exists.
Step B13: and under the condition that the historical mail has the backup mail, acquiring a storage catalog of the backup mail.
As shown in fig. 5, in the case where the archive backup file of the history mail exists, the storage path (i.e., the storage directory) of the backup file may be determined according to the backup scan setting information (i.e., the preset root directory information of the backup mail), the version information (i.e., the number information corresponding to the intermediate storage path of the backup file), and the backup file information (i.e., the name information of the backup file).
For example, the preset root directory information is D disc, and the intermediate storage path (such as file clip path) indicated by the version information is sequentially from the upper level to the lower level: folder A > text folder B, the name of the backup file is backup a, and the storage path of the backup file can be obtained according to the information as follows: d disc > folder a > text folder B > backup a.
In the embodiment of the present invention, version information is associated with an intermediate storage path, and a number replaces the same intermediate storage path to be stored in the database, and the number is smaller than the data amount of the specific path information, so that the data storage amount can be greatly reduced compared with the direct storage path information.
Because the storage paths of the backup files may change, the storage path numbers corresponding to the same backup file in different periods may be different, namely: version information corresponding to the same backup file at different times may be different.
As shown in fig. 5, in the case where the archive backup file of the history mail does not exist, it is determined whether the storage directory does not exist, that is, whether the storage directory is detected continuously for a preset number of times: in the event that the archive backup file of the historical mail does not exist, then it is again determined whether a storage directory of the historical mail exists. And if the existence of the storage catalogue of the historical mail is determined within the preset times, polling is conducted again. If the continuous preset times determine that the storage catalog of the historical mail does not exist, recording the detection task state of the historical mail as abnormal stop.
When the corresponding historical mails are stored under the storage directory or the corresponding historical mails are not stored but backup mails are stored, if the archived mails are stored in an encrypted mode, the encrypted compressed mails can be decompressed to the temporary directory through the passwords of the archived data records.
When the mail scanning range not only comprises a preset time range but also comprises a preset organization structure range, stored mails can be obtained from the temporary directory, and whether the mails are in the preset organization structure range or not is judged according to the information of the sender and the receiver in the mails. If not, acquiring the next historical mail for judgment. If yes, judging whether the scanning queue (namely the file cache queue to be analyzed) exceeds the limit. If the threshold is exceeded, continuing to judge. If the result is not exceeded, judging whether the archive mail is scanned, and if so, polling the next query result. If not, the mail information of the archived mail is assembled, and the assembled mail information is sent to a scanning queue cache. Wherein, the mail information is assembled by: the mail information is spliced together according to a specified message format, such as information of a sender, a theme, an attachment name, an attachment file path and the like of the mail.
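The organization-range filter, the bounded scanning queue and the assembling of mail information described above, as an added example written for this page rather than the patent's code. The directory that maps mailboxes to department paths, the JSON message format, the sample mail and the queue limit are all assumptions; the patent only says that the fields are spliced together in a specified message format.

```python
import json
from queue import Queue, Full

# Constructed organization structure: mailbox -> department path. The preset organization
# structure range is a department path prefix ("xx" = the whole company, "xx/yy" = one department).
DIRECTORY = {
    "alice@xx.example": "xx/yy",
    "bob@xx.example": "xx/zz",
    "eve@partner.example": None,          # external party, in no internal department
}

# Constructed stored mail, as read back from the temporary directory.
MAILS = [
    {"sid": "m1", "sender": "alice@xx.example", "receivers": ["eve@partner.example"],
     "subject": "roadmap", "attachments": [{"name": "plan.docx", "path": "/tmp/scan/m1/plan.docx"}]},
    {"sid": "m2", "sender": "bob@xx.example", "receivers": ["eve@partner.example"],
     "subject": "invoice", "attachments": []},
    {"sid": "m3", "sender": "eve@partner.example", "receivers": ["alice@xx.example"],
     "subject": "re: roadmap", "attachments": []},
    {"sid": "m4", "sender": "eve@partner.example", "receivers": ["nobody@elsewhere.example"],
     "subject": "newsletter", "attachments": []},
]


def in_org_range(mail, org_range):
    """A mail is in range when its sender or any receiver belongs to a department
    at or below `org_range`. Addresses unknown to the directory never qualify."""
    for addr in [mail["sender"], *mail["receivers"]]:
        dept = DIRECTORY.get(addr)
        if dept and (dept == org_range or dept.startswith(org_range + "/")):
            return True
    return False


def assemble_mail_info(mail):
    """Splice the fields the scanner needs into one message in a fixed format
    (JSON with sorted keys is the assumed format)."""
    return json.dumps({
        "sender": mail["sender"],
        "subject": mail["subject"],
        "attachments": [a["name"] for a in mail["attachments"]],
        "attachment_paths": [a["path"] for a in mail["attachments"]],
    }, sort_keys=True)


def enqueue_for_scan(mails, org_range, queue_limit=2):
    """Filter stored mail by organization range and push the assembled info into a
    bounded scanning queue. Returns (queued messages, SIDs deferred because the queue
    was already at its limit, which the text handles by checking again later)."""
    scan_queue = Queue(maxsize=queue_limit)
    deferred = []
    for m in mails:
        if not in_org_range(m, org_range):
            continue                                   # outside the organization range
        try:
            scan_queue.put_nowait(assemble_mail_info(m))
        except Full:
            deferred.append(m["sid"])                  # queue over its limit
    queued = []
    while not scan_queue.empty():
        queued.append(scan_queue.get_nowait())
    return queued, deferred


if __name__ == "__main__":
    print(enqueue_for_scan(MAILS, "xx/yy", queue_limit=1))
    print(enqueue_for_scan(MAILS, "xx", queue_limit=2))
```

Mail `m3` is incoming but still counts for department yy because its receiver belongs to that department, matching the text's rule that both sender and receiver information decide the range; `m4` involves no internal mailbox and is dropped regardless of the range.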
In the polling process, as shown in fig. 5, it may also be determined whether the traversal (i.e. polling) is completed, if so, the detection task buffer is cleared, and an interface response message is returned to the terminal device to inform the user of the task execution status. When the detection task is stopped, the detection task buffer memory is cleaned, and interface response information is returned, namely the user is informed of the task execution state.
As an alternative embodiment, step B1, querying the storage directory of historical mails generated within the preset range according to a preset query rule, may include:
Step B14: while the storage directory is being queried according to the preset query rule, recording the current query progress and the query rule.
Step B15: when a restart is detected, continuing to query the storage directory from the recorded query progress according to the recorded query rule.
In the embodiment of the invention, while the historical mail storage directory is being queried, the query progress can be recorded in real time, for example as a certain mail at a certain hour and minute of a certain day of a certain month. In addition, the current query rule and the execution state of the detection task can also be recorded. Thus, as shown in fig. 5, when the service is restarted and the backtracking task is reloaded, the cached task state can be read first, and whether the task was in the started state before the restart can be determined from that cached state. If the task was in the started state, the cached task query rule information is read and the cached sid information is added to the query rule before the query continues, so that mails that have already been queried are not queried again.
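The polling and checkpoint logic of the two passages above, as an added example that is not part of the patent: it walks the archive in year/month/day/hour partitions, falls back to the backup copy, records an abnormal stop after a preset number of consecutive misses, filters by organization range, respects the scan queue limit, skips already-queried sids, and serializes the task cache so a restarted service resumes from the recorded progress. The in-memory archive, the domain-based organization range and the JSON checkpoint format are assumptions made here.

```python
import json
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, Iterator, List, Optional, Set, Tuple

# The page's query rule splits the directory walk by year, month, day and hour.
Partition = Tuple[int, int, int, int]


@dataclass
class MailRecord:
    sid: str                # stable mail id; the page caches queried ids as "sid"
    sender: str
    recipients: List[str]
    subject: str
    attachments: List[str]  # attachment file paths inside the temporary directory


@dataclass
class QueryState:
    """What the page says the task cache records: rule, progress, queried sids."""
    start: datetime
    end: datetime
    org_domains: Set[str]   # assumed encoding of the organization structure range
    progress: Optional[Partition] = None
    queried_sids: Set[str] = field(default_factory=set)
    status: str = "started"  # started | finished | abnormal_stop


def partitions(state: QueryState) -> Iterator[Partition]:
    """Yield hour partitions in order, starting at the recorded progress (inclusive)."""
    cur = state.start.replace(minute=0, second=0, microsecond=0)
    while cur <= state.end:
        part = (cur.year, cur.month, cur.day, cur.hour)
        if state.progress is None or part >= state.progress:
            yield part
        cur += timedelta(hours=1)


def in_org_range(rec: MailRecord, org_domains: Set[str]) -> bool:
    """In range when the sender or any recipient belongs to an organization domain."""
    return any(addr.rsplit("@", 1)[-1].lower() in org_domains
               for addr in [rec.sender, *rec.recipients])


def assemble(rec: MailRecord, part: Partition) -> str:
    """Splice the mail fields into the fixed message format the scan queue expects."""
    return json.dumps({"sid": rec.sid, "partition": part, "sender": rec.sender,
                       "subject": rec.subject, "attachments": rec.attachments},
                      sort_keys=True)


def poll(archive: Dict[Partition, List[MailRecord]],
         backup: Dict[Partition, List[MailRecord]],
         state: QueryState, queue: List[str], queue_limit: int,
         max_misses: int = 3) -> int:
    """Walk partitions from the checkpoint and return how many mails were enqueued.

    A partition missing from the archive falls back to the backup; max_misses
    consecutive partitions missing from both record an abnormal stop. A full
    queue returns early with progress preserved so the caller can resume later.
    """
    misses, enqueued = 0, 0
    for part in partitions(state):
        state.progress = part              # checkpoint before reading the data
        mails = archive.get(part)
        if mails is None:
            mails = backup.get(part)
        if mails is None:
            misses += 1
            if misses >= max_misses:
                state.status = "abnormal_stop"
                return enqueued
            continue
        misses = 0
        for rec in mails:
            if rec.sid in state.queried_sids:     # already scanned: do not re-query
                continue
            if not in_org_range(rec, state.org_domains):
                continue
            if len(queue) >= queue_limit:         # queue over limit: wait, keep progress
                return enqueued
            queue.append(assemble(rec, part))
            state.queried_sids.add(rec.sid)
            enqueued += 1
    state.status = "finished"
    return enqueued


def save_state(state: QueryState) -> str:
    """Serialize the task cache so a restarted service resumes instead of restarting."""
    return json.dumps({"start": state.start.isoformat(), "end": state.end.isoformat(),
                       "org_domains": sorted(state.org_domains), "progress": state.progress,
                       "queried_sids": sorted(state.queried_sids), "status": state.status})


def load_state(blob: str) -> QueryState:
    d = json.loads(blob)
    return QueryState(datetime.fromisoformat(d["start"]), datetime.fromisoformat(d["end"]),
                      set(d["org_domains"]), tuple(d["progress"]) if d["progress"] else None,
                      set(d["queried_sids"]), d["status"])


# Constructed sample archive: hour 9 is missing from the primary archive but present
# in the backup; hour 8 holds one in-range and one out-of-range mail.
T0 = datetime(2022, 3, 30, 8)
SAMPLE_ARCHIVE = {
    (2022, 3, 30, 8): [MailRecord("s1", "alice@corp.example", ["bob@corp.example"], "Q1 plan", ["/tmp/q1.xlsx"]),
                       MailRecord("s2", "ext@other.example", ["eve@other.example"], "newsletter", [])],
    (2022, 3, 30, 10): [MailRecord("s4", "carol@corp.example", ["x@partner.example"], "contract", ["/tmp/c.pdf"])],
}
SAMPLE_BACKUP = {(2022, 3, 30, 9): [MailRecord("s3", "dave@corp.example", [], "payroll", ["/tmp/p.docx"])]}
```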
As an alternative embodiment, step 102, detecting whether the historical mail hits the updated sensitive information detection policy, may include:
determining that the updated sensitive information detection policy is hit when the mail content of the historical mail includes preset keyword information, the mail content of the historical mail matches a preset regular expression, and/or the file attribute information of an attachment in the historical mail matches preset file attribute information.
The file attribute information may include at least one of file size, file creation time, file modification time and file author.
Optionally, different detection tasks may have different sensitive information detection policies, so a correspondence between detection tasks and sensitive information detection policies may be established in advance, and when a detection task is executed, the sensitive information detection policy corresponding to that task is obtained.
To better understand the above detection process, the file parsing process of the file parsing platform is further explained using fig. 6 as an example.
The file parsing platform may include a file scanning process module and a policy matching module.
As shown in fig. 6, the file scanning process module may read the scanning queue, obtain the file to be scanned, parse the file, disassemble the parsed packet, add the scanning task number, and send the detection policy and the file scanning result data to the policy matching module. After obtaining the file to be scanned, the file scanning process module can first judge whether the size of the file to be scanned exceeds a threshold; if so, the file to be scanned is added to the ordinary file analysis queue, and if the threshold is not exceeded, the file to be scanned is added to the large file analysis queue. The file scanning process module can then call a file analysis thread to analyze the file to be scanned, obtain the analyzed file information, and generate an analysis result message from that information. Optionally, the file analysis platform may have a timeout judgment mechanism: a timeout thread obtains the timed-out analysis requests, and when a timed-out request concerns a historical mail, the timeout record is deleted from the analysis queue directly, without sending a notification mail to the user.
The policy matching module receives the detection policy and the file scanning result data sent by the file scanning process module, reads the detection policy corresponding to the current scanning task according to the task number of that task, detects the file to be scanned according to the read detection policy, and then returns the detection result to the file scanning process module. The file content in the mail that hits the detection policy can be written as JSON (JavaScript Object Notation), which is then written into the detection result.
The file scanning process module receives the detection result and sends it to the management platform as event information. Because the embodiment of the invention detects historical mail, when a historical mail is detected to hit the detection policy, the detection result only needs to be reported to the management platform; it does not need to be sent to the local sender of the historical mail.
The event receiving module in the management platform receives the event information, then judges whether the evidence file storage function is enabled, and stores the event evidence file if it is. It then judges whether the evidence file backup function is enabled and, if so, adds the evidence file to the evidence file backup queue for backup. The event receiving module in the management platform can also store the event information in the platform database and delete the corresponding mail from the temporary directory.
Because not all file scans must be handled in time, if a request is determined to belong to a trace-back task, a trace-back task that has timed out will not send a notification of the timeout.
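A policy matcher for the hit conditions described above (keywords, regular expressions, attachment attributes), together with the task-number lookup and JSON detection result of the policy matching module, as an added example that is not the patent's code. The policy table, the rule names, the sample mails and the masking of matched values in the event record are assumptions made here.

```python
import json
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Attachment:
    name: str
    size: int        # bytes
    created: str     # ISO-8601 dates, so plain string comparison orders them correctly
    modified: str
    author: str


@dataclass
class Mail:
    sid: str
    sender: str
    subject: str
    body: str
    attachments: List[Attachment]


@dataclass
class Policy:
    """One sensitive information detection policy: keywords, regexes, attachment attributes."""
    keywords: List[str]
    regexes: List[str]
    attr_rules: Dict[str, object]   # assumed rule names: min_size, author, created_after, modified_after


# Hypothetical task number -> policy table standing in for the page's pre-established
# correspondence between detection tasks and detection policies.
POLICIES: Dict[str, Policy] = {
    "task-0001": Policy(
        keywords=["confidential", "payroll"],
        # constructed patterns: an 18-digit national ID number and a 16-19 digit card number
        regexes=[r"\b\d{17}[\dXx]\b", r"\b\d{16,19}\b"],
        attr_rules={"min_size": 1_000_000, "author": "finance", "modified_after": "2022-03-01"},
    ),
}


def mask(value: str) -> str:
    """Keep only the last four characters of a matched value in the event record."""
    return "*" * max(len(value) - 4, 0) + value[-4:]


def attribute_hits(att: Attachment, rules: Dict[str, object]) -> List[str]:
    """Return the names of the attribute rules the attachment satisfies."""
    reasons = []
    if "min_size" in rules and att.size >= rules["min_size"]:
        reasons.append("size")
    if "author" in rules and att.author.lower() == str(rules["author"]).lower():
        reasons.append("author")
    if "created_after" in rules and att.created >= str(rules["created_after"]):
        reasons.append("created")
    if "modified_after" in rules and att.modified >= str(rules["modified_after"]):
        reasons.append("modified")
    return reasons


def match_mail(mail: Mail, policy: Policy) -> List[dict]:
    """Evaluate keyword, regex and attachment-attribute rules; return every hit."""
    hits: List[dict] = []
    text = mail.subject + "\n" + mail.body
    lowered = text.lower()
    for kw in policy.keywords:
        if kw.lower() in lowered:
            hits.append({"type": "keyword", "value": kw})
    for pattern in policy.regexes:
        for m in re.finditer(pattern, text):
            hits.append({"type": "regex", "pattern": pattern, "value": mask(m.group(0))})
    for att in mail.attachments:
        reasons = attribute_hits(att, policy.attr_rules)
        if reasons:
            hits.append({"type": "attachment", "name": att.name, "reasons": reasons})
    return hits


def detect(mail: Mail, task_no: str) -> Optional[str]:
    """Look up the task's policy; return the JSON detection result, or None when nothing hits."""
    policy = POLICIES.get(task_no)
    if policy is None:
        raise KeyError(f"no detection policy for task {task_no}")
    hits = match_mail(mail, policy)
    if not hits:
        return None
    return json.dumps({"task": task_no, "sid": mail.sid, "sender": mail.sender,
                       "status": "abnormal", "hits": hits}, sort_keys=True)


# Constructed sample mails (no real data).
SAMPLE_HIT = Mail("m-1", "alice@corp.example", "Confidential: Q1 payroll",
                  "ID 110101199001011234 attached, card 6222021234567890.",
                  [Attachment("payroll.xlsx", 2_500_000, "2022-02-20", "2022-03-15", "Finance")])
SAMPLE_CLEAN = Mail("m-2", "bob@corp.example", "Lunch?", "Noodles at 12?",
                    [Attachment("menu.pdf", 40_000, "2022-01-05", "2022-01-05", "bob")])
```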
Finally, the embodiment of the invention also provides an optional topology diagram and an implementation deployment diagram of the information security system, shown in figs. 7 and 8 respectively.
FIG. 7 illustrates an alternative implementation topology of an information security system. The DLP console corresponds to the management platform and includes a background management system. The configuration center corresponds to the information middleware, such as a database and redis, used to store information. The file analysis platform can obtain the mail storage directory from the configuration center and obtain the corresponding mails from local files and/or network files in the file server according to the mail storage directory. A network file may be a file stored on a disk, on network attached storage (NAS), or the like.
FIG. 8 illustrates an alternative deployment diagram of an information security system. As shown in fig. 8, the user may trigger a backtracking detection task for historical mail through the terminal device. The backtracking detection task is first sent to the load balancer. When there are multiple backtracking detection tasks, the load balancer can distribute them to different management platforms to achieve load balancing; for example, when there are 4 detection tasks, the 4 detection tasks can be distributed to the 4 management platforms in the figure respectively. The load balancer may be an F5 load balancer.
After receiving the backtracking detection task sent by the load balancer, the management platform executes it. Some of the data generated while executing the backtracking detection task, such as the queried mail storage directory information, may be stored in MySQL equipment; the MySQL equipment in the figure includes a MySQL master, a MySQL slave and a MySQL standby. The generated data can also be stored in redis equipment; the figure includes 6 redis master devices.
The management platform can send the detection task to the file analysis platform. After receiving the detection task sent by the management platform, the file analysis platform reads the required mails from the file server (namely the getfile server), analyzes and detects the read mails, and reports the detection result to the corresponding management platform, which then sends the detection result to the corresponding terminal device for the user to view.
Mail from outside the system can be sent to the getfile client (that is, a component with a file storage receiving function) and then uploaded to the getfile server by the getfile client.
When a mail in the getfile server is to be used outside the system, the getfile client may acquire the mail from the getfile server and send it to the desensitization system (a non-DLP system). The desensitization system desensitizes the mail, that is, processes the sensitive information in it.
Mail that has passed through the desensitization system can also be sent to the file analysis platform, which detects sensitive information in the mail and reports the detection result to the corresponding management platform. The desensitization system may send detection tasks to the load balancer, which forwards them to the file analysis platform. When there are multiple desensitization tasks, the load balancer can distribute them to different file analysis platforms for execution to achieve load balancing; for example, when there are 4 desensitization tasks, the 4 desensitization tasks can be distributed to the 4 file analysis platforms in the figure respectively. This load balancer may be an nginx load balancer.
In addition, to guard against server failures and file security problems such as file loss or file corruption, the file server needs to be deployed as a highly available cluster, as shown in fig. 8.
The above is a description of the mail detection method provided by the embodiment of the application.
In summary, in the embodiment of the present application, when the sensitive information detection policy is updated, historical mails can be detected against the updated sensitive information detection policy, the mails that may contain sensitive information can be screened out of the historical mails, and the information of the mails that hit the updated sensitive information detection policy can be displayed for the user to view, so that the user can take handling measures for those mails and the risk of further information leakage is reduced.
Having described the mail detection method provided by the embodiment of the present invention, the mail detection device provided by the embodiment of the present invention is described below with reference to the accompanying drawings.
The embodiment of the invention also provides a mail detection device, which can be applied to an information security system, in particular to a data leakage protection system based on mail scanning.
As shown in fig. 9, the apparatus may include:
an acquiring module 901, configured to acquire historical mails within a preset range when the sensitive information detection policy is updated;
a detecting module 902, configured to detect whether the historical mails hit the updated sensitive information detection policy;
a marking module 903, configured to mark the historical mails that hit the updated sensitive information detection policy as abnormal mails;
and a display module 904, configured to display the mail information of the abnormal mails.
Optionally, the acquiring module 901 includes:
a first acquisition unit, configured to acquire the historical mails within the preset range when the sensitive information detection policy is updated and a preset acquisition condition is met.
The preset acquisition condition includes at least one of the following: the current moment is within a first preset time range; the number of detection tasks being executed at the current moment is greater than or equal to a preset number; and preset hardware information meets a preset condition.
The preset hardware information meeting the preset condition includes at least one of: the CPU usage rate is less than or equal to a first preset value, the hard disk occupancy rate is less than or equal to a second preset value, and the memory occupancy rate is less than or equal to a third preset value.
Optionally, the acquiring module 901 includes:
a query unit, configured to query the storage directory of the historical mails generated within the preset range according to a preset query rule;
wherein the preset query rule includes dividing the mails into queries by year, month, day and hour in turn;
and a second acquisition unit, configured to acquire the historical mails according to the storage directory.
Optionally, the query unit includes:
a recording subunit, configured to record the current query progress and the query rule while the storage directory is being queried according to the preset query rule;
and a query subunit, configured to continue the query from the recorded query progress according to the recorded query rule when a restart is detected.
Optionally, the query unit includes:
a first judging subunit, configured to judge whether the corresponding historical mails are stored in the queried storage directory;
a second judging subunit, configured to judge whether a backup mail of the historical mail exists when the corresponding historical mail is not stored in the storage directory;
and an acquisition subunit, configured to acquire the storage directory of the backup mail when a backup mail of the historical mail exists.
Optionally, the preset range includes at least one of a second preset time range and a mail range corresponding to a preset organization structure.
Optionally, the detecting module 902 includes:
a detecting unit, configured to determine that the updated sensitive information detection policy is hit when the mail content of the historical mail includes preset keyword information, the mail content of the historical mail matches a preset regular expression, and/or the file attribute information of an attachment in the historical mail matches preset file attribute information.
The file attribute information includes at least one of file size, file creation time, file modification time and file author.
The mail detection device provided by the embodiment of the present invention can implement each process of the mail detection method in the method embodiment shown in fig. 1; to avoid repetition, a detailed description is omitted here.
When the sensitive information detection policy is updated, the mail detection device provided by the embodiment of the invention can detect historical mails against the updated sensitive information detection policy, screen out the mails that may contain sensitive information, and display the information of the mails that hit the updated sensitive information detection policy for the user to view, so that the user can take handling measures for those mails and the risk of further information leakage is reduced.
The embodiment of the invention also provides an electronic device, which includes a memory, a processor and a bus. The memory stores a program or instructions executable on the processor which, when executed by the processor, perform the steps of the mail detection method described above.
For example, fig. 10 shows a schematic diagram of the physical structure of an electronic device.
As shown in fig. 10, the electronic device may include a processor 1010, a communications interface 1020, a memory 1030 and a communication bus 1040, where the processor 1010, the communications interface 1020 and the memory 1030 communicate with each other via the communication bus 1040. The processor 1010 may invoke logic instructions in the memory 1030 to perform the following method:
when the sensitive information detection policy is updated, acquiring historical mails within a preset range;
detecting whether the historical mails hit the updated sensitive information detection policy;
marking the historical mails that hit the updated sensitive information detection policy as abnormal mails;
and displaying the mail information of the abnormal mails.
Further, the logic instructions in the memory 1030 described above may be implemented in the form of software functional units and stored in a computer-readable storage medium when sold or used as a stand-alone product. Based on this understanding, the technical solution of the present invention, in essence or in the part that contributes to the prior art, may be embodied in the form of a software product stored in a storage medium and comprising several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method according to the embodiments of the present invention. The aforementioned storage medium includes a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or any other medium capable of storing program code.
The embodiment of the present invention also provides a computer-readable storage medium storing a program or instructions which, when executed by a processor, perform the mail detection method provided in the above embodiments; for example, the following method may be performed:
when the sensitive information detection policy is updated, acquiring historical mails within a preset range;
detecting whether the historical mails hit the updated sensitive information detection policy;
marking the historical mails that hit the updated sensitive information detection policy as abnormal mails;
and displaying the mail information of the abnormal mails.
The apparatus embodiments described above are merely illustrative: the units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; they may be located in one place or distributed over a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art can understand and implement the present invention without undue effort.
From the above description of the embodiments, it will be apparent to those skilled in the art that the embodiments may be implemented by means of software plus the necessary general hardware platform, or of course by means of hardware. Based on this understanding, the foregoing technical solution, in essence or in the part that contributes to the prior art, may be embodied in the form of a software product, which may be stored in a computer-readable storage medium such as a ROM, a RAM, a magnetic disk or an optical disk, and which includes several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to execute the method described in the respective embodiments or in some parts of the embodiments.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solution of the present invention and are not limiting. Although the invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art will understand that the technical solutions described in the foregoing embodiments can still be modified, or some of their technical features replaced by equivalents, and that such modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (9)

1. A mail detection method, characterized in that the method comprises:
acquiring historical mails within a preset range when the sensitive information detection policy is updated, wherein the preset range comprises at least one of a second preset time range and a mail range corresponding to a preset organization structure, and the historical mails comprise at least one of sent mails and received mails;
detecting whether the historical mails hit the updated sensitive information detection policy;
marking the historical mails that hit the updated sensitive information detection policy as abnormal mails;
displaying mail information of the abnormal mails;
wherein acquiring the historical mails within the preset range when the sensitive information detection policy is updated comprises: displaying prompt information when the sensitive information detection policy is updated; receiving a start instruction input by the user according to the prompt information; and, when the user has the operation right, acquiring the historical mails within the preset range according to the start instruction.
2. The mail detection method according to claim 1, wherein acquiring the historical mails within the preset range when the sensitive information detection policy is updated comprises:
acquiring the historical mails within the preset range when the sensitive information detection policy is updated and a preset acquisition condition is met;
wherein the preset acquisition condition includes at least one of the following: the current moment is within a first preset time range; the number of mail detection tasks being executed at the current moment is greater than or equal to a preset number; and preset hardware information meets a preset condition;
wherein the preset hardware information meeting the preset condition includes at least one of: the CPU usage rate is less than or equal to a first preset value, the hard disk occupancy rate is less than or equal to a second preset value, and the memory occupancy rate is less than or equal to a third preset value.
3. The mail detection method according to claim 1, wherein acquiring the historical mails within the preset range comprises:
querying the storage directory of the historical mails generated within the preset range according to a preset query rule, wherein the preset query rule includes dividing the mails into query tasks by year, month, day and hour in turn;
and acquiring the historical mails according to the storage directory.
4. The mail detection method according to claim 3, wherein querying the storage directory of the historical mails generated within the preset range according to the preset query rule comprises:
recording the current query progress and the query rule while the storage directory is being queried according to the preset query rule;
and, when a restart is detected, continuing the query from the recorded query progress according to the recorded query rule.
5. The mail detection method according to claim 3, wherein querying the storage directory of the historical mails generated within the preset range comprises:
judging whether the corresponding historical mails are stored in the queried storage directory;
judging whether a backup mail of the historical mail exists when the corresponding historical mail is not stored in the storage directory;
and, when a backup mail of the historical mail exists, acquiring the storage directory of the backup mail.
6. The mail detection method according to claim 1, wherein detecting whether the historical mails hit the updated sensitive information detection policy comprises:
determining that the updated sensitive information detection policy is hit when the mail content of the historical mail includes preset keyword information, the mail content of the historical mail matches a preset regular expression, and/or the file attribute information of an attachment in the historical mail matches preset file attribute information;
wherein the file attribute information includes at least one of file size, file creation time, file modification time and file author.
7. A mail detection device, characterized in that the device comprises:
an acquisition module, configured to acquire historical mails within a preset range when the sensitive information detection policy is updated, wherein the preset range comprises at least one of a second preset time range and a mail range corresponding to a preset organization structure, and the historical mails comprise at least one of sent mails and received mails;
a detection module, configured to detect whether the historical mails hit the updated sensitive information detection policy;
a marking module, configured to mark the historical mails that hit the updated sensitive information detection policy as abnormal mails;
a display module, configured to display mail information of the abnormal mails;
wherein the acquisition module acquires the historical mails by executing the following process:
acquiring the historical mails within the preset range when the sensitive information detection policy is updated comprises: displaying prompt information when the sensitive information detection policy is updated; receiving a start instruction input by the user according to the prompt information; and, when the user has the operation right, acquiring the historical mails within the preset range according to the start instruction.
8. An electronic device comprising a processor and a memory, the memory storing a program or instructions executable on the processor which, when executed by the processor, implement the steps of the mail detection method of any one of claims 1 to 6.
9. A computer-readable storage medium storing a program or instructions which, when executed by a processor, implement the steps of the mail detection method of any one of claims 1 to 6.
CN202210326753.6A 2022-03-30 2022-03-30 Mail detection method and device Active CN114726603B (en)

Publications (2)

Publication Number Publication Date
CN114726603A CN114726603A (en) 2022-07-08
CN114726603B true CN114726603B (en) 2023-09-01

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant