
CN117040877A - Identification and interception system for defending 25-port attack based on behavior identification technology - Google Patents


Info

Publication number: CN117040877A
Authority: CN (China)
Prior art keywords: mail, attack, address, smtp, behavior
Legal status: Pending (status as listed by Google Patents; not a legal conclusion)
Application number: CN202311075660.1A
Other languages: Chinese (zh)
Inventors: 商文波, 李超, 张英群, 贾凡, 龙远华
Current assignee: Shenyang Tinghai Guanyun Technology Co ltd
Original assignee: Shenyang Tinghai Guanyun Technology Co ltd
Application filed by Shenyang Tinghai Guanyun Technology Co ltd
Priority to CN202311075660.1A
Publication of CN117040877A

Classifications

All classifications fall under H (Electricity) > H04 (Electric communication technique) > H04L (Transmission of digital information, e.g. telegraphic communication):

    • H04L63/00 Network architectures or network communication protocols for network security
      • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
        • H04L63/0209 Architectural arrangements, e.g. perimeter networks or demilitarized zones
        • H04L63/0227 Filtering policies
          • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
      • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
        • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
          • H04L63/1416 Event detection, e.g. attack signature detection
          • H04L63/1425 Traffic logging, e.g. anomaly detection
        • H04L63/1441 Countermeasures against malicious traffic
          • H04L63/1458 Denial of Service
          • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • H04L51/00 User-to-user messaging in packet-switching networks, transmitted according to store-and-forward or real-time protocols, e.g. e-mail
      • H04L51/21 Monitoring or handling of messages
        • H04L51/212 Monitoring or handling of messages using filtering or selective blocking
      • H04L51/42 Mailbox-related aspects, e.g. synchronisation of mailboxes
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
      • H04L9/40 Network security protocols

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

The invention discloses a port-25 attack identification and interception method based on behavior identification technology, and belongs to the technical field of mail security. Behavior recognition starts from the principles of mail transmission and judges whether a mail is legitimate from the behavioral characteristics of how it is sent. The system comprises a data-mining-based behavior-recognition framework for filtering attack mail, in which a probability and statistics model is used to classify, analyze and count attack mail, and the theory and methods of computer pattern recognition are applied. The behavior features mainly include SMTP routing, SMTP session, server features, attack features, frequency, signaling address, protocol declaration features and content features; each is given an appropriate threshold, and a source that exceeds its threshold has its connection rejected directly. The system can effectively prevent and eliminate the threat of attack mail, reduce information security risk, make effective use of network bandwidth, reduce losses and protect the mail system well.

Description

Identification and interception system for defending 25-port attack based on behavior identification technology
Technical Field
The invention relates in particular to an identification and interception system for port-25 attacks based on behavior recognition technology, and belongs to the technical field of information security.
Background
Enterprises exchange large numbers of mails with each other at all times, but the wide adoption of open, application-based e-mail also brings challenges: junk mail, virus mail, phishing mail and spy mail are rampant, endangering not only e-mail systems but also the normal development and use of the Internet, and intruding on people's work, study and daily life. Mail users and system administrators spend much time cleaning up junk mail and take ever more complex measures against the viruses, trojans, spyware and other attack programs it carries, to keep internal computers from being remotely controlled by attackers. For an enterprise, a flood of junk mail can cause serious losses: when a single employee receives a virus mail, the whole enterprise network can be paralyzed, and extra effort is needed to deal with the mail. Beyond the wasted resources, the enterprise's servers may go down entirely and confidential data may leak.
The problems addressed are the following:
Illegal attacks: the mail service is blocked, becomes unstable, or even goes down.
Virus mail: viruses are spread through junk mail.
Junk mail: it blocks the network and the mail server, consumes system resources, wastes users' time, and spreads illegal or sensitive content on the network, such as 'financial crisis' or 'property crash' rumours that cause social disorder.
To address these enterprise problems, an identification and interception system for port 25 based on behavior recognition is provided, which can block the following attack types against mail servers at the network layer and the application layer respectively: dictionary attacks, directory tree attacks, multi-threaded attacks, DHA (directory harvest) attacks, empty file attacks, multiple virus infection attacks and multiple compression attacks. The problems above are thereby avoided and the mail system is better protected.
Disclosure of Invention
In view of the defects and shortcomings in the background art, the invention provides a data-mining-based behavior-recognition framework for filtering attack mail, which uses a probability and statistics model to classify, analyze and count attack mail and applies the theory and methods of computer pattern recognition. The behavior recognition features mainly comprise SMTP routing, SMTP session, server features, attack features, frequency, signaling address, protocol declaration features, content features and other factors. The system can effectively prevent and eliminate the threat of attack mail, reduce information security risk, make effective use of network bandwidth, reduce losses and protect the mail system well.
1. The invention provides a port-25 attack identification and interception process based on behavior identification technology, which includes judging whether a mail is legitimate from the behavioral characteristics of how it is sent. The data-mining-based behavior-recognition framework for filtering attack mail uses a probability and statistics model to classify, analyze and count attack mail, and can block attacks on port 25 of a mail server at the network layer and the application layer respectively. Behavior features mainly include SMTP sessions, server features, attack features (frequency, originating address), protocol declaration features, content features and so on. Behavior recognition technology may be said to be the most effective means currently available for defending against port-25 attacks.
2. The invention also provides a network-layer precaution means, which comprises:
Reputation checking
A dynamic intelligent mail firewall technology is adopted to detect attacks and release defense features in time. Reputation checking may be performed on the source IP and domain name of each e-mail. Reputation analysis combines means such as the system black-and-white list and RBL real-time blacklists, and mail with low reputation is directly blocked or intercepted, so that attacks on port 25 of the mail server are resisted.
DoS defense
The method can defend against mass mail attacks and mass connection attacks: it limits the number of simultaneous connections from a given IP source and automatically cuts off a source that sends a large volume of mail, so that spammers or attackers cannot flood the server with mass connections. DoS defense can be configured to exempt trusted IPs.
Bad domain blocking
The source IP of a bad sender can be locked and the mail sent from that domain discarded, saving the bandwidth the mail server would otherwise waste receiving junk mail.
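As an added illustration of the network-layer means just described (not code from the patent), the following Python sketch combines a local black/white list, a DNSBL-style real-time blacklist lookup, a per-IP connection limit with a trusted-IP exemption, and bad-domain blocking. All list contents, the rbl.example zone, the DNS answers and the limit of three concurrent connections are constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed reputation data: placeholders for a real deployment's lists.
WHITELIST = {"198.51.100.10"}      # trusted IPs: always admitted, exempt from the DoS limit
BLACKLIST = {"203.0.113.5"}        # local blocklist: always rejected
RBL_ZONE = "rbl.example"           # hypothetical real-time blacklist zone
FAKE_DNS_A = {"77.113.0.203.rbl.example": "127.0.0.2"}  # constructed DNS answers for the RBL
BAD_DOMAINS = {"spam-example.test"}  # sender domains whose mail is discarded
MAX_CONCURRENT_PER_IP = 3          # connection limit for one untrusted IP source


def rbl_query_name(ip: str, zone: str) -> str:
    """A DNSBL is queried by reversing the IPv4 octets under the list zone."""
    octets = ip.split(".")
    return ".".join(reversed(octets)) + "." + zone


def rbl_listed(ip: str) -> bool:
    """Listed if the query name has an A record (real lists answer in 127.0.0.0/8)."""
    answer = FAKE_DNS_A.get(rbl_query_name(ip, RBL_ZONE))
    return answer is not None and answer.startswith("127.")


class ConnectionGate:
    """Decides at connect time whether a client may open an SMTP session."""

    def __init__(self):
        self.active = defaultdict(int)  # ip -> currently open sessions

    def reputation(self, ip: str) -> str:
        """Combine the local black/white lists with the RBL lookup."""
        if ip in WHITELIST:
            return "trusted"
        if ip in BLACKLIST or rbl_listed(ip):
            return "blocked"
        return "neutral"

    def admit(self, ip: str):
        """Return (admitted, reason). Blocked sources are refused before any SMTP dialogue."""
        ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
        rep = self.reputation(ip)
        if rep == "blocked":
            return False, "low reputation (blacklist or RBL)"
        if rep != "trusted" and self.active[ip] >= MAX_CONCURRENT_PER_IP:
            return False, "DoS limit: too many concurrent connections"
        self.active[ip] += 1
        return True, "admitted"

    def release(self, ip: str) -> None:
        """Call when the session closes so the per-IP counter drains."""
        if self.active[ip] > 0:
            self.active[ip] -= 1


def sender_domain_allowed(mail_from: str) -> bool:
    """Bad-domain blocking: discard mail whose envelope sender domain is locked."""
    domain = mail_from.rsplit("@", 1)[-1].lower()
    return domain not in BAD_DOMAINS


if __name__ == "__main__":
    gate = ConnectionGate()
    for ip in ("203.0.113.5", "203.0.113.77", "192.0.2.9", "198.51.100.10"):
        print(ip, gate.admit(ip))
```

The gate runs before any SMTP command is read, which is what makes it a network-layer control: a blocked source costs the server one socket accept and nothing more, and the concurrent-connection counter is what bounds a single source's share of the listener.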
3. The invention also provides an application-layer SMTP session feature recognition method, which comprises the following steps:
SMTP session attack feature identification means identifying the connection frequency, IP address, sender, recipient address and other signaling features of an attack mail during the SMTP session stage, so that the receiving server refuses the delivery attempt before the message body (DATA) is transmitted; this greatly speeds up mail filtering, reduces network delay and saves network bandwidth. Step M1 in detail is as follows:
M11: HELO and EHLO command feature identification: the SMTP protocol specifies that, once the connection is established, the client must give the mail server the domain name it is connecting from, i.e. which server the mail will be sent from. This is implemented through DNS: a query checks whether the host has an A record and whether the IP address is listed in a real-time blacklist. The authority and reliability of such a list depends on its provider; most providers are organizations with an international reputation, so the list can be trusted.
M12: MAIL FROM command: the protocol specifies that this command gives the mail server the sender's identity; filtering the mail's MAIL FROM address prevents sender forgery. The technical means are DNS, reverse DNS, SPF and similar checks used to authenticate the host name recorded in M11 and the MAIL FROM address.
M13: RCPT TO command: filtering the mail's RCPT TO address effectively solves three problems:
filtering extraneous backscatter mail;
preventing the mail system from becoming a springboard from which a spammer launches a backscatter attack;
rejecting addresses where the recipient does not exist.
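The three session-stage checks M11 to M13, as an added Python example rather than the patent's own implementation: DNS, SPF and recipient-directory lookups are replaced by constructed in-memory tables (DNS_A, SPF_IP4, LOCAL_USERS, RBL_LISTED), and the reply codes follow the usual SMTP enhanced-status conventions. Every rejection happens before DATA, so a refused message never consumes bandwidth for its body.

```python
import ipaddress
import re

# Constructed tables standing in for DNS, SPF records and the local user directory.
DNS_A = {"mx1.sender.example": "192.0.2.25", "mail.partner.example": "198.51.100.7"}
SPF_IP4 = {"sender.example": {"192.0.2.25"}, "partner.example": {"198.51.100.7"}}  # ip4: mechanisms, -all
LOCAL_USERS = {"alice@corp.example", "bob@corp.example"}
RBL_LISTED = {"203.0.113.77"}   # stand-in for a real-time blacklist answer

HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$", re.I)


class SmtpSessionFilter:
    """Evaluates the envelope commands of one session in protocol order."""

    def __init__(self, client_ip: str):
        ipaddress.IPv4Address(client_ip)
        self.ip = client_ip
        self.helo = None
        self.mail_from = None
        self.rcpts = []

    def on_helo(self, hostname: str) -> str:
        """M11: the HELO/EHLO argument must be a resolvable FQDN and the client must not be RBL-listed."""
        if self.ip in RBL_LISTED:
            return "554 5.7.1 client address listed in real-time blacklist"
        if not HOSTNAME_RE.match(hostname):
            return "501 5.5.4 HELO argument is not a fully qualified host name"
        if hostname.lower() not in DNS_A:
            return "550 5.7.1 HELO host has no A record"
        self.helo = hostname.lower()
        return "250 ok"

    def on_mail_from(self, address: str) -> str:
        """M12: confirm the HELO host resolves to the client and the sender domain's SPF authorizes it."""
        if self.helo is None:
            return "503 5.5.1 send HELO/EHLO first"
        if DNS_A[self.helo] != self.ip:
            return "550 5.7.1 HELO host does not resolve to client address"
        if address != "<>":                      # null sender (bounces) carries no domain to check
            domain = address.rsplit("@", 1)[-1].lower()
            authorized = SPF_IP4.get(domain)
            if authorized is None:
                return "550 5.7.1 sender domain publishes no SPF record"
            if self.ip not in authorized:
                return "550 5.7.1 SPF fail: client not authorized for sender domain"
        self.mail_from = address.lower()
        return "250 ok"

    def on_rcpt_to(self, address: str) -> str:
        """M13: reject unknown recipients and multi-recipient bounces before DATA (no backscatter)."""
        if self.mail_from is None:
            return "503 5.5.1 send MAIL FROM first"
        if address.lower() not in LOCAL_USERS:
            return "550 5.1.1 recipient address does not exist"
        if self.mail_from == "<>" and self.rcpts:
            return "550 5.7.1 bounce message to multiple recipients refused"
        self.rcpts.append(address.lower())
        return "250 ok"


def run_session(client_ip, helo, mail_from, rcpts):
    """Drive a whole envelope; returns the first rejection, or '250 ok' when DATA may proceed."""
    s = SmtpSessionFilter(client_ip)
    steps = [lambda: s.on_helo(helo), lambda: s.on_mail_from(mail_from)]
    steps += [lambda r=r: s.on_rcpt_to(r) for r in rcpts]
    for step in steps:
        reply = step()
        if not reply.startswith("250"):
            return reply
    return "250 ok"


if __name__ == "__main__":
    print(run_session("192.0.2.25", "mx1.sender.example", "user@sender.example", ["alice@corp.example"]))
    print(run_session("198.51.100.7", "mail.partner.example", "user@sender.example", ["alice@corp.example"]))
```

Rejecting a nonexistent recipient at RCPT TO, rather than accepting the message and bouncing it later, is what removes the backscatter problem: the server never generates a bounce to a forged MAIL FROM address.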
4. The invention also provides an application-layer SMTP attack frequency feature recognition method, which comprises the following steps:
Log information on every connection established between external IPs and the system is recorded, including all connection data such as authentication attacks and IP attacks, specifically as follows:
M21: collecting SMTP logs: first, log data related to the SMTP server is collected. These logs typically contain the recipient, sender, mail subject, timestamp, IP address and type of operation (e.g., connect, authenticate, send mail).
M22: filtering abnormal activity: abnormal activity is screened out with a query language or script based on specific fields in the SMTP log, such as large numbers of connection attempts, frequently failed authentication attempts, or abnormal mail size or content. This narrows attention to potential attack events.
M23: IP address analysis: abnormal IP addresses associated with an attack are identified. The connection frequency, connection duration and number of mails sent are tracked using the source IP address field in the SMTP log; analyzing the activity pattern of an IP address determines whether there is an attack.
M24: identifying abnormal patterns: patterns and behavior anomalies in the SMTP logs are analyzed, such as abnormal mail size, abnormal sending frequency or a large number of invalid mail addresses. This step defines the metrics of an attack.
M25: authentication failure analysis: the authentication attempts in the SMTP log are checked and frequent authentication failures are identified, since an attacker may be trying to obtain a legitimate user's credentials by brute force or a dictionary attack.
M26: threat intelligence matching: the IP addresses in the SMTP log are matched against public threat intelligence databases. These databases may contain known attack IP addresses, blacklists, domain names and the like, so activity known to be threat-related can be identified.
M27: timeline analysis: a timeline analysis of the SMTP log reveals the duration, frequency and changing pattern of the attack activity. This helps in understanding the attacker's behavior and how the attack evolves.
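Steps M21 to M27 carried through in Python on a constructed log excerpt, as an added example rather than the patent's code. The key=value log format, the values in THRESHOLDS (the same-IP connection count and frequency limits the text describes) and the THREAT_INTEL entry are all assumptions made for the example; a deployment would parse its own MTA's log format and tune the thresholds to its traffic.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log in a simple key=value format (not any particular MTA's format).
SAMPLE_LOG = """\
2024-05-01T10:00:01 connect ip=203.0.113.9
2024-05-01T10:00:02 auth ip=203.0.113.9 user=alice result=fail
2024-05-01T10:00:03 auth ip=203.0.113.9 user=bob result=fail
2024-05-01T10:00:04 auth ip=203.0.113.9 user=carol result=fail
2024-05-01T10:00:05 auth ip=203.0.113.9 user=dave result=fail
2024-05-01T10:00:06 connect ip=203.0.113.9
2024-05-01T10:00:07 rcpt ip=203.0.113.9 to=zzz@corp.example result=unknown
2024-05-01T10:00:08 rcpt ip=203.0.113.9 to=qqq@corp.example result=unknown
2024-05-01T10:00:09 connect ip=203.0.113.9
2024-05-01T10:00:10 connect ip=203.0.113.9
2024-05-01T10:05:00 connect ip=198.51.100.7
2024-05-01T10:05:01 send ip=198.51.100.7 from=ann@partner.example size=2048
2024-05-01T10:30:00 connect ip=192.0.2.44
2024-05-01T10:30:01 send ip=192.0.2.44 from=x@example.net size=512
"""

# Constructed defense parameters; the values are illustrative, not tuned.
THRESHOLDS = {
    "max_connections": 3,        # same-IP maximum connection number
    "max_conn_per_minute": 3,    # same-IP maximum connection frequency
    "max_auth_failures": 3,      # failed AUTH attempts before flagging
    "max_unknown_rcpts": 1,      # RCPT TO to nonexistent users before flagging
}
THREAT_INTEL = {"192.0.2.44"}     # placeholder for a public threat-intelligence feed

LOG_RE = re.compile(r"^(\S+) (\w+) (.*)$")


def parse(log_text):
    """M21: yield (timestamp, event, fields) for each well-formed log line."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, event, rest = m.groups()
        fields = dict(kv.split("=", 1) for kv in rest.split())
        yield datetime.fromisoformat(ts), event, fields


def new_stats():
    return {"connections": 0, "auth_failures": 0, "users_tried": set(),
            "unknown_rcpts": 0, "mails": 0, "first": None, "last": None,
            "per_minute": defaultdict(int)}


def analyze(log_text):
    """M22-M25, M27: per-IP counters plus a minute-bucketed connection timeline."""
    stats = defaultdict(new_stats)
    for ts, event, f in parse(log_text):
        s = stats[f["ip"]]
        s["first"] = ts if s["first"] is None else min(s["first"], ts)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)
        if event == "connect":
            s["connections"] += 1
            s["per_minute"][ts.replace(second=0)] += 1
        elif event == "auth" and f.get("result") == "fail":
            s["auth_failures"] += 1
            s["users_tried"].add(f.get("user", "?"))
        elif event == "rcpt" and f.get("result") == "unknown":
            s["unknown_rcpts"] += 1
        elif event == "send":
            s["mails"] += 1
    return stats


def findings(stats, thresholds=THRESHOLDS, intel=THREAT_INTEL):
    """Compare each source with the thresholds (and M26 threat intel); return ip -> reasons."""
    out = {}
    for ip, s in stats.items():
        reasons = []
        if s["connections"] > thresholds["max_connections"]:
            reasons.append("connection count")
        if max(s["per_minute"].values(), default=0) > thresholds["max_conn_per_minute"]:
            reasons.append("connection frequency")
        if s["auth_failures"] >= thresholds["max_auth_failures"]:
            reasons.append("auth failures across %d users" % len(s["users_tried"]))
        if s["unknown_rcpts"] > thresholds["max_unknown_rcpts"]:
            reasons.append("unknown recipients")
        if ip in intel:
            reasons.append("threat intelligence match")
        if reasons:
            out[ip] = reasons
    return out


def active_seconds(stats, ip):
    """M27 timeline: how long the source was active in the log window."""
    s = stats[ip]
    return (s["last"] - s["first"]).total_seconds()


if __name__ == "__main__":
    st = analyze(SAMPLE_LOG)
    for ip, reasons in findings(st).items():
        print(ip, reasons, "active for %.0fs" % active_seconds(st, ip))
```

The distinct-user count attached to the authentication-failure reason is the detail that separates a dictionary or directory-harvest pattern (many users, one source) from a single user mistyping a password; the same split applies to unknown RCPT TO addresses.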
By integrating this data, statistics can be formed and corresponding defense parameters set, such as: the maximum number of connections from the same IP address, the maximum connection frequency from the same IP address, the maximum mail sending frequency from the same IP address, the number of mails received from the same IP address, the maximum sending frequency of the same sender address, the number of mails sent per SMTP session, and so on.
5. The invention also provides an application-layer content feature identification method, which comprises the following steps:
The mail content rules provide full-text recognition of received mail. They comprise feature rules over the sender and recipient, CC, BCC, subject, full text, attachment type, attachment name, attachment content, attachment size, mail size, number of recipients and so on, and, according to the behavioral characteristics of junk mail, provide absolute-black features (forged sender check, abnormal subject, subject padded with garbage characters, image link with no text content), fuzzy-grey features (hyperlink analysis, dial-up dynamic IP addresses) and other detection and filtering mechanisms; abnormal behaviors such as a sender that keeps changing the subject or keeps changing the sender address are statistically analyzed and detected. The method comprises the following identification features in particular:
Keyword filtering: the system may use a predefined list of keywords to detect whether the mail body contains spam feature words, such as promotions, advertisements, earnings and other words common in spam. If these keywords appear in the mail body, the mail may be marked as spam.
Text classification algorithm: using machine learning algorithms and models, the mail body can be classified as spam or not. Common text classification algorithms include naive Bayes, support vector machines and deep learning. These algorithms learn from a training data set and make classification predictions from the characteristics and patterns of the text.
Spelling and grammar checking: spam typically contains misspellings, grammatical errors and poorly formed sentences. The system may use spell-checking and grammar-checking techniques to detect errors and irregularities in the mail body; these can be one of the features of spam.
Content analysis: the system may analyze the mail body using natural language processing and text analysis techniques, identifying patterns, formats and structures common in spam such as overuse of capital letters, multiple exclamation or question marks, and repeated text paragraphs.
Image and media analysis: some spam contains pictures, embedded media or links. The system may analyze these images and media to determine whether they are related to spam, including recognizing advertising images common in spam and identifying suspicious links or embedded content.
Based on these features, all mail flowing through the gateway is recorded, in particular the addresses identified as junk mail; the behavior of attack mail is classified, analyzed and counted according to the probability and statistics model, and the dynamic policy module is notified of sources that exceed the set threshold so that their attack mail is restricted.
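An added Python example (not the patent's implementation) of the content features and per-source statistics described above: keyword filtering, a small naive Bayes text classifier, capitalization and exclamation-mark analysis, link analysis that flags hyperlinks pointing at a bare IP address, and a per-source junk counter that signals when a source crosses the dynamic policy threshold. The keyword list, training texts, feature weights and the SPAM_THRESHOLD value are constructed for the example.

```python
import math
import re
from collections import Counter, defaultdict

SPAM_KEYWORDS = {"promotion", "advertisement", "earnings", "free", "winner"}  # constructed keyword list
SPAM_THRESHOLD = 5.0                                                          # illustrative score cut-off
TOKEN_RE = re.compile(r"[a-z']+")
URL_RE = re.compile(r"https?://(\S+)", re.I)
IP_HOST_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?")

# Constructed training bodies (tiny on purpose; a real system trains on a labelled corpus).
TRAINING = [
    ("FREE promotion earnings winner act now", "spam"),
    ("big earnings free advertisement click", "spam"),
    ("winner winner free prize promotion", "spam"),
    ("meeting agenda for tuesday attached", "ham"),
    ("please review the quarterly report draft", "ham"),
    ("lunch on thursday with the team", "ham"),
]
SPAM_SAMPLE = "FREE EARNINGS!!! You are a WINNER, click http://203.0.113.5/win now"
HAM_SAMPLE = "Please review the attached agenda for the meeting on tuesday"


def tokens(text):
    return TOKEN_RE.findall(text.lower())


class NaiveBayes:
    """Multinomial naive Bayes with add-one smoothing: the text classification step."""

    def __init__(self):
        self.word_counts = {"spam": Counter(), "ham": Counter()}
        self.doc_counts = Counter()
        self.vocab = set()

    def train(self, text, label):
        toks = tokens(text)
        self.word_counts[label].update(toks)
        self.doc_counts[label] += 1
        self.vocab.update(toks)

    def spam_probability(self, text):
        log_post = {}
        for label in ("spam", "ham"):
            total = sum(self.word_counts[label].values())
            lp = math.log(self.doc_counts[label] / sum(self.doc_counts.values()))
            for t in tokens(text):
                lp += math.log((self.word_counts[label][t] + 1) / (total + len(self.vocab)))
            log_post[label] = lp
        m = max(log_post.values())                 # subtract the max before exp for stability
        p_spam, p_ham = (math.exp(log_post[k] - m) for k in ("spam", "ham"))
        return p_spam / (p_spam + p_ham)


def build_model():
    model = NaiveBayes()
    for text, label in TRAINING:
        model.train(text, label)
    return model


def style_features(body):
    """Content analysis: keyword hits, capital-letter ratio and exclamation marks."""
    letters = [c for c in body if c.isalpha()]
    upper_ratio = sum(c.isupper() for c in letters) / len(letters) if letters else 0.0
    present = set(tokens(body))
    return {"keywords": sorted(SPAM_KEYWORDS & present),
            "upper_ratio": upper_ratio,
            "exclamations": body.count("!")}


def link_features(body):
    """Hyperlink analysis: count links and those pointing at a bare IP rather than a host name."""
    hosts = [target.split("/", 1)[0] for target in URL_RE.findall(body)]
    return {"links": len(hosts), "ip_links": sum(1 for h in hosts if IP_HOST_RE.fullmatch(h))}


def score(body, model):
    """Combine the features into one junk score; >= SPAM_THRESHOLD is treated as junk."""
    f, l = style_features(body), link_features(body)
    s = 2.0 * len(f["keywords"])
    s += 2.0 if f["upper_ratio"] > 0.5 else 0.0
    s += 1.0 if f["exclamations"] >= 3 else 0.0
    s += 2.0 * l["ip_links"]
    s += 3.0 * model.spam_probability(body)
    return s


class SourceStatistics:
    """Count junk verdicts per source; a source over the threshold is handed to the dynamic policy module."""

    def __init__(self, threshold):
        self.threshold = threshold
        self.junk_per_source = defaultdict(int)

    def record(self, source_ip, is_junk):
        if is_junk:
            self.junk_per_source[source_ip] += 1
        return self.junk_per_source[source_ip] >= self.threshold
```

The classifier's probability is only one term in the score; the deterministic features (keyword hits, bare-IP links) keep a verdict explainable when an operator has to justify why a source was throttled, and the per-source counter is what turns individual verdicts into the statistics that drive the dynamic policy.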
Drawings
To describe the embodiments of the invention or the prior art more clearly, the drawings needed for the embodiments are briefly described below; the drawings described are only some embodiments of the invention, and a person skilled in the art can obtain other drawings from them without inventive effort.
FIG. 1 is a flow chart of the behavior-recognition-based port-25 attack identification and interception method of the invention.
Detailed Description
All features disclosed in any embodiment of this specification, and all steps of any method or process disclosed implicitly, may be combined, extended and substituted in any way except where the features and/or steps are mutually exclusive. The technical concept, working principle, effect and working procedure of the invention are described in further detail below with reference to the drawings. In view of the security hazard posed by port-25 attacks to enterprises and personal users during use of a mail system, the invention discloses a behavior-recognition-based system for identifying and intercepting port-25 attacks.
As shown in FIG. 1, the flow of defending against port-25 attacks based on behavior recognition is as follows: network-layer attack defense, application-layer defense based on SMTP session features, application-layer defense based on SMTP attack frequency features, application-layer defense based on mail content features, and the corresponding restriction strategies.
Network-layer attack defense comprises the following steps:
The IP address of the connecting server is obtained, and a dynamic intelligent mail firewall technology is adopted to detect attacks and release defense features in time. Reputation checking may be performed on the source IP and domain name of each e-mail, combining means such as the system black-and-white list and RBL real-time blacklists.
SMTP session feature defense comprises the following steps:
Step 1: HELO and EHLO command feature identification: the SMTP protocol specifies that, once the connection is established, the client must give the mail server the domain name it is connecting from, i.e. which server the mail will be sent from. This is implemented through DNS: a query checks whether the host has an A record and whether the IP address is listed in a real-time blacklist.
Step 2: MAIL FROM command: the protocol specifies that this command gives the mail server the sender's identity; filtering the mail's MAIL FROM address prevents sender forgery. The technical means are DNS, reverse DNS, SPF and similar checks used to authenticate the host name recorded in Step 1 (M11) and the MAIL FROM address.
Step 3: RCPT TO command: filtering the mail's RCPT TO address effectively solves three problems: extraneous backscatter mail is filtered out, the mail system is prevented from becoming a springboard from which a spammer launches a backscatter attack, and addresses whose recipient does not exist are rejected.
The SMTP attack frequency feature defense module comprises the following steps:
Step 1: collecting SMTP logs: first, log data related to the SMTP server is collected. These logs typically contain the recipient, sender, mail subject, timestamp, IP address and type of operation (e.g., connect, authenticate, send mail).
Step 2: filtering abnormal activity: abnormal activity is screened out with a query language or script based on specific fields in the SMTP log, such as large numbers of connection attempts, frequently failed authentication attempts, or abnormal mail size or content. This narrows attention to potential attack events.
Step 3: IP address analysis: abnormal IP addresses associated with an attack are identified. The connection frequency, connection duration and number of mails sent are tracked using the source IP address field in the SMTP log; analyzing the activity pattern of an IP address determines whether there is an attack.
Step 4: identifying abnormal patterns: patterns and behavior anomalies in the SMTP logs are analyzed, such as abnormal mail size, abnormal sending frequency or a large number of invalid mail addresses. This step defines the metrics of an attack.
Step 5: authentication failure analysis: the authentication attempts in the SMTP log are checked and frequent authentication failures are identified, since an attacker may be trying to obtain a legitimate user's credentials by brute force or a dictionary attack.
Step 6: threat intelligence matching: the IP addresses in the SMTP log are matched against public threat intelligence databases. These databases may contain known attack IP addresses, blacklists, domain names and the like, so activity known to be threat-related can be identified.
Step 7: timeline analysis: a timeline analysis of the SMTP log reveals the duration, frequency and changing pattern of the attack activity. This helps in understanding the attacker's behavior and how the attack evolves.
The mail content feature defense module comprises the following steps:
Step 1: the content of the mail is obtained.
Step 2: whether the mail is junk mail is judged by keyword filtering, a text classification algorithm, spelling and grammar checking, content analysis, image and media analysis and similar means.
Step 3: if the mail is junk mail, its information is recorded in a log, including the source IP, sender, recipient, CC, BCC, subject, full text, attachment type, attachment name, attachment content, attachment size, mail size, number of recipients and so on.
Step 4: the data-mining-based mathematical statistics module cleans and analyzes the record, computes the mail's feature value, and synchronizes it to the junk-mail feature library.

Claims (5)

1. A behavior-recognition-based identification and interception system for defending against port-25 attacks, comprising the following steps: judging whether a mail is legitimate from the behavioral characteristics of how it is sent. The data-mining-based behavior-recognition framework for filtering attack mail uses a probability and statistics model to classify, analyze and count attack mail, and can block attacks on port 25 of a mail server at the network layer and the application layer respectively. Behavior features mainly include SMTP sessions, server features, attack features (frequency, originating address), protocol declaration features, content features and so on. Behavior recognition technology may be said to be the most effective means currently available for defending against port-25 attacks.
2. A network-layer precaution means comprising:
Reputation checking
A dynamic intelligent mail firewall technology is adopted to detect attacks and release defense features in time. Reputation checking may be performed on the source IP and domain name of each e-mail. Reputation analysis combines means such as the system black-and-white list and RBL real-time blacklists, and mail with low reputation is directly blocked or intercepted, so that attacks on port 25 of the mail server are resisted.
DoS defense
The method can defend against mass mail attacks and mass connection attacks: it limits the number of simultaneous connections from a given IP source and automatically cuts off a source that sends a large volume of mail, so that spammers or attackers cannot flood the server with mass connections. DoS defense can be configured to exempt trusted IPs.
Bad domain blocking
The source IP of a bad sender can be locked and the mail sent from that domain discarded, saving the bandwidth the mail server would otherwise waste receiving junk mail.
3. An application-layer SMTP session feature identification comprising:
SMTP session attack feature identification means identifying the connection frequency, IP address, sender, recipient address and other signaling features of an attack mail during the SMTP session stage, so that the receiving server refuses the delivery attempt before the message body (DATA) is transmitted; this greatly speeds up mail filtering, reduces network delay and saves network bandwidth. Step M1 in detail is as follows:
M11: HELO and EHLO command feature identification: the SMTP protocol specifies that, once the connection is established, the client must give the mail server the domain name it is connecting from, i.e. which server the mail will be sent from. This is implemented through DNS: a query checks whether the host has an A record and whether the IP address is listed in a real-time blacklist. The authority and reliability of such a list depends on its provider; most providers are organizations with an international reputation, so the list can be trusted.
M12: MAIL FROM command: the protocol specifies that this command gives the mail server the sender's identity; filtering the mail's MAIL FROM address prevents sender forgery. The technical means are DNS, reverse DNS, SPF and similar checks used to authenticate the host name recorded in M11 and the MAIL FROM address.
M13: RCPT TO command: filtering the mail's RCPT TO address effectively solves three problems:
filtering extraneous backscatter mail;
preventing the mail system from becoming a springboard from which a spammer launches a backscatter attack;
rejecting addresses where the recipient does not exist.
4. An application layer SMTP attack frequency feature recognition, comprising
Recording log information of connection established between all external IP and the system, including all connection data information such as authentication attack, IP attack, etc., specifically comprising the following steps:
M21: collecting SMTP logs. First, log data relating to the SMTP server is collected. These logs typically contain the recipient, sender, mail subject, timestamp, IP address, type of operation (e.g. connect, authenticate, send mail) and so on.
M22: filtering abnormal activities. Abnormal activity is screened out using a query language or script over specific fields of the SMTP log: large numbers of connection attempts, frequent failed authentication attempts, abnormal mail size or content, and so on. This narrows attention to potential attack events.
M23: IP address analysis. Abnormal IP addresses associated with attacks are identified. Using the source IP address field in the SMTP log, the connection frequency, connection duration and number of mails sent are tracked per address; analysing an address's activity pattern determines whether it is attacking.
M24: identifying abnormal patterns. Patterns and behavioural anomalies in the SMTP log are analysed, such as abnormal mail size, abnormal sending frequency and large numbers of invalid mail addresses. These define the metrics of an attack.
M25: authentication failure analysis. Authentication attempts in the SMTP log are checked and frequent failures identified, since an attacker may be trying to obtain a legitimate user's credentials by brute force or dictionary attack.
M26: threat intelligence matching. IP addresses in the SMTP log are matched against public threat intelligence databases, which may contain known attacker IP addresses, blacklists, domain names and so on, so that activity tied to known threats can be identified.
M27: timeline analysis. A timeline analysis of the SMTP log reveals the duration, frequency and changing pattern of the attack activity, which helps in understanding the attacker's behaviour and how the attack evolves.
By integrating these data, statistics can be formed and corresponding defence parameters set, such as: the maximum number of connections from the same IP address, the maximum connection frequency from the same IP address, the maximum mail sending frequency from the same IP address, the number of mails received from the same IP address, the maximum sending frequency for the same sender address, and the number of mails sent per SMTP session.
5. Application layer content feature identification, comprising:
The mail content rules provide full-text recognition of received mail. They cover feature rules on the recipient and sender, CC, BCC, mail subject, full text, attachment type, attachment name, attachment content, attachment size, mail size, number of recipients and so on. Based on the behavioural characteristics of junk mail, they provide detection and filtering mechanisms of two kinds: absolute black features (forged sender checking, abnormal mail subject, subject carrying garbled characters, picture link with no content) and fuzzy grey features (hyperlink detection and analysis, dial-up type floating IP addresses). Abnormal sender behaviour, such as continuously changing the subject or continuously changing the sender, is detected by statistical analysis. Specifically, the following identification features are included:
keyword filtering: the system may use a predefined list of keywords to detect whether the mail body contains spam feature words. These feature words may include words such as promotions, advertisements, earnings, etc. common to spam. If these keywords are contained in the mail body, they may be marked as spam.
Text classification algorithm: using machine learning algorithms and models, the mail body can be text-classified as spam or not. Common text classification algorithms include naive bayes, support vector machines, deep learning, and the like. These algorithms can learn through training data sets and make classification predictions based on the characteristics and patterns of the text.
Spell and grammar checking: spam typically contains misspellings, grammatical errors and ill-formed sentences. The system may use spell checking and grammar checking techniques to detect errors and irregularities in the mail body; these may be one of the features of spam.
Content analysis: the system may analyse the content of the mail body using natural language processing and text analysis techniques. This includes identifying patterns, formats and structures common to spam, such as overuse of capital letters, multiple exclamation marks or question marks, repeated text paragraphs, and the like.
Image and media analysis: some spam may contain pictures, embedded media, or links. The system may analyze these images and media to determine if they are related to spam. This includes identifying advertising images that are common in spam, identifying suspicious links or embedded content, etc.
Based on these features, all mail flowing through the gateway is recorded, in particular the addresses identified as sources of junk mail. The behaviour of attacking mail is classified, analysed and counted using a probabilistic statistical model, and sources exceeding a set threshold are reported to a dynamic policy module, which restricts their mail.
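An added example, not the patent's own code, of a content scorer in Python that separates the absolute black features (forged sender, picture link without content) from the fuzzy grey features (keywords, capital letters, exclamation marks, repeated paragraphs, hyperlinks to bare IP addresses). The keyword list, weights, mail dictionary format and sample mails are constructed assumptions, and "forged sender" is taken here to mean the envelope sender differing from the From: header:

```python
import re
from collections import Counter

# Constructed keyword list and patterns; a production gateway would maintain far larger lists.
SPAM_KEYWORDS = {"promotion", "advertisement", "earn", "free", "winner"}
URL_RE = re.compile(r"https?://([^/\s]+)", re.I)
IP_HOST_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")  # hyperlink host is a bare IP address

# Constructed sample mails; 'from' is the envelope sender, 'header_from' the From: header.
SPAM_MAIL = {"from": "x@promo.example", "header_from": "x@promo.example", "subject": "WIN",
             "body": "FREE PROMOTION!!! You are a WINNER!!!\n\nClick http://203.0.113.9/claim now"
                     "\n\nClick http://203.0.113.9/claim now"}
HAM_MAIL = {"from": "alice@corp.example", "header_from": "alice@corp.example", "subject": "Notes",
            "body": "Hi Bob,\n\nAttached are the meeting notes from Tuesday.\n\nThanks,\nAlice"}

def extract_features(mail):
    """Section 5 content features: keywords, shouting, punctuation, repetition, links, sender."""
    body = mail["body"]
    text = re.sub(r"<[^>]+>", " ", body)  # drop HTML tags before counting words
    words = re.findall(r"[A-Za-z']+", text)
    paragraphs = [p.strip() for p in body.split("\n\n") if p.strip()]
    letters = [c for c in text if c.isalpha()]
    hosts = URL_RE.findall(body)
    return {
        "keyword_hits": sum(w.lower() in SPAM_KEYWORDS for w in words),
        "upper_ratio": sum(c.isupper() for c in letters) / max(len(letters), 1),
        "exclamations": body.count("!") + body.count("?"),
        "repeated_paragraphs": sum(n - 1 for n in Counter(paragraphs).values() if n > 1),
        "ip_links": sum(bool(IP_HOST_RE.match(h)) for h in hosts),
        "forged_sender": mail["from"].lower() != mail["header_from"].lower(),
        "image_only": "<img" in body.lower() and len(words) < 5,
    }

def classify(mail, grey_threshold=4):
    """Absolute black features reject outright; fuzzy grey features only add to a score."""
    f = extract_features(mail)
    if f["forged_sender"]:
        return "spam", "forged sender"
    if f["image_only"]:
        return "spam", "picture link without content"
    score = (2 * min(f["keyword_hits"], 3) + (2 if f["upper_ratio"] > 0.5 else 0)
             + min(f["exclamations"], 3) + 2 * f["repeated_paragraphs"] + 3 * f["ip_links"])
    return ("spam" if score >= grey_threshold else "ham"), f"grey score {score}"
```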
CN202311075660.1A 2023-08-25 2023-08-25 Identification and interception system for defending 25-port attack based on behavior identification technology Pending CN117040877A (en)

Publications (1)

Publication Number Publication Date
CN117040877A true CN117040877A (en) 2023-11-10

Family

ID=88639076


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination