Method, apparatus, and device for detecting e-mail attack
First Claim

1. A method implemented by a network device for detecting an electronic mail (E-mail) attack, the method comprising:
- receiving data flows that flow through the network device during at least two statistic periods;
- obtaining an E-mail traffic parameter of each statistic period according to a protocol type of the data flows that are received in each of the statistic periods;
- determining that the E-mail attack is detected when the E-mail traffic parameter of each statistic period matches a first threshold;
- obtaining recipient E-mail addresses of E-mails received in each of the statistic periods after the E-mail attack is detected by searching monitoring entries, wherein a monitoring entry is created in each of the statistic periods, a first Hash node in a monitoring entry created in a first period corresponds to a first recipient E-mail address of E-mails received in the first period, and the first Hash node is used to store a number of occurrences of the first recipient E-mail address in the first detection period;
- collecting statistics on a number of occurrences of each obtained recipient E-mail address in each of the statistic periods by searching Hash nodes in the monitoring entries; and
- determining the first recipient E-mail address, of which the number of occurrences in each of the statistic periods exceeds a second threshold, as a target address of the E-mail attack, wherein the number of occurrences of the first recipient E-mail address in each of the statistic periods is obtained from the stored Hash nodes corresponding to the first recipient E-mail address in each of the monitoring entries.
Abstract

A method, an apparatus, and a device for detecting an E-mail attack. The device receives a data flow and obtains an E-mail traffic parameter for each statistic period within a predetermined number of statistic periods, where the E-mail traffic parameter of each statistic period is determined according to the protocol type of the data flow received in that period. The device determines that an E-mail attack is detected when the E-mail traffic parameter of every statistic period within the predetermined number of statistic periods matches a first threshold. By requiring the threshold to be matched in every period rather than in a single one, the disclosed embodiments make the detection result of the E-mail attack more accurate.
24 Citations
20 Claims
1. (Independent method claim, recited in full above under First Claim; dependent claims 2, 3, 4, 5, 6 and 7.)
8. A device for detecting an electronic mail (E-mail) attack, comprising:
- a network interface configured to receive data flows that flow through the network device during at least two statistic periods; and
- a processor coupled to the network interface and configured to:
  - obtain an E-mail traffic parameter of each statistic period according to a protocol type of the data flows that are received in each of the statistic periods;
  - determine, when the E-mail traffic parameter of each statistic period matches a first threshold, that the E-mail attack is detected;
  - obtain recipient E-mail addresses of E-mails received in each of the statistic periods after the E-mail attack is detected by searching monitoring entries, wherein a monitoring entry is created in each of the statistic periods, a first Hash node in a monitoring entry created in a first period corresponds to a first recipient E-mail address of E-mails received in the first period, and the first Hash node is used to store a number of occurrences of the first recipient E-mail address in the first detection period;
  - collect statistics on the number of occurrences of each obtained recipient E-mail address in each of the statistic periods by searching Hash nodes in the monitoring entries; and
  - determine a recipient E-mail address, of which the number of occurrences in each of the statistic periods exceeds a second threshold, as a target address of the E-mail attack, wherein the number of occurrences of the first recipient E-mail address in each of the statistic periods is obtained from the stored Hash nodes corresponding to the first recipient E-mail address in each of the monitoring entries.

Dependent claims: 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20.
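The two-stage logic shared by the method claim (claim 1) and the device claim (claim 8) is easier to see in code. The following Python is an added illustration written for this page, not code from the patent or its assignee. It assumes flow records already carry a statistic-period index, a protocol label and the recipient addresses of mail flows; it reads "matches a first threshold" as "reaches or exceeds", uses the count of mail-protocol flows as the E-mail traffic parameter, and models each period's "monitoring entry" of "Hash nodes" as a Python dictionary keyed by recipient address. All flow data below is constructed.

```python
"""Two-stage e-mail attack detector following the structure of the claims.

Stage 1: derive an E-mail traffic parameter per statistic period from the
protocol type of the observed flows and require it to match a first threshold
in EVERY period (a single busy period is not enough).
Stage 2: only after stage 1 fires, count recipient addresses in a per-period
hash table (the claim's "monitoring entry" of "Hash nodes") and report the
addresses whose count exceeds a second threshold in every period.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    period: int        # index of the statistic period the flow fell into (assumed pre-assigned)
    protocol: str      # protocol label such as "smtp", "http", "dns" (assumed labels)
    recipients: tuple  # recipient addresses for mail flows, () for non-mail flows


# Assumed label set for what counts as an e-mail protocol.
MAIL_PROTOCOLS = {"smtp", "smtps", "submission"}


def traffic_parameter_per_period(flows, periods):
    """E-mail traffic parameter per period; here the count of mail-protocol flows."""
    param = {p: 0 for p in range(periods)}
    for f in flows:
        if f.protocol in MAIL_PROTOCOLS and f.period in param:
            param[f.period] += 1
    return param


def attack_detected(param, first_threshold):
    """Stage 1 decision: the parameter must reach the first threshold in every period."""
    return all(v >= first_threshold for v in param.values())


def build_monitoring_entries(flows, periods):
    """One monitoring entry (a Counter, i.e. a hash table) per period.

    Each key is a recipient address ("Hash node") and its value the number of
    occurrences of that address within the period.
    """
    entries = {p: Counter() for p in range(periods)}
    for f in flows:
        if f.protocol in MAIL_PROTOCOLS and f.period in entries:
            entries[f.period].update(f.recipients)
    return entries


def target_addresses(entries, second_threshold):
    """Addresses whose occurrence count exceeds second_threshold in EVERY period."""
    candidates = set().union(*(set(e) for e in entries.values()))
    # Counter returns 0 for an address never seen in a period, so a single
    # quiet period disqualifies the address.
    return sorted(a for a in candidates
                  if all(entries[p][a] > second_threshold for p in entries))


def detect(flows, periods, first_threshold, second_threshold):
    """Run both stages; stage 2 only executes once stage 1 has detected an attack."""
    param = traffic_parameter_per_period(flows, periods)
    if not attack_detected(param, first_threshold):
        return {"attack": False, "parameter": param, "targets": []}
    entries = build_monitoring_entries(flows, periods)
    return {"attack": True, "parameter": param,
            "targets": target_addresses(entries, second_threshold)}


def make_sample_flows():
    """Constructed sample: two statistic periods, one address flooded in both."""
    flows = []
    flows += [Flow(0, "smtp", ("victim@example.com",))] * 3
    flows.append(Flow(0, "smtp", ("victim@example.com", "bob@example.com")))
    flows += [Flow(0, "smtp", ("alice@example.com",))] * 2
    flows += [Flow(0, "http", ())] * 2
    flows += [Flow(1, "smtp", ("victim@example.com",))] * 4
    flows.append(Flow(1, "smtp", ("alice@example.com",)))
    flows.append(Flow(1, "dns", ()))
    return flows


SAMPLE_FLOWS = make_sample_flows()

if __name__ == "__main__":
    # Period 0 has 6 mail flows, period 1 has 5; victim@ appears 4 times in each.
    print(detect(SAMPLE_FLOWS, periods=2, first_threshold=5, second_threshold=3))
    # Raising the first threshold above period 1's count suppresses detection.
    print(detect(SAMPLE_FLOWS, periods=2, first_threshold=6, second_threshold=3))
```

With the constructed flows, both periods reach the first threshold of 5 mail flows, so stage 2 runs and reports only victim@example.com, the one address exceeding the second threshold in every period; alice@example.com is seen in both periods but never often enough, and bob@example.com is absent from period 1. Raising the first threshold to 6 makes period 1 fall short, so no attack is reported and no per-address statistics are collected at all, which is the claim's point about reducing false positives from a single noisy period.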