Method, apparatus, and device for detecting e-mail attack

US 10,135,844 B2
Filed: 10/13/2014
Issued: 11/20/2018
Est. Priority Date: 12/27/2012
Status: Active Grant

First Claim

Patent Images

1. A method implemented by a network device for detecting an electronic mail (E-mail) attack, the method comprising:

receiving data flows that flow through the network device during at least two statistic periods;

obtaining an E-mail traffic parameter of each statistic period according to a protocol type of the data flows that are received in each of the statistic periods;

determining that the E-mail attack is detected when the E-mail traffic parameter of each statistic period matches a first threshold;

obtaining recipient E-mail addresses of E-mails received in each of the statistic periods after the E-mail attack is detected by searching monitoring entries, wherein a monitoring entry is created in each of the statistic periods, a first Hash node in a monitoring entry created in a first period corresponding to a first recipient E-mail address of E-mails received in the first period, and the first Hash node is used to store a number of occurrences of the first recipient E-mail address in the first detection period;

collecting statistics on a number of occurrences of each obtained recipient E-mail address in each of the statistic periods by searching Hash nodes in the monitoring entries; and

determining the first recipient E-mail address, of which the number of occurrences in each of the statistic periods exceeds a second threshold, as a target address of the E-mail attack, wherein the number of occurrences of the first recipient E-mail address in each of the statistic periods in obtained from the stored Hash nodes corresponding to the first recipient E-mail address in each of the monitoring entries.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method, an apparatus, and a device for detecting an E-mail attack. The device receives a data flow; obtains an E-mail traffic parameter of each statistic period within a predetermined number of statistic periods, where within each statistic period, the E-mail traffic parameter of each of the statistic periods is determined according to a protocol type of the received data flow; and determines that an E-mail attack is detected when the E-mail traffic parameter of each statistic period within the predetermined number of statistic periods matches a first threshold. By applying the disclosed embodiments, a detection result of the E-mail attack is more accurate.

24 Citations

View as Search Results

20 Claims

1. A method implemented by a network device for detecting an electronic mail (E-mail) attack, the method comprising:
- receiving data flows that flow through the network device during at least two statistic periods;
  
  obtaining an E-mail traffic parameter of each statistic period according to a protocol type of the data flows that are received in each of the statistic periods;
  
  determining that the E-mail attack is detected when the E-mail traffic parameter of each statistic period matches a first threshold;
  
  obtaining recipient E-mail addresses of E-mails received in each of the statistic periods after the E-mail attack is detected by searching monitoring entries, wherein a monitoring entry is created in each of the statistic periods, a first Hash node in a monitoring entry created in a first period corresponding to a first recipient E-mail address of E-mails received in the first period, and the first Hash node is used to store a number of occurrences of the first recipient E-mail address in the first detection period;
  
  collecting statistics on a number of occurrences of each obtained recipient E-mail address in each of the statistic periods by searching Hash nodes in the monitoring entries; and
  
  determining the first recipient E-mail address, of which the number of occurrences in each of the statistic periods exceeds a second threshold, as a target address of the E-mail attack, wherein the number of occurrences of the first recipient E-mail address in each of the statistic periods in obtained from the stored Hash nodes corresponding to the first recipient E-mail address in each of the monitoring entries.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method according to claim 1, wherein obtaining the E-mail traffic parameter of each of the statistic periods according to the protocol type of the received data flows that are received in each of the statistic periods comprises:
    - analyzing a protocol type of a data flow received in each of the statistic periods;
      
      determining that a payload of the data flow is an E-mail when the protocol type is an E-mail protocol type; and
      
      obtaining the E-mail traffic parameter of each of the statistic periods according to the determined E-mail.
  - 3. The method according to claim 2, further comprising:
    - obtaining sender Internet Protocol (IP) addresses of the E-mails at a same time of the obtaining recipient E-mail addresses of E-mails received in each of the statistic periods;
      
      establishing the monitor entry for recording a correspondence between the recipient E-mail addresses and the sender IP addresses of the E-mails received during each of the statistic periods, wherein a second hash node of the monitor entry stores number of occurrences of each sender IP address which appears together with the first recipient E-mail address in the E-mail received in the first statistic period;
      
      collecting, according to the correspondence, statistics on the number of occurrences of each sender IP address corresponding to the target address; and
      
      determining a sender IP address, of which the number of occurrences exceeds a third threshold, as an attacker IP address of the E-mail attack.
  - 4. The method according to claim 1, further comprising:
    - obtaining sender Internet Protocol (IP) addresses of the E-mails at a same time as the obtaining recipient E-mail addresses of E-mails received in each of the statistic periods;
      
      establishing the monitor entry for recording a correspondence between the recipient E-mail addresses and the sender IP addresses of the E-mails received for each of the statistic periods, wherein a second hash node of the monitor entry stores the number of occurrences of each sender IP address which appears together with the first recipient E-mail address in the E-mail received in the first statistic period;
      
      collecting, according to the correspondence, statistics on the number of occurrences of each sender IP address corresponding to the target address; and
      
      determining a sender IP address, of which the number of occurrences exceeds a third threshold, as an attacker IP address of the E-mail attack.
  - 5. The method according to claim 1, wherein the E-mail traffic parameter comprises the number of E-mails.
  - 6. The method according to claim 1, wherein the E-mail traffic parameter comprises the number of newly created simple mail transfer protocol (SMTP) connections for transferring an E-mail.
  - 7. The method according to claim 1, wherein the E-mail traffic parameter comprises the number of added simple mail transfer protocol (SMTP) concurrent connections for transferring an E-mail.

8. A device for detecting an electronic mail (E-mail) attack, comprising:
- a network interface configured to receive data flows that flow through the network device during at least two statistic periods; and
  
  a processor coupled to the network interface and configured to;
  
  obtain an E-mail traffic parameter of each statistic period according to a protocol type of the data flows that are received in each of the statistic periods;
  
  determine, when the E-mail traffic parameter of each statistic period matches a first threshold, that the E-mail attack is detected;
  
  obtain recipient E-mail addresses of E-mails received in each of the statistic periods after the E-mail attack is detected by searching monitoring entries, wherein a monitoring entry is created in each of the statistic periods, a first Hash node in a monitoring entry created in a first period corresponding to a first recipient E-mail address of E-mails received in the first period, and the first Hash node is used to store a number of occurrences of the first recipient E-mail address in the first detection period;
  
  collect statistics on the occurrences number of each obtained recipient E-mail address in each of the statistic periods by searching Hash nodes in the monitoring entries; and
  
  determine a recipient E-mail address, of which the number of occurrences in each of the statistic periods exceeds a second threshold, as a target address of the E-mail attack, wherein the number of occurrences of the first recipient E-mail address in each of the statistic periods in obtained from the stored Hash nodes corresponding to the first recipient E-mail address in each of the monitoring entries.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 9. The device according to claim 8, wherein the processor is configured to obtain the recipient E-mail addresses of E-mails received in each of the statistic periods after the E-mail attack is detected comprises the processor being further configured to:
    - analyze, within each statistic period, a protocol type of a data flow received by the network interface within each of the statistic periods;
      
      determine that a payload of the data flow is an E-mail when the protocol type of the data flow is an E-mail protocol type; and
      
      obtain the E-mail traffic parameter of each of the statistic periods according to the determined E-mail.
  - 10. The device according to claim 9, wherein the processor is further configured to:
    - obtain sender Internet Protocol (IP) addresses of the E-mails at a same time as the obtaining recipient E-mail addresses of E-mails received by the network interface in each of the statistic periods;
      
      establish the monitor entry for recording a correspondence between the recipient E-mail addresses and the sender IP addresses of the E-mails received for each of the statistic periods, wherein a second hash node of the monitor entry stores number of occurrences of each sender IP address which appears together with the first recipient E-mail address in a E-mail received in the first statistic period;
      
      collect, according to the correspondence, statistics on the number of occurrences of each sender IP address corresponding to the target address; and
      
      determine a sender IP address, of which the number of occurrences exceeds a third threshold, as an attacker IP address of the E-mail attack.
  - 11. The device according to claim 10, wherein the E-mail traffic parameter comprises the number of E-mails.
  - 12. The device according to claim 10, wherein the E-mail traffic parameter comprises the number of newly created simple mail transfer protocol (SMTP) connections for transferring an E-mail.
  - 13. The device according to claim 10, wherein the E-mail traffic parameter comprises the number of added simple mail transfer protocol (SMTP) concurrent connections for transferring an E-mail.
  - 14. The device according to claim 9, wherein the E-mail traffic parameter comprises the number of E-mails.
  - 15. The device according to claim 9, wherein the E-mail traffic parameter comprises the number of newly created simple mail transfer protocol (SMTP) connections for transferring an E-mail.
  - 16. The device according to claim 9, wherein the E-mail traffic parameter comprises the number of added simple mail transfer protocol (SMTP) concurrent connections for transferring an E-mail.
  - 17. The device according to claim 8, wherein the processor is further configured to:
    - obtain sender Internet Protocol (IP) addresses of the E-mails at a same time as the obtaining recipient E-mail addresses of E-mails received by the network interface in each of the statistic periods;
      
      establish the monitor entry for recording a correspondence between the recipient E-mail addresses and the sender IP addresses of the E-mails received for each of the statistic periods, wherein a second hash node of the monitor entry stores number of occurrences of each sender IP address which appears together with the first recipient E-mail address in a E-mail received in the first statistic period;
      
      collect, according to the correspondence, statistics on the number of occurrences of each sender IP address corresponding to the target address; and
      
      determine a sender IP address, of which the number of occurrences exceeds a third threshold, as an attacker IP address of the E-mail attack.
  - 18. The device according to claim 17, wherein the E-mail traffic parameter comprises the number of E-mails.
  - 19. The device according to claim 17, wherein the E-mail traffic parameter comprises the number of newly created simple mail transfer protocol (SMTP) connections for transferring an E-mail.
  - 20. The device according to claim 17, wherein the E-mail traffic parameter comprises the number of added simple mail transfer protocol (SMTP) concurrent connections for transferring an E-mail.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Huawei Technologies Co., Ltd. (Huawei Investment & Holding Co., Ltd.)
Original Assignee
Huawei Technologies Co., Ltd. (Huawei Investment & Holding Co., Ltd.)
Inventors
Jiang, Wu, Dong, Xingshui
Primary Examiner(s)
Armouche, Hadi S
Assistant Examiner(s)
Gao, Shu C

Application Number

US14/512,777
Publication Number

US 20150033343A1
Time in Patent Office

1,499 Days
Field of Search
US Class Current
CPC Class Codes

H04L 51/212   using filtering or selectiv...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

H04L 63/1458   Denial of Service

H04L 69/28   Timers or timing mechanisms...

Method, apparatus, and device for detecting e-mail attack

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

24 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Method, apparatus, and device for detecting e-mail attack

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

24 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links