Method, Apparatus, and Device for Detecting E-Mail Attack

US 20150033343A1
Filed: 10/13/2014
Published: 01/29/2015
Est. Priority Date: 12/27/2012
Status: Active Grant

First Claim

Patent Images

1. A method implemented by a network device for detecting an electronic mail (E-mail) attack, comprising:

receiving a data flow;

obtaining an E-mail traffic parameter of each statistic period within a predetermined number of statistic periods;

determining, within each statistic period, the E-mail traffic parameter of each of the statistic periods according to a protocol type of the received data flow; and

determining that an E-mail attack is detected when the E-mail traffic parameter of each statistic period within the predetermined number of statistic periods matches a first threshold.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method, an apparatus, and a device for detecting an E-mail attack. The device receives a data flow; obtains an E-mail traffic parameter of each statistic period within a predetermined number of statistic periods, where within each statistic period, the E-mail traffic parameter of each of the statistic periods is determined according to a protocol type of the received data flow; and determines that an E-mail attack is detected when the E-mail traffic parameter of each statistic period within the predetermined number of statistic periods matches a first threshold. By applying the disclosed embodiments, a detection result of the E-mail attack is more accurate.

Citations

15 Claims

1. A method implemented by a network device for detecting an electronic mail (E-mail) attack, comprising:
- receiving a data flow;
  
  obtaining an E-mail traffic parameter of each statistic period within a predetermined number of statistic periods;
  
  determining, within each statistic period, the E-mail traffic parameter of each of the statistic periods according to a protocol type of the received data flow; and
  
  determining that an E-mail attack is detected when the E-mail traffic parameter of each statistic period within the predetermined number of statistic periods matches a first threshold.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method according to claim 1, wherein determining the E-mail traffic parameter of each of the statistic periods according to a protocol type of the received data flow comprises:
    - analyzing a protocol type of a data flow received in each of the statistic periods;
      
      determining that the data flow is an E-mail when the protocol type is an E-mail protocol type; and
      
      obtaining the E-mail traffic parameter of each of the statistic periods according to the determined E-mail.
  - 3. The method according to claim 2, wherein after determining that the E-mail attack is detected, the method further comprises:
    - obtaining recipient E-mail addresses of E-mails received in each detection period within a predetermined number of detection periods;
      
      collecting statistics on the number of occurrences of each obtained recipient E-mail address in each of the detection periods; and
      
      determining a recipient E-mail address, of which the number of occurrences in any detection period within the predetermined number of detection periods exceeds a second threshold, as a target address of the E-mail attack.
  - 4. The method according to claim 3, further comprising:
    - obtaining sender Internet Protocol (IP) addresses of the E-mails at the same time as the obtaining recipient E-mail addresses of E-mails received in each detection period within a predetermined number of detection periods;
      
      establishing a correspondence between the recipient E-mail addresses and the sender IP addresses of the E-mails received in each of the detection periods;
      
      collecting statistics, according to the correspondence, on the number of occurrences of each sender IP address corresponding to the target address, after determining the recipient E-mail address, of which the number of occurrences in any detection period within the predetermined number of detection periods exceeds a second threshold, as a target address of the E-mail attack; and
      
      determining a sender IP address, of which the number of occurrences exceeds a third threshold, as an attacker IP address of the E-mail attack.
  - 5. The method according to claim 1, wherein the E-mail traffic parameter comprises the number of E-mails.
  - 6. The method according to claim 1, wherein the E-mail traffic parameter comprises the number of newly created simple mail transfer protocol (SMTP) connections for transferring an E-mail.
  - 7. The method according to claim 1, wherein the E-mail traffic parameter comprises the number of added SMTP concurrent connections for transferring an E-mail.
  - 8. The method according to claim 1, wherein after determining that the E-mail attack is detected, the method further comprises:
    - obtaining recipient E-mail addresses of E-mails received in each detection period within a predetermined number of detection periods;
      
      collecting statistics on the number of occurrences of each obtained recipient E-mail address in each of the detection periods; and
      
      determining a recipient E-mail address, of which the number of occurrences in any detection period within the predetermined number of detection periods exceeds a second threshold, as a target address of the E-mail attack.
  - 9. The method according to claim 8, further comprising:
    - obtaining sender Internet Protocol (IP) addresses of the E-mails at the same time of the obtaining recipient E-mail addresses of E-mails received in each detection period within a predetermined number of detection periods;
      
      establishing a correspondence between the recipient E-mail addresses and the sender IP addresses of the E-mails received in each of the detection periods;
      
      collecting statistics, according to the correspondence, on the number of occurrences of each sender IP address corresponding to the target address after determining the recipient E-mail address, of which the number of occurrences in any detection period within the predetermined number of detection periods exceeds a second threshold, as a target address of the E-mail attack; and
      
      determining a sender IP address, of which the number of occurrences exceeds a third threshold, as an attacker IP address of the E-mail attack.

10. A device for detecting an E-mail attack, comprising:
- a network interface configured to receive a data flow; and
  
  a processor configured to;
  
  obtain an electronic mail (E-mail) traffic parameter of each statistic period within a predetermined number of statistic periods;
  
  determine, within each statistic period, the E-mail traffic parameter of each of the statistic periods according to a protocol type of the data flow received by the network interface; and
  
  determine, when the E-mail traffic parameter of each statistic period within the predetermined number of statistic periods matches a first threshold, that an E-mail attack is detected.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The device according to claim 10, wherein the processor is configured to:
    - analyze, within each statistic period, a protocol type of a data flow received by the network interface within each of the statistic periods;
      
      determine that the data flow is an E-mail when the protocol type of the data flow is an E-mail protocol type; and
      
      obtain the E-mail traffic parameter of each of the statistic periods according to the determined E-mail.
  - 12. The device according to claim 11, wherein the processor is further configured to:
    - obtain recipient E-mail addresses of E-mails received by the network interface in each detection period within a predetermined number of detection periods, after determining that the E-mail attack is detected;
      
      collect statistics on the number of occurrences of each obtained recipient E-mail address in each of the detection periods; and
      
      determine a recipient E-mail address, of which the number of occurrences in any detection period within the predetermined number of detection periods exceeds a second threshold, as a target address of the E-mail attack.
  - 13. The device according to claim 12, wherein the processor is further configured to:
    - obtain sender Internet Protocol (IP) addresses of the E-mails at the same time as the obtaining recipient E-mail addresses of E-mails received by the network interface in each detection period within a predetermined number of detection periods;
      
      establish a correspondence between the recipient E-mail addresses and the sender IP addresses of the E-mails received in each of the detection periods;
      
      collect statistics, according to the correspondence, on the number of occurrences of each sender IP address corresponding to the target address, after determining the recipient E-mail address, of which the number of occurrences in any detection period within the predetermined number of detection periods exceeds a second threshold, as a target address of the E-mail attack; and
      
      determine a sender IP address, of which the number of occurrences exceeds a third threshold, as an attacker IP address of the E-mail attack.
  - 14. The device according to claim 10, wherein the processor is further configured to:
    - obtain recipient E-mail addresses of E-mails received by the network interface in each detection period within a predetermined number of detection periods after determining that the E-mail attack is detected;
      
      collect statistics on the number of occurrences of each obtained recipient E-mail address in each of the detection periods; and
      
      determine a recipient E-mail address, of which the number of occurrences in any detection period within the predetermined number of detection periods exceeds a second threshold, as a target address of the E-mail attack.
  - 15. The device according to claim 14, wherein the processor is further configured to:
    - obtain sender Internet Protocol (IP) addresses of the E-mails at the same time as the obtaining recipient E-mail addresses of E-mails received by the network interface in each detection period within a predetermined number of detection periods;
      
      establish a correspondence between the recipient E-mail addresses and the sender IP addresses of the E-mails received in each of the detection periods;
      
      collect statistics, according to the correspondence, on the number of occurrences of each sender IP address corresponding to the target address, after determining the recipient E-mail address, of which the number of occurrences in any detection period within the predetermined number of detection periods exceeds a second threshold, as a target address of the E-mail attack; and
      
      determine a sender IP address, of which the number of occurrences exceeds a third threshold, as an attacker IP address of the E-mail attack.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Huawei Technologies Co., Ltd. (Huawei Investment & Holding Co., Ltd.)
Original Assignee
Huawei Technologies Co., Ltd. (Huawei Investment & Holding Co., Ltd.)
Inventors
Jiang, Wu, Dong, Xingshui

Granted Patent

US 10,135,844 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

H04L 51/212   using filtering or selectiv...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

H04L 63/1458   Denial of Service

H04L 69/28   Timers or timing mechanisms...

Method, Apparatus, and Device for Detecting E-Mail Attack

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Method, Apparatus, and Device for Detecting E-Mail Attack

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links