CN-122027246-A - Phishing mail detection method and device, electronic equipment and storage medium

Abstract

The application discloses a phishing mail detection method and device, electronic equipment and a storage medium. It relates to the technical field of computers, and in particular to artificial intelligence fields such as deep learning, large models and agents. The method comprises: performing risk identification on the mail to be detected, so as to filter out the safe mail and obtain risk mail; analyzing the risk mail to obtain the candidate mail elements it contains; using an agent to plan and execute sub-analysis tasks according to the candidate mail elements, and obtaining the analysis results of the sub-analysis tasks; and generating a risk detection result for the risk mail according to the analysis results, wherein the risk detection result indicates whether the risk mail is a phishing mail.

Inventors

  • WANG XINNAN
  • LONG QUAN
  • GAO LEI
  • BAO CHENFU
  • XU JIANXUN
  • LI MINGQIAN
  • ZHONG WUQIANG
  • Gu Kongxi

Assignees

  • 北京百度网讯科技有限公司

Dates

Publication Date
20260512
Application Date
20260123

Claims (16)

  1. A phishing mail detection method comprising: performing risk identification on the mail to be detected to filter the safe mail in the mail to be detected to obtain a risk mail; analyzing the risk mail to obtain candidate mail elements contained in the risk mail; according to the candidate mail elements, adopting an agent to plan and execute sub-analysis tasks, and obtaining analysis results of the sub-analysis tasks; and generating a risk detection result of the risk mail according to the analysis result, wherein the risk detection result is used for indicating whether the risk mail is a phishing mail or not.
  2. The method of claim 1, wherein the generating the risk detection result of the risk mail according to the analysis result comprises: determining a target result from the analysis result according to the risk information in the analysis result; determining a logic association relation between the target results according to the risk information in the target results; constructing a suspected attack path of the risk mail according to the logic association relation; and generating the risk detection result according to the suspected attack path.
  3. The method of claim 2, wherein the generating the risk detection result according to the suspected attack path comprises: determining the attack type of the suspected attack path, wherein the attack type comprises effective attack or ineffective attack; according to the attack type, converting the suspected attack path into a natural language evidence chain matched with the attack type by adopting a first large model; and generating the risk detection result according to the natural language evidence chain and the attack type.
  4. The method of claim 3, wherein the determining the attack type of the suspected attack path comprises: determining the path strength of the suspected attack path according to the confidence in the analysis result associated with the path node in the suspected attack path, wherein the confidence is used for representing the reliability of the analysis result, and the path strength is used for representing the attack reliability of the suspected attack path; and determining the attack type according to the path strength.
  5. The method of claim 4, wherein the determining the path strength of the suspected attack path according to the confidence in the analysis result associated with the path node in the suspected attack path comprises: determining the integrity of the suspected attack path and the association weight of the path node; weighting the confidence corresponding to the path node according to the association weight to obtain a weighted result; and determining the path strength according to the weighted result and the integrity.
  6. The method of claim 1, wherein there are a plurality of candidate mail elements, and the planning and executing sub-analysis tasks with an agent according to the candidate mail elements of the risk mail and obtaining the analysis results of the sub-analysis tasks comprises: determining, by adopting the agent, a target mail element with potential attack from the plurality of candidate mail elements; and executing a corresponding sub-analysis task on the target mail element to acquire an analysis result of the target mail element.
  7. The method of claim 6, wherein the executing the corresponding sub-analysis task on the target mail element to acquire the analysis result of the target mail element comprises: determining a file type of the attachment in response to the target mail element including an attachment; and executing a sub-analysis task of security risk detection on the attachment by adopting a risk detection strategy matched with the file type, and obtaining an analysis result of the attachment.
  8. The method of claim 6, wherein the executing the corresponding sub-analysis task on the target mail element to acquire the analysis result of the target mail element comprises: in response to the target mail element including a Uniform Resource Locator (URL), acquiring a screenshot of the web page of the URL; performing text recognition on the screenshot of the page to obtain text content of the URL; and executing a sub-analysis task of link risk detection on the URL according to the text content so as to acquire an analysis result of the URL.
  9. The method of claim 6, wherein the executing the corresponding sub-analysis task on the target mail element to acquire the analysis result of the target mail element comprises: acquiring mailbox address information of a target organization in response to the target mail element including sender information; and executing a sub-analysis task of credibility check on the sender information according to the mailbox address information, and acquiring an analysis result of the sender information.
  10. The method of claim 1, wherein the mail to be detected includes a first mail and a second mail, and the performing risk identification on the mail to be detected to filter the safe mail in the mail to be detected comprises: determining a first hash vector of the first mail according to the text content of the first mail; determining a second hash vector of the second mail according to the text content of the second mail; comparing any sub-vector in the first hash vector with the sub-vector in the same position in the second hash vector to determine the similarity between the first mail and the second mail; and carrying out similar filtering on the first mail and the second mail according to the similarity.
  11. The method of claim 10, wherein the determining a first hash vector of the first mail according to the text content of the first mail comprises: dividing the text content of the first mail to obtain a plurality of continuous word sequences; performing hash calculation on the plurality of continuous word sequences to obtain a hash matrix of the first mail; determining a target hash value from each hash value of the hash matrix of the first mail; and obtaining the first hash vector based on the target hash value of each column.
  12. The method of claim 1, wherein the performing risk identification on the mail to be detected to filter the safe mail in the mail to be detected to obtain the risk mail comprises: acquiring mail risk characteristics in the target field; according to the mail risk characteristics, performing risk identification on mail content of the mail to be detected by adopting a second large model to obtain a content risk identification result, wherein the number of model parameters of the second large model is smaller than a preset number; and determining the mail to be detected as the risk mail in response to determining that the mail content has risk according to the content risk identification result.
  13. A phishing mail detecting apparatus comprising: the filtering module is used for carrying out risk identification on the mail to be detected so as to filter the safe mail in the mail to be detected and obtain a risk mail; the analysis module is used for analyzing the risk mail and acquiring candidate mail elements contained in the risk mail; the analysis module is used for planning and executing sub-analysis tasks by adopting an agent according to the candidate mail elements and obtaining analysis results of the sub-analysis tasks; and the generation module is used for generating a risk detection result of the risk mail according to the analysis result, wherein the risk detection result is used for indicating whether the risk mail is a phishing mail or not.
  14. An electronic device, comprising: at least one processor; and a memory communicatively coupled to the at least one processor, wherein the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the method of any one of claims 1-12.
  15. A non-transitory computer readable storage medium storing computer instructions for causing the computer to perform the method of any one of claims 1-12.
  16. A computer program product comprising a computer program which, when executed by a processor, implements the steps of the method of any one of claims 1-12.
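
The similarity filter of claims 10 and 11, sketched as an added example that is not code from the patent. It assumes the per-column target hash value is the column minimum (MinHash), and the constants, the salted BLAKE2b hash, the 0.5 threshold and all function names are illustrative choices.

```python
import hashlib
import re

NUM_HASHES = 64   # columns of the hash matrix (assumed value)
BAND_SIZE = 2     # length of one sub-vector (assumed value)
SHINGLE = 3       # words per continuous word sequence (assumed value)

def word_sequences(body):
    """Split the body into overlapping runs of SHINGLE consecutive words."""
    words = re.findall(r"\w+", body.lower())
    if len(words) < SHINGLE:
        return [" ".join(words)] if words else []
    return [" ".join(words[i:i + SHINGLE]) for i in range(len(words) - SHINGLE + 1)]

def _h(seq, seed):
    digest = hashlib.blake2b(seq.encode(), digest_size=8, salt=seed.to_bytes(8, "big"))
    return int.from_bytes(digest.digest(), "big")

def hash_vector(body):
    """Hash matrix: one row per word sequence, one column per seeded hash.
    The target value of each column is assumed to be its minimum."""
    seqs = word_sequences(body)
    if not seqs:
        return None  # empty body: no vector, never treated as a duplicate
    matrix = [[_h(s, seed) for seed in range(NUM_HASHES)] for s in seqs]
    return [min(column) for column in zip(*matrix)]

def similarity(vec_a, vec_b):
    """Fraction of same-position sub-vectors that are identical."""
    if vec_a is None or vec_b is None:
        return 0.0
    starts = range(0, NUM_HASHES, BAND_SIZE)
    same = sum(vec_a[i:i + BAND_SIZE] == vec_b[i:i + BAND_SIZE] for i in starts)
    return same / len(starts)

def filter_similar(bodies, threshold=0.5):
    """Return indexes of mails to keep: the first of each near-duplicate group."""
    kept = []  # (index, vector) of every representative seen so far
    for idx, body in enumerate(bodies):
        vec = hash_vector(body)
        if all(similarity(vec, other) < threshold for _, other in kept):
            kept.append((idx, vec))
    return [idx for idx, _ in kept]

# Constructed sample bodies: two copies of one campaign template, one unrelated mail.
TEMPLATE = ("Your mailbox storage is almost full and incoming messages will be rejected "
            "within 24 hours unless you confirm your account using the secure portal "
            "link below and sign in with your current password reference ticket ")
SAMPLES = [TEMPLATE + "48213", TEMPLATE + "77104",
           "Minutes from the Tuesday facilities meeting are attached for review"]
```

`filter_similar(SAMPLES)` keeps the first templated mail and the unrelated one, so only one copy of a mass-mailed template reaches the more expensive analysis stages.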

Description

Phishing mail detection method and device, electronic equipment and storage medium

Technical Field

The application relates to the technical field of computers, in particular to artificial intelligence fields such as deep learning, large models and agents, and specifically to a phishing mail detection method and device, electronic equipment and a storage medium.

Background

Phishing mails are malicious emails that use fraud as the means and theft as the core goal: by posing as a trusted identity, they induce recipients to reveal sensitive information or perform dangerous operations. With the wide use of email in government, finance, business office work, personal communication and so on, phishing email has become an important means for network attackers to carry out social engineering attacks.

Disclosure of Invention

The application provides a phishing mail detection method and device, electronic equipment and a storage medium. The specific scheme is as follows:

According to an aspect of the present application, there is provided a phishing mail detection method including: performing risk identification on the mail to be detected to filter the safe mail in the mail to be detected to obtain a risk mail; analyzing the risk mail to obtain candidate mail elements contained in the risk mail; according to the candidate mail elements, adopting an agent to plan and execute sub-analysis tasks to obtain analysis results of the sub-analysis tasks; and generating a risk detection result of the risk mail according to the analysis result, wherein the risk detection result is used for indicating whether the risk mail is a phishing mail or not.

According to another aspect of the present application, there is provided a phishing mail detection apparatus comprising: the filtering module is used for carrying out risk identification on the mail to be detected so as to filter the safe mail in the mail to be detected and obtain a risk mail; the analysis module is used for analyzing the risk mail and acquiring candidate mail elements contained in the risk mail; the analysis module is used for planning and executing sub-analysis tasks by adopting an agent according to the candidate mail elements and obtaining analysis results of the sub-analysis tasks; the generation module is used for generating a risk detection result of the risk mail according to the analysis result, wherein the risk detection result is used for indicating whether the risk mail is a phishing mail or not.

According to another aspect of the present application, there is provided an electronic apparatus including: at least one processor; and a memory communicatively coupled to the at least one processor, wherein the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the method of the above embodiments.

According to another aspect of the present application, there is provided a non-transitory computer-readable storage medium storing computer instructions for causing the computer to perform the method according to the above-described embodiments.

According to another aspect of the application, there is provided a computer program product comprising a computer program which, when executed by a processor, implements the steps of the method described in the above embodiments.

It should be understood that the description in this section is not intended to identify key or critical features of the embodiments of the application or to delineate the scope of the application. Other features of the present application will become apparent from the description that follows.

Drawings

The drawings are included to provide a better understanding of the present application and are not to be construed as limiting the application. Wherein:

FIG. 1 is a flowchart of a method for detecting phishing mails according to an embodiment of the application;
FIG. 2 is a flowchart illustrating a method for detecting phishing mails according to another embodiment of the application;
FIG. 3 is a flowchart illustrating a method for detecting phishing mails according to another embodiment of the application;
FIG. 4 is a flowchart illustrating a method for detecting phishing mails according to another embodiment of the application;
FIG. 5 is a schematic diagram of a phishing mail detecting device according to an embodiment of the present application;
FIG. 6 is a block diagram of an electronic device for implementing a phishing mail detection method of an embodiment of the present application.

Detailed Description

Exemplary embodiments of the present application will now be described with reference to the accompanying drawings, in which various details of the embodiments of the present application are included to facilitate understanding, and are to be considered merely exemplary. Accordingly, those of ordinary skill in the art will recognize that various changes and modifications of the embod