KR-102964116-B1 - AN EMAIL SECURITY SYSTEM FOR PREVENTING TARGETED EMAIL ATTACKS BY PROCESSING DETECTION OF SOCIAL ENGINEERING ATTACKS
Abstract
According to an embodiment of the present invention, a method of operating a service providing device using an email security system comprises the steps of: configuring security threat information synchronization data by synchronizing the targeted-email security threat information produced by a targeted-email security threat check of a received email with the targeted-email security threat information produced by a targeted-email security threat check of an outgoing email; performing a targeted-email security threat check on a new received email or a new outgoing email using the security threat information synchronization data; and performing targeted-email security threat response processing according to the result of that check on the new received email or new outgoing email. The targeted-email security threat check performs a social engineering email attack threat check, targeting a specific email account, on social engineering attack threat check items extracted from emails determined to be normal by a malicious code check and a spam check, using the security threat information synchronization data.
Inventors
- 김충한
Assignees
- (주)기원테크
Dates
- Publication Date
- 20260513
- Application Date
- 20241030
- Priority Date
- 20220804
Claims (10)
- A method of operating an email security system, comprising: configuring email security synchronization data, including similar (look-alike) domain information and zero-day malware information not registered in the database, by analyzing data collected from the inspection of malicious files and account data for incoming emails and data collected from the inspection of malicious files and account data for outgoing emails; and processing user warnings or blocking for a new incoming email using the similar domain information and zero-day malware information analyzed for the outgoing emails among the email security synchronization data; wherein the processing step includes accumulating the sender domains of emails to form an accumulated email history, and calculating domain similarity by comparing the sender domain of the new incoming email with the accumulated email history.
- The method of claim 1, wherein the processing step notifies the user of the risk similarity level and blocks the new incoming email when the sender domain of the new incoming email is detected as a similar domain based on the accumulated email history.
- The method of claim 1, wherein the processing step blocks the new incoming email when the sender domain of the new incoming email is determined to be a similar domain containing three or fewer similar characters that are difficult to distinguish.
- The method of claim 1, wherein the processing step blocks or delays reception of a new email when the top-level domain (TLD) of the sender domain of the new email has been modified.
- The method of claim 1, wherein the processing step blocks or delays reception of a new email when the string of the sender domain of the new email has been rearranged or has had some characters changed to similar or other characters.
- An email security system, comprising: a synchronization processing unit that analyzes data collected from the inspection of malicious files and account data for incoming emails and data collected from the inspection of malicious files and account data for outgoing emails to configure email security synchronization data including similar domain information and zero-day malware information not registered in the database; and an incoming mail processing unit that processes user warnings or blocking for new incoming mail using the similar domain information and zero-day malware information analyzed for the outgoing mail among the email security synchronization data; wherein the incoming mail processing unit accumulates the sender domains of emails to form an accumulated email history, and calculates domain similarity by comparing the sender domain of a newly received email with the accumulated email history.
- The email security system of claim 6, wherein the incoming mail processing unit notifies the user of the risk similarity level and blocks the new incoming email when the sender domain of the new incoming email is detected as a similar domain based on the accumulated email history.
- The email security system of claim 6, wherein the incoming mail processing unit blocks the new incoming email when the sender domain of the new incoming email is determined to be a similar domain containing three or fewer similar characters that are difficult to distinguish.
- The email security system of claim 6, wherein the incoming mail processing unit blocks or delays reception of a new email when the top-level domain (TLD) of the sender domain of the new email has been modified.
- The email security system of claim 6, wherein the incoming mail processing unit blocks or delays reception of a new email when the string of the sender domain of the new email has been rearranged or has had some characters changed to similar or other characters.
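As an added illustration, not code from the patent or its assignee, the sender-domain checks of claims 1 to 5 (accumulated history, similarity level, three-or-fewer-character differences, modified TLD, rearranged string) expressed as one Python classifier. The history entries, the first-label/TLD split and the verdict thresholds are this example's own assumptions.

```python
from difflib import SequenceMatcher

# Constructed sample of sender domains accumulated from previously inspected
# mail (the "accumulated email history" of claims 1 and 6); hypothetical values.
ACCUMULATED_HISTORY = {"example-corp.com", "partner-bank.co.kr", "supplier.net"}

def split_domain(domain: str):
    """Split a sender domain into (name, tld). Simplification for this example:
    the first label is the name and everything after it is treated as the TLD."""
    name, _, tld = domain.lower().partition(".")
    return name, tld

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_sender_domain(domain: str, history=ACCUMULATED_HISTORY) -> dict:
    """Classify a new sender domain against the accumulated history.
    verdict: "known" (exact match), "allow" (no similar entry), "block"
    (claims 3/8) or "block_or_delay" (claims 4/9 and 5/10). "similarity" is a
    0..1 level for the user warning of claims 2/7. Thresholds are assumptions."""
    domain = domain.lower()
    if domain in history:
        return {"verdict": "known", "match": domain, "similarity": 1.0}
    name, tld = split_domain(domain)
    best = {"verdict": "allow", "match": None, "similarity": 0.0}
    for known in history:
        kname, ktld = split_domain(known)
        sim = SequenceMatcher(None, domain, known).ratio()
        if name == kname and tld != ktld:            # same name, TLD modified
            verdict = "block_or_delay"
        elif sorted(name) == sorted(kname):          # same characters, rearranged
            verdict = "block_or_delay"
        elif edit_distance(name, kname) <= 3:        # at most 3 characters differ
            verdict = "block"
        else:
            continue                                 # not similar to this entry
        if sim > best["similarity"]:                 # keep the closest history entry
            best = {"verdict": verdict, "match": known, "similarity": round(sim, 2)}
    return best
```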
Description
An email security system for blocking and responding to targeted email attacks that perform social engineering attack detection, and a method of operation thereof
The present invention relates to an email security system for blocking and responding to targeted email attacks, and a method of operating it.
With the advancement of network attack technologies, cyber attacks via email are steadily evolving. As malicious emails aimed at specific subjects, the so-called targeted email attacks, increase through complex tactics that combine malware and social engineering, active internet users and businesses worldwide are suffering damage. Unlike spam phishing attacks aimed at an unspecified number of people, targeted email attacks are configured to target particular individuals or companies and include attacks that damage or compromise the information assets of specific individuals. To carry out a targeted email attack, threat actors collect information in order to create a personalized email message that looks realistic, persuading the target to respond and ultimately creating a security vulnerability. Furthermore, targeted attacks on inbound and outbound email employ sophisticated and unknown methods such as header tampering, use of fake email addresses or Account Takeover (ATO), attachment of unknown sophisticated malware, or impersonation of a legitimate sender trusted by the target. Consequently, victims respond to these emails by opening attachments placed by the attacker to cause fraudulent transfers, data leaks, or computer system failures, or by sending replies containing personal information, which can pose a serious risk to the victim's information assets. However, despite the severity of such targeted email attacks, the email security solutions proposed to date remain limited to fragmentary technologies such as simple inbound spam blocking and inbound domain blocking.
Currently, no solution has been presented that comprehensively uses known technologies to effectively prevent or block targeted email attacks. In particular, targeted email attacks against the inbound side ultimately lead to security vulnerabilities on the outbound side, and vulnerabilities on the outbound side in turn lead to vulnerabilities on the inbound side, so a systematic security system that blocks targeted email attacks by considering both sides together is required; however, no appropriate solution has yet been proposed.
FIG. 1 is a conceptual diagram schematically illustrating the entire system according to an embodiment of the present invention.
FIG. 2 is a block diagram illustrating a service providing device according to an embodiment of the present invention.
FIGS. 3 and 4 are block diagrams explaining in more detail some components of a service providing device according to an embodiment of the present invention.
FIGS. 5 and 6 are flowcharts explaining a service process using a system according to an embodiment of the present invention.
FIG. 7 is a diagram illustrating a large-capacity file leakage inspection process according to an embodiment of the present invention.
FIG. 8 is a ladder diagram illustrating a policy-based approval process for large files according to an embodiment of the present invention.
The following description merely illustrates the principles of the present invention. Therefore, those skilled in the art may devise various devices and methods that embody the principles of the present invention and fall within its concept and scope, even though they are not explicitly described or illustrated in this specification.
Furthermore, all conditional terms and embodiments listed in this specification are, in principle, explicitly intended only for the purpose of understanding the concept of the present invention and should be understood not as being limited to the embodiments and conditions specifically listed as such. Furthermore, it should be understood that all detailed descriptions enumerating specific embodiments, as well as the principles, aspects, and embodiments of the present invention, are intended to include structural and functional equivalents thereof. It should also be understood that such equivalents include not only currently known equivalents but also equivalents to be developed in the future, that is, all elements invented to perform the same function regardless of structure. Accordingly, for example, the block diagrams in this specification should be understood as representing a conceptual view of an exemplary circuit embodying the principles of the present invention. Similarly, all flowcharts, state transition diagrams, pseudocode, etc., should be understood as representing various processes that can be substantially represented on a computer-readable medium and performed by a computer or processor, regardless of whether the computer or processor is expl