KR-102964117-B1 - Mail security-based zero-day URL attack defense service providing device and its operation method
Abstract
A method of operation of a mail security-based zero-day URL attack defense service provider according to an embodiment of the present invention comprises: a collection step of collecting mail information transmitted and received between one or more user terminals; a security threat inspection step of inspecting a URL (Uniform Resource Locator) by a mail security process and storing and managing URL inspection information based on the inspection result when the mail information includes a URL according to a pre-set security threat architecture; a zero-day URL conversion step of converting the zero-day URL into a pre-set security URL when the URL is determined to be a zero-day URL with a potential zero-day attack risk based on the URL inspection information; and a zero-day URL diagnosis step of periodically diagnosing whether the zero-day URL is a malicious URL.
Inventors
- 김충한
Assignees
- (주)기원테크
Dates
- Publication Date
- 20260513
- Application Date
- 20201229
Claims (2)
- A service providing device comprising: a collection unit that collects mail information transmitted and received between one or more user terminals; a security threat inspection unit that, according to a pre-configured security threat architecture, when the mail information includes link information for connecting to a specific webpage, inspects the link information by a mail security process and stores and manages inspection information based on the inspection result; and a zero-day diagnosis unit that, when the link information is determined on the basis of the inspection information to carry a potential risk of a zero-day attack, performs a malicious code inspection on the webpage reached through the link information, wherein whether the link information carries a potential zero-day attack risk is determined according to whether the link information is registered in a database; the zero-day diagnosis unit, when the user terminal accesses the link information, checks whether the link information exists in the database and then connects to or accesses the webpage through the link information to perform a behavior-based dynamic inspection; and the behavior-based dynamic inspection comprises a plurality of inspections of whether the webpage is forged, whether the source code area is accessed, whether a file is downloaded, and whether a script is executed.
- A method of operation of a service providing device, comprising: a collection step of collecting mail information transmitted and received between one or more user terminals; a security threat inspection step of, according to a pre-configured security threat architecture, when the mail information includes link information for connecting to a specific webpage, inspecting the link information by a mail security process and storing and managing inspection information based on the inspection result; and a zero-day diagnosis step of, when the link information is determined on the basis of the inspection information to carry a potential risk of a zero-day attack, performing a malicious code inspection on the webpage reached through the link information, wherein whether the link information carries a potential zero-day attack risk is determined according to whether the link information is registered in a database; the zero-day diagnosis step, when the user terminal accesses the link information, checks whether the link information exists in the database and then connects to or accesses the webpage through the link information to perform a behavior-based dynamic inspection; and the behavior-based dynamic inspection comprises a plurality of inspections of whether the webpage is forged, whether the source code area is accessed, whether a file is downloaded, and whether a script is executed.
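The two claims and the abstract describe one pipeline: collect mail, extract link information, treat any URL not yet registered in the inspection database as a potential zero-day URL, rewrite it to a gateway ("security") URL, and, when the user clicks, re-check the database and run a behavior-based dynamic inspection (page forged, source code area accessed, file downloaded, script executed). The following Python is an added illustration of that flow and is not the patent's or the assignee's code; the gateway host `mailgate.example`, the sample message, the `URL_DB` contents and the sandbox `report` dictionaries are all constructed placeholders, and the dynamic inspection itself is represented by a report the real device would obtain from an isolated browser visit.

```python
"""Time-of-click URL gate modelled on the patent's collection / inspection /
conversion / diagnosis steps. Added example; all hosts and data are constructed."""
import re
from email import message_from_string
from urllib.parse import quote, urlparse, parse_qs

# Constructed sample message; both URLs are placeholders.
SAMPLE_MAIL = """From: sender@example.com
To: user@example.com
Subject: invoice
Content-Type: text/plain

Please review https://known-good.example/report and https://unseen-host.example/login
"""

# Hypothetical gateway endpoint that rewritten ("security") URLs point to.
GATEWAY = "https://mailgate.example/check"

# URL inspection database: url -> verdict. Only previously inspected URLs are registered.
URL_DB = {"https://known-good.example/report": "clean"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def extract_urls(raw_mail: str) -> list:
    """Collection + inspection step: pull link information out of text/html parts."""
    msg = message_from_string(raw_mail)
    parts = msg.walk() if msg.is_multipart() else [msg]
    found = []
    for part in parts:
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            found.extend(URL_RE.findall(payload.decode("utf-8", "replace")))
    return found


def is_zero_day_candidate(url: str, db: dict) -> bool:
    """Claim rule: a URL absent from the inspection database is a potential zero-day URL."""
    return url not in db


def to_security_url(url: str) -> str:
    """Conversion step: replace the link with a gateway link that carries the original."""
    return f"{GATEWAY}?u={quote(url, safe='')}"


def rewrite_mail_urls(raw_mail: str, db: dict) -> dict:
    """Return {original_url: url_as_delivered}; registered URLs are left untouched."""
    return {u: (to_security_url(u) if is_zero_day_candidate(u, db) else u)
            for u in extract_urls(raw_mail)}


def behavior_based_check(report: dict) -> str:
    """Dynamic inspection from the claims: any of the four behaviours marks the page
    malicious. `report` stands in for the output of an isolated sandbox visit."""
    indicators = ("page_forged", "source_area_accessed",
                  "file_downloaded", "script_executed")
    return "malicious" if any(report.get(k) for k in indicators) else "clean"


def click_time_gate(security_url: str, db: dict, sandbox_report: dict) -> tuple:
    """Zero-day diagnosis at access time: recover the original URL, look it up again,
    run the dynamic check if it is still unregistered, record the verdict, and decide."""
    original = parse_qs(urlparse(security_url).query)["u"][0]  # parse_qs already unquotes
    verdict = db.get(original)
    if verdict is None:
        verdict = behavior_based_check(sandbox_report)
        db[original] = verdict
    return (original, "allow" if verdict == "clean" else "block")


def periodic_diagnosis(db: dict, fresh_reports: dict) -> dict:
    """Periodic re-diagnosis: refresh stored verdicts from newer sandbox reports."""
    for url, report in fresh_reports.items():
        if url in db:
            db[url] = behavior_based_check(report)
    return db


if __name__ == "__main__":
    db = dict(URL_DB)
    delivered = rewrite_mail_urls(SAMPLE_MAIL, db)
    for original, shown in delivered.items():
        print(f"{original} -> {shown}")
    gate_url = delivered["https://unseen-host.example/login"]
    print(click_time_gate(gate_url, db, {"script_executed": True}))
```

The gateway indirection is what makes the "periodically diagnose" step in the abstract useful: because the mail body carries only the gateway URL, a verdict that changes after delivery still takes effect at the next click, which a one-time scan at receipt cannot provide.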
Description
Mail security-based zero-day URL attack defense service providing device and its operation method
The present invention relates to an apparatus for providing a mail security-based zero-day URL attack defense service and a method of operation thereof, and more specifically, to such an apparatus and method capable of detecting and blocking zero-day attacks that pose a security threat through URLs included in mail.
Today's society is becoming increasingly dependent on cyberspace across all sectors of social life due to the global advancement of computers and information and communication technology, and this trend is accelerating. Recently, with the commercialization of 5G mobile communication featuring ultra-high speed, ultra-low latency, and ultra-connectivity, and the emergence of new services based on it, cybersecurity is becoming increasingly important. Technological fields such as the Internet of Things (IoT), cloud systems, big data, and artificial intelligence (AI) are combining with information and communication technology to provide new service environments. Systems providing such services can be connected to PCs or portable terminal devices via the internet or wireless networks and utilized in daily life.
As information and communication technologies (ICT) connected to various terminal devices and communication equipment become increasingly integrated into daily life, cyber security threats driven by malicious intent are on the rise day by day. Sophisticated and advanced cyber security threats can cause damage by inducing human error through the malfunction of ICT terminal devices used by organizations, institutions, or individuals, or by falsifying or altering management information, thereby leading to the theft or destruction of information.
Furthermore, information illegally stolen through cyber security threats can be used to commit financial fraud or other economic and social crimes. Information security systems that protect and manage systematized information and communication technologies can be utilized to block and respond to cyber security threats. To respond to various cyber threats, information security systems can be constructed according to the system type or technical characteristics of the information and communication technology and can be applied in stages.
Email systems utilized in information and communication technology provide electronic mail services that include a body of content, enabling users to exchange messages via communication lines through computer terminals. In this case, the email may attach an electronic file containing the content to be shared, or may include a website link (URL; Uniform Resource Locator) in the body or embed it within the attachment. As such, executable electronic files containing malicious code, or URLs linking to specific websites, can be attached with malicious intent through email systems. Through this, unintended information processing and theft of information may occur when the email recipient is caused to execute the malicious code or to access a falsified website via the inserted URL. In order to respond to email security threats that can cause economic and social damage and be linked to various crimes, a 'system for controlling and blocking emails with attached malicious code' is disclosed in Korean Registered Patent No. 10-1595379.
The aforementioned registered patent includes: a function for receiving an email at a target system when the email sent from an external server or terminal passes through a firewall and a spam blocking device equipped with spam blocking software; a function for checking whether the email has an attachment, in which, if there is no attachment, the target system transmits the email to a mail server, and if there is an attachment, the email is blocked except for the attachment types most frequently used for user business purposes (document, compressed, image), to prevent malware infection in advance; a function for transmitting a notification email from the target system to a user terminal via email, messenger, mobile, or KakaoTalk, selected as a single or multiple method; a function in which, if the attachment type is an image, the target system transmits the email to the mail server, since images cannot be converted and malware infection through them is regarded as impossible; a function in which, if the attachment type is a document, the document is converted into an uneditable PDF format so that the recipient cannot click on URLs containing malware within the document, thereby preventing malware infection of the user terminal; and a function in which, if the attachment type is a compressed file, the file is first decompressed to analyze the file type, images being processed in the above manner, documents being converted into PDF and processed in the above manner, and, in the case of executable files, the target system performing malware infection scanning and treatment in a