
Method and system for detecting abnormal IP of mail system

A mail system detection technology, applied in the field of methods and systems for detecting abnormal IPs in mail systems. It addresses the lack of consideration in existing approaches, the inability to accurately detect abnormal IPs in a mail system, and the failure to consider the detection impact as a whole, thereby improving accuracy.

Active Publication Date: 2021-12-17
COMP NETWORK INFORMATION CENT CHINESE ACADEMY OF SCI

AI Technical Summary

Problems solved by technology

[0003] However, some existing literature does not consider the information in the alarm logs of security devices for the same time period when judging abnormal IPs. In fact, malicious IPs may also attack the mail system's network while attacking the mail system. Other literature considers several different characteristics of abnormal IPs when judging them, but does not consider as a whole the impact of the different characteristics on detecting abnormal IPs. Therefore, the methods disclosed in the prior art cannot accurately detect abnormal IPs.

Examples


Embodiment Construction

[0025] Some embodiments of the present invention provide a method for detecting abnormal IPs in a mail system. The detection method comprises the following steps:

[0026] 1) Clean the mail log data and extract useful information;

[0027] The purpose of cleaning the mail log data in step 1) is to remove the influence of noise and extract useful information. The useful information includes: login time, login IP, login IP attribution (used as geographic location information), the name of the email account operated on, account login status (login success / login failure), and the abnormal operation period of the login IP (0:00-6:00 local time at the queried IP attribution);

[0028] 2) Compile statistics on the operation behavior data, with respect to mailbox accounts, of the IP corresponding to each piece of useful information within the preset time window;

[0029] The operation behavior data includes: the number of accounts operated on by the IP address, the abnormal value of the number of login failures, the abnormal...


Abstract

The invention provides a method and system for detecting abnormal IPs in a mail system. The method comprises: cleaning mail log data and extracting useful information; compiling statistics on the operation behavior data, with respect to mailbox accounts, of the IP corresponding to each piece of useful information within a preset time window; determining the weight of each item of operation behavior data in the current time window; and calculating an IP behavior abnormal value z from each item of operation behavior data and its corresponding weight, comparing z with a preset threshold z0, and judging the IP to be an abnormal IP when z is greater than z0. The method comprehensively considers factors such as the number of accounts operated on by an IP address in the mail system, the number of login failures, and operations on mailbox accounts during an abnormal time period. The influence factors are weighted, and the weight of each factor is learned using a linear regression algorithm. In addition, whether the IP address is a malicious IP is judged comprehensively by comparing it with the attack source IP addresses in the IDS device alarm log for the same time window, which improves the accuracy of abnormal IP detection.
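The scoring flow described in the abstract, as an added example that is not code from the patent. The weights, the threshold z0, the log records and the IDS source list are constructed for illustration; raw counts stand in for the patent's per-feature abnormal values, the weights stand in for the output of the linear regression step, and timestamps are assumed to be already converted to local time at the IP's attribution.

```python
from collections import defaultdict
from datetime import datetime

# Constructed, already-cleaned mail log records for one time window:
# (local time at the IP's attribution, login IP, account, login succeeded)
LOG = [
    ("2021-06-01 02:10", "203.0.113.7", "alice", False),
    ("2021-06-01 02:11", "203.0.113.7", "bob", False),
    ("2021-06-01 02:12", "203.0.113.7", "carol", False),
    ("2021-06-01 02:13", "203.0.113.7", "dave", False),
    ("2021-06-01 02:14", "203.0.113.7", "alice", True),
    ("2021-06-01 09:30", "198.51.100.20", "erin", True),
    ("2021-06-01 09:45", "198.51.100.20", "erin", False),
]
# Constructed attack source IPs from IDS alarms in the same window.
IDS_SOURCES = {"203.0.113.7"}

# Assumed values: the patent learns weights by linear regression and
# uses a preset threshold z0; neither value appears on the page.
WEIGHTS = {"accounts": 0.4, "failures": 0.4, "night_ops": 0.2}
Z0 = 3.0

def features(records):
    """Per-IP counts: distinct accounts, failed logins, 0:00-6:00 operations."""
    acc = defaultdict(lambda: {"accounts": set(), "failures": 0, "night_ops": 0})
    for ts, ip, account, ok in records:
        f = acc[ip]
        f["accounts"].add(account)
        f["failures"] += 0 if ok else 1
        if datetime.strptime(ts, "%Y-%m-%d %H:%M").hour < 6:
            f["night_ops"] += 1
    return {ip: {**f, "accounts": len(f["accounts"])} for ip, f in acc.items()}

def score(feat, weights=WEIGHTS):
    """IP behavior abnormal value z: weighted sum of the behavior features."""
    return sum(w * feat[name] for name, w in weights.items())

def detect(records, ids_sources, z0=Z0):
    """Flag IPs with z > z0 and report whether the IDS log corroborates them."""
    out = {}
    for ip, feat in features(records).items():
        z = round(score(feat), 2)
        out[ip] = {"z": z, "abnormal": z > z0, "ids_match": ip in ids_sources}
    return out

if __name__ == "__main__":
    for ip, verdict in detect(LOG, IDS_SOURCES).items():
        print(ip, verdict)
```
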

Description

Technical field

[0001] The invention belongs to the field of anomaly detection, and in particular relates to a method and system for detecting abnormal IPs in a mail system.

Background

[0002] E-mail is an indispensable communication tool for daily life and office work. Users can log in to e-mail through computers and other means. With the continuous development of the network, the security of e-mail accounts has become particularly important. The mail system is often attacked by malicious IPs, for example through brute-force cracking of mailbox accounts in the system, or through theft of mail content from accounts whose user name and password have already been obtained (that is, controlled mailbox accounts). Therefore, when suspicious behavior occurs, these abnormal IPs must be found in time for focused monitoring and, if necessary, their access to and operations on accounts in the mail system must be blocked.

[0003] However, some e...


Application Information

Patent Type & Authority: Applications (China)
IPC(8): H04L29/06, H04L12/58
CPC: H04L63/1408, H04L63/1425, H04L63/0236, H04L51/42, Y02D10/00
Inventor: 龙春, 杜冠瑶, 万巍, 赵静, 杨帆
Owner: COMP NETWORK INFORMATION CENT CHINESE ACADEMY OF SCI