A novel mail attack detection analysis system
A novel email attack detection system employing recursive deep content parsing and hierarchical feature adaptive weighting addresses the shortcomings of existing systems in parsing complex nested content and feature processing, achieving efficient and adaptive email attack detection while reducing false negative rates and resource consumption.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- SHANGHAI MARITIME UNIVERSITY
- Filing Date
- 2026-05-25
- Publication Date
- 2026-06-19
AI Technical Summary
Existing email attack detection systems are inefficient when parsing complex nested content, have limited feature processing methods, lack adaptability and bypass resistance, resulting in high false negative rates, high resource consumption, and difficulty in dealing with new attack methods.
A novel email attack detection and analysis system employs recursive deep content parsing and hierarchical feature adaptive weighting. Through a real-time detection module, it parses compressed packages, decrypts attachments, and parses QR codes layer by layer. Combined with a single feature classifier and a deep learning engine, it dynamically adjusts the weights of feature regions to achieve efficient detection and resource balancing.
It significantly reduced the false negative rate and false positive rate of covert attacks, enabled rapid response to new types of attacks and dynamic control of resources, and improved the adaptive and bypass resistance capabilities of the detection system.
Smart Images

Figure CN122247776A_ABST
Abstract
Description
Technical Field
[0001] This invention relates to the field of network security technology, and in particular to a novel email attack detection and analysis system. Background Technology
[0002] With the continuous evolution of cyberattack methods, email has become a primary vector for the spread of advanced persistent threats, phishing attacks, ransomware, and other malicious activities. Existing email attack detection systems typically employ static rule matching, traditional machine learning, or deep learning models to extract and classify email content features. However, in practical applications, these technologies still have the following shortcomings:
[0003] First, the system has limited ability to parse complex nested content. Attackers often encapsulate malicious payloads in multi-layered compressed files, encrypted attachments, QR code images, or short links. Most existing systems only support single-layer decompression or simple link expansion, making it difficult to fully obtain threat information from deeply nested content. This results in a high false negative rate for covert attacks, and the resource consumption caused by deep parsing is also difficult to control.
[0004] Second, the feature processing methods are simplistic and lack differentiation in the value of features from different sources and types. Emails contain various heterogeneous data such as text, images, binary attachments, and links, and the ability of each dimension of features to indicate malicious behavior varies. Existing systems typically process all features uniformly or use a single model for overall classification, making it difficult to highlight the contribution of high-value features. Abnormal signals are easily masked by normal signals, limiting detection accuracy and efficiency.
[0005] Third, the detection system lacks runtime adaptability and a closed-loop feedback mechanism. After deployment, the detection parameters are often fixed and cannot be automatically optimized based on actual detection results; attack tracing and real-time detection are independent of each other, new attack patterns cannot be fed back to the detection module in a timely manner, and the overall defense capability of the system is difficult to continuously evolve.
[0006] Fourth, it lacks the ability to withstand dynamic attack strategies and bypass. Static and fixed password guessing strategies cannot adapt to the evolving patterns of attackers' password construction; static threshold judgments are easily bypassed by carefully crafted email features; and the parsing of multimodal payloads such as QR codes and short links only reaches the decoding or unfolding level, lacking in-depth analysis of the payload content, making it difficult to cope with new attack methods. Summary of the Invention
[0007] Based on the above problems, the purpose of this invention is to provide a novel email attack detection and analysis system, which achieves efficient detection of nested malicious payloads and dynamic balance of detection resources through recursive deep content parsing and hierarchical feature adaptive weighting.
[0008] The objective of this invention is achieved through the following solution.
[0009] A novel email attack detection and analysis system includes:
[0010] The real-time detection module is configured to acquire email traffic in real time through various deployment methods, and use a deep learning detection engine to perform multi-dimensional feature comprehensive analysis on each email and output classification results. The real-time detection module has recursive deep content parsing capabilities, including: decompressing compressed packages layer by layer, extracting embedded objects, obtaining passwords through intelligent recognition to decrypt protected attachments, parsing QR codes and barcodes, and performing obfuscation restoration and short link tracing on Uniform Resource Locators.
[0011] The real-time detection module is also configured to: divide feature regions according to recursive parsing depth and configure dynamic weights; obtain malicious tendency scores of each feature through a single feature classifier; and calculate the comprehensive risk coefficient by weighted calculation after adaptively adjusting the region weights through cluster analysis. If the weights exceed a preset threshold, deep parsing is triggered; otherwise, the region features are merged into a dynamic subset and input into the deep learning engine.
[0012] The attack attribution analysis module is configured to track the attack behavior of the same attacker against different targets by cross-organizational correlation analysis of attack resources, and combine attack organization profiles, attack script matching and dynamic behavior analysis of malicious samples to reconstruct the complete attack chain and conduct attribution analysis.
[0013] Preferably, the real-time detection module is configured to perform the following steps:
[0014] Based on the intermediate metadata generated during the recursive parsing process, the feature space is divided into shallow feature regions, medium feature regions, and deep feature regions according to the depth of recursive parsing, and each region is configured with an independent dynamic weight, wherein the initial weight of the deep feature region is higher than that of the shallow and medium feature regions; wherein, the intermediate metadata includes at least the number of decompression layers, the distribution of embedded object types, the QR code payload entropy value, and the short link jump chain length;
[0015] For each original feature and the recursively derived feature generated by statistical transformation of the intermediate metadata, a single feature classifier is trained to output the malicious tendency score of the feature for the current email.
[0016] Based on the statistical values of malicious tendency scores in each region and the corresponding weights of the regions, a weighted summation method is used to calculate the comprehensive risk coefficient.
[0017] Cluster analysis is performed on the malicious tendency scores in each region. The cluster analysis includes: calculating the sum of deviations from other scores with each score as the center in turn, selecting the score with the smallest sum of deviations as the cluster center, defining the mainstream interval with a predetermined percentage range of the cluster center, calculating the average score within the mainstream interval, and adjusting the weight of the region within a preset step size range in combination with the false positive and false negative statistics of the region.
[0018] If the overall risk coefficient exceeds a preset threshold, the email is marked as high-risk and deep analysis or an alarm is triggered; otherwise, the features of each region are merged into a dynamic feature subset, which is used as input to the deep learning detection engine.
[0019] Preferably, the intermediate metadata further includes at least one of the following: MIME type transfer entropy, number of changes in the short link jump autonomous system number, and minimum distance between the QR code and the main text edit:
[0020] Preferably, the real-time detection module is further configured to perform the following steps:
[0021] A lightweight feature set is extracted from the shallow feature region, and a lightweight classifier is used to output the preliminary malicious probability of the email.
[0022] The recursive parsing depth is dynamically determined based on the comparison results between the preliminary malicious probability and the first threshold and the second threshold: if the preliminary malicious probability is less than the first threshold, no recursive parsing is performed; if the preliminary malicious probability is between the first threshold and the second threshold, recursive parsing at a first preset depth is performed; if the preliminary malicious probability is greater than or equal to the second threshold, recursive parsing at a maximum preset depth is performed; wherein, the first threshold and the second threshold are both dynamically adjustable thresholds, and the first threshold is less than the second threshold.
[0023] Preferably, the real-time detection module is further configured to perform the following steps:
[0024] Based on the recursive parsing results, all features are extracted, and a deep learning detection engine is used for final classification. The actual computing resources consumed during the parsing process are weighted and summed, and added as a resource penalty factor to the loss function of the deep learning detection engine.
[0025] Record the average resource consumption and average detection accuracy within the historical sliding window. When the average resource consumption exceeds a preset upper limit threshold and the average detection accuracy does not increase by a preset amount, a threshold tightening event is triggered, and the first and second thresholds are adjusted upward according to a preset tightening rule. When the average detection accuracy is lower than a preset lower limit threshold, a threshold relaxation event is triggered, and the first and second thresholds are adjusted downward according to a preset relaxation rule.
[0026] Preferably, the function of obtaining the password through intelligent identification in the real-time detection module to decrypt the protected attachment is further configured to perform the following steps:
[0027] The password guessing strategy library is divided into common strategy area, variant strategy area and rare strategy area. Each area is assigned different guessing resource weights, and the initial weight of the deeper areas is higher than that of the shallower areas.
[0028] The system calculates the statistical distribution characteristics of the protected attachment passwords flowing into the system in real time and compares them with the dynamically updated historical baseline. When the difference between the distribution characteristics and the baseline exceeds the preset drift threshold, it determines that the attacker has changed the password strategy and encodes the current drift direction as a drift vector.
[0029] Based on the drift vector, the policy mapping network outputs several cryptographic construction rules most likely to be used by the attacker and their confidence levels, and dynamically adjusts the guessing resource weights of the three regions according to the confidence levels, with the single adjustment range limited to a preset step size.
[0030] By utilizing historical successful decryption cases, we classify cryptographic rules based on few-sample learning and assign guessing priorities to new emails.
[0031] Preferably, the function of obtaining the password through intelligent identification in the real-time detection module to decrypt the protected attachment is further configured to perform the following steps:
[0032] Identify new cryptographic patterns from failed decryption cases. When an unmatched unknown strategy is found, trigger a strategy evolution event. Add the new cryptographic pattern as a new learning prototype and use the following steps to determine the degree of anomalousness of the new prototype: calculate the sum of deviations from other scores with the corresponding score of the prototype as the center in turn, select the score with the smallest sum of deviations as the cluster center, define the mainstream interval with a predetermined percentage range of the cluster center, calculate the average score within the mainstream interval, and if the average score is higher than the preset high-risk threshold, it is judged as high-risk, and the weight of its region is increased by a preset amount on the original basis.
[0033] When a policy evolution event is triggered, the calculation weight of the historical baseline is updated according to the newly emerging cryptographic pattern, and the drift threshold is dynamically adjusted according to the frequency of recent drift events.
[0034] Preferably, the attack tracing and analysis module and the real-time detection module work together through a bidirectional weighted feedback mechanism and are configured to perform the following steps:
[0035] After reconstructing the complete attack chain, the attack tracing and analysis module extracts the common features of all email samples in the attack chain, forms an attack pattern signature, and assigns an initial confidence level to each signature.
[0036] The attack pattern signature and its confidence level are sent to the real-time detection module, which then updates the attention weight of its deep learning detection engine or adds corresponding pre-filtering rules accordingly.
[0037] The real-time detection module periodically counts the number of newly detected malicious emails due to the attack pattern signature and the number of false alarms, and calculates the actual effective confidence level.
[0038] The actual effective confidence level is fed back to the attack tracing and analysis module. The attack tracing and analysis module adjusts the retention weight of the signature based on the ratio of the actual effective confidence level to the initial confidence level: if the ratio is lower than the first discard threshold, the signature is automatically discarded; if the ratio is higher than the second enhancement threshold, the priority of the signature in subsequent association analysis is increased.
[0039] Preferably, the real-time detection module is further configured to perform multimodal semantic consistency detection based on the QR code and the main text, including the following steps:
[0040] Perform adversarial noise detection on QR code images; if human noise is detected, the risk level of the email is directly increased.
[0041] Obtain the deep semantic similarity, entity set similarity, and normalized edit distance between the QR code decoding string and the email body;
[0042] The semantic consistency score is determined based on the comparison between the normalized edit distance and the deep semantic similarity.
[0043] When the normalized edit distance is less than the first threshold and the deep semantic similarity is less than the second threshold, it is determined to be a homonymous phishing attack, and the semantic consistency score is set to the first low score.
[0044] When the normalized edit distance is greater than the third threshold, it is determined that there is no associated payload implantation, the semantic consistency score is set to the second lowest value, and the real-time detection module is triggered to perform deep recursive parsing of the email.
[0045] Otherwise, the weighted sum of the negative correlation value of the normalized edit distance, the deep semantic similarity, and the entity set similarity is used as the semantic consistency score.
[0046] Preferably, the real-time detection module is further configured to perform three-feature joint anti-bypass detection, including the following steps:
[0047] The isolated forest or single-class support vector machine model is used to detect outliers in the triplet features. The distance distribution from the features of historical normal emails to the cluster center is dynamically maintained, and the preset quantile of this distribution is used as the dynamic anomaly threshold. The dynamic anomaly threshold is updated using a time decay weighting method, and samples that are further away from the current time are assigned lower weights.
[0048] When the current email's features deviate from the historical cluster center by more than the dynamic anomaly threshold, the static threshold judgment in the real-time detection module is bypassed, the email is forcibly sent to deep recursive parsing, and the attack source analysis module is triggered to prioritize attack chain correlation analysis of the email.
[0049] The real-time detection module also collaborates with the attack source analysis module to perform semi-supervised incremental training and feature orthogonalization constraints on the outlier detection model using the malicious email features in the attack chain reconstructed by the attack source analysis module, and feeds back the type of the dominant deviation feature in the outlier detection to the attack source analysis module for attack script matching.
[0050] Compared with the prior art, the beneficial effects of the present invention include at least the following:
[0051] By using recursive deep content parsing technology, it can decompress compressed packages layer by layer, extract embedded objects, intelligently obtain passwords to decrypt protected attachments, parse QR codes and barcodes, and perform obfuscation restoration and short link tracing on URLs. This effectively obtains threat characteristics in deep nesting and significantly reduces the false negative rate of covert attacks.
[0052] The feature space is divided into different regions according to the recursive parsing depth, and each region is assigned a dynamically adjustable weight. A single feature classifier is used to output the malicious tendency score of each feature. The region weights are adaptively adjusted through cluster analysis. The comprehensive risk coefficient is calculated based on weighted summation. Deep parsing is triggered only when necessary, avoiding the waste of resources caused by unconditional extraction of all features. This ensures detection accuracy while controlling system overhead.
[0053] By training independent single-feature classifiers for each original feature and recursively derived feature, we can capture the independent anomalous contributions of features in each dimension and avoid anomalous signals being overwhelmed by normal features. By merging the features of each region into a dynamic feature subset and inputting it into the deep learning detection engine, we can balance local sensitivity and global discrimination ability and reduce the false alarm rate.
[0054] By incorporating resource consumption as a penalty factor into the loss function, the model considers computational costs during the training phase; the weights of each feature region are adjusted online based on the false positive and false negative statistics, allowing the model to adapt to changes in attack patterns without manual intervention.
[0055] The password guessing strategy library is partitioned and dynamically weighted. By analyzing real-time statistical characteristics of password distribution and drift detection against historical baselines, the most probable password construction rules are output using a policy mapping network. Based on few-sample learning, guessing priorities are assigned to new emails, and new password patterns can be identified from decryption failures, triggering strategy evolution to effectively address dynamic changes in attackers' password strategies. Attack pattern signatures and their confidence levels extracted after reconstructing the attack chain are sent to the real-time detection module. The real-time detection module updates the attention weights of the deep learning detection engine or adds pre-filtering rules accordingly, and feeds back the actual detection results to the source tracing module. The source tracing module dynamically adjusts the signature retention weights or priority levels, forming a self-optimizing collaborative defense system. Adversarial noise detection is performed on QR code images, calculating the deep semantic similarity, entity set similarity, and normalized edit distance between the QR code decoded string and the email body. Based on multi-segment rules, phishing attacks using homonyms or unrelated payload implantation are identified, effectively recognizing phishing attacks using QR codes.
[0056] Outlier detection is performed on triplet features using isolated forests or single-class support vector machines. The outlier threshold is dynamically updated using a time-decay weighted approach. When a feature deviates from the historical cluster center by more than the dynamic threshold, deep recursive parsing is forced and attack chain correlation analysis is triggered first. The outlier detection model is semi-supervised incrementally trained and feature orthogonalization is constrained using malicious email features in the attack chain. The dominant deviation feature type is fed back to the attack script matching, which significantly increases the difficulty for attackers to bypass detection by constructing edge samples. Attached Figure Description
[0057] Figure 1 This is a schematic diagram of a novel email attack detection and analysis system according to an embodiment of the present invention;
[0058] Figure 2 This is a schematic diagram illustrating the execution steps of the real-time detection module in an embodiment of the present invention. Detailed Implementation
[0059] Exemplary embodiments will now be described more fully with reference to the accompanying drawings. However, these exemplary embodiments can be implemented in many forms and should not be construed as limited to the embodiments set forth herein; rather, they are provided to make the invention more comprehensive and complete, and to fully convey the concept of the exemplary embodiments to those skilled in the art.
[0060] Example 1
[0061] See attached document Figure 1 This embodiment provides a novel email attack detection and analysis system, including: a real-time detection module and an attack tracing and analysis module.
[0062] The real-time detection module is configured to acquire email traffic in real time through various deployment methods, and use a deep learning detection engine to perform multi-dimensional feature comprehensive analysis on each email and output classification results. The real-time detection module also has recursive deep content parsing capabilities, which can decompress compressed packages layer by layer, extract embedded objects, obtain passwords through intelligent recognition to decrypt protected attachments, parse QR codes and barcodes, and perform obfuscation restoration and short link tracing on Uniform Resource Locators.
[0063] The attack attribution analysis module is configured to track the attack behavior of the same attacker against different targets by cross-organizational correlation analysis of attack resources, and combine attack organization profiles, attack script matching and dynamic behavior analysis of malicious samples to reconstruct the complete attack chain and conduct attribution analysis.
[0064] The real-time detection module is also configured to: divide feature regions according to recursive parsing depth and configure dynamic weights; obtain malicious tendency scores for each feature through a single feature classifier; adaptively adjust the region weights through cluster analysis and then calculate the comprehensive risk coefficient; if the weights exceed a preset threshold, deep parsing is triggered; otherwise, the region features are merged into a dynamic subset and input into the deep learning engine.
[0065] The various deployment methods include one or more of the following: traffic mirroring and restoration, MTA insemination, BCC copy, email archiving, or Office 365 API access.
[0066] The multi-dimensional feature comprehensive analysis includes real-time classification based on at least 80 feature dimensions, including email header information, sender characteristics, body language style, attachment characteristics, link characteristics, and sending patterns. The classification results include four levels: safe, suspicious, spam, or threat.
[0067] The module compares the overall risk coefficient with a preset threshold: if the threshold is exceeded, it is judged as a high-risk email, and deep analysis or an alarm is triggered immediately; if the threshold is not exceeded, the features of each region are merged into a dynamic feature subset, which is then input into the deep learning detection engine for final classification, and the classification result is output as one of four levels: safe, suspicious, spam, or threat.
[0068] The attack source tracing and analysis module runs continuously in the background: When the real-time detection module detects malicious emails, the attack source tracing and analysis module extracts attack resources (such as malicious domains, IP addresses, file hashes, sender emails, etc.), clusters the behavior of the same attacker through cross-organizational correlation analysis, and combines attack organization profiles, attack script matching, and dynamic behavior analysis of malicious samples to reconstruct the complete attack chain and output a source tracing and analysis report.
[0069] The effects of the above technical solution are as follows:
[0070] Recursive deep content parsing can fully extract threat features hidden behind multi-layered compressed files, encrypted attachments, QR codes, and short links, significantly reducing the false negative rate of covert attacks. Feature regions are divided according to recursive depth and dynamically weighted. Clustering analysis is used to adaptively adjust region weights, and a comprehensive risk coefficient threshold is used to decide whether to perform deep parsing, effectively controlling resource consumption while ensuring detection accuracy. A single-feature classifier obtains independent malicious tendency scores for each feature, avoiding the problem of normal features masking the overall classification model. The dynamic feature subset strategy balances local sensitivity and global discrimination ability, reducing the false positive rate. The attack attribution analysis module performs cross-organizational correlation analysis and attack chain reconstruction on malicious emails detected in real time, providing security operations personnel with a complete attack context for rapid response and evidence collection.
[0071] It supports multiple deployment methods, including traffic mirroring and restoration, MTA concatenation, BCC copy, email archiving, and Office 365 API access, and can be flexibly integrated into existing enterprise email infrastructure. It performs real-time classification based on more than 80 feature dimensions, outputting four-level classification results to facilitate users in adopting differentiated handling strategies according to risk levels.
[0072] In one possible implementation, the deep learning detection engine includes a multimodal fusion network consisting of a text encoder, a structural feature encoder, and a temporal encoder. The text encoder uses a pre-trained natural language processing model to extract semantic vectors from the email body. The structural feature encoder uses a fully connected network to process numerical and categorical email header features and attachment metadata. The temporal encoder uses a recurrent neural network to process email sending sequence features from the same sender. The outputs of the three encoders are weighted and fused through an attention mechanism and then input into a classification layer to output probability distributions for four levels: safe, suspicious, spam, or threatening.
[0073] The deep learning detection engine also includes a feature existence mask prospect, which generates a binary mask for each feature dimension of each email, indicating whether the feature is validly present. During model training and inference, the gradient or calculated value corresponding to the missing feature is set to zero. At the same time, the dependency relationship between features is modeled through a graph neural network, and the feature value of the associated dimension is used to predict and complete the missing dimension.
[0074] In this embodiment, the deep learning detection engine adopts a multimodal fusion network architecture, specifically including:
[0075] 1. Multimodal encoder
[0076] Text Encoder: Employing a pre-trained natural language processing model (e.g., BERT, RoBERTa, or DistilBERT), the email body is segmented, embedded, and then fed into the Transformer encoding layer. The output is a fixed-dimensional semantic vector representing the semantic content, linguistic style, and potential social engineering features of the email body. This pre-trained model can be trained on a large-scale general corpus and then fine-tuned using an email dataset to adapt to the linguistic characteristics of the email domain.
[0077] The structural feature encoder employs a multi-layer fully connected network (e.g., 3 hidden layers, 256 neurons per layer, ReLU activation function). Inputs include email header information (e.g., sender domain, reply address, Message-ID), attachment metadata (filename length, MIME type, file entropy, number of compressed layers, etc.), and numerical and categorical features from sending pattern characteristics (e.g., sending time, sending frequency). For categorical features, they are first converted into dense vectors through an embedding layer before being fed into the fully connected network. The encoder outputs a structural feature vector.
[0078] The temporal encoder employs a recurrent neural network (such as LSTM or GRU). The input is the email sending sequence features (e.g., sending time intervals, attachment change patterns, subject similarity, etc.) of the same sender within a historical sliding window (e.g., the previous 30 days). After the feature vector at each time step in the sequence is processed by the recurrent neural network, the hidden state of the last time step is used as the temporal feature vector to capture whether the sender's behavior pattern undergoes a sudden change (e.g., suddenly starting to send emails with encrypted attachments).
[0079] 2. Attention fusion mechanism
[0080] The text semantic vector, structural feature vector, and temporal feature vector output by the three encoders are first projected through a linear transformation layer to map them into the same feature space. Then, the system introduces a learnable context query vector and calculates the similarity score between this query vector and each projected feature vector. This score reflects the importance of the current modality feature to the final classification task. Next, the system uses a flexible maximum normalization method to convert all similarity scores into non-negative attention weights that sum to one. Finally, the feature vectors of the three modalities are weighted and summed according to their respective attention weights to obtain the fused comprehensive feature vector.
[0081] 3. Feature Existence Masking Unit
[0082] To address the potential issue of missing features in emails (such as emails lacking body, attachments, or a historical email sequence from the same sender), the system generates a binary mask for each feature dimension of each email. When a feature in a certain dimension is valid, its mask is marked as "present"; when the feature is missing, the mask is marked as "missing".
[0083] During the training and inference process of the model, for feature dimensions marked as "missing" in the mask, the system forces the corresponding calculated value of the dimension (such as the corresponding element in the embedding vector or the corresponding neuron in the output of the fully connected layer) to be zero. Furthermore, during the backpropagation process of the dimension, the corresponding gradient information will not be calculated or transmitted, thereby avoiding interference from missing features on the update of model parameters.
[0084] Meanwhile, to fully utilize the correlation information between features for missing value completion, the system employs a graph neural network (GNN) to model the dependencies between features. Specifically:
[0085] Construct a feature association graph G=(V,E), where the node set V corresponds to all feature dimensions, and the edge set E represents the statistical dependency between features (feature pairs exceeding the threshold can be connected by calculating the mutual information or correlation coefficient between features on the training set).
[0086] For each email, the known feature values are used as the initial features of the node. The node's hidden state is then updated iteratively by passing messages through a graph neural network (such as a graph convolutional network GCN or a graph attention network GAT) to aggregate the feature information of neighboring nodes.
[0087] After several layers of message passing, the output hidden state of each node is used to output the predicted completion value of the missing value of that dimension through a prediction head (e.g., a single-layer fully connected network), and the completion value replaces the original missing position (the position marked as 0 in the mask).
[0088] During training, the loss function consists of two parts: classification cross-entropy loss and completion loss (mean squared error between the completion value and the true value, calculated only for features that originally existed in the training set but were randomly masked).
[0089] 4. Classification Output Layer
[0090] After the fused feature vectors are passed through one or more fully connected layers (e.g., 2 layers with 128 and 4 neurons respectively), the probability distribution of four categories (safe, suspicious, spam, and threat) is output through the softmax function, and the category with the highest probability is taken as the final classification result.
[0091] By employing a multimodal fusion network, the system comprehensively utilizes the textual semantics, structural attributes, and sending sequence information of emails to capture malicious behavior features from multiple dimensions, thereby improving the accuracy and robustness of detection. The attention mechanism adaptively adjusts the contribution weights of different modal features based on the current email content, avoiding bias caused by fixed weighting. The feature existence masking unit effectively addresses the problem of incomplete email features (such as missing body or attachments), preventing noise introduced by missing features. Combined with the feature completion mechanism of graph neural networks, the system can reasonably predict missing dimensions using the correlations between features (e.g., the correlation between attachment encryption methods and sender's historical behavior), further enhancing the model's generalization ability in sparse feature scenarios. Overall, this deep learning detection engine, working in conjunction with the preceding recursive parsing and hierarchical weighting modules, constitutes an end-to-end high-precision, highly robust email attack detection system.
[0092] See attached document Figure 2 In one possible implementation, the real-time detection module is further configured to perform the following steps:
[0093] Based on the intermediate metadata generated during the recursive parsing process, the feature space is divided into shallow feature regions, medium feature regions, and deep feature regions according to the depth of recursive parsing, and each region is configured with an independent dynamic weight, wherein the initial weight of the deep feature region is higher than that of the shallow and medium feature regions; wherein, the intermediate metadata includes at least the number of decompression layers, the distribution of embedded object types, the QR code payload entropy value, and the short link jump chain length;
[0094] For each original feature and the recursively derived feature generated by statistical transformation of the intermediate metadata, a single feature classifier is trained to output the malicious tendency score of the feature for the current email.
[0095] Based on the statistical values of malicious tendency scores in each region and the corresponding weights of the regions, a weighted summation method is used to calculate the comprehensive risk coefficient.
[0096] Cluster analysis is performed on the malicious tendency scores in each region. The cluster analysis includes: calculating the sum of deviations from other scores with each score as the center in turn, selecting the score with the smallest sum of deviations as the cluster center, defining the mainstream interval with a predetermined percentage range of the cluster center, calculating the average score within the mainstream interval, and adjusting the weight of the region within a preset step size range in combination with the false positive and false negative statistics of the region.
[0097] If the overall risk coefficient exceeds a preset threshold, the email is marked as high-risk and deep analysis or an alarm is triggered; otherwise, the features of each region are merged into a dynamic feature subset, which is used as input to the deep learning detection engine.
[0098] In a specific implementation, for example, original features that do not rely on recursive parsing (such as email header information, sender domain name, etc.) are classified into the shallow feature area;
[0099] Recursive derived features generated at a recursive parsing depth of 1 to 2 layers (such as the filenames decompressed in the first layer, the domain name after the first short link jump, etc.) are classified into the middle layer feature area;
[0100] The recursive derived features generated by recursive parsing with a depth of ≥3 layers, as well as the deep payload features obtained through password decryption and QR code parsing, are classified into the deep feature region.
[0101] Each region is assigned an independent dynamic weight, with the initial weight ratio set at shallow region: middle region: deep region = 1:1:5. This means that the initial weight of the deep feature region is significantly higher than that of the shallow and middle regions, in order to reflect the higher value of deep features in judging malicious behavior.
[0102] For each original feature and recursively derived features generated from intermediate metadata through statistical transformations (such as mean, difference, ratio, logarithmic transformation, etc. within a sliding window), an independent single-feature decision stump classifier is trained. Each classifier uses only one feature dimension and outputs a malicious tendency score for that feature in the current email (the score ranges from 0 to 1, with a higher score indicating a greater likelihood of the feature being malicious).
[0103] For each region, a cluster analysis is performed on the malicious intent scores of all features within that region. The clustering methods include:
[0104] By taking each score in the score set of the region as a candidate center in turn, the absolute values of the differences between the candidate center and all other scores in the set are calculated to obtain the total deviation value.
[0105] The score with the smallest total deviation value is selected as the cluster center of the region;
[0106] Using the cluster centers as a benchmark, an upper limit of 150% and a lower limit of 50% of the cluster centers are set. Scores falling within this range are classified as mainstream scores, and the average of the mainstream scores is calculated. ;
[0107] Will Compare with the preset malicious tendency threshold Tz:
[0108] like If the value is greater than Tz and FPz+FNz is greater than the preset value, then the risk characterization ability of this area is determined to be abnormal and the weight needs to be increased.
[0109] like If the false negative rate is less than or equal to Tz, but the false negative rate is higher than the preset threshold, then the weight is reduced.
[0110] The weight adjustment range is limited to between 0.01 and 0.03 (absolute value) each time. Specifically, the adjustment step size is obtained by multiplying the sum of false positives and false negatives in the region to the total number of detections by a proportional coefficient, and then limiting it to a minimum of 0.01 and a maximum of 0.03. When the weight needs to be increased, the new weight = original weight × (1 + adjustment step size); when the weight needs to be decreased, the new weight = original weight × (1 - adjustment step size).
[0111] Specifically: if the weighting conditions are met (e.g., the average mainstream score is higher than the threshold and the error rate is high);
[0112] The weight adjustment formula is:
[0113]
[0114] If the conditions for weight reduction are met, then
[0115]
[0116]
[0117] The weights are adjusted for the z-region; The weights of the z-region before adjustment; This represents the total number of tests conducted in the region; among which... A preset proportionality constant greater than 0 and less than or equal to 1, with a preferred range of 0.05 ≤ a1 ≤ 0.3; the number of errors in this region within the statistical window. ; This represents the total number of checks performed within the window. To adjust the step size; FNz represents the number of false positives caused by each region feature within the past sliding window; FNz represents the number of false negatives caused by each region feature within the past sliding window; z=1 represents the shallow feature region, z=2 represents the medium feature region, and z=3 represents the deep feature region.
[0118] After each adjustment, the weights of the three regions are renormalized so that the sum of the three weights remains unchanged (e.g., the sum is 1 or the sum is 7, etc., the specific proportion remains unchanged).
[0119] The overall risk coefficient W of the current email is calculated using the following weighted summation formula:
[0120]
[0121] z=1,2,3 represent the shallow, middle and deep layers, respectively; Let z be the number of features in the z-th region; w represents the malicious intent score of the i-th feature in the region.z The weight of the z-th region;
[0122] The calculated overall risk coefficient is compared with a preset risk threshold:
[0123] If the overall risk coefficient exceeds the preset threshold, the email will be marked as a high-risk email and a deep analysis (such as further recursive decompression to a deeper level, enabling sandbox dynamic analysis) or an alarm will be generated immediately.
[0124] If the overall risk coefficient does not exceed the threshold, the features of each region after weight adjustment will be merged into a dynamic feature subset, which will be used as input to the deep learning detection engine. The deep learning detection engine will then perform the final classification and output a classification result of one of the four levels: safe, suspicious, spam, or threat.
[0125] The effects of the above technical solution are as follows:
[0126] The features are divided into three regions—shallow, medium, and deep—based on the depth of recursive parsing, and different initial weights are assigned (deep features have the highest weight). This allows the system to focus on the high-value features exposed by deep parsing and avoid shallow features dominating the detection results.
[0127] Cluster analysis automatically identifies the mainstream distribution of malicious intent scores within each region. Combined with historical false positive and false negative statistics, the weight of each region is dynamically adjusted. The adjustment step size is limited (0.01~0.03) to ensure the smooth evolution of weights. At the same time, normalization is used to maintain the relative relationship of weights between regions, enabling the system to adapt to changes in attack patterns online.
[0128] By training a classifier independently for each feature, it can capture independent anomalous signals in each dimension, avoiding the problem of normal features masking the overall model. Decision stumps are computationally simple, have fast inference speed, and are suitable for high-dimensional feature scenarios.
[0129] Deep analysis or alarms are triggered only when the overall risk coefficient exceeds the threshold; otherwise, a dynamic feature subset is input into the deep learning engine. This effectively controls the computational and storage overhead caused by recursive analysis and achieves a dynamic balance between detection accuracy and resource consumption.
[0130] In one possible implementation, the intermediate metadata also includes at least one of the following: MIME type transfer entropy, number of changes in the short link jump autonomous system number, and minimum distance between the QR code and the main text edit:
[0131] The MIME type transfer entropy is obtained in the following way: during the recursive decompression process, the MIME type of the object extracted from each layer is recorded to form a type sequence, the frequency of type transfer between adjacent layers is counted and a transfer probability matrix is constructed, and the conditional entropy of the next layer type is calculated based on the transfer probability matrix, given the current layer type. This conditional entropy is used to quantify the degree of anomaly in the type distribution.
[0132] The number of changes in the Autonomous System Number (ASN) of the short link redirection is obtained as follows: During the short link tracing process, the IP address corresponding to each level of redirection URL and its corresponding ASN number are queried in sequence, the number of times the ASN number changes is counted, and the number is divided by the total number of redirections to obtain the change rate.
[0133] The minimum edit distance between the QR code and the body text is obtained in the following way: the global edit distance is calculated between the string obtained after decoding the QR code and the email body, and then divided by the length of the QR code string to obtain the normalized edit distance. When an email contains multiple QR codes, the minimum value among all normalized edit distances is taken.
[0134] The recursive derived features are generated from the intermediate metadata through statistical transformations, including calculating the mean, difference, ratio, or logarithmic transformation within a sliding window.
[0135] (a) MIME type transfer entropy
[0136] During the recursive decompression process, the system identifies the MIME type (e.g., application / compressed file, application / PDF, image / PNG, plain text, etc.) of each extracted object (such as files within the compressed package, embedded attachments, etc.). These MIME types are recorded as a sequence according to the order in which they are parsed.
[0137] Subsequently, the system statistically analyzes the frequency of type transitions between adjacent layers. Specifically, for any two MIME types, it counts the number of transitions where the preceding layer is of that type and the following layer is of that type throughout the entire sequence. Based on these counts, a transition probability matrix is constructed, where each element represents the conditional probability of transitioning to another type in the next layer when the current layer is of a certain type.
[0138] Given the MIME type of the current layer, the system calculates the conditional entropy of the next layer type. This is done by multiplying the conditional probability of all possible next-layer types by the base-2 logarithm of the probability, taking the negative value, and then summing the results. The system calculates the conditional entropy for each occurrence of the current layer type and takes the average (or maximum) of all conditional entropies as the MIME type transition entropy for the email. A higher entropy value indicates a more random and irregular type transition pattern, potentially suggesting that an attacker intentionally obfuscates file types to bypass detection.
[0139] (ii) Number of changes in the short link jump autonomous system number
[0140] During the short link tracing process, the system sequentially obtains the IP address corresponding to each redirect URL (through domain name resolution) and then queries the Autonomous System Number (ASN) to which that IP address belongs. Assuming the short link involves multiple redirects, the system records the sequence of ASNs after each redirect.
[0141] The system counts the number of times the Autonomous System ID (AS ID) changes, i.e., the number of times the AS ID differs when navigating from one hop to the next. This number of changes is then divided by the total number of hops minus one (if the total number of hops is one, the change rate is defined as zero) to obtain the AS ID change rate. This rate reflects the frequency of network autonomous system switching during short link hops. Normal short links typically remain within the same AS, while malicious short links often use multiple cross-AS hops to hide the final destination address or bypass security checks.
[0142] (iii) Minimum distance between QR code and main text editing
[0143] When an email contains one or more QR codes, the system records the string obtained after decoding each QR code. Simultaneously, it retrieves the plain text body of the email (after removing Hypertext Markup Language tags and special characters).
[0144] For each QR code string, the system calculates its global edit distance from the main text, which is the minimum number of operations required to transform one string into another through insertion, deletion, and replacement. Then, this edit distance is divided by the length of the QR code string to obtain the normalized edit distance. A smaller normalized edit distance indicates a more similarity between the QR code content and the main text; a larger normalized edit distance indicates a greater difference between the two.
[0145] When an email contains multiple QR codes, the system takes the minimum normalized edit distance among all values as the minimum edit distance between the QR code and the email body. If this minimum value is very small (e.g., less than 0.1), it may indicate that the QR code content is highly similar to the body text, posing a phishing risk (e.g., the URL after decoding the QR code is similar to but different from the URL displayed in the body text). If this minimum value is very large (e.g., greater than 0.8), it may indicate that the QR code carries irrelevant payloads.
[0146] (iv) Statistical transformation of recursive derived features
[0147] Based on the aforementioned intermediate metadata (including but not limited to the number of decompression layers, the distribution of embedded object types, the QR code payload entropy value, the short link jump chain length, and the aforementioned MIME transfer entropy, autonomous system number change rate, minimum QR code edit distance, etc.), the system generates recursive derived features through statistical transformations. Statistical transformations include, but are not limited to, the following:
[0148] Mean within the sliding window: For numerical intermediate metadata that changes over time or depth (such as the entropy value of a file after decompression at each level), take the arithmetic mean of the most recent depths (e.g., the most recent five times) as the smoothing feature.
[0149] Difference: Calculate the difference in intermediate metadata between adjacent depths (first-order difference), such as the change in MIME type transfer entropy between two adjacent layers, used to capture mutations.
[0150] Ratio: Calculates the ratio of intermediate metadata at the current depth to the corresponding data in the shallow layer (such as the first layer). For example, the ratio of the QR code payload entropy value at the current depth to the surface payload entropy value is used to measure the degree of anomaly in the depth payload.
[0151] Logarithmic transformation: Take the natural logarithm of the intermediate metadata (such as jump chain length and file size) with long tails of distribution to make it closer to a normal distribution, which is convenient for subsequent classifier processing.
[0152] These recursively derived features, along with the original features, are input into the single-feature classifier for training and inference.
[0153] The effects of the above technical solution are as follows:
[0154] By introducing MIME type transfer entropy, the system can effectively identify abnormal patterns in type combinations during recursive decompression (e.g., normal emails rarely decompress compressed files directly into executable files and then into scripts—a high-risk transfer sequence), improving the sensitivity to detect nested malicious attachments. By analyzing the number of changes in the Autonomous System Number (ASN) during short link jumps, the system can detect malicious short links deliberately jumping across ASNs, enhancing its ability to identify phishing links. By analyzing the minimum distance between the QR code and the edited text, the system can detect phishing attacks where the QR code content is semantically inconsistent with the text (e.g., homonyms, irrelevant payload insertion). Furthermore, the statistical transformation of recursively derived features further enriches the feature representation, enabling the model to capture deep-seated trends and abrupt changes, improving the overall accuracy and robustness of detection.
[0155] In one possible implementation, the real-time detection module is further configured to perform the following steps:
[0156] A lightweight feature set is extracted from the shallow feature region, and a lightweight classifier is used to output the preliminary malicious probability of the email.
[0157] The recursive parsing depth is dynamically determined based on the comparison results between the preliminary malicious probability and the first threshold and the second threshold: if the preliminary malicious probability is less than the first threshold, no recursive parsing is performed; if the preliminary malicious probability is between the first threshold and the second threshold, recursive parsing at a first preset depth is performed; if the preliminary malicious probability is greater than or equal to the second threshold, recursive parsing at a maximum preset depth is performed; wherein, the first threshold and the second threshold are both dynamically adjustable thresholds, and the first threshold is less than the second threshold;
[0158] Based on the recursive parsing results, all features are extracted, and a deep learning detection engine is used for final classification. The actual computing resources consumed during the parsing process are weighted and summed, and added as a resource penalty factor to the loss function of the deep learning detection engine.
[0159] Record the average resource consumption and average detection accuracy within the historical sliding window. When the average resource consumption exceeds a preset upper limit threshold and the average detection accuracy does not increase by a preset amount, a threshold tightening event is triggered, and the first and second thresholds are adjusted upward according to a preset tightening rule. When the average detection accuracy is lower than a preset lower limit threshold, a threshold relaxation event is triggered, and the first and second thresholds are adjusted downward according to a preset relaxation rule.
[0160] In this embodiment, the real-time detection module performs the following steps to achieve dynamic control of recursive parsing depth and adaptive resource optimization.
[0161] The system first extracts only a lightweight feature set from the shallow feature region. This lightweight feature set refers to features that can be directly obtained from the email surface without any recursive parsing, including but not limited to: email byte length, whether the sender's domain name exists in a known malicious domain cache, whether there is an executable attachment identifier, whether it contains external resource link identifiers, and SMTP session round-trip latency. These features are simple to calculate and extract quickly, without involving resource-intensive operations such as compressed file decompression, short link tracing, or QR code parsing.
[0162] The system uses a lightweight classifier to make a preliminary judgment on the aforementioned lightweight features. The lightweight classifier can employ a computationally inefficient model such as logistic regression, decision tree, or Naive Bayes, and its output is a preliminary malicious probability value between 0 and 1, denoted as P0. The higher this probability value, the stronger the malicious tendency of the email at the shallow feature level.
[0163] The system presets two dynamically adjustable thresholds, denoted as θ1 and θ2, satisfying 0 < θ1 < θ2 < 1. Based on the comparison between the initial malicious probability P0 and these two thresholds, the system determines the recursive parsing depth D:
[0164] If P0 < θ1, it means that the email performs normally in terms of shallow features and there is no need to consume further resources for deep parsing. Therefore, the recursive parsing depth is set to D=0, that is, only the extracted shallow features are used for subsequent processing, and no recursive decompression or short link tracing is performed.
[0165] If θ1≤P0<θ2, it indicates that the email is somewhat suspicious and needs to be expanded to the middle-level feature area. Therefore, the recursive parsing depth is set to D=1, that is, the first preset depth is executed (e.g., decompressing a compressed package and tracing a short link jump).
[0166] If P0≥θ2, it indicates that the email has a high degree of malicious intent, and it is necessary to dig out the deep features to the greatest extent. Therefore, the recursive parsing depth is set to D=D_max (maximum preset depth, such as decompressing a three-layer compressed package, fully tracking all jumps in a short link, parsing all QR codes, etc.).
[0167] Based on the recursive parsing results, all features are extracted, and a deep learning detection engine is used for final classification. The actual CPU time, memory usage, and number of network requests consumed during the parsing process are weighted and summed as a resource penalty factor R_penalty, which is added to the loss function.
[0168] The system maintains a historical sliding window (e.g., the window size is the most recent 1000 emails), and records the average resource consumption R_avg and the average detection accuracy Acc_avg within the window.
[0169] The threshold tightening event is triggered when both of the following conditions are met:
[0170] R_avg exceeds the preset resource limit threshold R_limit (for example, R_limit is set to 200 milliseconds of CPU time, 200MB of memory, and 10 network requests, which are combined into a scalar after weighting).
[0171] Acc_avg did not increase by more than the preset amount (e.g., 2 percentage points), i.e., Acc_avg - historical baseline < 2%.
[0172] At this point, the system adjusts the first threshold θ1 and the second threshold θ2 upwards according to the following formula:
[0173] θ1_new=θ1_old+η×(R_avg-R_limit) / R_limit
[0174] θ2_new=θ2_old+η×(R_avg-R_limit) / R_limit
[0175] Where η is the step size coefficient (e.g., 0.05), with an optimal range of 0.01 ≤ η ≤ 0.05; (R_avg - R_limit) / R_limit is the relative proportion of resource exceeding the limit. After adjustment, both θ1 and θ2 increase, meaning a higher initial malicious probability is required to trigger recursive parsing, thereby reducing the frequency of deep parsing and lowering resource consumption.
[0176] When the average detection accuracy (Acc_avg) falls below the preset accuracy threshold (Acc_min) (e.g., Acc_min = 85%), a threshold relaxation event is triggered. At this time, the system adjusts the threshold using the same formula but with a subtraction method, i.e.:
[0177] θ1_new=θ1_old-η·(R_avg-R_limit) / R_limit
[0178] θ2_new=θ2_old-η·(R_avg-R_limit) / R_limit
[0179] After the adjustment, both θ1 and θ2 decrease, meaning more emails will enter recursive parsing to obtain richer features, thereby improving detection accuracy. After each adjustment, the system will renormalize to ensure that θ1 and θ2 are still within the (0,1) interval and θ1 < θ2.
[0180] The effects of the above technical solution are as follows:
[0181] By employing lightweight and rapid initial screening and dynamic threshold comparison, hierarchical control of recursive parsing depth is achieved, avoiding the resource waste caused by indiscriminate deep parsing of all emails. The design of embedding a resource penalty factor into the loss function allows the deep learning model to learn the balance between resource consumption and detection accuracy during training, automatically favoring feature combinations with low resource overhead during inference. Furthermore, the sliding window-based adaptive threshold adjustment mechanism dynamically tightens or loosens the triggering conditions for recursive parsing based on the actual resource consumption and detection accuracy during system operation. It automatically throttles resources when the system load is too high and automatically increases the parsing depth when accuracy decreases, achieving an intelligent dynamic balance between detection efficiency and resource consumption. These mechanisms collectively ensure the stable operation of the system under high-throughput email traffic while maintaining a high detection accuracy.
[0182] In one possible implementation, the function of the real-time detection module to obtain the password through intelligent identification to decrypt the protected attachment is further configured to perform the following steps:
[0183] The password guessing strategy library is divided into common strategy area, variant strategy area and rare strategy area. Each area is assigned different guessing resource weights, and the initial weight of the deeper areas is higher than that of the shallower areas.
[0184] The system calculates the statistical distribution characteristics of the protected attachment passwords flowing into the system in real time and compares them with the dynamically updated historical baseline. When the difference between the distribution characteristics and the baseline exceeds the preset drift threshold, it determines that the attacker has changed the password strategy and encodes the current drift direction as a drift vector.
[0185] Based on the drift vector, the policy mapping network outputs several cryptographic construction rules most likely to be used by the attacker and their confidence levels, and dynamically adjusts the guessing resource weights of the three regions according to the confidence levels, with the single adjustment range limited to a preset step size.
[0186] By utilizing historical successful decryption cases, we classify cryptographic rules based on few-sample learning and assign guessing priorities to new emails.
[0187] In one possible implementation, the function of the real-time detection module to obtain the password through intelligent identification to decrypt the protected attachment is further configured to perform the following steps:
[0188] Identify new cryptographic patterns from failed decryption cases. When an unmatched unknown strategy is found, trigger a strategy evolution event. Add the new cryptographic pattern as a new learning prototype and use the following steps to determine the degree of anomalousness of the new prototype: calculate the sum of deviations from other scores with the corresponding score of the prototype as the center in turn, select the score with the smallest sum of deviations as the cluster center, define the mainstream interval with a predetermined percentage range of the cluster center, calculate the average score within the mainstream interval, and if the average score is higher than the preset high-risk threshold, it is judged as high-risk, and the weight of its region is increased by a preset amount on the original basis.
[0189] When a policy evolution event is triggered, the calculation weight of the historical baseline is updated according to the newly emerging cryptographic pattern, and the drift threshold is dynamically adjusted according to the frequency of recent drift events.
[0190] In its implementation, the system divides the password guessing strategy library into three policy areas: common strategy area, variant strategy area, and rare / zero-day strategy area. The common strategy area contains the most commonly used weak passwords (such as "123456" or "password") and common combinations; the variant strategy area contains rules for simple transformations of common passwords (such as case conversion, adding numbers to the end, etc.); the rare / zero-day strategy area contains unconventional password construction patterns (such as passwords generated based on email body semantics, random strings, etc.). Each area is assigned different guessing resource weights, denoted as q1, q2, and q3 respectively, with an initial weight ratio of q1:q2:q3 = 1:1:5, meaning the rare / zero-day strategy area has the highest initial weight to encourage the exploration of unconventional passwords that may be used in deep malicious attachments.
[0191] The system calculates the statistical distribution characteristics of protected attachment ciphers flowing into the system in real time. Specifically, for each decryption attempt, it records the policy region to which the cipher belongs and whether it was successful or not, forming a cipher distribution histogram. At the same time, the system maintains a dynamically updated historical baseline, which is based on the distribution of successfully decrypted ciphers over a past period (e.g., the last 7 days).
[0192] The drift monitoring unit calculates the Kullback-Leibler divergence (KL divergence) between the current cryptographic distribution characteristics and the historical baseline to quantify the difference between the two distributions. When the KL divergence exceeds a preset entropy domain drift threshold (e.g., 0.15), the system determines that the attacker has changed the cryptographic strategy and encodes the current drift direction as a drift vector. Each dimension of the drift vector represents the relative direction of change (increase, decrease, or no change) of the cryptographic frequency in each strategy region.
[0193] The policy prediction unit receives the drift vector and outputs several cryptographic construction rules most likely to be used by the attacker, along with their confidence levels, through a policy mapping network (which may employ a lightweight multilayer perceptron). The policy mapping network takes the drift vector as input and outputs the probability distribution of each candidate rule. Each candidate rule is accompanied by a confidence value (between 0 and 1).
[0194] Based on the confidence level, the system dynamically adjusts the weights of the guessing resources in the three policy regions. The adjustment formula is as follows:
[0195] = ×(1+(Confidence level_pz-Regional baseline) / Regional baseline×ρ)
[0196] in, To determine the resource weights for the adjusted strategy region; The formula defines the resource weights for guessing the policy region before adjustment; pz = 1, 2, 3 represent common, variant, and rare regions, respectively; confidence_pz is the average confidence of rules belonging to this region in the policy mapping network output; the region benchmark is a preset expected confidence (e.g., 0.5); ρ is a step size constraint factor (e.g., 0.3), with an optimal range of 0.2 ≤ ρ ≤ 0.4; through this formula, the weights of regions with high confidence are increased, and the weights of regions with low confidence are decreased, thereby achieving adaptive allocation of guessing resources.
[0197] The system utilizes historical successful decryption cases to classify small-sample cryptographic rules based on a prototype network. The prototype network learns a prototype vector (i.e., the central representation of that category) for each cryptographic rule category. For newly received protected attachments, the system extracts their email context features (such as sender, subject, and body keywords), calculates the distance between these features and the prototype vectors of each category, uses the closest category as the prediction rule, and assigns guessing priorities based on distance (or probability). The closer the distance, the higher the priority, meaning the password corresponding to that rule is tried first.
[0198] The evolutionary tracking unit identifies new cipher patterns from failed decryption cases. When the system fails to decrypt after multiple consecutive attempts (e.g., 10 times), and the ciphers in these failed cases share common structural features (e.g., all in the format of "year + last name"), it is determined that an unmatched unknown policy has been discovered. At this point, a policy evolution event is triggered, and the new cipher pattern is added to the meta-learning unit as a new learning prototype.
[0199] When determining the degree of anomalousness of a new prototype, the system employs the same method as the aforementioned feature region clustering analysis: It alternately uses the score corresponding to the prototype (e.g., a score based on the successful decryption rate) as the center, calculates the sum of deviations from other existing prototype scores, selects the score with the smallest sum of deviations as the cluster center, and defines a mainstream interval within a predetermined percentage range (e.g., 50% above and below) of this cluster center. The system then calculates the average score within the mainstream interval. If this average score exceeds a preset high-risk threshold (e.g., 0.75), it is classified as high-risk, and the weight of its corresponding region is increased by 2% (a preset increment).
[0200] When the evolution tracking unit triggers a policy evolution event, the drift monitoring unit updates the calculation weights of the historical baseline based on the newly emerging cryptographic patterns. Specifically, the cryptographic patterns corresponding to the new prototypes are given higher weights in subsequent statistics (e.g., a weighting coefficient 1.5 times that of ordinary samples), enabling the baseline to reflect the latest attacker behavior more quickly.
[0201] Meanwhile, the entropy domain drift threshold is dynamically scaled according to the frequency of recent drift events: if the number of drift events in the past week exceeds a preset number (e.g., 5 times), the threshold is reduced proportionally (e.g., multiplied by 0.9), making the system more sensitive to policy changes; if no drift occurs for a long period of time, the threshold slowly recovers to the initial value.
[0202] The effects of the above technical solution are as follows:
[0203] This implementation divides the cryptographic guessing strategy library into three regions: common, variant, and rare, and configures differentiated initial weights (the rare region has the highest weight). This allows the system to prioritize exploring high-value but rare cryptographic patterns, significantly improving the success rate of guessing zero-day cryptographic strategies. Drift monitoring uses KL divergence to quantify the difference between the current cryptographic distribution and the historical baseline, enabling real-time detection of changes in attacker cryptographic strategies and encoding the direction of change as a drift vector, providing precise guidance for subsequent weight adjustments. The policy mapping network outputs high-confidence rules based on the drift vector, dynamically adjusting the guessing resource weights of each region with limited adjustment range, avoiding drastic weight fluctuations and ensuring system stability.
[0204] In meta-learning, the prototype network can quickly learn new rules with only a few successful decryption cases, assigning personalized guessing priorities to each email, greatly improving decryption efficiency. The evolutionary tracking unit actively mines new cryptographic patterns from failed cases and determines their risk level through cluster analysis, enabling the system to continuously learn and evolve, adapting to attackers' constantly changing encryption methods. A closed-loop feedback mechanism feeds the evolution results back into drift monitoring, updating historical baselines and dynamically scaling drift thresholds, ensuring the system maintains optimal sensitivity and stability under different attack intensities.
[0205] The above mechanisms collectively enable the adaptive evolution of cryptographic guessing strategies, effectively responding to the dynamically changing encryption behavior of attackers, significantly improving the detection rate of protected malicious attachments, while avoiding excessive attempts at invalid cryptographic strategies and saving system computing resources.
[0206] In one possible implementation, the attack tracing and analysis module further includes a cryptographic resource association analysis unit, which is configured as follows:
[0207] Construct a cross-organizational password-resource mapping graph, where nodes include password strings, attachment hashes, sender domains, backlink domains, and IP addresses, and edges represent relationships that co-occur in the same email;
[0208] A graph neural network is used to embed the mapping graph to calculate the similarity between the current email node and known APT organization nodes;
[0209] When the similarity exceeds a preset threshold, the associated APT organization identifier is output as the source tracing and judgment result.
[0210] The specific implementation is as follows.
[0211] First, email attack samples from different organizations were collected, and the following key information was extracted from each malicious email: the password string successfully used to decrypt the protected attachment, the attachment's hash value (e.g., MD5 or SHA256), the sender's domain name, the backlink domain name extracted from the email (e.g., the C&C server domain name), and the IP address obtained through DNS resolution. For each sample, this information was used as nodes, and an edge was established between any two nodes that co-occur in the same email, with the edge type labeled "co-occurring in the same email". Furthermore, when there is a successful decryption relationship between the password and the attachment hash, an additional "decryption relationship" edge was added; when a domain name resolves to an IP address, a "domain name resolves to IP" edge was added; and when the same IP address historically belonged to different domain names, an "IP historical attribution" edge was added. This ultimately forms a heterogeneous graph containing multiple node and edge types.
[0212] To rapidly adapt to the identification of new tissues with only a small number of known APT tissue labeled samples (e.g., 1 to 5 samples), this unit employs a meta-learning-based graph neural network training framework. Specifically:
[0213] Heterogeneous graph neural networks: These employ relational graph convolutional networks or heterogeneous graphs to learn projection matrices for different types of nodes and edges. Initial node features may include statistical characteristics of the password string (length, character entropy value), maliciousness rating of attachment hashes, domain registration time, etc.
[0214] Meta-learning training: Graph neural networks are trained on a large number of known APT attack events (e.g., samples from publicly available APT reports) using meta-learning algorithms (such as MAML or ProtoNet) to learn meta-knowledge of graph pattern matching across organizations. During training, each task simulates a scenario where a new query sample needs to be classified given only a small number of supporting samples.
[0215] Rapid Adaptation: When it is necessary to identify a new APT organization, only 1 to 5 labeled samples of the organization (e.g., known malicious email nodes belonging to the organization) need to be provided. The model can quickly adapt by performing a few gradient updates based on meta-knowledge and output the similarity score between the current email node and each known APT organization node.
[0216] To address the issue of sparse graphs in real-world scenarios (i.e., few connections between nodes), the unit introduces a graph data augmentation module:
[0217] Random walk: Starting from the target node, perform multiple random walks to generate several walk paths, and treat the nodes on the paths as positive sample pairs.
[0218] Edge discarding: Randomly delete a certain percentage (e.g., 10%) of edges to generate an augmented view.
[0219] Attribute mask: Randomly set some dimensions of the feature vectors of some nodes to zero to generate an augmented view.
[0220] Then, a contrastive learning loss function is employed to maximize the consistency of the representation of the same node across different augmented views, while minimizing the representation similarity between different nodes. In this way, the model can learn robust node embeddings even when the original graph is sparse.
[0221] When the model outputs a similarity score exceeding a preset threshold (e.g., 0.7) between the current email node and an APT organization node, the unit not only outputs the associated organization identifier but also generates an interpretable subgraph. Specifically, a graph interpretation algorithm (such as GNN Explainer or PG Explainer) is used to extract the K edges (e.g., K=5) and K neighbor nodes that contribute the most to the similarity score. These edges and nodes are extracted from the original graph to form a connection path from the current email node to the APT organization node. This path can be visually presented to security analysts, clearly demonstrating the basis for attribution analysis.
[0222] When the similarity exceeds a preset threshold but the model's output confidence score is low (e.g., below 0.6), an active learning mechanism is triggered: the system packages the current email's association subgraph (i.e., the aforementioned interpretability subgraph) and the related original email content, and sends it to security analysts for manual verification. The analysts determine whether the email indeed belongs to the APT group and add the verification result (yes or no) as a new labeled sample to the training set. After several rounds of active learning, the model's ability to distinguish boundary samples gradually improves, and the confidence assessment becomes more accurate.
[0223] The effects of the above technical solution are as follows:
[0224] By constructing a cross-organizational cryptographic-resource heterogeneous mapping graph, linking diverse entities such as password strings, attachment hashes, domain names, and IP addresses, and utilizing graph neural networks for embedding learning and similarity calculation, the APT organization to which an email belongs can be quickly identified with only a small number of labeled samples, overcoming the shortcomings of traditional attribution methods that rely on large amounts of labeled data. The small-sample heterogeneous graph primitive learning architecture enables the model to learn common graph patterns from historical APT events, thus exhibiting excellent generalization ability to new organizations. Graph data augmentation and contrastive learning effectively alleviate the problem of sparsity in actual data and improve the robustness of embeddings. Interpretable subgraph generation makes the attribution results interpretable, facilitating understanding and verification by security analysts. The active learning mechanism further utilizes human feedback to continuously optimize the model, reducing false positives and false negatives.
[0225] In one possible implementation, the attack tracing and analysis module and the real-time detection module work together through a bidirectional weighted feedback mechanism and are configured to perform the following steps:
[0226] After reconstructing the complete attack chain, the attack tracing and analysis module extracts the common features of all email samples in the attack chain, forms an attack pattern signature, and assigns an initial confidence level to each signature.
[0227] The attack pattern signature and its confidence level are sent to the real-time detection module, which then updates the attention weight of its deep learning detection engine or adds corresponding pre-filtering rules accordingly.
[0228] The real-time detection module periodically counts the number of newly detected malicious emails due to the attack pattern signature and the number of false alarms, and calculates the actual effective confidence level.
[0229] The actual effective confidence level is fed back to the attack tracing and analysis module. The attack tracing and analysis module adjusts the retention weight of the signature based on the ratio of the actual effective confidence level to the initial confidence level: if the ratio is lower than the first discard threshold, the signature is automatically discarded; if the ratio is higher than the second enhancement threshold, the priority of the signature in subsequent association analysis is increased.
[0230] In this embodiment, the attack tracing and analysis module and the real-time detection module work together through a two-way weighted feedback mechanism, specifically performing the following steps.
[0231] Once the attack attribution analysis module successfully reconstructs a complete attack chain (including initial delivery, vulnerability exploitation, persistence, and lateral movement stages) through cross-organizational correlation analysis, attack organization profiling, and dynamic behavior analysis of malicious samples, the system extracts common features from all email samples in that attack chain. These common features include, but are not limited to: common patterns in sender domain names, naming rules for attachment names, common top-level domains in URLs after QR code decoding, common intermediate nodes in short link redirect paths, and specific keywords or sentence structures appearing in the email body.
[0232] Based on these shared characteristics, the system generates an attack pattern signature to uniquely identify this type of attack. Simultaneously, the system assigns an initial confidence level, denoted as C0, to this signature. The initial confidence level C0 ranges from 0 to 1, and its value can be determined comprehensively based on the completeness of the attack chain, the amount of evidence in the correlation analysis, and the accuracy of similar historical attacks. For example, if the attack chain is complete and contains more than 10 independent pieces of evidence, C0 can be set to 0.9; if the evidence is limited, it can be set to 0.5.
[0233] The system sends the generated attack pattern signature and its initial confidence level C0 to the real-time detection module. Upon receiving the signature, the real-time detection module performs at least one of the following two update operations:
[0234] Updated attention weights: The attention mechanism in the deep learning detection engine was originally learned based on general training data. Now, based on the importance of features in the attack pattern signature, the attention weights of signature-related features (such as specific attachment name patterns and specific short link jump structures) are increased, so that the model pays more attention to these features when processing subsequent emails.
[0235] Add pre-filtering rules: In the lightweight and fast initial screening stage, directly add signature-based matching rules (such as regular expressions to match sender domain names or attachment names). If the email matches the signature, directly increase its initial malicious probability or skip the initial screening to enter deep analysis.
[0236] During operation, the real-time detection module periodically (e.g., every 24 hours) counts the number of newly detected malicious emails due to this attack pattern signature, denoted as N_new; it also counts the number of false positives among these detected emails, denoted as N_fp. False positives refer to emails that are judged as malicious by the signature rules but are confirmed as normal by manual or higher-level analysis.
[0237] Based on the above statistics, the system calculates the actual confidence level C_actual of the signature, using the following formula:
[0238] C_actual=C0×N_new / (N_new+N_fp+ε)
[0239] Where ε is a very small positive number (e.g., 10). -6 The formula (N_new / (N_new+N_fp)) is used to prevent the denominator from being zero. The meaning of this formula is: the actual effective confidence level equals the initial confidence level multiplied by the proportion of truly malicious emails detected. If the signature can accurately detect malicious emails with few false positives, then N_new / (N_new+N_fp) is close to 1, and C_actual is close to C0; if there are many false positives, the proportion decreases, and C_actual decreases accordingly.
[0240] The real-time detection module feeds back the calculated C_actual to the attack attribution analysis module. The attack attribution analysis module adjusts the retention weight of the signature based on the ratio of C_actual to the initial confidence level C0. The adjustment formula is as follows:
[0241] W_signature_new=W_signature_old×1 / (1+γ)
[0242] Where γ = max(0, (C0 - C_actual) / C0). That is, γ takes the maximum value between zero and (C0 - C_actual) / C0. When C_actual is less than C0, γ is positive and the retention weight decreases; when C_actual is equal to or greater than C0, γ = 0 and the retention weight remains unchanged.
[0243] Furthermore, the system sets two decision thresholds, for example:
[0244] If γ > 0.7, i.e. C_actual < 0.3 × C0, it indicates that the actual effective confidence level is less than 30% of the initial confidence level, the signature effect is extremely poor, and the signature will be automatically discarded and will no longer be used for subsequent detection and association analysis.
[0245] If C_actual / C0 > 0.8, meaning the actual effective confidence level remains above 80% of the initial confidence level, it indicates that the signature has high accuracy and stability, thus increasing its priority in subsequent correlation analysis. This increased priority means that the signature will be used preferentially for clustering and matching when performing cross-organizational correlation and attack script matching in the attack attribution analysis module, thereby accelerating the reconstruction of the attack chain.
[0246] The above process forms a continuous closed loop: the attack tracing module continuously discovers new attack patterns and issues signatures, the real-time detection module provides confidence levels based on the actual performance of the signatures, and the tracing module dynamically adjusts the retention weight and priority of the signatures accordingly. Signatures with good performance are retained and given higher priority, while signatures with poor performance are automatically eliminated, thus achieving adaptive co-evolution of detection and tracing.
[0247] The effects of the above technical solution are as follows:
[0248] A closed-loop collaboration between attack attribution tracing and real-time detection is established through a two-way weighted feedback mechanism, overcoming the shortcomings of the traditional architecture where the two are independent. The distribution of attack pattern signatures enables the real-time detection module to respond quickly to new attacks, improving the timeliness and targeting of detection. The effective confidence level calculated based on actual detection results objectively assesses the true value of the signature, avoiding bias caused by inaccurate initial confidence levels. The dynamic adjustment formula for retention weights introduces a decay factor γ, which gradually eliminates inefficient signatures while retaining and prioritizing efficient signatures, achieving automatic cleanup of the signature database. Signatures with extremely poor performance (γ>0.7) are automatically discarded, effectively preventing long-term pollution of false positive rules. The priority enhancement mechanism allows verified high-quality signatures to play a greater role in subsequent attack chain correlation analysis, accelerating attribution tracing efficiency. The entire closed loop requires no manual intervention; the system can automatically optimize detection strategies and attribution tracing priorities as attack patterns change, significantly improving the overall adaptability and long-term effectiveness of the defense system.
[0249] In one possible implementation, the real-time detection module is further configured to perform multimodal semantic consistency detection based on the QR code and the main text, including the following steps:
[0250] Perform adversarial noise detection on QR code images; if human noise is detected, the risk level of the email is directly increased.
[0251] Obtain the deep semantic similarity, entity set similarity, and normalized edit distance between the QR code decoding string and the email body;
[0252] The semantic consistency score is determined based on the comparison between the normalized edit distance and the deep semantic similarity.
[0253] When the normalized edit distance is less than the first threshold and the deep semantic similarity is less than the second threshold, it is determined to be a homonymous phishing attack, and the semantic consistency score is set to the first low score.
[0254] When the normalized edit distance is greater than the third threshold, it is determined that there is no associated payload implantation, the semantic consistency score is set to the second lowest value, and the real-time detection module is triggered to perform deep recursive parsing of the email.
[0255] Otherwise, the weighted sum of the negative correlation value of the normalized edit distance, the deep semantic similarity, and the entity set similarity is used as the semantic consistency score.
[0256] In specific applications, the real-time detection module is also configured to perform multimodal semantic consistency detection based on the QR code and the text, specifically including the following steps.
[0257] When an email contains a QR code image, the system first performs adversarial noise detection on the QR code image. Adversarial noise refers to small perturbations added to the image by attackers to interfere with QR code decoding or deceive the detection model. Examples include adding tiny black dots to the white area of the QR code or adding interfering lines near the positioning pattern. Detection methods can be based on image frequency domain analysis: performing a Fast Fourier Transform on the QR code image and observing whether high-frequency components are abnormally concentrated; or using a deep learning-based adversarial sample detection model (such as an adversarial detector). If artificially added adversarial noise is detected, the system directly increases the risk level of the email (e.g., increasing the initial malicious probability by 0.3 or directly marking it as high-risk) and skips subsequent steps, because adversarial noise itself is a strong signal of malice.
[0258] If no adversarial noise is detected or further analysis is required after the risk increases, the system decodes the QR code image to obtain the decoded string. Simultaneously, the plain text body of the email is extracted (HTML tags, special characters, and non-text content are removed). Then, the following three features are calculated:
[0259] Deep semantic similarity: The decoded QR code string and the email body are input into a pre-trained semantic model (e.g., a BERT-based sentence encoder) to obtain two sentence vectors. Then, the cosine similarity between the two vectors is calculated. This similarity value ranges from 0 to 1, with values closer to 1 indicating greater semantic similarity.
[0260] Entity set similarity: Named entities (such as URLs, phone numbers, email addresses, names, and locations) are extracted from the QR code decoding string and the email body, forming two entity sets. The Jaccard similarity coefficient between the two sets is calculated, which is the intersection size divided by the union size. This similarity reflects the consistency of key information between the two sets.
[0261] Normalized edit distance: This calculates the global edit distance (Levenshtein distance) between the QR code decoded string and the email body, which is the minimum number of operations required to transform one string into another through insertion, deletion, and replacement. The edit distance is then divided by the length of the QR code decoded string to obtain the normalized edit distance. The smaller this value, the more similar the two strings are.
[0262] The system determines the semantic consistency score based on a comparison between normalized edit distance and deep semantic similarity using a three-part rule:
[0263] Rule 1 (Homograph Phishing Attack Detection): When the normalized edit distance is less than the first threshold (e.g., 0.1) and the deep semantic similarity is less than the second threshold (e.g., 0.4), it indicates that the QR code decoded string and the text are very similar at the character level (e.g., only a few characters are different), but they differ significantly semantically. This situation is typical of "homophonic phishing attacks," for example, the URL after QR code decoding is "rnicrosoft.com," while the text says "microsoft.com," using the character "rn" to obfuscate "m." In this case, the system determines it as a homograph phishing attack and sets the semantic consistency score to the lowest possible value (e.g., 0.1).
[0264] Rule 2 (Determination of Unrelated Payload Implantation): When the normalized edit distance is greater than the third threshold (e.g., 0.8), it indicates that the QR code decoding string is almost completely different from the body text, and the QR code carries a payload unrelated to the email content (e.g., directly embedding a piece of executable code or a completely different URL). In this case, the system determines it as unrelated payload implantation, sets the semantic consistency score to the second lowest value (e.g., 0.2), and triggers the real-time detection module to perform deep recursive parsing of the email (e.g., decompressing the compressed file hidden in the QR code, scanning the file pointed to by the QR code, etc.) to discover potential malicious payloads.
[0265] Rule 3 (Normal Case): If the above two extreme cases are not met, a weighted summation method is used to calculate the semantic consistency score. Specifically, the negative correlation value of the normalized edit distance (i.e., 1 minus the normalized edit distance), the deep semantic similarity, and the entity set similarity are taken, multiplied by preset weight coefficients (e.g., 0.3, 0.4, and 0.3 respectively), and then summed to obtain the final semantic consistency score. This score ranges from 0 to 1, with a higher score indicating stronger semantic consistency between the QR code and the text.
[0266] The calculated semantic consistency score can be used as an independent feature dimension in the multi-dimensional feature comprehensive evaluation, and input into the deep learning detection engine to participate in the final classification along with other features. When the score is too low (e.g., below 0.2), the system can trigger an alarm or increase the risk level of the email independently.
[0267] The effects of the above technical solution are as follows:
[0268] Adversarial noise detection enables early identification of adversarial attacks against QR code detection models, directly increasing the risk level and enhancing defense against advanced evasion techniques. By introducing three complementary features—deep semantic similarity, entity set similarity, and normalized edit distance—the consistency between the QR code and the text is comprehensively evaluated at the semantic, entity, and character levels, avoiding the limitations of single indicators. Segmentation-based judgment rules are designed with specific low scores and subsequent actions for two typical malicious scenarios—homophonic phishing attacks and unrelated payload implantation—enabling the system to accurately identify these high-threat attacks. For normal cases, a weighted summation method integrates multi-dimensional information, providing a smooth score output. Overall, this embodiment significantly improves the system's ability to detect phishing and payload implantation attacks using QR codes, filling a gap in existing technologies for multimodal semantic consistency detection.
[0269] In one possible implementation, the real-time detection module is further configured to perform three-feature joint anti-bypass detection, including the following steps:
[0270] Outlier detection is performed on the triplet features using an isolated forest or single-class support vector machine model. The distance distribution from the features of historical normal emails to the cluster centers is dynamically maintained, and the preset quantile of this distribution is used as the dynamic anomaly threshold. The dynamic anomaly threshold is updated using a time decay weighting method, with samples farther away from the current time being assigned lower weights. The triplet features are three-dimensional feature vectors composed of normalized edit distance, deep semantic similarity, and entity set similarity.
[0271] When the current email's features deviate from the historical cluster center by more than the dynamic anomaly threshold, the static threshold judgment in the real-time detection module is bypassed, the email is forcibly sent to deep recursive parsing, and the attack source analysis module is triggered to prioritize attack chain correlation analysis of the email.
[0272] The real-time detection module also collaborates with the attack source analysis module to perform semi-supervised incremental training and feature orthogonalization constraints on the outlier detection model using the malicious email features in the attack chain reconstructed by the attack source analysis module, and feeds back the type of the dominant deviation feature in the outlier detection to the attack source analysis module for attack script matching.
[0273] The real-time detection module also collaborates with the attack tracing and analysis module in the following ways:
[0274] Once the attack source analysis module reconstructs the complete attack chain, it extracts the triplet features of all malicious emails in the attack chain and adds them as known attack class samples to the training set of the outlier detection model, thus upgrading the model to a semi-supervised learning mode.
[0275] A random perturbation within a preset range is applied to the triplet features of the known attack class samples to generate variant features as hard negative samples, which are then used for incremental training of the model.
[0276] The mutual information value between each pair of features in the triplet is calculated in real time. When the mutual information value of any pair of features exceeds the preset homogenization threshold, a feature orthogonalization penalty term is added to the loss function of the outlier detection model.
[0277] When forced deep parsing is triggered by outlier detection, the feature with the largest distance from the cluster center among the triplet features is determined as the dominant deviation feature, and the type of the dominant deviation feature is recorded in the email metadata in the form of an interpretable label for use by the attack tracing analysis module when performing script matching.
[0278] In specific applications, the real-time detection module is also configured to perform joint three-feature anti-bypass detection and to work in deep collaboration with the attack tracing and analysis module, specifically including the following steps.
[0279] The system establishes an outlier detection model based on the triplet features (i.e., QR code semantic consistency score, deep semantic similarity, and entity set similarity). This model can employ either an isolation forest or a single-class support vector machine. An isolation forest constructs multiple isolation trees by randomly selecting features and random split values, further isolating outliers; a single-class support vector machine searches for a hyperplane in the feature space, ensuring that normal samples fall to one side of the hyperplane as much as possible.
[0280] The system dynamically maintains the distance distribution from the triplet features of historical normal emails to the cluster centers. The cluster centers can be the mean or median of the feature vectors of all normal samples. For each normal email, the Euclidean distance from its feature vector to the cluster center is calculated. These distances constitute a distance distribution. The system uses a preset quantile (e.g., the 95th percentile) of this distribution as a dynamic anomaly threshold.
[0281] The dynamic anomaly threshold is updated using a time-decay weighted approach: samples further removed from the current time are assigned lower weights when calculating the distance distribution. Specifically, the weight of each historical sample decays exponentially with its age; that is, the weight equals the initial weight multiplied by an exponential function with a base of the natural constant and a negative decay rate multiplied by the time interval. The decay rate can be set according to business needs (e.g., 0.01). In this way, recent samples have a greater impact on the threshold, enabling the model to quickly adapt to changes in normal behavior while retaining long-term stable historical information.
[0282] When a new email is received, the system first calculates the triplet features of the email according to the aforementioned process, and then calculates the Euclidean distance from the feature vector to the historical cluster centers. If the distance exceeds the current dynamic anomaly threshold, the email is determined to be an outlier, indicating that it significantly deviates from the normal email pattern in terms of multimodal semantic consistency.
[0283] Once an outlier is identified, the system bypasses the static threshold judgment in the real-time detection module (i.e., it no longer relies on a preset malicious probability threshold to determine whether to perform deep parsing), and forces the email to undergo deep recursive parsing (e.g., decompressing to the maximum depth, fully tracing short links, parsing all QR codes, etc.). At the same time, the system triggers the attack tracing analysis module, prioritizing attack chain correlation analysis of the email in order to discover possible new attack patterns.
[0284] A collaborative mechanism is established between the real-time detection module and the attack attribution analysis module. Once the attack attribution analysis module successfully reconstructs a complete attack chain, it extracts the triplet features of all malicious emails within that chain and adds these features as known attack class samples to the training set of the outlier detection model. In this way, the original single-class model based solely on normal samples is upgraded to a semi-supervised learning mode, knowing both the distribution of normal samples and information about known attack samples.
[0285] To enhance the model's robustness and generalization ability, the system applies random perturbations within a preset range to the triplet features of known attack class samples, generating variant features. For example, by adding or subtracting a small amount (such as ±5%) from the original feature values, multiple variants are generated. These variants serve as hard negative samples for incremental training of the model, enabling it to better identify variants of known attacks.
[0286] The system calculates the mutual information value between every two features in a triplet in real time. Mutual information measures the degree of dependence between two features; a higher value indicates a stronger correlation. When the mutual information value of any pair of features exceeds a preset homogenization threshold (e.g., 0.7), it indicates that these two features have high redundancy, which may lead to model overfitting or sensitivity to noise.
[0287] At this point, the system adds a feature orthogonality penalty term to the loss function of the outlier detection model. This penalty term encourages different features to be mutually orthogonal in the feature space (i.e., their covariance is close to zero), thereby reducing feature redundancy. For example, for two features f1 and f2, the penalty term can be set as the square of their covariance. By minimizing the total loss function including this penalty term, the model tends to learn more independent and complementary feature representations.
[0288] When forced deep parsing is triggered by outlier detection, the system determines the feature in the triplet that has the largest distance from the cluster center as the dominant deviation feature. For example, if the semantic consistency score is abnormally low while the other two features are normal, the dominant deviation feature is the "semantic consistency score".
[0289] The system records the type of the dominant deviation feature in the email metadata as an interpretable label, such as "QR code semantics are inconsistent with the body text" or "entity set similarity is abnormally low". These labels are passed to the attack attribution analysis module for use when matching attack scripts. For example, if the dominant deviation feature of a large number of outlier emails is "homographs", the attack attribution module can prioritize matching scripts related to phishing attacks, improving attribution efficiency.
[0290] The effects of the above technical solution are as follows:
[0291] Outlier detection using isolated forests or single-class support vector machines on triple features effectively identifies malicious emails that are carefully crafted to bypass static thresholds. Dynamic outlier thresholds combined with time-decay weighting allow the model to adapt to the temporal evolution of normal behavior, preventing fixed thresholds from becoming ineffective due to concept drift. Once an outlier is detected, the system immediately bypasses the static threshold, forcing deep parsing and prioritizing source tracing, significantly improving the response speed to novel and unknown attacks.
[0292] The semi-supervised collaboration with the attack attribution analysis module enables the outlier detection model to continuously learn known malicious patterns from the reconstructed attack chains, and enhances the model's generalization ability by generating variant-hard negative samples. Feature orthogonalization constraints reduce feature redundancy, improving the model's generalization performance and interpretability. A type feedback mechanism for dominant deviation features provides high-value clues for attack script matching, accelerating the classification and response to attack behaviors. Overall, this embodiment constructs a closed-loop anti-bypass system from outlier detection to forced parsing, attribution learning, and finally feedback optimization, greatly enhancing the system's defense against adaptive attackers.
[0293] In one possible implementation, the system further includes:
[0294] The auxiliary operation module is configured to connect to the cloud-based big data model. In response to users forwarding suspicious emails to a designated analysis entry point, the cloud-based big data model performs in-depth semantic analysis and automatically generates an analysis report containing security judgment, risk interpretation and handling suggestions. It also supports differentiated alarm push and multi-channel early warning notifications.
[0295] The auxiliary operation module is also configured as follows:
[0296] Periodically extract protected attachment samples that failed to be decrypted from the malicious behavior dynamic analysis subsystem and the attack tracing analysis module, and send the email metadata, attachment hash value and parsing failure reason of the sample to the cloud big model to request the generation of targeted password construction rule hypotheses;
[0297] The system receives hypothetical rules returned by a large cloud model, converts them into candidate rules for a heuristic password generator, and sets a low initial confidence level for experimental deployment. The experimental deployment includes: performing batch replay tests in an offline sandbox using a set of historically retained but undecrypted attachment samples, and only allowing entry into the real-time detection environment when the successful decryption rate reaches a preset threshold.
[0298] For rules that pass sandbox pre-validation but perform worse than expected after actual deployment, perform genetic mutation operations to generate mutated offspring rules, and then perform sandbox pre-validation again.
[0299] The experimental deployment also employs an online A / B testing mechanism:
[0300] A traffic bucketing strategy was adopted, and the new rule was applied to only 1% of the random email traffic. The effect was compared with that of the control group that did not apply the rule. If the success rate of decryption in the experimental group was significantly higher than that in the control group within the predetermined time window, the confidence of the rule was rapidly increased and the traffic proportion was expanded. If the effect was not significant or had a negative effect, the deployment was terminated and rolled back.
[0301] Regularly deduplicate and generalize rules that have been verified to be effective and have high confidence, and merge multiple specific rules into template rules at a higher level of abstraction.
[0302] The auxiliary operations module is configured to interface with cloud-based large models (such as GPT-4, Claude, or domestically developed general-purpose large models). When a user (such as a security analyst) forwards a suspicious email to the system's designated analysis entry point (e.g., via the "Report to Security Analysis" button in the email client plugin, or by uploading via the web interface), the auxiliary operations module automatically packages the complete content of the email (including the body, attachment description, header information, etc.) and calls the API interface of the cloud-based large model for deep semantic analysis.
[0303] The analysis results returned by the large cloud-based model include the following:
[0304] Security assessment: Whether the email is malicious, suspicious, or normal, with a confidence score attached.
[0305] Risk Interpretation: Describe the threat characteristics found in the email using natural language, such as "the email body attempts to trick users into clicking a link disguised as a Microsoft login page" or "the QR code in the attachment, after decoding, points to a fake bank website," etc.
[0306] Recommended actions: Such as "isolate the email and block the sender's domain" or "conduct dynamic sandbox analysis of the attachments or notify the recipient to change their password".
[0307] The auxiliary operations module automatically generates a structured analysis report from the above results and displays it to the user through the system interface. Simultaneously, the system supports differentiated alert pushes: based on the risk level of the email (threat, suspicious, spam, security), alerts of varying urgency are sent to administrators at different levels, and notifications are delivered through multiple channels (email, WeChat Work, SMS, DingTalk, etc.).
[0308] The auxiliary operations module periodically (e.g., every 24 hours) extracts samples of protected attachments that failed to decrypt from the malicious behavior dynamic analysis subsystem and the attack tracing analysis module. For each sample, the following information is collected: email metadata (sender, subject, sending time), attachment hash value, and reason for parsing failure (e.g., "dictionary attempt completed, no match" or "decryption timed out"). This information is organized into structured data and sent to the cloud-based large model, along with the following request prompt:
[0309] "The following is a password-protected malicious attachment that the current system has been unable to decrypt. Based on the email context and attachment characteristics, please infer the password construction rules that the attacker may have used, such as: {year}{common surname}, {sender domain prefix}+123, etc. Please output 3-5 of the most likely rule hypotheses, and attach a confidence level (0-1) to each rule."
[0310] The cloud-based large model returns several cryptographic construction rule assumptions and their confidence levels. The auxiliary operations module transforms these rules into candidate rules for a heuristic cryptography generator (e.g., converting the natural language description "year + last name" into a regular expression or generation function), and sets a low initial confidence level (e.g., 0.1) for each rule for experimental deployment.
[0311] All newly generated candidate rules are not applied directly to the real-time detection environment, but are first pre-validated in an offline sandbox:
[0312] The system maintains a sample set of attachments that have been stored in history but have not been decrypted (e.g., attachments that failed to be decrypted in the past 90 days, with a number of no less than 1,000).
[0313] In an isolated offline sandbox environment, the new rules were used to perform batch replay tests on the above sample set, that is, to try to decrypt each attachment with the password generated by the rules in turn, and record the number of successful decryptions.
[0314] The successful decryption rate is calculated as the number of successfully decrypted samples divided by the total number of samples. This rule is only allowed to enter the real-time detection environment when the successful decryption rate exceeds a preset threshold (e.g., 5%).
[0315] For rules that pass the sandbox pre-validation, the system uses an online A / B testing mechanism to further evaluate their actual effectiveness:
[0316] Traffic bucketing: Real-time email traffic is divided into 100 buckets using a consistent hashing algorithm, with each bucket accounting for 1% of the traffic. The new rule is applied only to one of these buckets (i.e., 1% of random traffic), designated as the experimental group; the remaining 99% of traffic serves as the control group and is not subject to this rule.
[0317] Performance Comparison: Within a predetermined time window (e.g., 72 hours), the successful decryption rate of protected attachments in the experimental and control groups is statistically analyzed. If the decryption rate of the experimental group is significantly higher than that of the control group (e.g., p-value < 0.05 and relative improvement ≥ 20% through chi-square test), the rule is considered valid.
[0318] Rapid scaling: For valid rules, quickly increase their confidence (e.g., from 0.1 to 0.6) and expand the application traffic ratio to 10%, 50%, until full deployment.
[0319] Termination and rollback: If the effect is not significant (p value ≥ 0.05) or the decryption rate of the experimental group is significantly lower than that of the control group (negative effect), the deployment of the rule will be terminated and rolled back from the real-time detection environment, and the rule will no longer be used.
[0320] For rules that pass sandbox pre-validation but perform worse than expected after actual deployment (e.g., less than 10% improvement in A / B testing), the system does not discard them directly, but instead performs a genetic mutation operation:
[0321] Treating the rules as "genes," a mutation operator from a genetic algorithm is used: a parameter (such as password length, character set, or fixed prefix) is randomly selected and modified. For example, "{year}{surname}" is mutated to "{year}{surname}{special symbols}", or "domain prefix + 123" is mutated to "domain prefix + 2024".
[0322] Multiple variant child rules (e.g., 3) are generated, and each child rule undergoes sandbox pre-validation and A / B testing again. Through this evolution, the system can explore better solutions in the rule space, gradually approximating the cryptographic patterns actually used by attackers.
[0323] The auxiliary operations module periodically (e.g., weekly) deduplicates and generalizes rules that have been verified to be effective and have high confidence (confidence ≥ 0.8):
[0324] Generalization compression: This merges multiple specific rules into a template rule at a higher level of abstraction. For example, the rules "2024+abc", "2024+xyz", and "2023+abc" can be generalized to "{year[2020-2024]}+{lowercase letter combination}". This template rule can match more variations at once, while reducing the number of entries in the rule base and improving matching efficiency.
[0325] The effects of the above technical solution are as follows:
[0326] This implementation connects to a cloud-based large-scale model through an auxiliary operations module, introducing the powerful semantic understanding capabilities of the large-scale model into the field of email security detection. This allows security analysts to quickly obtain professional-grade analysis reports through natural language interaction, significantly lowering the barrier to manual analysis. Simultaneously, it utilizes the large-scale model to generate cryptographic rule hypotheses, combining offline sandbox pre-verification and online A / B testing to construct a complete closed loop from hypothesis generation to experimental deployment and effect evaluation. A genetic mutation mechanism enables the system to automatically evolve cryptographic rules, continuously adapting to changes in attacker strategies and avoiding the lag of manually maintaining the rule base. Rule compression and generalization further improve the compactness and coverage of the rule base. Overall, this module not only enhances the system's intelligence level but also achieves continuous evolution of cryptographic guessing capabilities through data-driven iterative optimization, effectively addressing the decryption challenges of protected attachments.
[0327] In one possible implementation, the system further includes:
[0328] The sender identity analysis module is configured to perform multi-layered email authentication and verification, and combines display name spoofing detection, domain name impersonation identification, key field consistency comparison, and supply chain phishing protection analysis to identify sender spoofing attacks; and
[0329] The malicious behavior dynamic analysis subsystem is configured to execute suspicious files in an isolated environment. Through anti-escape detection, two-layer behavior monitoring, and multi-engine composite analysis, it captures the complete behavior chain of samples and identifies unknown threats.
[0330] Specifically, the subsystem executes suspicious files within the isolated sandbox:
[0331] Anti-escape: Simulates real user environment, accelerates execution time, and triggers multiple branches.
[0332] Two-layer monitoring: User-mode hooking of key APIs + kernel-mode monitoring of system calls and file / network filtering drivers to prevent bypass.
[0333] Multi-engine analysis: static analysis, dynamic behavior sequence (hidden Markov model scoring), memory snapshot detection, network traffic threat intelligence matching, weighted fusion to obtain malicious score and behavior description.
[0334] Unknown threat handling: When the score is in the gray zone or a new pattern is discovered, upload it to the cloud for in-depth analysis and send back the results to update the rules.
[0335] The system also includes a response and handling module, configured to perform differentiated interception, isolation, alarm, or release actions based on the output results of the real-time detection module, attack tracing and analysis module, auxiliary operation module, sender identity analysis module, and malicious behavior dynamic analysis subsystem, and generate traceable handling logs.
[0336] Through identity forgery detection, dynamic behavior analysis, and differentiated responses, the system identifies impersonation attacks at the source, captures unknown threats in an isolated environment, and executes precise measures based on comprehensive risks, forming a complete protection loop.
[0337] During the recursive parsing, feature extraction, and log storage processes, the system desensitizes or hashes sensitive information such as sender email addresses and attachment hashes, and sets up an automatic data expiration and deletion mechanism to ensure that the collection, processing, and retention of email data comply with the requirements of relevant laws and regulations on personal information protection and data security.
[0338] This invention also provides an electronic device, which includes a memory and a processor. The memory stores a computer program, and the processor executes the functions of the system described in Embodiment 1 when executing the computer program.
[0339] This invention also provides a computer-readable storage medium for storing a computer program. When the computer program is executed, it performs the functions of the system described in Embodiment 1. The specific implementation method and the technical effects achieved are consistent with those described in the above method embodiments, and some details will not be repeated.
[0340] In this invention, the readable storage medium can be any tangible medium containing or storing a program that can be used by or in conjunction with an instruction execution system, apparatus, or device. The program product can take the form of any combination of one or more readable media.
[0341] Although embodiments of the present invention have been shown and described above, it is understood that the above embodiments are exemplary and should not be construed as limiting the present invention. Those skilled in the art can make changes, modifications, substitutions and variations to the above embodiments within the scope of the invention without departing from the principles and spirit of the invention, and all such changes should fall within the protection scope of the claims of the present invention.
Claims
1. A novel email attack detection and analysis system, characterized in that, include: The real-time detection module is configured to acquire email traffic in real time, perform multi-dimensional feature comprehensive analysis on each email, and output classification results. The real-time detection module has recursive deep content parsing capabilities; The real-time detection module is also configured to: divide feature regions according to recursive parsing depth and configure dynamic weights; obtain malicious tendency scores of each feature through a single feature classifier; and calculate the comprehensive risk coefficient by weighted calculation after adaptively adjusting the region weights through cluster analysis. If the weights exceed a preset threshold, deep parsing is triggered; otherwise, the region features are merged into a dynamic subset and input into the deep learning engine. The attack attribution analysis module is configured to track the attack behavior of the same attacker against different targets by cross-organizational correlation analysis of attack resources, and combine attack organization profiles, attack script matching and dynamic behavior analysis of malicious samples to reconstruct the complete attack chain and conduct attribution analysis.
2. The system according to claim 1, characterized in that, The real-time detection module is configured to perform the following steps: Based on the intermediate metadata generated during the recursive parsing process, the feature space is divided into shallow feature regions, medium feature regions, and deep feature regions according to the depth of recursive parsing, and each region is configured with an independent dynamic weight, wherein the initial weight of the deep feature region is higher than that of the shallow and medium feature regions; wherein, the intermediate metadata includes at least the number of decompression layers, the distribution of embedded object types, the QR code payload entropy value, and the short link jump chain length; For each original feature and the recursively derived feature generated by statistical transformation of the intermediate metadata, a single feature classifier is trained to output the malicious tendency score of the feature for the current email. Based on the statistical values of malicious tendency scores in each region and the corresponding weights of the regions, a weighted summation method is used to calculate the comprehensive risk coefficient. Cluster analysis is performed on the malicious tendency scores in each region. The cluster analysis includes: calculating the sum of deviations from other scores with each score as the center in turn, selecting the score with the smallest sum of deviations as the cluster center, defining the mainstream interval with a predetermined percentage range of the cluster center, calculating the average score within the mainstream interval, and adjusting the weight of the region within a preset step size range in combination with the false positive and false negative statistics of the region. If the overall risk coefficient exceeds a preset threshold, it is marked as a high-risk email and deep analysis or an alarm is triggered; otherwise, the features of each region are merged into a dynamic feature subset, which is used as input to the deep learning detection engine.
3. The system according to claim 2, characterized in that, The intermediate metadata also includes at least one of the following: MIME type transfer entropy, number of changes in short link jump autonomous system number, and minimum distance between QR code and text edit: The MIME type transfer entropy is obtained in the following way: during the recursive decompression process, the MIME type of the object extracted from each layer is recorded to form a type sequence, the frequency of type transfer between adjacent layers is counted and a transfer probability matrix is constructed, and the conditional entropy of the next layer type is calculated based on the transfer probability matrix, given the current layer type. This conditional entropy is used to quantify the degree of anomaly in the type distribution. The number of changes in the Autonomous System Number (ASN) of the short link redirection is obtained as follows: During the short link tracing process, the IP address corresponding to each level of redirection URL and its corresponding ASN number are queried in sequence, the number of times the ASN number changes is counted, and the number is divided by the total number of redirections to obtain the change rate. The minimum edit distance between the QR code and the body text is obtained in the following way: the global edit distance is calculated between the string obtained after decoding the QR code and the email body, and then divided by the length of the QR code string to obtain the normalized edit distance. When an email contains multiple QR codes, the minimum value among all normalized edit distances is taken. The recursive derived features are generated from the intermediate metadata through statistical transformations, including calculating the mean, difference, ratio, or logarithmic transformation within a sliding window.
4. The system according to claim 2, characterized in that, The real-time detection module is also configured to perform the following steps: A lightweight feature set is extracted from the shallow feature region, and a lightweight classifier is used to output the preliminary malicious probability of the email. The recursive parsing depth is dynamically determined based on the comparison results between the preliminary malicious probability and the first threshold and the second threshold: if the preliminary malicious probability is less than the first threshold, no recursive parsing is performed; if the preliminary malicious probability is between the first threshold and the second threshold, recursive parsing at a first preset depth is performed; if the preliminary malicious probability is greater than or equal to the second threshold, recursive parsing at a maximum preset depth is performed; wherein, the first threshold and the second threshold are both dynamically adjustable thresholds, and the first threshold is less than the second threshold.
5. The system according to claim 4, characterized in that, The real-time detection module is also configured to perform the following steps: Based on the recursive parsing results, all features are extracted, and a deep learning detection engine is used for final classification. The actual computing resources consumed during the parsing process are weighted and summed, and added as a resource penalty factor to the loss function of the deep learning detection engine. Record the average resource consumption and average detection accuracy within the historical sliding window. When the average resource consumption exceeds a preset resource upper limit threshold and the average detection accuracy does not increase by a preset amount, a threshold tightening event is triggered, and the first threshold and the second threshold are adjusted upward according to the preset tightening rules. When the average detection accuracy is lower than the preset lower limit threshold, a threshold relaxation event is triggered, and the first threshold and the second threshold are adjusted downward according to the preset relaxation rules.
6. The system according to claim 1, characterized in that, The function of obtaining the password through intelligent identification in the real-time detection module to decrypt the protected attachment is also configured to perform the following steps: The password guessing strategy library is divided into common strategy area, variant strategy area and rare strategy area. Each area is assigned different guessing resource weights, and the initial weight of the deeper areas is higher than that of the shallower areas. The system calculates the statistical distribution characteristics of the protected attachment passwords flowing into the system in real time and compares them with the dynamically updated historical baseline. When the difference between the distribution characteristics and the baseline exceeds the preset drift threshold, it determines that the attacker has changed the password strategy and encodes the current drift direction as a drift vector. Based on the drift vector, the policy mapping network outputs several cryptographic construction rules most likely to be used by the attacker and their confidence levels, and dynamically adjusts the guessing resource weights of the three regions according to the confidence levels, with the single adjustment range limited to a preset step size. By utilizing historical successful decryption cases, we classify cryptographic rules based on few-sample learning and assign guessing priorities to new emails.
7. The system according to claim 6, characterized in that, The function of obtaining the password through intelligent identification in the real-time detection module to decrypt the protected attachment is also configured to perform the following steps: Identify new cryptographic patterns from failed decryption cases. When an unmatched unknown strategy is found, trigger a strategy evolution event. Add the new cryptographic pattern as a new learning prototype and use the following steps to determine the degree of anomalousness of the new prototype: calculate the sum of deviations from other scores with the corresponding score of the prototype as the center in turn, select the score with the smallest sum of deviations as the cluster center, define the mainstream interval with a predetermined percentage range of the cluster center, calculate the average score within the mainstream interval, and if the average score is higher than the preset high-risk threshold, it is judged as high-risk, and the weight of its region is increased by a preset amount on the original basis. When a policy evolution event is triggered, the calculation weight of the historical baseline is updated according to the newly emerging cryptographic pattern, and the drift threshold is dynamically adjusted according to the frequency of recent drift events.
8. The system according to claim 1, characterized in that, The attack tracing and analysis module and the real-time detection module work together through a two-way weighted feedback mechanism and are configured to perform the following steps: After reconstructing the complete attack chain, the attack tracing and analysis module extracts the common features of all email samples in the attack chain, forms an attack pattern signature, and assigns an initial confidence level to each signature. The attack pattern signature and its confidence level are sent to the real-time detection module, which then updates the attention weight of its deep learning detection engine or adds corresponding pre-filtering rules accordingly. The real-time detection module periodically counts the number of newly detected malicious emails due to the attack pattern signature and the number of false alarms, and calculates the actual effective confidence level. The actual effective confidence level is fed back to the attack tracing and analysis module. The attack tracing and analysis module adjusts the retention weight of the signature based on the ratio of the actual effective confidence level to the initial confidence level: if the ratio is lower than the first discard threshold, the signature is automatically discarded; if the ratio is higher than the second enhancement threshold, the priority of the signature in subsequent association analysis is increased.
9. The system according to claim 1, characterized in that, The real-time detection module is also configured to perform multimodal semantic consistency detection based on the QR code and the main text, including the following steps: Perform adversarial noise detection on QR code images; if human noise is detected, the risk level of the email is directly increased. Obtain the deep semantic similarity, entity set similarity, and normalized edit distance between the QR code decoding string and the email body; The semantic consistency score is determined based on the comparison between the normalized edit distance and the deep semantic similarity. When the normalized edit distance is less than the first threshold and the deep semantic similarity is less than the second threshold, it is determined to be a homonymous phishing attack, and the semantic consistency score is set to the first low score. When the normalized edit distance is greater than the third threshold, it is determined that there is no associated payload implantation, the semantic consistency score is set to the second lowest value, and the real-time detection module is triggered to perform deep recursive parsing of the email. Otherwise, the weighted sum of the negative correlation value of the normalized edit distance, the deep semantic similarity, and the entity set similarity is used as the semantic consistency score.
10. The system according to claim 9, characterized in that, The real-time detection module is also configured to perform three-feature joint anti-bypass detection, including the following steps: The isolated forest or single-class support vector machine model is used to detect outliers in the triplet features. The distance distribution from the features of historical normal emails to the cluster center is dynamically maintained, and the preset quantile of this distribution is used as the dynamic anomaly threshold. The dynamic anomaly threshold is updated using a time decay weighting method, and samples that are further away from the current time are assigned lower weights. When the current email's features deviate from the historical cluster center by more than the dynamic anomaly threshold, the static threshold judgment in the real-time detection module is bypassed, the email is forcibly sent to deep recursive parsing, and the attack source analysis module is triggered to prioritize attack chain correlation analysis of the email. The real-time detection module also collaborates with the attack source analysis module to perform semi-supervised incremental training and feature orthogonalization constraints on the outlier detection model using the malicious email features in the attack chain reconstructed by the attack source analysis module, and feeds back the type of the dominant deviation feature in the outlier detection to the attack source analysis module for attack script matching.