Method for inspecting encrypted compressed file attached to email and email security system for performing same
The method and system for inspecting encrypted compressed files attached to emails involve constructing a recombined EML with an encrypted file report, transmitting it to a user terminal, and performing security inspections, addressing the challenge of safely delivering and managing such files.
Patent Information
- Authority / Receiving Office
- WO · WO
- Patent Type
- Applications
- Current Assignee / Owner
- KIWONTECH
- Filing Date
- 2025-11-03
- Publication Date
- 2026-06-18
AI Technical Summary
Existing email security systems struggle to effectively inspect and manage encrypted compressed files attached to emails, which creates a need for safe delivery and inspection of such files.
A method and system for inspecting and managing encrypted compressed files attached to emails, comprising constructing a recombined EML by including a report file containing information about the encrypted compressed file as an attachment to the received EML, transmitting the constructed recombined EML to a user terminal through a mail server, providing an encrypted file report containing information about the encrypted compressed file, and performing a security inspection on the decompressed file.
Enables safe delivery and management of encrypted compressed files attached to emails by decompressing them using an entered password and performing security checks on the decompressed files.
Description
Method for inspecting encrypted compressed files attached to emails and email security system for performing the same
[0001] The present invention relates to a method for examining an encrypted compressed file attached to an email.
[0002] Email enables the sending and receiving of messages through a network such as the Internet, and email users can transmit content they wish to share by attaching a file to the email or including a URL (Uniform Resource Locator) in the body.
[0003] The EML (Electronic Mail) files used for sending and receiving emails as described above represent email messages stored using Outlook and other related applications, and most email clients support the EML file format to comply with the RFC-822 Internet Message Format standard.
[0004] For example, Microsoft Outlook is the default software for opening EML message types, and EML files can be stored on computer storage media and sent to recipients using communication protocols.
[0005] The format of an EML file can be provided according to the RFC 822 standard, and can be generated and transmitted according to the MIME RFC-822 standard so that content in various formats, such as plain text as well as HTML data and multimedia, can be included in the mail data.
[0006] Meanwhile, cases of cybercrime damage are surging due to various attacks using spam or malicious emails, and corporate damage caused by fraudulent emails disguised as legitimate emails is also increasing.
[0007] Recently, beyond random email attacks targeting an unspecified number of people, there has been an increasing trend of targeted email attacks aimed at specific individuals using techniques such as header tampering, pseudo-domains, spoofing emails, sending IP forgery, sender impersonation, and routing changes.
[0008] Accordingly, mail security systems are required to effectively respond to targeted email attacks by comprehensively considering not only conventional spam blocking but also incoming and outgoing email security.
[0009] In addition, there is a need to develop an email security system capable of effectively inspecting and managing contents such as attachments, URLs, and images transmitted in various forms via email, blocking unauthorized access, and detecting potential risks that may occur after the fact.
[0010] Also, when an encrypted compressed file was attached to an email, there was a problem where it was difficult to inspect the attachment.
[0011] The present invention was devised to solve the problems described above, and aims to provide a method for inspecting encrypted compressed files that enables the safe delivery of encrypted compressed files attached to an email, and an email security system that performs the same.
[0012] A method for inspecting an encrypted compressed file according to an embodiment of the present invention for solving the problem described above is a method for inspecting an encrypted compressed file attached to an email, comprising: a step of constructing a recombined EML by including a report file containing information about an encrypted compressed file attached to a received EML as an attachment to the received EML; a step of transmitting the constructed recombined EML to a user terminal through a mail server; a step of providing an encrypted file report containing information about the encrypted compressed file to the user terminal; a step of receiving a password for the encrypted compressed file from the user terminal using the provided encrypted file report; a step of decompressing the encrypted compressed file using the received password; and a step of performing a security inspection on the decompressed file.
[0013] The encrypted compressed file is stored separately from the received EML, and the report file is generated as an HTML (HyperText Markup Language) file and can be included as a general attachment in the recombined EML.
[0014] When the report file is selected on the user terminal, the encrypted file report including a list of encrypted attachments is provided to the user terminal, and when confirmation of an attachment is requested on the encrypted file report, an interface for receiving a password for the encrypted compressed file may be provided to the user terminal.
[0015] Meanwhile, the security inspection may include at least one of a virus scan, a malware scan, a ransomware scan, a spyware scan, a scan of macros within the file, and a scan of URLs within the file, performed on the decompressed file.
[0016] If the result of the security inspection on the decompressed file is normal, the original email according to the received EML can be delivered to the user terminal, or the encrypted compressed file itself can be delivered to the user terminal.
[0017] A mail security system according to an embodiment of the present invention comprises: a storage unit for storing an attachment; a control unit for separating an encrypted compressed file attached to a received EML and storing it in the storage unit; an EML processing unit for constructing a recombined EML by including a report file containing information about the encrypted compressed file as an attachment in the received EML; a communication unit for transmitting the constructed recombined EML to a user terminal through a mail server; a user interface unit for providing an encrypted file report containing information about the encrypted compressed file to the user terminal and receiving a password for the encrypted compressed file from the user terminal using the provided encrypted file report; a decompression unit for decompressing the encrypted compressed file stored in the storage unit using the received password; and a file inspection unit for performing a security inspection on the decompressed file.
[0018] In addition, at least some steps of the above-mentioned method for inspecting encrypted compressed files may be implemented on a computer-readable recording medium that records a program for execution on a computer, and may be provided as the program itself.
[0019] According to an embodiment of the present invention, when an encrypted compressed file is attached to an EML, a recombined EML containing a report file as an attachment is constructed and delivered to a user terminal, and by decompressing the encrypted compressed file using a password entered through the encrypted file report and performing a security check, the encrypted compressed file attached to the email can be easily checked, and accordingly, the email attachment can be safely delivered.
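The recombination step of paragraphs [0012] to [0014], as an added example in Python (not code from the patent or from the applicant): it detects encrypted ZIP attachments by the encryption bit in the ZIP general-purpose flags, stores them apart from the EML, and attaches an HTML report file in their place. The ZIP format, the portal URL, the report file name, the function names and the sample message are assumptions constructed for the illustration; password entry, decompression and the security inspection are not shown.

```python
import io
import secrets
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from html import escape

REPORT_NAME = "encrypted_file_report.html"  # assumed report file name


def is_encrypted_zip(data: bytes) -> bool:
    """True if any ZIP member has general-purpose flag bit 0 (encrypted) set."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return False  # not a ZIP archive at all


def build_report(held: dict, portal_url: str) -> str:
    """HTML report listing the held files, each linking to a password form."""
    rows = "".join(
        f'<li><a href="{escape(portal_url)}/{token}">{escape(name)}</a></li>'
        for token, name in held.items()
    )
    return ("<html><body><h1>Encrypted attachments held for inspection</h1>"
            f"<ul>{rows}</ul></body></html>")


def recombine(raw_eml: bytes, store: dict, portal_url: str) -> bytes:
    """Return the recombined EML; separated files are placed in `store`."""
    msg = message_from_bytes(raw_eml, policy=policy.default)
    held = {}
    for part in list(msg.iter_attachments()):
        if part.is_multipart():
            continue
        data = part.get_content()
        # Decide by content, not by file extension or declared Content-Type.
        if isinstance(data, bytes) and is_encrypted_zip(data):
            token = secrets.token_urlsafe(16)
            name = part.get_filename() or "unnamed.zip"
            store[token] = (name, data)      # stored separately from the EML
            held[token] = name
            msg.get_payload().remove(part)   # not delivered with the mail
    if held:
        msg.add_attachment(build_report(held, portal_url),
                           subtype="html", filename=REPORT_NAME)
    return msg.as_bytes()


def constructed_sample_eml() -> bytes:
    """Constructed message: one ZIP marked encrypted, one ordinary attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("doc.txt", "constructed sample")
    raw = bytearray(buf.getvalue())
    # Set the encryption bit in the local and central headers so the archive
    # is marked encrypted (sample only; it is not actually decryptable).
    for sig, offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        raw[raw.find(sig) + offset] |= 0x01
    msg = EmailMessage()
    msg["From"] = "sender@example.org"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Constructed sample"
    msg.set_content("See attachments.")
    msg.add_attachment(bytes(raw), maintype="application", subtype="zip",
                       filename="invoice.zip")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                       subtype="pdf", filename="ABC.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    held_files = {}
    out = recombine(constructed_sample_eml(), held_files,
                    "https://mailsec.example/report")
    print(out.decode())
```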
[0020] FIG. 1 is a block diagram schematically illustrating the overall configuration according to an embodiment of the present invention.
[0021] FIG. 2 is a block diagram showing the configuration of a mail security system according to an embodiment of the present invention.
[0022] FIG. 3 is a flowchart illustrating an EML recombination method according to an embodiment of the present invention.
[0023] FIG. 4 is a diagram illustrating an example of a method for recombining EML in a mail security system.
[0024] FIGS. 5 and 6 are drawings for illustrating embodiments of a method for recombining and delivering EML for a received mail.
[0025] FIGS. 7 and 8 are drawings for illustrating embodiments of a method for recombining and delivering EML for outgoing mail.
[0026] FIG. 9 is a diagram illustrating an embodiment of a method for encrypting and transmitting an attachment file.
[0027] FIGS. 10 and 11 are drawings for illustrating embodiments of a method for providing post-inspection results for an attached file.
[0028] FIG. 12 is a block diagram showing another embodiment of the configuration of a mail security system according to the present invention.
[0029] FIG. 13 is a flowchart illustrating an embodiment of a method for securing incoming mail.
[0030] FIG. 14 is a flowchart illustrating an embodiment of a method for security of outgoing mail.
[0031] FIG. 15 is a block diagram showing another embodiment of the configuration of a mail security system according to the present invention.
[0032] FIG. 16 is a flowchart illustrating a method for inspecting encrypted compressed files according to an embodiment of the present invention.
[0033] FIGS. 17 to 21 are drawings for explaining embodiments of a method for inspecting an encrypted compressed file attached to an email and delivering it to a user terminal.
[0034] Hereinafter, the configuration and operation of a mail security system according to an embodiment of the present invention will be described in detail with reference to the attached drawings.
[0035] In the following description of the present invention, specific descriptions of related known functions or configurations will be omitted if it is determined that such detailed descriptions could unnecessarily obscure the essence of the invention. Furthermore, the terms described below are defined in consideration of their functions within the present invention, and these definitions may vary depending on the intentions or practices of the user or operator. Therefore, their definitions should be based on the overall content of the present invention.
[0036] In addition, the preferred embodiments of the present invention described below will focus on explaining the functional configurations that must be additionally provided for the present invention, while omitting as much as possible the functional configurations that are already provided in each system or are ordinarily provided in the technical field to which the present invention belongs, in order to efficiently explain the technical components constituting the present invention.
[0037] A person skilled in the art to which the present invention pertains will be able to easily understand the function of the conventionally used components among the functional configurations that are omitted and not illustrated below, and will also be able to clearly understand the relationship between the components omitted as above and the components added for the present invention.
[0038] As used in this specification, the term 'mail' may be used collectively to refer to terms such as electronic mail, web mail, and electronic mail items that are exchanged by a user using a computer communication network through a terminal device and a client program or website installed thereon.
[0039] FIG. 1 is a block diagram schematically illustrating the overall configuration according to an embodiment of the present invention, wherein a mail security system (100), a user terminal (200), and a mail server (300) can be connected through a network.
[0040] Referring to FIG. 1, the mail security system (100), user terminal (200), and mail server (300) can transmit and receive data by connecting to one or more of wired and wireless networks through a connection with a public network.
[0041] A public network is a communication network established and managed by a state or a telecommunications infrastructure operator, and generally includes telephone networks, data networks, CATV networks, and mobile communication networks, and can provide connection services to enable an unspecified number of ordinary people to access other communication networks or the Internet.
[0042] Additionally, the mail security system (100), user terminal (200), and mail server (300) may each include a communication module for communicating with a protocol corresponding to each communication network.
[0043] The mail security system (100) can be connected to a user terminal (200) and a mail server (300) via a wired or wireless network to provide mail security and diagnostic services, and the devices or terminals connected to each network can communicate with each other through a pre-configured network channel.
[0044] Here, each network can be implemented as any type of wired or wireless network, such as a Local Area Network (LAN), Wide Area Network (WAN), Value Added Network (VAN), Personal Area Network (PAN), Mobile radio communication network, or satellite communication network.
[0045] The mail security system (100) described in this specification can provide a mail security service capable of detecting and blocking attacks that cause unintended program execution through mail, deterioration of data processing capabilities of mail-related systems, phishing scams, etc.
[0046] Specifically, the mail security system (100) can perform targeted email security threat checks on incoming mail and outgoing mail, and the targeted email security threat checks may include spam attack threat checks targeting specific email accounts, malware email attack threat checks, social engineering email attack threat checks and email information leakage threat checks.
[0047] Meanwhile, the mail security system (100) can perform targeted email security threat checks on incoming and outgoing mail according to a predefined stepwise inspection process corresponding to a security level, and provide integrated security services for the incoming and outgoing sections by linking the accumulated inspection result data for incoming mail and the accumulated inspection result data for outgoing mail.
[0048] For example, malicious account data accumulated from incoming emails is linked to the email sending section, so that the sending of emails to recipients registered as malicious accounts may be warned against or blocked.
[0049] Additionally, the mail security system (100) can perform a mail diagnosis process based on quantitative analysis of mail security threat factors using targeted email inspection result data, and provide a diagnosis report based on the diagnosis process to a user terminal (200).
[0050] The user terminal (200) may include a PC (personal computer), a laptop computer, a mobile phone, a tablet PC, a PDA (Personal Digital Assistants), a PMP (Portable Multimedia Player), etc., but the present invention is not limited thereto and may be various devices capable of connecting to a mail security system (100) and a mail server (300) through a public network or a private network, etc.
[0051] Additionally, the user terminal (200) is a device capable of inputting and outputting information through application execution or web browsing, and can be connected to the mail security system (100) through an individual security network.
[0052] The mail server (300) is a system that relays and stores mail so that the user terminal (200) can send mail to the outside or receive mail from the outside, and can communicate with an external device by utilizing a pre-configured protocol according to the purpose of use, such as processing the reception and sending of mail.
[0053] For example, POP3 (Post Office Protocol 3) or IMAP (Internet Message Access Protocol) may be used for receiving mail, and SMTP (Simple Mail Transfer Protocol) may be used for sending mail.
[0054] In this way, the mail server (300) can be configured and operated as a server system for processing mail transmission and reception, and can be subdivided into a mail receiving server and a mail sending server to provide respective functions.
[0055] Meanwhile, a text-based format of EML (Electronic Mail) may be used to store and transmit emails, and EML may include a header section containing information about the email and a body section containing the content of the email.
[0056] Specifically, the header of an EML may include the sender's email address, the recipient's email address, the email subject, and the time and date stamp of the message, while the body may include text, links, and attachments in various multimedia formats.
[0057] A mail security system (100) according to one embodiment of the present invention can separate and store content elements within an EML, and then recombine the EML according to an operation policy related to mail security, etc.
[0058] That is, the mail security system (100) separates and stores content elements included in the EML, and recombines and delivers the EML according to the mail security operation policy, thereby securing the capacity of the mail server for incoming mail from the outside, providing a safe download environment for attachments, and enabling efficient history management of attachments, etc.
[0059] In addition, the mail security system (100) can prevent external exposure of the mail server by recombining and sending EML for outgoing mail, and effectively manage the history of attachments and other items transmitted externally and block unauthorized access.
[0060] FIG. 2 is a block diagram illustrating the configuration of a mail security system according to an embodiment of the present invention. The illustrated mail security system (100) may be configured to include a control unit (111), a content detection unit (112), a storage unit (113), an EML processing unit (114), a communication unit (115), an attachment management unit (116), and a post-inspection unit (117).
[0061] Referring to FIG. 2, the control unit (111) can control the overall operation of the mail security system (100) to process the EML for sending or receiving mail.
[0062] The content detection unit (112) detects content elements included in the EML, and the detected content elements can be stored in the storage unit (113).
[0063] The control unit (111) can separate at least some of the content elements detected by the content detection unit (112) from the EML and store them in the storage unit (113).
[0064] Meanwhile, the EML processing unit (114) can construct a recombined EML by replacing the information corresponding to the separated content element stored in the EML with the location information of the storage unit (113) where the content element is stored.
[0065] For example, if the content element within the EML is a large attachment file, the control unit (111) can download the large attachment file through the communication unit (115) and store it in the storage unit (113), and then control the EML processing unit (114) so that the stored file is included as a regular attachment file within the recombined EML.
[0066] If the content element within the EML is a URL within the body of the email, the control unit (111) can control the EML processing unit (114) so that the screen of the webpage accessed using the URL within the body is captured and the webpage capture image is stored in the storage unit (113), and the location information of the storage unit (113) where the webpage capture image is stored is included in the recombined EML.
[0067] Meanwhile, if the content element within the EML is a linked image, the control unit (111) can download the linked image through the communication unit (115) and then control the EML processing unit (114) so that the downloaded image is included as an image within the body of the recombined EML.
[0068] According to another embodiment of the present invention, the control unit (111) can store the attachment file in the storage unit (113) when the content element in the EML is an attachment file (a general attachment file or a large attachment file), and process the recombined EML to include location information of the storage unit (113) where the attachment file is stored.
[0069] In this case, when a user terminal (200) that has received the recombined EML requests a download of an attachment stored in the storage unit (113), the control unit (111) can check the user terminal (200)'s access rights to the attachment and refuse the request to download the attachment from a terminal that does not have access rights.
[0070] Meanwhile, the control unit (111) can ensure that when an attachment file stored in the storage unit (113) is downloaded to the user terminal (200) in response to a request from the user terminal (200), the download history for the attachment file is stored in the storage unit (113).
[0071] To this end, the attachment management unit (116) can manage access rights and download history, etc. for each of the attachment files stored in the storage unit (113).
[0072] The post-inspection unit (117) performs a risk detection post-inspection at regular intervals on the attachments stored in the storage unit (113), and can detect risks that may occur after receiving the email through post-inspection via antivirus scheduling.
[0073] When a risk element is detected in an attached file as a result of the risk detection post-inspection by the post-inspection unit (117), the control unit (111) can have the EML processing unit (114) generate a post-warning report EML containing information about the detected risk element, and send the post-warning report EML to the user terminal (200) that received the recombined EML.
[0074] Accordingly, the mail security system (100) can detect risks or malicious elements that may occur after an antivirus update through post-inspection of attachments and deliver post-inspection information to administrators and users in real time.
[0075] Hereinafter, with reference to FIGS. 3 to 11, embodiments of a method for recombining EML by a mail security system (100) according to the present invention will be described in detail.
[0076] FIG. 3 is a flowchart illustrating an EML recombination method according to an embodiment of the present invention, and descriptions of the illustrated method that are identical to those described with reference to FIG. 1 and FIG. 2 are omitted.
[0077] Referring to FIG. 3, the mail security system (100) detects content elements included in the EML (step S300).
[0078] The mail security system (100) can obtain an EML of a mail received from the outside (or a mail sent to the outside) and parse the EML to extract mail information included in the header and mail content included in the body.
[0079] For example, the header of an EML may include information such as that shown in Table 1 below, but the present invention is not limited thereto.
[0080]
[0081] Meanwhile, the content types included in the body of the email may be expressed as types and subtypes associated with each type as defined in Table 2 below, but the present invention is not limited thereto.
[0082]
[0083] The mail security system (100) can parse the EML to obtain information included in the header and body of the EML as described above, and detect content elements included in the EML according to the obtained information.
[0084] For example, as illustrated in FIG. 4, the mail security system (100) can detect content elements such as mail body, large attachments, URLs within the body, and linked images in EML.
[0085] After that, the mail security system (100) separates and stores at least some of the content elements detected in step S300 (step S310).
[0086] For example, in the case illustrated in FIG. 4, the mail security system (100) can download and save the large attachment file using the large attachment file link information included in the EML.
[0087] Additionally, the mail security system (100) can access a webpage using URL information within the body of the EML, capture the first screen of the webpage, and save the webpage capture image.
[0088] In addition, the mail security system (100) can download and save the image using the link-type image information included in the EML.
[0089] Next, the mail security system (100) constructs a recombined EML by replacing the information corresponding to the content element stored in step S310 within the EML with the location information where the content element is stored (step S320).
[0090] For example, if a separately stored content element is a large attachment, the recombined EML can be configured so that the file is included in the email as a regular attachment.
[0091] In this case, as shown in FIG. 4, a file attached as a large attachment in the original EML can be changed to a Content-Type corresponding to a regular attachment in the recombined EML and included in the email.
[0092] Meanwhile, if the separately stored content element is a URL within the body of the email, the recombined EML can be configured so that location information where the web page capture image is stored (e.g., a link to the mail security system (100) for downloading the web page capture image) is included in the email.
[0093] In this case, the URL in the body of the original EML can be changed to the URL of the mail security system (100) for downloading the web page capture image in the recombined EML.
[0094] In addition, if a separately stored content element is a linked image, the recombined EML can be configured so that the image is included within the body of the email.
[0095] In this case, linked images in the original EML can be changed to a Content-Type corresponding to images within the body in the recombined EML and included in the email.
[0096] Hereinafter, with reference to FIGS. 5 and 6, embodiments of a method in which a mail security system (100) recombines and delivers EML for a received mail will be described in more detail.
[0097] Referring to FIG. 5, the mail security system (100) can receive an EML from an external sender user terminal (220), separate and store content elements within the received EML, and then reassemble the EML and deliver it to an internal recipient user terminal (210) through a mail server (300).
[0098] At this time, the mail security system (100) can save the attachment and configure the recombined EML to include location information where the attachment is saved, if the content element in the EML is an attachment corresponding to a general attachment or a large attachment.
[0099] For example, as illustrated in FIG. 6, the EML received by the mail security system (100) may include two regular attachments (ABC.pdf, DDEE.docx) and one large attachment (DEF.pdf) as content elements.
[0100] In this case, the mail security system (100) can obtain and store two general attachment files (ABC.pdf, DDEE.docx) from the EML, and download and store a large attachment file (DEF.pdf) using the large attachment file link information included in the EML.
[0101] After that, the mail security system (100) can include, in a recombined EML, URLs of the mail security system (100) from which each of the three saved files (ABC.pdf, DDEE.docx, DEF.pdf) can be downloaded, so that they are attached to the mail as large attachment files.
[0102] Meanwhile, the user of the internal recipient user terminal (210) that received the recombined EML can select a desired file among the files (ABC.pdf, DDEE.docx, DEF.pdf) attached as large attachments in the received email, and the internal recipient user terminal (210) can access the mail security system (100) using the URL included in the recombined EML to download the file.
[0103] Here, when an attachment stored in the mail security system (100) is downloaded to the user terminal (210) in response to a request from an internal recipient user terminal (210), the download history of the said attachment can be stored and managed in the mail security system (100).
[0104] According to the received mail processing described above, the storage capacity of the mail server (300) is secured, a safe download environment for various attachments can be provided, and the download history of users' attachments can be managed through the mail security system (100).
[0105] Hereinafter, with reference to FIGS. 7 and 8, embodiments of a method in which a mail security system (100) recombines and delivers EML for an outgoing mail will be described in more detail.
[0106] Referring to FIG. 7, the mail security system (100) receives an EML sent from an internal sender user terminal (230) through a mail server (300), separates and stores content elements within the received EML, and then recombines the EML to transmit it to an external recipient user terminal (240).
[0107] At this time, the mail security system (100) can save the attachment and configure the recombined EML to include location information where the attachment is saved, if the content element in the EML is an attachment corresponding to a general attachment or a large attachment.
[0108] For example, as illustrated in FIG. 8, the EML of an outgoing mail received by the mail security system (100) may include a regular attachment (DEF.pdf) and a large attachment (FGHH.pdf) as content elements.
[0109] In this case, the mail security system (100) can obtain and store a general attachment (DEF.pdf) from the EML, and download and store a large attachment (FGHH.pdf) using the large attachment link information included in the EML.
[0110] After that, the mail security system (100) can include, in a recombined EML, URLs of the mail security system (100) from which each of the two saved files (DEF.pdf, FGHH.pdf) can be downloaded, so that they are attached to the mail as large attachment files.
[0111] Meanwhile, the user of the external recipient user terminal (240) that received the recombined EML selects a desired file among the files (DEF.pdf, FGHH.pdf) attached as large attachments in the received email, and the external recipient user terminal (240) can access the mail security system (100) using the URL included in the recombined EML to download the file.
[0112] Here, when an attachment stored in the mail security system (100) is downloaded to the user terminal (240) in response to a request from an external recipient user terminal (240), the download history of the said attachment can be stored and managed in the mail security system (100).
[0113] Additionally, when a request is made from an external recipient user terminal (240) to download an attachment stored in the mail security system (100), the mail security system (100) can check the user terminal (240)'s access rights to the attachment.
[0114] For example, an internal sender user terminal (230) sending an email can receive a sender notification email from the mail security system (100) as shown in FIG. 9.
[0115] An authentication code for each of the attached files (DEF.pdf, FGHH.pdf) is provided in the sender notification email, and if the external recipient user terminal (240) does not access the mail security system (100) and enter the authentication code provided in the sender notification email, the corresponding file cannot be downloaded.
[0116] According to the outgoing mail processing described above, external exposure of the mail server (300) is prevented, external download history of attachments can be managed through the mail security system (100), and access to attachments by unauthorized users without access rights can be blocked.
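The access check of paragraphs [0113] to [0115] and the download history of [0112], as an added example in Python (not the patent's implementation): each stored attachment gets its own authentication code, every download request is recorded, and a wrong code never returns the file. The class and method names, the code format, the recording of refused requests and the lockout after repeated wrong codes are assumptions made for the illustration.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

MAX_FAILED_ATTEMPTS = 5  # assumption: lock a file after repeated wrong codes


@dataclass
class StoredAttachment:
    filename: str
    data: bytes
    auth_code: str   # would be sent to the sender in the notification email
    failed: int = 0  # wrong codes seen so far for this file


class AttachmentVault:
    """Holds separated attachments and gates downloads on a per-file code."""

    def __init__(self):
        self._files = {}    # download token (from the URL) -> StoredAttachment
        self.history = []   # (timestamp, token, requester, outcome)

    def store(self, filename: str, data: bytes):
        """Store one attachment; return (download token, authentication code)."""
        token = secrets.token_urlsafe(16)
        code = secrets.token_hex(4)
        self._files[token] = StoredAttachment(filename, data, code)
        return token, code

    def download(self, token: str, requester: str, code: str):
        """Return the file bytes if the code matches, otherwise None."""
        item = self._files.get(token)
        if item is None:
            outcome = "unknown-file"
        elif item.failed >= MAX_FAILED_ATTEMPTS:
            outcome = "locked"       # stops online guessing of the code
        elif hmac.compare_digest(code.encode(), item.auth_code.encode()):
            outcome = "downloaded"   # constant-time comparison of the code
        else:
            item.failed += 1
            outcome = "denied"
        # Refused requests are recorded too, so guessing shows up in the history.
        self.history.append((time.time(), token, requester, outcome))
        return item.data if outcome == "downloaded" else None


if __name__ == "__main__":
    vault = AttachmentVault()
    tok, auth = vault.store("DEF.pdf", b"constructed file content")
    vault.download(tok, "recipient@example.org", "00000000x")  # wrong code
    vault.download(tok, "recipient@example.org", auth)         # correct code
    for entry in vault.history:
        print(entry)
```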
[0117] According to another embodiment of the present invention, a risk detection post-inspection can be performed at regular intervals on attachment files stored in the mail security system (100) as described above.
[0118] For example, the mail security system (100) may perform post-inspection to detect risks such as malicious code in attachments using the latest updated antivirus engine three times over a period of six hours from the time of receiving the EML, but the present invention is not limited thereto and may perform post-inspection to detect risks in attachments at various periods and intervals.
[0119] If, as a result of a post-inspection, a risk factor is detected in an attachment stored in the mail security system (100), the mail security system (100) can generate a post-warning report EML containing information about the detected risk factor and send the post-warning report EML to a user terminal (200) that has received a recombined EML containing the attachment.
[0120] For example, the post-warning report EML may include mail information where a malicious file was detected and a list of attachments, as illustrated in Fig. 10.
[0121] Meanwhile, when a user terminal (200) accesses the mail security system (100) through a post-warning report EML, the mail security system (100) can provide detailed information about the detected risk factors to the user terminal (200).
[0122] For example, when the "Check Mail" button (1010) is selected in the post-warning report shown in FIG. 10, the status of incoming mail as shown in FIG. 11 can be provided to the user terminal (200).
[0123] Risks that may occur after receiving an email can be detected through post-inspection via the antivirus scheduling described above, and malicious elements that may appear after an antivirus update can be detected and delivered to administrators and users in real time.
[0124] FIG. 12 is a block diagram illustrating another embodiment of the configuration of a mail security system according to the present invention, and descriptions of the configuration and operation of the illustrated mail security system that are identical to those described with reference to FIG. 1 to FIG. 11 will be omitted.
[0125] Referring to FIG. 12, the mail security system (100) may be configured to include a mail linkage device (110), a spam mail security device (120), a receiving mail security device (130), and a sending mail security device (140).
[0126] The mail linkage device (110) can perform an EML recombination method as described with reference to FIGS. 1 to 11, and in addition, can provide an account-specific branching function, an attachment file integration report function, an active firewall function, an internal mail management function, and an EML content recombination function in a network separation environment.
[0127] The spam mail security device (120) provides a function for blocking spam mail, and for this purpose, it can perform spam mail response, mass mail blocking, illegal relay blocking and RBL (Real-time Blocking List) blocking, etc.
[0128] In addition, the spam mail security device (120) can additionally perform network attack blocking, learning spam filtering, and signature virus blocking through static analysis.
[0129] The receiving mail security device (130) provides a function for filtering falsified and tampered mail, and for this purpose, it can perform fraud mail blocking, attachment inspection, URL endpoint tracking inspection, encrypted file inspection, fraudulent similar domain screening inspection, mail sender and transit point backtracking inspection, header analysis falsified mail inspection, etc.
[0130] Meanwhile, the sending mail security device (140) provides management and supervision functions for outgoing mail according to the sending policy and approval policy, and to this end, it can perform encryption of outgoing mail attachments, prevention of sending encrypted attachments, DRM / AIP decryption and encryption, blocking of sending mail containing personal information, restriction of sending mass mail, and restriction of sending from hacked accounts.
[0131] FIG. 13 is a flowchart illustrating an embodiment of a receiving mail security method, wherein the receiving mail security method may sequentially include spam filtering (step S1200), filtering of tampered or impersonated mail (step S1210), and management and analysis (step S1220).
[0132] Referring to FIG. 13, in the spam filtering step (S1200), network attack blocking and learning-type spam filtering can be performed by the spam mail security device (120).
[0133] Specifically, the attack blocking items in spam filtering (step S1200) may include SMTP attacks, mass mail, illegal relay, spam mail, viruses, and malicious mail, and additionally may include new types of malware, ransomware, and malicious macros.
[0134] In the filtering of tampered or impersonated mail (step S1210), a sender trustworthiness check, a header tampering check, and a similar domain check may be performed by the receiving mail security device (130).
[0135] In addition, the receiving mail security device (130) performs static analysis and dynamic analysis on each of the general / large attachments and the body / attachment internal URLs, and can additionally perform Nth-order URL tracking checks and password compressed file checks.
[0136] Here, static checking of a URL may be a check that compares the URL with already known URL information, and dynamic checking may be a check that connects to a server using the URL.
[0137] Specifically, the attack blocking items in the filtering of forged and tampered emails (step S1210) may include viruses, novel malware, ransomware, malicious macros, phishing sites, phishing within documents, secondary phishing sites, encrypted compressed files, etc., detected through attachment / URL inspection.
[0138] In addition, the attack blocking items in the filtering of forged and tampered emails (step S1210) may additionally include header forgery, similar domains, SPF protocol violations, sending IP forgery, sender forgery, and reply address changes, detected through fraud email inspection.
[0139] Next, in the management and analysis (step S1220), the EML and attachments can be separated, the attachments saved, the URLs checked, the attachments checked, and static analysis can be performed by the mail linkage device (110).
[0140] Specifically, attack blocking items in management and analysis (step S1220) may include viruses, malicious document files, ransomware, and malicious macros, and secure management is enabled by securing mail server storage space, managing attachment history, and post-inspection.
[0141] FIG. 14 is a flowchart illustrating an embodiment of an outgoing mail security method, wherein the outgoing mail security method may sequentially include management and analysis (step S1300) and filtering and sending (step S1310).
[0142] Referring to FIG. 14, in the management and analysis (step S1300), the separation of EML and attachments, storage of attachments, recombination of EML content, conversion of attachment download links, and insertion of linked images into the body may be performed by the mail linkage device (110).
[0143] Next, in filtering and sending (step S1310), sending policy filtering, such as approval / reference, personal information identification check, and blocking of sending confidential information, can be performed by the sending mail security device (140).
[0144] Additionally, during filtering and sending (step S1310), malware scanning and conversion of attachment download links may be performed, and additionally, attachment policies such as criteria for converting link-type attachments and download period / number / IP settings may be applied.
[0145] According to another embodiment of the present invention, when an encrypted compressed file is attached to a received email, a recombined EML is configured and delivered to a user terminal, in which a report file containing information about the encrypted compressed file is included as an attachment. By using the encrypted file report to decompress the encrypted compressed file with an input password and performing a security check, the encrypted compressed file attached to the email can be easily inspected, and accordingly, the email attachment can be safely delivered.
[0146] FIG. 15 is a block diagram illustrating another embodiment of the configuration of a mail security system according to the present invention, wherein the illustrated mail security system (100) may be configured to include a control unit (111), a content detection unit (112), a storage unit (113), an EML processing unit (114), a communication unit (115), a file inspection unit (118), and a decompression unit (119).
[0147] Among the configurations shown in FIG. 15, the description of those identical to those described with reference to FIG. 1 to FIG. 14 will be omitted.
[0148] Referring to FIG. 16, the control unit (111) separates the encrypted compressed file attached to the received EML and stores it in the storage unit (113).
[0149] To this end, the content detection unit (112) detects content elements included in the received EML and can detect encrypted compressed files included as attachments in the EML.
[0150] An encrypted compressed file is a compressed file encrypted with a specific password, and the password must be entered to decompress it and view the files contained within.
[0151] Here, the encrypted compressed file may be a file attached to an email in the form of a regular attachment or a large attachment, but the present invention is not limited thereto and may be a file attached to a received email in various forms.
[0152] In addition, embodiments of the present invention are described using the example where an encrypted compressed file is attached to an EML, but the present invention is not limited thereto and may be applicable to files encrypted in various ways.
[0153] Meanwhile, the EML processing unit (114) generates a report file containing information about an encrypted compressed file stored separately in the storage unit (113), and includes the generated report file as an attachment to the received EML to construct a recombined EML.
[0154] In this case, the encrypted compressed file attached to the received EML is excluded from the EML, and the report file is included in the reconstructed EML to replace the encrypted compressed file attached to the original email.
[0155] The communication unit (115) transmits the recombined EML configured in the EML processing unit (114) to the mail server so that the recombined EML is delivered to the user terminal through the mail server.
[0156] The user interface of the control unit (111) provides an encrypted file report containing information about the encrypted compressed file to a user terminal, and receives a password for the encrypted compressed file from the user terminal using the encrypted file report.
[0157] For example, if a report file included as a general attachment in the recombined EML is selected at a user terminal that has received the recombined EML, the user interface unit can provide the user terminal with an encrypted file report containing a list of encrypted attachments.
[0158] The user interface unit may also provide an interface to the user terminal to receive the password for the encrypted compressed file when confirmation of the attached file is requested on the encrypted file report.
[0159] When a user enters a password through the password input interface, the decompression unit (119) uses the entered password to decompress the encrypted compressed file stored in the storage unit (113).
[0160] Next, the file inspection unit (118) performs a security inspection on the decompressed file to determine whether the file contained in the encrypted compressed file is normal or malicious.
[0161] For example, the file inspection unit (118) may perform at least one of virus inspection, malware inspection, ransomware inspection, spyware inspection, macro inspection within the file, and URL inspection within the file on the decompressed file, but the present invention is not limited thereto, and various inspections on the attached file may be additionally performed.
[0162] Meanwhile, if the decompressed file is normal as a result of the security check by the file inspection unit (118), the control unit (111) can process the original email according to the received EML to be delivered to the user terminal.
[0163] In this case, after the recombined EML, in which the report file replaces the encrypted compressed file, has been delivered to the user terminal, the EML of the original email with the encrypted compressed file attached can be delivered to the user terminal again.
[0164] As another example, if the security check result for the decompressed file is normal, the control unit (111) may process the encrypted compressed file to be delivered to the user terminal.
[0165] In this case, an EML with only the corresponding encrypted compressed file attached can be additionally delivered to the user terminal.
[0166] Hereinafter, with reference to FIGS. 16 to 21, embodiments of a method for a mail security system (100) according to the present invention to inspect an encrypted compressed file attached to a mail will be described in detail.
[0167] FIG. 16 is a flowchart illustrating a method for inspecting encrypted compressed files according to an embodiment of the present invention, and descriptions of the illustrated method that are identical to those described with reference to FIG. 1 to FIG. 15 will be omitted.
[0168] Referring to FIG. 16, the mail security system (100) constructs a recombined EML by including a report file containing information about an encrypted compressed file attached to the received EML as an attachment to the received EML (step S1600).
[0169] Then, the mail security system (100) transmits the recombined EML configured in step S1600 to the user terminal via the mail server (step S1610), and then provides the user terminal with an encrypted file report containing information about the encrypted compressed file (step S1620).
[0170] Here, the encrypted compressed file may be a file included as a regular attachment or a large attachment in the received EML, and may be separated from the received EML and stored in the mail security system (100).
[0171] Meanwhile, the report file is generated as an HTML (Hyper Text Markup Language) file containing information about the corresponding encrypted compressed file, and can be included as a regular attachment in the recombined EML.
[0172] Referring to FIG. 17, an encrypted compressed file (compressedfile a.zip) included as a general attachment (1715) in a received EML (1710) is separated from the received EML (1710) and stored in a mail security system (100), and a report file (report.html) containing information about the encrypted compressed file (compressedfile a.zip) can be included as a general attachment (1725) in a recombined EML (1720).
[0173] The mail security system (100) transmits the recombined EML (1720) to the mail server, and the mail server can deliver the recombined EML (1720) to the user terminal of the mail recipient.
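The separation and replacement described for FIG. 17 (step S1600), as an added example that is not code from the patent or from the applicant's product: it detects password-protected ZIP attachments by the encrypted flag in each entry's header, moves them to a store, and attaches report.html in their place. `STORE`, the function names and the sample message are assumptions made for illustration, and only the ZIP format is handled.

```python
import hashlib
import html
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Hypothetical stand-in for the storage unit (113): sha256 -> (filename, bytes)
STORE = {}


def encrypted_entries(blob):
    """Return names of ZIP members whose general-purpose flag bit 0 (encrypted) is set."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return [i.filename for i in zf.infolist() if i.flag_bits & 0x1]
    except zipfile.BadZipFile:
        return []  # not a ZIP archive; other archive formats are out of scope here


def build_report(items):
    """Render report.html. Attachment names come from the sender, so escape them."""
    rows = "".join(
        f"<li>{html.escape(name)} (id {digest[:16]})</li>" for digest, name in items
    )
    return f"<html><body><h1>Encrypted attachments</h1><ul>{rows}</ul></body></html>"


def recombine(raw_eml):
    """Detach encrypted ZIP attachments into STORE and attach report.html instead."""
    msg = message_from_bytes(raw_eml, policy=policy.default)
    detached = []
    for part in list(msg.iter_attachments()):
        blob = part.get_payload(decode=True) or b""
        if not encrypted_entries(blob):
            continue
        digest = hashlib.sha256(blob).hexdigest()
        name = part.get_filename() or "unnamed"
        STORE[digest] = (name, blob)
        detached.append((digest, name))
        msg.get_payload().remove(part)  # exclude the archive from the outgoing EML
    if not detached:
        return raw_eml, detached  # nothing to replace; pass the EML through
    msg.add_attachment(build_report(detached), subtype="html", filename="report.html")
    return msg.as_bytes(), detached


def constructed_eml():
    """Constructed sample: a ZIP whose headers are patched to carry the encrypted flag."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("DEF.pdf", b"constructed sample body")
    raw = bytearray(buf.getvalue())
    # Set flag bit 0 in the local header (offset 6) and central directory (offset 8).
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        raw[raw.find(sig) + off] |= 0x01
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("See the attached archive.")
    msg.add_attachment(bytes(raw), maintype="application", subtype="zip",
                       filename="compressedfile <a>.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    out, detached = recombine(constructed_eml())
    print(detached)
    print(out.decode("ascii", "replace")[:400])
```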
[0174] Meanwhile, when the "report.html" file attached as a general attachment (1725) is selected on a user terminal that has received the recombined EML (1720), the "report.html" file is downloaded to the user terminal, and an encrypted file report containing a list of encrypted attachments can be provided to the user terminal.
[0175] Referring to FIG. 18, the encrypted file report (1800) may include an encrypted attachment list (1810) for encrypted files attached to the email.
[0176] The user who receives the email can select the "Check attachment" button (1820) to check the encrypted compressed file (compressed file a.zip) included in the list of encrypted attachments (1810).
[0177] Meanwhile, the mail security system (100) receives a password for the corresponding encrypted compressed file from the user terminal using the encrypted file report provided in step S1620 (step S1630).
[0178] To this end, when a request for confirmation of an attachment is made on an encrypted file report, the mail security system (100) may provide an interface to a user terminal to receive a password for the encrypted compressed file.
[0179] For example, when the "Check attachment" button (1820) is selected in the encrypted file report (1800) shown in FIG. 18, a password input window (1900) as shown in FIG. 19 may be displayed on the screen of the user terminal.
[0180] When a user checks the attachment in the password input window (1900), enters the password for the corresponding encrypted compressed file (compressed file a.zip) in the password input field (1915), and presses the "OK" button (1920), the password entered in the password input field (1915) can be transmitted from the user terminal to the mail security system (100).
[0181] After that, the mail security system (100) uses the password received in step S1630 to decompress the corresponding encrypted compressed file (step S1640) and performs a security check on the decompressed file (step S1650).
[0182] In step S1650, the mail security system (100) can perform virus scanning, malware scanning, ransomware scanning, spyware scanning, macro scanning within the file, or URL scanning within the file on the decompressed file.
[0183] Meanwhile, if the file extracted from the encrypted compressed file (compressed file a.zip) is normal as a result of the security check performed at step S1650, the mail security system (100) can deliver the original mail back to the user terminal.
[0184] Referring to FIG. 20, the original email (2010) containing an encrypted compressed file (compressedfile a.zip) as a regular attachment (2015), identical to the received EML (1710) shown in FIG. 17, is delivered back to the user terminal, and the user can download and check the encrypted compressed file (compressedfile a.zip) through the original email (2010).
[0185] As another example, if the result of the security check on the decompressed file is normal, the mail security system (100) can deliver the encrypted compressed file (compressed file a.zip) to the user terminal.
[0186] Referring to FIG. 21, a receiving email (2110) containing only an encrypted compressed file (compressed file a.zip) as a regular attachment (2115) is delivered to a user terminal, and the user can download and check the encrypted compressed file (compressed file a.zip) through the receiving email (2110).
[0187] Although embodiments of the present invention have been described above with the example of a case where an encrypted compressed file (compressedfilea.zip) is included as a general attachment (1715) in a received EML (1710), the present invention is not limited thereto and is applicable even when an encrypted compressed file (compressedfilea.zip) is attached as a large attachment to a received EML (1710).
[0188] The method according to the present invention described above can be produced as a program to be executed on a computer and stored on a computer-readable recording medium, and examples of computer-readable recording media include ROM, RAM, CD-ROM, magnetic tape, floppy disk, optical data storage device, etc.
[0189] Computer-readable recording media can be distributed across networked computer systems, allowing computer-readable code to be stored and executed in a distributed manner. Furthermore, functional programs, codes, and code segments for implementing the above method can be easily inferred by programmers skilled in the art to which the present invention pertains.
[0190] Furthermore, although preferred embodiments of the present invention have been illustrated and described above, the present invention is not limited to the specific embodiments described above. It is understood that various modifications can be made by those skilled in the art without departing from the essence of the invention as claimed in the claims, and such modifications should not be understood separately from the technical spirit or perspective of the present invention.
Claims
1. A method for inspecting an encrypted compressed file attached to an email, the method comprising: a step of constructing a recombined EML by including a report file containing information about an encrypted compressed file attached to a received EML as an attachment to the received EML; a step of transmitting the constructed recombined EML to a user terminal via a mail server; a step of providing an encrypted file report containing information about the encrypted compressed file to the user terminal; a step of receiving a password for the encrypted compressed file from the user terminal using the provided encrypted file report; a step of decompressing the encrypted compressed file using the received password; and a step of performing a security inspection on the decompressed file.
2. The method of claim 1, wherein the encrypted compressed file is separated from the received EML and stored.
3. The method of claim 1, wherein the report file is generated as an HTML (Hyper Text Markup Language) file and included as a general attachment in the recombined EML.
4. The method of claim 1, wherein, when the report file is selected at the user terminal, the encrypted file report including an encrypted attachment list is provided to the user terminal.
5. The method of claim 4, wherein an interface for receiving a password for the encrypted compressed file is provided to the user terminal when a request for verification of an attached file is made on the encrypted file report.
6. The method of claim 1, wherein the security inspection comprises at least one of virus scanning, malware scanning, ransomware scanning, spyware scanning, macro scanning within the file, and URL scanning within the file for the decompressed file.
7. The method of claim 1, further comprising a step of processing so that, if the result of the security inspection of the decompressed file is normal, the original email according to the received EML is delivered to the user terminal.
8. The method of claim 1, further comprising a step of processing so that, if the result of the security inspection of the decompressed file is normal, the encrypted compressed file is delivered to the user terminal.
9. A computer program recorded on a recording medium for executing the method of any one of claims 1 to 8 on a computer.
10. A mail security system for inspecting an encrypted compressed file attached to an email, comprising: a storage unit for storing attachments; a control unit that separates an encrypted compressed file attached to a received EML and stores it in the storage unit; an EML processing unit that constructs a recombined EML by including a report file containing information about the encrypted compressed file as an attachment to the received EML; a communication unit for transmitting the constructed recombined EML to a user terminal via a mail server; a user interface unit for providing an encrypted file report containing information about the encrypted compressed file to the user terminal, and for receiving a password for the encrypted compressed file from the user terminal using the provided encrypted file report; a decompression unit that decompresses the encrypted compressed file stored in the storage unit using the input password; and a file inspection unit that performs a security inspection on the decompressed file.
11. The mail security system of claim 10, wherein the user interface unit provides the encrypted file report containing an encrypted attachment list to the user terminal when the report file included as a general attachment in the recombined EML is selected at the user terminal.
12. The mail security system of claim 11, wherein the user interface unit provides an interface to the user terminal for receiving a password for the encrypted compressed file when confirmation of an attachment is requested on the encrypted file report.
13. The mail security system of claim 10, wherein the file inspection unit performs at least one of virus scanning, malware scanning, ransomware scanning, spyware scanning, file macro scanning, and file URL scanning on the decompressed file.
14. The mail security system of claim 10, wherein the control unit processes the original mail according to the received EML to be delivered to the user terminal when the result of the security check on the decompressed file is normal.
15. The mail security system of claim 10, wherein the control unit processes the encrypted compressed file to be delivered to the user terminal when the result of the security check on the decompressed file is normal.