CN101674584B - Method for detecting virus and system - Google Patents

Publication number: CN101674584B
Authority: CN (China)
Prior art keywords: user data, user, data, virus, deep
Legal status: Active
Application number: CN2009101716747A
Other languages: Chinese (zh)
Other versions: CN101674584A (en)
Inventor: 谢银祥
Current Assignee: ZTE Corp
Original Assignee: ZTE Corp
Application filed by ZTE Corp
Priority to CN2009101716747A
Publication of CN101674584A
Application granted
Publication of CN101674584B

Landscapes

  • Telephonic Communication Services (AREA)

Abstract

The invention discloses a method and a system for detecting viruses. The method comprises: inspecting user data with a deep packet inspection chip using a virus rule base, and judging from the virus rule base whether the user data is infected with a virus; if the user data is determined to be infected, intercepting the user data. The invention solves the problem in the related art that detection of mobile phone viruses is slow and the detection process is complex, thereby improving virus detection efficiency.

Description

Method and system for virus detection
Technical field
The present invention relates to the field of communications, and in particular to a method and system for virus detection.
Background art
Mobile phone viruses spread mainly through multimedia messages, e-mail, web browsing, ringtone downloads, and Bluetooth or infrared. They spread mainly through file downloads; relatively few viruses spread through the multimedia service center (Multi Media Service Center, abbreviated MMSC). An ordinary handset can basically be infected by viruses. Smart phones run operating systems such as Symbian or Windows Mobile and can download, install and run software, so they are more easily infected. The harm done by mobile phone viruses mainly shows as: the user's phone crashes or shuts down, data is deleted, or the phone even sends short messages, multimedia messages and e-mail or places calls on its own, causing the user economic loss. Viruses can also steal user data.
In deep packet inspection (Deep Packet Inspection, abbreviated DPI), "deep" is relative to the level of ordinary packet analysis. Ordinary packet inspection analyzes only the contents of an IP packet at layer 4 and below, including source address, destination address, source port, destination port and protocol type. DPI, in addition to this layered analysis, adds application-layer analysis to identify the various applications and their content.
The key to DPI technology is identifying the various applications on the network efficiently. Ordinary packet inspection identifies the application type by port number.
No effective solution has yet been proposed for the problem in the related art that detection of mobile phone viruses is slow and the detection process is complex.
Summary of the invention
The present invention is proposed to address the problem in the related art that detection of mobile phone viruses is slow and the detection process is complex. Its main object is therefore to provide a method and system for virus detection that solve this problem.
To achieve this object, according to one aspect of the present invention, a method for virus detection is provided.
The method for virus detection according to the present invention comprises: inspecting user data by a deep packet inspection chip using a virus rule base, and judging according to the virus rule base whether the user data is infected with a virus; and, if the user data is determined to be infected, intercepting the user data.
Preferably, before the user data is intercepted, the method further comprises: notifying the user so that the user confirms whether to receive the user data; and, if the user confirms not to receive the user data, confirming by short message and intercepting.
Preferably, notifying the user so that the user confirms whether to receive the user data comprises: notifying the user by short message.
Preferably, after the user confirms whether to receive the user data, the method further comprises: if the user confirms receiving the user data, not intercepting the user data.
Preferably, intercepting the user data comprises: if the user data is a multimedia message, e-mail or short message, not delivering the user data to the user; if the user data is a website, prohibiting access to the website.
Preferably, intercepting the user data comprises: the user terminal downloading antivirus software to update the local antivirus software.
Preferably, inspecting user data by the deep packet inspection chip using the virus rule base comprises: distributing the user data to different deep packet inspection chips so that the chips perform virus detection in parallel.
Preferably, distributing the user data to different deep packet inspection chips comprises: distributing the user data of the same Create Packet Data Protocol activation to the same deep packet inspection chip.
To achieve this object, according to another aspect of the present invention, a system for virus detection is provided.
Preferably, the system comprises: a detection module, configured to inspect user data by a deep packet inspection chip using a virus rule base; a judging module, configured to judge according to the virus rule base whether the user data is infected with a virus; and an intercepting module, configured to intercept the user data.
Preferably, the system further comprises: a notification module, configured to notify the user so that the user confirms whether to receive the user data.
With the present invention, user data is inspected by a deep packet inspection chip using a virus rule base, whether the user data is infected is judged according to the virus rule base, and the user data is intercepted if it is determined to be infected. This solves the problem in the related art that detection of mobile phone viruses is slow and the detection process is complex, and thereby improves virus detection efficiency.
Description of drawings
The accompanying drawings described here provide a further understanding of the present invention and form part of this application. The illustrative embodiments of the invention and their description serve to explain the invention and do not unduly limit it. In the drawings:
Fig. 1 is a schematic diagram of DPI in the network according to the embodiment of the invention;
Fig. 2 is a flow chart of the virus detection method according to the embodiment of the invention;
Fig. 3 is a schematic diagram of the data flow according to the embodiment of the invention;
Fig. 4 is a preferred flow chart of the virus detection method according to the embodiment of the invention;
Fig. 5 is a schematic diagram of the virus detection system according to the embodiment of the invention.
Embodiments
Functional overview
In view of the problem in the related art that detection of mobile phone viruses is slow and the detection process is complex, the embodiment of the invention provides a method and system for virus detection. The method comprises: inspecting user data by a deep packet inspection chip using a virus rule base, and judging according to the virus rule base whether the user data is infected with a virus; and, if the user data is determined to be infected, intercepting the user data.
Preferably, the method of detecting mobile phone viruses through the GN interface according to the embodiment of the invention may comprise the following steps:
Virus detection: using the virus rule base, search for mobile phone viruses by DPI. All user data is sent to the DPI chip for inspection, and the DPI chip judges from the virus base whether the data is infected.
Interception: once user data is confirmed to contain a virus, the data is intercepted. If it is a multimedia message, e-mail or short message, it is not delivered to the phone. If a website carries a virus, access to that website is prohibited.
Notifying the user: after a user's infected data is intercepted, the mobile phone user is notified by short message and confirms whether to accept interception. If the user does not accept interception, no interception is performed. If interception is wanted, it is confirmed by short message. A link is also sent by short message so that antivirus software can be downloaded to update the local antivirus software.
It should be noted that, where they do not conflict, the embodiments in this application and the features in the embodiments can be combined with one another. The invention is described in detail below with reference to the drawings and in combination with the embodiments.
Method embodiment
According to an embodiment of the present invention, a method for virus detection is provided.
Fig. 2 is a flow chart of the virus detection method according to the embodiment of the invention.
As shown in Fig. 2, the method comprises the following steps S202 to S204:
Step S202: inspect user data by a deep packet inspection chip using a virus rule base, and judge according to the virus rule base whether the user data is infected with a virus;
Step S204: if the user data is determined to be infected, intercept the user data.
The implementation of the embodiment is described in detail below with an example.
Mobile phones all have memory and a CPU, but memory and CPU resources are limited. To inspect high-volume network data in real time, memory and CPU resources must be fully used, so a DPI technique is proposed to increase virus detection speed.
DPI is a virus detection technique based on application-layer data. When IP packets or Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) data flows pass through a DPI-based system, DPI can detect viruses quickly and accurately. Virus detection is performed on all mobile phone data, but only the data of authorized users is intercepted. Such a user can then neither send nor receive virus data, which helps the operator improve network and service quality and raise user satisfaction.
The present invention proposes a DPI-based mobile phone virus detection method for performing virus detection on mobile data in real time. The approach provided by the embodiment is: a data distribution module distributes data to the DPI chips, and each DPI chip performs virus detection on the data; if a virus is detected, the virus number is returned. If no virus is found, no detection result needs to be output. Data of the same Create Packet Data Protocol (Packet Data Protocol, abbreviated PDP) activation must be distributed to the same DPI chip, so that the user of the virus data can be located accurately. Users for whom a virus is detected are notified by short message. If the user has authorized interception, interception is performed.
Fig. 1 is a schematic diagram of DPI in the network according to the embodiment of the invention.
DPI detection can be attached in two ways: in parallel or in series. As shown in Fig. 1, the present invention uses series attachment, which makes data interception possible. Specifically, the DPI chip can be connected in series with the Gateway GPRS Support Node (Gateway General Packet Radio Service Supporting Node, abbreviated GGSN) and the Serving GPRS Support Node (Serving General Packet Radio Service Support Node, abbreviated SGSN).
Fig. 3 is a schematic diagram of the data flow according to the embodiment of the invention.
As shown in Fig. 3, the invention mainly comprises four parts: data acquisition, data distribution policy, DPI chip virus detection, and obtaining virus detection results. The data acquisition module collects data. The data distribution policy distributes the collected data to the DPI processing chips according to the distribution policy; the DPI chips process in parallel, which increases virus detection speed. The DPI chip virus detection module performs virus detection according to the virus rule base. The module that obtains virus detection results is mainly used to obtain the infected user and the virus name.
Fig. 4 is a preferred flow chart of the virus detection method according to the embodiment of the invention.
As shown in Fig. 4, the processing steps are as follows:
Step S401: compile the text regular-expression rule base, converting it into a data format the DPI chip can recognize.
Step S402: the DPI board initializes the DPI chip to ensure the chip works normally. Once the DPI chip is running normally, the rule base compiled in step S401 is loaded. Only after the rule base is loaded successfully can the DPI board perform protocol decoding on data packets.
Step S403: collect GN interface data.
Step S404: distribute the data to different DPI chips according to the distribution policy; the DPI chips perform virus detection in parallel.
Step S405: if the data is a GN interface signaling-plane Create PDP Request (CREATE PDP REQUEST) or Create PDP Response (CREATE PDP RESPONSE), the events are combined and user-related information is obtained, namely msisdn, imsi, userip, etc. A keyword key is also obtained; the key is composed mainly of the SGSN's IP address for user data (Address for user traffic) and the data tunnel endpoint identifier (Tunnel Endpoint Identifier data, abbreviated TEID DATA).
Step S406: if the message is a T-PDU, a feature value is composed from the destination IP and the tunnel endpoint identifier (Tunnel Endpoint Identifier, abbreviated TEID), and the TDR of the GN events is searched by that feature value. If a match is found, virus detection is then performed. Go to step S407; otherwise go to step S403.
Step S407: for other data, go to step S403.
Step S408: submit the data to the DPI module in order; the DPI chip calls the decoding function and then performs virus detection according to the regular-expression rule base. Multiple DPI chips work in parallel. Each DPI chip detects viruses more than 10 times faster than software virus detection.
Step S409: obtain the result from the DPI module and convert it into the required format. The virus base can be upgraded by upgrading the rule base. If there is a virus, the ID number of the corresponding virus is output and the virus name is obtained. The mobile phone number is obtained from the associated GN transaction detail record (Transaction Detailed Records, abbreviated TDR).
Step S410: notify the user: after a user's data is found to be infected, the mobile phone user is notified by short message, and a link to an antivirus software upgrade package is sent by short message. The user can download and upgrade the antivirus software; the next time such a virus appears it is no longer intercepted and is handled by the phone's own virus base.
Step S411: interception: after user data is confirmed to contain a virus and the user is an authorized user, the data is intercepted; otherwise no interception is performed.
In the embodiment of the invention, data needs to be sent to the DPI chip. The embodiment uses DPI detection technology and, in keeping with the characteristics of the GGSN data network monitoring system, connects the DPI board in series in the existing network. The invention provides real-time virus detection by DPI, thereby helping the operator improve network and service quality and raise user satisfaction.
From the above description it can be seen that the present invention achieves the following technical effects: virus detection speed is increased, and the operator is helped to improve network and service quality and raise user satisfaction.
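The distribution and lookup logic of steps S404 to S411, as an added example that is not part of the patent text. Events are modelled as already-decoded fields rather than raw GTP bytes; the rule patterns, subscriber values, `authorized` flag and class names are constructed for illustration, and CRC32 is an assumed distribution policy (the page only requires that one PDP context always reaches the same chip).

```python
import re
import zlib
from dataclasses import dataclass

# Constructed rule base (rule ID -> name, pattern); not real virus signatures.
RULES = {
    1001: ("Example.MMS.Marker", re.compile(rb"X-TEST-SIG-[0-9]{4}")),
    1002: ("Example.Download.Marker", re.compile(rb"EXAMPLE-PAYLOAD-MARKER")),
}

@dataclass
class Session:
    """User fields taken from the Create PDP exchange (step S405)."""
    msisdn: str
    imsi: str
    user_ip: str
    authorized: bool  # hypothetical flag: user has authorized interception

class GnInspector:
    def __init__(self, n_chips: int):
        self.n_chips = n_chips
        self.sessions = {}  # (SGSN user-traffic address, TEID data) -> Session
        self.chip_load = [0] * n_chips

    def on_create_pdp(self, sgsn_user_addr: str, teid_data: int, session: Session):
        """S405: store the user information under the key named on the page."""
        self.sessions[(sgsn_user_addr, teid_data)] = session

    def chip_for(self, key) -> int:
        """S404: stable hash of the PDP key, so one context maps to one chip."""
        addr, teid = key
        return zlib.crc32(f"{addr}/{teid:08x}".encode()) % self.n_chips

    def on_tpdu(self, dst_ip: str, teid: int, payload: bytes):
        """S406-S411: look up the context, scan, decide notify and intercept.

        Returns None for traffic with no known PDP context and for clean
        payloads (the page outputs a result only when a virus is found).
        """
        key = (dst_ip, teid)
        session = self.sessions.get(key)
        if session is None:
            return None
        chip = self.chip_for(key)
        self.chip_load[chip] += 1
        for rule_id, (name, pattern) in RULES.items():
            if pattern.search(payload):
                return {
                    "chip": chip, "rule_id": rule_id, "virus": name,
                    "msisdn": session.msisdn,
                    "notify_sms": True,               # S410: notify the user
                    "intercept": session.authorized,  # S411: authorized users only
                }
        return None

def run_demo():
    """Feed constructed events through a 4-chip inspector."""
    insp = GnInspector(n_chips=4)
    insp.on_create_pdp("10.0.0.1", 0x1111,
                       Session("8613800000001", "460000000000001", "172.16.0.5", True))
    insp.on_create_pdp("10.0.0.1", 0x2222,
                       Session("8613800000002", "460000000000002", "172.16.0.6", False))
    packets = [  # (destination IP, TEID, payload), all constructed
        ("10.0.0.1", 0x1111, b"GET /ring.mid ... X-TEST-SIG-0042 ..."),
        ("10.0.0.1", 0x2222, b"....EXAMPLE-PAYLOAD-MARKER...."),
        ("10.0.0.1", 0x1111, b"plain text, nothing to match"),
        ("10.0.0.9", 0x9999, b"X-TEST-SIG-0001 but no PDP context known"),
    ]
    return insp, [insp.on_tpdu(*p) for p in packets]

if __name__ == "__main__":
    for result in run_demo()[1]:
        print(result)
```

Because the chip index depends only on the PDP key, every packet of one subscriber context is scanned by the same chip, which is what lets a detection be tied back to a single MSISDN.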
Device embodiment
According to an embodiment of the present invention, a system for virus detection is provided.
Fig. 5 is a schematic diagram of the virus detection system according to the embodiment of the invention.
The system according to the embodiment of the invention can be used to implement the virus detection method described above.
As shown in Fig. 5, the system comprises: a detection module 501, a judging module 503, an intercepting module 505 and a notification module 507.
The detection module 501 is configured to inspect user data by a deep packet inspection chip using a virus rule base; the judging module 503 is configured to judge according to the virus rule base whether the user data is infected with a virus; the intercepting module 505 is configured to intercept the user data; the notification module 507 is configured to notify the user so that the user confirms whether to receive the user data.
Preferably, the system may also comprise four parts: data acquisition, data distribution, DPI chip virus detection, and obtaining virus detection results. The data distribution module distributes data to multiple DPI chips according to the distribution policy; the DPI chips process in parallel, which increases virus detection speed.
The above are merely preferred embodiments of the present invention and are not intended to limit it; for those skilled in the art, the invention may have various modifications and variations. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present invention shall fall within the scope of protection of the present invention.

Claims (9)

1. A method for virus detection, characterized by comprising:
inspecting user data by a deep packet inspection chip using a virus rule base, and judging according to said virus rule base whether said user data is infected with a virus;
if said user data is determined to be infected, intercepting said user data;
wherein inspecting user data by the deep packet inspection chip using the virus rule base comprises: distributing said user data to different deep packet inspection chips so that each said deep packet inspection chip performs virus detection in parallel.
2. The method according to claim 1, characterized in that, before said user data is intercepted, said method further comprises:
notifying said user so that said user confirms whether to receive said user data;
if said user confirms not to receive said user data, confirming by short message and intercepting.
3. The method according to claim 2, characterized in that notifying the user so that said user confirms whether to receive said user data comprises:
notifying said user by short message.
4. The method according to claim 2, characterized in that, after said user confirms whether to receive said user data, said method further comprises:
if said user confirms receiving said user data, not intercepting said user data.
5. The method according to claim 1, characterized in that intercepting said user data comprises:
if said user data is a multimedia message, e-mail or short message, not delivering said user data to the user;
if said user data is a website, prohibiting access to said website.
6. The method according to claim 1, characterized in that intercepting said user data comprises:
the user terminal downloading antivirus software to update the local antivirus software.
7. The method according to claim 1, characterized in that distributing said user data to different deep packet inspection chips comprises:
distributing said user data of the same Create Packet Data Protocol activation to the same deep packet inspection chip.
8. A system for virus detection, characterized by comprising:
a detection module, configured to inspect user data by a deep packet inspection chip using a virus rule base;
a judging module, configured to judge according to said virus rule base whether said user data is infected with a virus;
an intercepting module, configured to intercept said user data;
a data distribution module, configured to distribute said user data to a plurality of said deep packet inspection chips according to a distribution policy, so that each said deep packet inspection chip processes in parallel.
9. The system according to claim 8, characterized in that said system further comprises:
a notification module, configured to notify the user so that said user confirms whether to receive said user data.
CN2009101716747A 2009-09-03 2009-09-03 Method for detecting virus and system Active CN101674584B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2009101716747A CN101674584B (en) 2009-09-03 2009-09-03 Method for detecting virus and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2009101716747A CN101674584B (en) 2009-09-03 2009-09-03 Method for detecting virus and system

Publications (2)

Publication Number Publication Date
CN101674584A CN101674584A (en) 2010-03-17
CN101674584B true CN101674584B (en) 2012-07-04

Family

ID=42021512

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2009101716747A Active CN101674584B (en) 2009-09-03 2009-09-03 Method for detecting virus and system

Country Status (1)

Country Link
CN (1) CN101674584B (en)

Also Published As

Publication number Publication date
CN101674584A (en) 2010-03-17

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant