CN108289032B - Data transmission method and device - Google Patents


Info

Publication number
CN108289032B
Authority
CN
China
Prior art keywords
data
log
network card
network
transmission
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201710014004.9A
Other languages
Chinese (zh)
Other versions
CN108289032A (en)
Inventor
杨经宇
王旭
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tencent Technology Shenzhen Co Ltd
Original Assignee
Tencent Technology Shenzhen Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Tencent Technology Shenzhen Co Ltd
Priority to CN201710014004.9A
Publication of CN108289032A
Application granted
Publication of CN108289032B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/08 Configuration management of networks or network elements
    • H04L 41/0803 Configuration setting
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 9/00 Arrangements for program control, e.g. control units
    • G06F 9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F 9/44 Arrangements for executing specific programs
    • G06F 9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F 9/45504 Abstract machines for programme code execution, e.g. Java virtual machine [JVM], interpreters, emulators
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/06 Management of faults, events, alarms or notifications
    • H04L 41/069 Management of faults, events, alarms or notifications using logs of notifications; Post-processing of notifications

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Debugging And Monitoring (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a data transmission method comprising the following steps: virtualizing a first network card and a second network card in a virtual machine; receiving data and configuring configuration information for transmitting the data, where the configuration information specifies that the destination address for receiving the data is the address information and destination port information of the second network card; running a preset network service and triggering, according to the configuration information, the transmission of the data from the first network card to the second network card; recording the transmission behavior of the data on the second network card and generating a first log from the recorded transmission behavior. The invention also discloses a data transmission device.

Description

Data transmission method and device
Technical Field
The present invention relates to data processing technologies, and in particular, to a data transmission method and apparatus.
Background
In the prior art, software is generally analyzed by monitoring its network transmission behavior. To keep the network secure, for example to prevent virus samples of malware from leaking to the external network, the network transmission behavior of the malware must be triggered while the network connection is interrupted.
Existing schemes for triggering the network transmission behavior of malware while the network connection is interrupted are of three types. The first changes the execution results of the network-related system Application Programming Interfaces (APIs): when the network connection is interrupted, a network-related system API returns an error code indicating that the network is unavailable, and by changing the API's execution result the system is made to believe that a network connection is available. However, this scheme requires writing a corresponding HOOK for each commonly used API, which makes the implementation costly; and because the network-related APIs change as the operating system is upgraded, the HOOK logic has to be adjusted accordingly, so the versatility of this scheme is low.
The second analyzes the malware with static analysis; however, static analysis cannot handle encrypted or obfuscated malware, so the scheme is not widely applicable. Moreover, some parameters of network API calls are generated dynamically, and static analysis cannot obtain them, so the network behavior information that static analysis yields about the malware is limited.
The third triggers the network behavior of the malware by building an internal network cluster. This does not constitute a strictly defined network connection interruption, and it still cannot trigger the network behavior of malware that accesses the Internet, so its ability to solve the problem is limited; deploying the internal network cluster also requires a large investment of manpower and material resources, so the scheme is costly to implement.
Disclosure of Invention
In view of this, embodiments of the present invention provide a data transmission method and apparatus to solve the problems in the prior art.
The embodiment of the invention provides a data transmission method, which comprises the following steps:
virtualizing a first network card and a second network card in a virtual machine;
receiving data, and configuring configuration information for transmitting the data, wherein the configuration information represents that a destination address for receiving the data is address information and destination port information of the second network card;
running a preset network service, and triggering the data to be transmitted from the first network card to the second network card according to the configuration information;
recording the transmission behavior of the data based on the second network card, and generating a first log according to the recorded transmission behavior.
In the above solution, configuring the configuration information for transmitting the data includes:
configuring the destination address for receiving the data as the IP address of the second network card, configuring the destination port for receiving the data as a preset port, and generating first configuration information;
generating configuration log information containing the first configuration information.
In the foregoing solution, before triggering the transmission of the data through the preset network service, the method further includes:
creating a network service for transmitting the data, the network service comprising: HyperText Transfer Protocol (HTTP) service, Secure HyperText Transfer Protocol (HTTPS) service, and mail service.
In the above scheme, after generating the first log, the method further includes:
modifying the information of the second network card that represents the destination address recorded in the first log into the pre-stored real destination address information of the transmitted data, to generate a second log.
In the foregoing solution, after generating the second log, the method further includes:
processing the network service log generated by running the network service together with the second log, to generate a third log.
In the foregoing solution, recording the transmission behavior of the data based on the second network card includes:
monitoring the transmission behavior of the data for a preset time based on the second network card, or monitoring all transmission behavior of the data based on the second network card; and recording the transmission behavior obtained by monitoring.
In the foregoing solution, recording the transmission behavior of the data based on the second network card includes:
when the data is transmitted in a multi-process mode and the transmission of the main-process data has finished, monitoring the transmission behavior of the sub-process data for a preset time based on the second network card, or monitoring all transmission behavior of the sub-process data based on the second network card; and recording the transmission behavior obtained by monitoring.
In the above scheme, the network service log and the second log are merged, and information in the network service log and the second log that is irrelevant to the transmission behavior of the data is deleted.
An embodiment of the present invention further provides a data transmission device, where the device includes:
the virtual unit is used for virtualizing a first network card and a second network card in a virtual machine;
the configuration unit is used for receiving data and configuring configuration information used for transmitting the data, wherein the configuration information represents that a destination address for receiving the data is address information and destination port information of the second network card;
the triggering unit is used for running a preset network service and triggering the data to be transmitted from the first network card to the second network card according to the configuration information;
the recording unit is used for recording the transmission behavior of the data based on the second network card and generating a first log from the recorded transmission behavior.
In the foregoing solution, the configuration unit is specifically configured to configure the destination address for receiving the data as the IP address of the second virtual network card, configure the destination port for receiving the data as a preset port, and generate first configuration information; and to generate configuration log information containing the first configuration information.
In the above scheme, the apparatus further comprises:
a creating unit configured to create a network service that transmits the data; the network service comprises: a hypertext transfer protocol service, a secure hypertext transfer protocol service, and a mail service.
In the above solution, the apparatus further includes:
a modifying unit, configured to modify the information of the second network card that represents the destination address recorded in the first log into the pre-stored real destination address information of the transmitted data, and to generate a second log.
In the above scheme, the apparatus further comprises:
a processing unit, configured to process the network service log generated by running the network service together with the second log, and to generate a third log.
In the above scheme, the recording unit is specifically configured to monitor a transmission behavior of the data within a preset time based on the second network card, or monitor all transmission behaviors of the data based on the second network card; and recording the transmission behavior of the data obtained by monitoring.
In the above scheme, when the data is transmitted in the multi-process mode and the transmission of the main-process data has finished, the recording unit is specifically configured to monitor the transmission behavior of the sub-process data for a preset time based on the second network card, or to monitor all transmission behavior of the sub-process data based on the second network card; and to record the transmission behavior obtained by monitoring.
In the foregoing solution, the processing unit is specifically configured to merge the network service log and the second log, and to delete information in the network service log and the second log that is irrelevant to the transmission behavior of the data.
The data transmission method and device provided by the embodiment of the invention virtualize a first network card and a second network card in a virtual machine; receive data and configure configuration information for transmitting the data, where the configuration information specifies that the destination address for receiving the data is the address information and destination port information of the second network card; run a preset network service and trigger, according to the configuration information, the transmission of the data from the first network card to the second network card; and record the transmission behavior of the data based on the second network card and generate a first log from the recorded transmission behavior. In this way, the real destination address of the transmitted data is replaced by the IP address and a destination port of the second network card, the data is triggered to be transmitted from the first network card to the second network card by the preset network service, and the transmission behavior of the data is recorded. The data transmission is thus triggered while the real network connection is interrupted, and the virtual network environment formed by the virtualized first and second network cards can trigger more of the data transmission behavior of malicious software, so that more transmission data is obtained; since the embodiment of the invention only needs to configure the transmission configuration in the operating system, the implementation cost is low and the universality is high.
Drawings
Fig. 1 is a schematic diagram of the basic processing flow of a data transmission method according to an embodiment of the present invention;
Fig. 2 is a diagram illustrating a hardware configuration according to an embodiment of the present invention;
Fig. 3 is a schematic diagram of the detailed processing flow of a data transmission method according to an embodiment of the present invention;
Fig. 4 is a detailed processing flow diagram of another data transmission method according to another embodiment of the present invention;
Fig. 5 is a detailed processing flow diagram of the data transmission method applied to the Hubble analysis system according to an embodiment of the invention;
Fig. 6 is a schematic interface diagram illustrating a virtual machine in the network connection interrupted state according to an embodiment of the present invention;
Fig. 7 is a diagram illustrating a log recording the transmission behavior of the data according to an embodiment of the present invention;
Fig. 8 is a schematic structural diagram of a data transmission apparatus according to an embodiment of the present invention;
Fig. 9 is a schematic diagram of the hardware entity structure of a data transmission device according to an embodiment of the present invention.
Detailed Description
The invention is described in further detail below with reference to the figures and specific examples.
A basic processing flow diagram of a data transmission method according to an embodiment of the present invention, as shown in fig. 1, includes the following steps:
Step 101, virtualizing a first network card and a second network card in a virtual machine;
specifically, as shown in fig. 2, an operating system supporting virtual machine management is run on an external physical machine, where the physical machine is called Host, and a typical Host operating system may be Linux, Mac OS, or Windows; a plurality of virtual machines can be operated in one Host, the virtual machines are called Guest, and each Guest can install a corresponding operating system aiming at the network environment needing to be simulated; in the embodiment of the invention, the main implementation environment of Guest is Linux; in the embodiment of the invention, at least two network cards, namely a first network card and a second network card, need to be virtualized for each Guest.
Step 102, receiving data, and configuring configuration information for transmitting the data;
here, the configuration information includes at least: the destination address for receiving the data is configured to be address information and destination port information of the second network card;
Specifically, a network management command provided by the operating system, such as the iptables [7] command, is used with Network Address Translation (NAT) to configure the destination address for receiving the data as the IP address of the second network card and the destination port for receiving the data as a preset port, generating first configuration information; configuration log information containing the first configuration information is then generated;
the configuration log information records configuration information for transmitting the data, the configuration log information is stored in a kernel log under the Linux environment, and the kernel log also stores real destination address information of the transmitted data; and when the configuration information stored in the kernel log and the real destination address information of the transmission data are used for analyzing the transmission behavior of the data subsequently, the IP address of the second network card is restored to the real destination address for transmitting the data.
Here, taking 10.0.2.30 as the IP address of the second network card as an example, in the Linux environment the destination address for receiving the data is configured as the IP address of the second network card by the following command:
/sbin/iptables -t nat -A OUTPUT -o eth0 -j DNAT --to-dest 10.0.2.30
In the embodiment of the present invention, some ports may not be open on the second network card, so not every port that the transmitted data tries to reach can be covered; therefore, rarely used ports are redirected to a fixed port so that the transmission of data is triggered as far as possible. In the Linux environment, the device redirects TCP destination ports 515-65535 to port 1 of the second network card by:
/sbin/iptables -t nat -A OUTPUT -o eth0 -p tcp --dport 515:65535 -j DNAT --to-dest 10.0.2.30:1
In the Linux environment, the configuration log information containing the first configuration information is written to the kernel log by the following command:
/sbin/iptables -t nat -A OUTPUT -o eth0 -j LOG --log-level debug --log-prefix "[NAT]" --log-tcp-sequence
Step 103, running a preset network service, and triggering the transmission of the data according to the configuration information;
Here, the preset network service includes at least: HTTP service, HTTPS service, and mail service;
Specifically, because the embodiment of the invention is applied in an environment where the network connection is interrupted, common network services such as HTTP, HTTPS and mail services can be created with self-developed tools or open source tools such as INetSim [10]; the transmission of the data is triggered separately and independently through the HTTP service, the HTTPS service and the mail service, so that the data is transmitted from the first network card to the second network card via each of these services according to the configuration information;
Here, for an ELF file in the Linux environment, the transmission of the data from the first network card to the second network card is generally triggered directly through the network service, and the Process Identifier (PID) of the data is recorded; for non-ELF files in the Linux environment, such as scripts or programs in python, php or other languages, the corresponding runtime environment has to be installed first, after which the non-ELF file is run so that the data is transmitted from the first network card to the second network card;
The log produced by INetSim [10] while simulating network services is shown in Table 1, which shows that INetSim [10] can also simulate services such as DNS.
[Table 1: INetSim service simulation log (image not reproduced)]
Step 104, recording the transmission behavior of the data based on the second network card, and generating a first log from the recorded transmission behavior;
Specifically, in the Linux environment, the transmission behavior of the data is recorded by running the tcpdump [8] command on the second network card;
Here, a maximum execution time for the data transmission may be set and the transmission behavior of the data monitored for a preset time; when the preset time is reached, the data transmission is terminated with the kill -9 [pid] command. When the data transmission uses a multi-process mode, the transmission behavior can only be recorded to the greatest extent if, after the data transmission of the main process has finished, the data transmission of the sub-processes is also allowed to run until the preset time. It is also possible not to set a maximum execution time, i.e. to record the entire transmission behavior of the data.
Here, in the Linux environment, monitoring of the transmission behavior of the data may be started by the following command:
/usr/sbin/tcpdump -i any -w out.pcap
The transmission behavior of the data is recorded through the tcpdump [8] command and saved in the out.pcap file.
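The termination step of step 104 (a preset maximum execution time, then kill -9, with the multi-process case in which sub-processes outlive the main process) can be made concrete as follows. This is an added example, not code from the patent: it uses Python's subprocess module to start the sample in its own session and kills the whole process group at the deadline, so that child processes are stopped together with the main process. The sh loop used as the "sample" is constructed for the demonstration and writes to a temporary file instead of sending traffic; the timeouts are assumptions chosen to keep the run short.

```python
"""Run a sample under a deadline and stop it together with its sub-processes (step 104)."""
import os
import signal
import subprocess
import tempfile
import time


def run_with_deadline(argv, max_seconds):
    """Start argv in a new session (hence its own process group), wait at most
    max_seconds, then SIGKILL the whole group. Killing the group instead of the
    single pid covers the multi-process case: sub-processes spawned by the sample
    are stopped as well. Returns (timed_out, return_code)."""
    proc = subprocess.Popen(argv, start_new_session=True,
                            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    try:
        proc.wait(timeout=max_seconds)
        return False, proc.returncode          # finished by itself before the deadline
    except subprocess.TimeoutExpired:
        os.killpg(os.getpgid(proc.pid), signal.SIGKILL)   # the kill -9 step, for the whole group
        proc.wait()
        return True, proc.returncode


def group_stopped_after_deadline(max_seconds=0.5, settle=0.3):
    """Demonstration with a constructed 'sample': a main process that sleeps while a
    backgrounded child keeps appending to a marker file. After the deadline the
    file must stop growing, which shows the child did not survive the main process.
    Returns True when the writes stopped."""
    with tempfile.NamedTemporaryFile(delete=False) as f:
        marker = f.name
    # constructed sample: child loop in the background, main process blocks on sleep
    cmd = f"(while :; do echo x >> {marker}; sleep 0.05; done) & sleep 30"
    timed_out, _ = run_with_deadline(["sh", "-c", cmd], max_seconds)
    time.sleep(settle)
    size_a = os.path.getsize(marker)
    time.sleep(settle)
    size_b = os.path.getsize(marker)
    os.unlink(marker)
    return timed_out and size_a > 0 and size_a == size_b


if __name__ == "__main__":
    print("child stopped with main process:", group_stopped_after_deadline())
```

In a real run the tcpdump capture on the second network card is started before run_with_deadline and stopped only after it returns, so that traffic of sub-processes emitted right up to the deadline is still captured.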
A detailed processing flow diagram of a data transmission method according to an embodiment of the present invention, as shown in fig. 3, includes the following steps:
step 201, virtualizing a first network card and a second network card in a virtual machine;
specifically, in the embodiment of the present invention, an external physical machine needs to run an operating system supporting virtual machine management, where the physical machine is called Host, and a typical Host operating system may be Linux, MacOS, or Windows; as shown in fig. 2, a plurality of virtual machines may be run inside one Host, where the virtual machines are referred to as guests, and each Guest may install a corresponding operating system for a network environment that needs to be simulated; in the embodiment of the invention, the main implementation environment of Guest is Linux; in the embodiment of the invention, at least two network cards, namely a first network card and a second network card, need to be virtualized for each Guest.
Step 202, receiving data, configuring configuration information for transmitting the data;
here, the configuration information includes at least: the destination address for receiving the data is configured to be address information and destination port information of the second network card;
Specifically, a network management command provided by the operating system, such as the iptables [7] command, is used with NAT to configure the destination address for receiving the data as the IP address of the second network card and the destination port for receiving the data as a preset port, generating first configuration information; configuration log information containing the first configuration information is then generated;
the configuration log information records configuration information for transmitting the data, the configuration log information is stored in a kernel log under the Linux environment, and the kernel log also stores real destination address information of the transmission data; and when the configuration information stored in the kernel log and the real destination address information of the transmission data are used for analyzing the transmission behavior of the data subsequently, the IP address of the second network card is restored to the real destination address for transmitting the data.
Here, taking 10.0.2.30 as the IP address of the second network card as an example, in the Linux environment the destination address for receiving the data is configured as the IP address of the second network card by the following command:
/sbin/iptables -t nat -A OUTPUT -o eth0 -j DNAT --to-dest 10.0.2.30
In the embodiment of the present invention, some ports may not be open on the second network card, so not every port that the transmitted data tries to reach can be covered; therefore, rarely used ports are redirected to a fixed port so that the transmission of data is triggered as far as possible. In the Linux environment, the device redirects TCP destination ports 515-65535 to port 1 of the second network card by:
/sbin/iptables -t nat -A OUTPUT -o eth0 -p tcp --dport 515:65535 -j DNAT --to-dest 10.0.2.30:1
In the Linux environment, the configuration log information containing the first configuration information is written to the kernel log by the following command:
/sbin/iptables -t nat -A OUTPUT -o eth0 -j LOG --log-level debug --log-prefix "[NAT]" --log-tcp-sequence
Step 203, creating a network service;
Specifically, because the embodiment of the invention is applied in an environment where the network connection is interrupted, common network services such as HTTP, HTTPS and mail services are created with self-developed tools or open source tools such as INetSim [10]; the transmission of the data is triggered separately and independently through the HTTP service, the HTTPS service and the mail service, so that the data is transmitted from the first network card to the second network card via each of these services according to the configuration information;
Here, the network service includes at least: HTTP service, HTTPS service, and mail service.
Step 204, triggering the transmission of the data through the network service;
Specifically, for an ELF file in the Linux environment, the transmission of the data from the first network card to the second network card is generally triggered directly through the network service, and the Process Identifier (PID) of the data is recorded; for non-ELF files in the Linux environment, such as scripts or programs in python, php or other languages, the corresponding runtime environment has to be installed first, after which the non-ELF file is run so that the data is transmitted from the first network card to the second network card;
The log produced by INetSim [10] while simulating network services is shown in Table 1, which shows that INetSim [10] can also simulate services such as DNS.
[Table 1: INetSim service simulation log (image not reproduced)]
Step 205, based on the transmission behavior of the data, the second network card sends a response data packet to the first network card;
Specifically, because NAT has substituted the IP address of the second network card for the real destination address of the data, the first network card that sent the data takes the received response data packet to have been sent by the external network;
in the Linux environment, the NAT service automatically restores the addresses of response packets, that is, the second network card does not need to be configured separately so that its response packets carry the real destination address of the data.
Step 206, recording the transmission behavior of the data based on the second network card, and generating a first log from the recorded transmission behavior;
Specifically, in the Linux environment, the transmission behavior of the data is recorded by running the tcpdump [8] command on the second network card;
Here, a maximum execution time for the data transmission may be set and the transmission behavior of the data monitored for a preset time; when the preset time is reached, the data transmission is terminated with the kill -9 [pid] command. When the data transmission uses a multi-process mode, the transmission behavior can only be recorded to the greatest extent if, after the data transmission of the main process has finished, the data transmission of the sub-processes is also allowed to run until the preset time. It is also possible not to set a maximum execution time, i.e. to record the entire transmission behavior of the data.
Here, in the Linux environment, monitoring of the transmission behavior of the data may be started by the following command:
/usr/sbin/tcpdump -i any -w out.pcap
The transmission behavior of the data is recorded through the tcpdump [8] command and saved in the out.pcap file.
Step 207, modifying the information of the second network card that represents the destination address recorded in the first log into the real destination address information, and generating a second log;
Specifically, the kernel log of the operating system records relevant information about the data from before the configuration information for transmitting the data was applied, such as the real destination address of the data; therefore, the information of the second network card that represents the destination address in the first log is modified into the real destination address information, and a second log is generated.
Taking an actual destination address of the data, 58.203 (an IPv4 network address), as an example: the actual destination address is recorded in the kernel log of the operating system before the configuration information for transmitting the data is applied, as shown in Table 2:
[Table 2: kernel log entry with the real destination address (image not reproduced)]
In the embodiment of the present invention, the information "10.0.2.30" of the second network card, which is recorded in the first log and represents the destination address, is modified to ". 58.203." to generate a second log; the second log is shown in Table 3:
[Table 3: second log with the real destination address restored (image not reproduced)]
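Steps 202, 206 and 207 together form one procedure: the DNAT rules redirect every outgoing connection to the second card (TCP ports 515-65535 to port 1), the kernel log keeps the real destination, the first log captured on the second card is rewritten into the second log, and the service log is merged into a third log. The following added example is not part of the patent; the page does not reproduce Tables 1 to 3, so the line formats are assumptions: the kernel-log lines are constructed in the shape the iptables LOG target emits with the "[NAT]" prefix, the first log is constructed tcpdump text output, and the service log is a constructed INetSim-like log. The example emulates the two DNAT rules, joins the kernel log to the capture on the client's source port, restores the real destination in both directions of each connection, and keeps only service-log lines that belong to a recorded connection.

```python
"""Emulation of the DNAT redirection and the first -> second -> third log restoration."""
import re

SECOND_NIC_IP = "10.0.2.30"            # IP of the second (capture) network card, from the page
REDIRECTED_PORTS = range(515, 65536)   # TCP destination ports the page redirects to port 1
FIXED_PORT = 1


def dnat_rewrite(proto, dst_port):
    """Where an outgoing packet with destination port dst_port lands after the two DNAT rules.
    The port-range rule is evaluated before the catch-all: a DNAT match ends traversal of
    the nat OUTPUT chain, so the narrower rule has to come first for port 1 to be reached
    (this ordering is an assumption about how the page's two rules are meant to be applied)."""
    if proto == "tcp" and dst_port in REDIRECTED_PORTS:
        return SECOND_NIC_IP, FIXED_PORT
    return SECOND_NIC_IP, dst_port


# Constructed kernel-log lines, in the shape the iptables LOG target emits with
# --log-prefix "[NAT]"; DST/DPT carry the real destination the sample tried to reach.
KERNEL_LOG = """\
[NAT]IN= OUT=eth0 SRC=10.0.2.15 DST=203.0.113.7 LEN=60 TTL=64 PROTO=TCP SPT=41234 DPT=80 SYN
[NAT]IN= OUT=eth0 SRC=10.0.2.15 DST=198.51.100.9 LEN=60 TTL=64 PROTO=TCP SPT=41235 DPT=8443 SYN
[NAT]IN= OUT=eth0 SRC=10.0.2.15 DST=192.0.2.44 LEN=60 TTL=64 PROTO=TCP SPT=41236 DPT=25 SYN
"""

# Constructed first log: tcpdump text output as seen on the second card after DNAT.
FIRST_LOG = """\
12:00:01.000001 IP 10.0.2.15.41234 > 10.0.2.30.80: Flags [S], seq 1, length 0
12:00:01.000500 IP 10.0.2.30.80 > 10.0.2.15.41234: Flags [S.], seq 2, ack 2, length 0
12:00:02.000001 IP 10.0.2.15.41235 > 10.0.2.30.1: Flags [S], seq 3, length 0
12:00:03.000001 IP 10.0.2.15.41236 > 10.0.2.30.25: Flags [S], seq 4, length 0
"""

# Constructed network service log (INetSim-like); the dns line belongs to no recorded flow.
SERVICE_LOG = """\
[2017-01-09 12:00:01] [http] connect from 10.0.2.15:41234
[2017-01-09 12:00:01] [http] GET / from 10.0.2.15:41234
[2017-01-09 12:00:03] [smtp] connect from 10.0.2.15:41236
[2017-01-09 12:00:05] [dns] statistics: 0 queries
"""

KV = re.compile(r"(\w+)=(\S*)")
FLOW = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")


def parse_kernel_log(text):
    """Map (SRC, proto, SPT) -> (real DST, real DPT) from the [NAT] kernel-log lines.
    The client's source port identifies the connection on both sides of the translation."""
    table = {}
    for line in text.splitlines():
        if not line.startswith("[NAT]"):
            continue
        f = dict(KV.findall(line))
        table[(f["SRC"], f["PROTO"].lower(), int(f["SPT"]))] = (f["DST"], int(f["DPT"]))
    return table


def restore_destinations(first_log, table):
    """Second log: put the real destination back in place of SECOND_NIC_IP:port,
    for the outgoing packet and for the reply packet of the same connection."""
    out = []
    for line in first_log.splitlines():
        m = FLOW.search(line)
        if m:
            src, spt, dst, dpt = m.group(1), int(m.group(2)), m.group(3), int(m.group(4))
            if dst == SECOND_NIC_IP and (src, "tcp", spt) in table:
                ip, port = table[(src, "tcp", spt)]          # outgoing: rewrite destination
                line = line[:m.start(3)] + f"{ip}.{port}" + line[m.end(4):]
            elif src == SECOND_NIC_IP and (dst, "tcp", dpt) in table:
                ip, port = table[(dst, "tcp", dpt)]          # reply: rewrite source
                line = line[:m.start(1)] + f"{ip}.{port}" + line[m.end(2):]
        out.append(line)
    return "\n".join(out)


def merge_third_log(second_log, service_log, table):
    """Third log: second-log lines plus the service-log lines that belong to a recorded
    connection (client ip:port known from the kernel log); unrelated lines are dropped."""
    clients = {f"{src}:{spt}" for (src, _proto, spt) in table}
    kept = [l for l in service_log.splitlines() if any(c in l for c in clients)]
    return second_log.splitlines() + kept


if __name__ == "__main__":
    nat_table = parse_kernel_log(KERNEL_LOG)
    second = restore_destinations(FIRST_LOG, nat_table)
    print("\n".join(merge_third_log(second, SERVICE_LOG, nat_table)))
```

The join key is the client's source port, which is what survives DNAT unchanged. That is only unambiguous while the sample does not reuse a source port within one capture; for longer runs the kernel-log timestamp should be added to the key so that a later connection on the same port is not restored to the earlier destination.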
As shown in fig. 4, a detailed processing flow diagram of another data transmission method according to an embodiment of the present invention includes the following steps:
step 301, virtualizing a first network card and a second network card in a virtual machine;
specifically, in implementing the embodiment of the present invention, an operating system supporting management of a virtual machine needs to be run on an external physical machine, where the physical machine is referred to as a Host, and a typical Host operating system may be Linux, Mac OS, or Windows; as shown in fig. 2, a plurality of virtual machines may be run inside one Host, where the virtual machines are referred to as guests, and each Guest may install a corresponding operating system for a network environment that needs to be simulated; in the embodiment of the invention, the main implementation environment of Guest is Linux; in the embodiment of the invention, at least two network cards, namely a first network card and a second network card, need to be virtualized for each Guest.
Step 302, receiving data, configuring configuration information for transmitting the data;
here, the configuration information includes at least: the destination address for receiving the data is configured to be address information and destination port information of the second network card;
specifically, through a network management command provided by the operating system, such as the iptables [7] command, NAT is used to configure the destination address for receiving the data as the IP address of the second network card and the destination port for receiving the data as a preset port, generating first configuration information; configuration log information containing the first configuration information is then generated;
the configuration log information records configuration information for transmitting the data, the configuration log information is stored in a kernel log under the Linux environment, and the kernel log also stores real destination address information of the transmission data; and when the configuration information stored in the kernel log and the real destination address information of the transmission data are used for analyzing the transmission behavior of the data subsequently, the IP address of the second network card is restored to the real destination address for transmitting the data.
Here, taking the IP address of the second network card as 10.0.2.30 as an example, in the Linux environment, the destination address for receiving the data is configured as the IP address of the second network card by the following command:
/sbin/iptables -t nat -A OUTPUT -o eth0 -j DNAT --to-dest 10.0.2.30
in the embodiment of the present invention, some ports may not be open on the second network card, so the ports that the data tries to reach cannot all be covered; therefore, a rarely used port is configured as a fixed port so that the transmission of the data is triggered as far as possible; in the Linux environment, destination ports 515-65535 are mapped to port 1 of the second network card by:
/sbin/iptables -t nat -A OUTPUT -o eth0 -p tcp --dport 515:65535 -j DNAT --to-dest 10.0.2.30:1
in the Linux environment, the configuration log information containing the first configuration information is stored in a kernel log by the following command:
/sbin/iptables -t nat -A OUTPUT -o eth0 -j LOG --log-level debug --log-prefix "[NAT]" --log-tcp-sequence
step 303, creating a network service;
specifically, because the embodiment of the invention is applied to an environment in which the network connection is interrupted, common network services such as an HTTP service, an HTTPS service and a mail service are created using self-developed or open-source tools such as INetSim [10]; the data is triggered and transmitted through the HTTP service, the HTTPS service and the mail service separately, so that, according to the configuration information, the data is controlled to be transmitted from the first network card to the second network card over each of the HTTP service, the HTTPS service and the mail service;
here, the network service includes at least: HTTP services, HTTPs services, and mail services.
Step 304, triggering and transmitting the data through the network service;
specifically, for an ELF file in a Linux environment, the data is generally triggered directly to be transmitted from the first network card to the second network card through the network service, and the Process Identifier (PID) of the data is recorded; for non-ELF files in a Linux environment, such as scripts or programs in languages such as Python or PHP, the corresponding runtime environment needs to be installed first, and the non-ELF file is then run so that the data is transmitted from the first network card to the second network card;
The log of the network services simulated by INetSim [10] is shown in Table 1; Table 1 shows that INetSim [10] can simulate services such as DNS.
TABLE 1 (INetSim service log; rendered as an image in the original and not reproduced here)
Step 305, based on the transmission behavior of the data, the second network card sends a response data packet to the first network card;
specifically, through NAT, the IP address of the second network card is mapped to the real destination address of the data, so that the first network card, which sent the data, treats the received response data packet as having been sent by the external network;
in the Linux environment, NAT automatically reverses the address translation for response packets, that is, no separate configuration is needed to map the IP address of the second network card in the response packet back to the real destination address of the data.
Step 306, recording the transmission behavior of the data based on the second network card, and generating a first log according to the recorded transmission behavior;
specifically, under the Linux environment, recording the transmission behavior of the data by running a tcpdump [8] command on the second network card;
here, a maximum execution time for the data transmission may be set, and the transmission behavior of the data is then monitored for a preset time; when the preset time is reached, the transmission of the data is terminated with the command kill -9 [pid]; when the data is transmitted in a multi-process mode, the transmission behavior can only be recorded completely if, after the main process has finished, the sub-processes are also allowed to run until the preset time is reached; alternatively, no maximum execution time is set and the entire transmission behavior of the data is recorded.
Here, in the Linux environment, monitoring of the transmission behavior of the data may be triggered by the following command:
/usr/sbin/tcpdump -i any -w out.pcap
The transmission behavior of the data is recorded by the tcpdump [8] command and saved to the out.pcap file named in that command.
Step 307, modifying the information of the second network card representing the destination address recorded in the first log into the real destination address information, and generating a second log;
specifically, the kernel log of the operating system records relevant information of data before configuration information for transmitting the data is configured, such as real destination address information of the data; therefore, the information of the second network card which is recorded in the first log and represents the destination address is modified into the real destination address information, and a second log is generated.
Taking the real destination address of the data, 58.203 (an IPv4 address), as an example: this address is recorded in the kernel log of the operating system before the configuration information for transmitting the data is configured, as shown in Table 2:
TABLE 2 (kernel log entry; rendered as an image in the original and not reproduced here)
In the embodiment of the present invention, the information "10.0.2.30" of the second network card, which is recorded in the first log and represents the destination address, is modified to 58.203 to generate a second log; the second log is shown in Table 3:
TABLE 3 (second log; rendered as an image in the original and not reproduced here)
In the embodiment of the present invention, when the HTTP service, the HTTPS service and the mail service are run, a corresponding network service log is generated, as shown in Table 4:
TABLE 4 (network service log; rendered as an image in the original and not reproduced here)
Step 308, processing the web service log and the second log to generate a third log;
specifically, the web service log and the second log are merged, information irrelevant to the transmission behavior of the data in the web service log and the second log is deleted, and a third log is generated, where the third log is used to represent the real transmission behavior of the data.
Here, the transmission behaviors of the data recorded in the third log include: receiving and sending UDP packets, sending DNS requests, replying to DNS requests, creating sockets, receiving and sending TCP packets, sending HTTP requests, replying to HTTP requests, and the like.
Fig. 5 is a detailed processing flow diagram of the data transmission method of the embodiment of the invention as applied to the Hubble analysis system; the method includes the following steps:
step 401, virtualizing a first network card and a second network card in a virtual machine;
specifically, in implementing the embodiment of the present invention, an operating system supporting virtual machine management needs to be run on an external physical machine, where the physical machine is referred to as Host, and a typical Host operating system may be Linux, MacOS, or Windows; as shown in fig. 2, a plurality of virtual machines may be run inside one Host, where the virtual machines are referred to as guests, and each Guest may install a corresponding operating system for a network environment that needs to be simulated; in the embodiment of the invention, the main implementation environment of Guest is Linux; in the embodiment of the invention, at least two network cards, namely a first network card and a second network card, need to be virtualized for each Guest;
here, the first network card and the second network card may be virtualized by using VirtualBox virtual machine software [9] or other virtual machine software, and the interface diagram of the virtual machine in the network connection interruption state is shown in fig. 6, where the selection box of "access network cable" is in the non-selected state, which indicates that the virtual machine is in the network connection interruption state at this time.
Step 402, starting a first network card and a second network card;
specifically, the first network card is represented by eth0, the second network card is represented by eth1, and in the Linux environment, the first network card and the second network card can be started through the following commands:
/sbin/ifup eth0
/sbin/ifup eth1
step 403, receiving data, and configuring configuration information for transmitting the data;
here, the configuration information includes at least: the address information and destination port information of the second network card, configured as the destination for receiving the data, and the real destination address information of the data.
Step 404, the user sends the data to the Hubble analysis system platform through the network interface.
Step 405, triggering and transmitting the data through a preset network service;
here, the preset network service includes at least: HTTP services, HTTPs services, and mail services;
specifically, because the embodiment of the invention is applied to the environment of network connection interruption, common network services such as HTTP service, HTTPS service, mail service and the like can be created by using self-developed or open source tools such as INetSim [10] and the like; triggering and transmitting the data through HTTP service, HTTPS service and mail service respectively and independently so as to control the data to be transmitted from the first network card to the second network card based on the HTTP service, the HTTPS service and the mail service respectively according to the configuration information;
here, for an ELF file in a Linux environment, the data is generally triggered directly to be transmitted from the first network card to the second network card through the network service, and the PID of the data is recorded; for non-ELF files in the Linux environment, such as scripts or programs in languages such as Python or PHP, the corresponding runtime environment needs to be installed first, and the non-ELF file is then run so that the data is transmitted from the first network card to the second network card.
Step 406, based on the transmission behavior of the data, the second network card sends a response data packet to the first network card.
Step 407, running the Hubble analysis system on the second network card, and monitoring the transmission behavior of the data based on the Hubble analysis system;
in particular, the specific implementation of monitoring the transmission behavior of the data based on the Hubble analysis system is as described in the above embodiments; taking access to the website http://example.com as an example, Fig. 7 is a schematic diagram of a log recording the transmission behaviors of the data, where the recorded transmission behaviors include: sending and receiving UDP packets, sending DNS requests, replying to DNS requests, creating sockets, sending and receiving TCP packets, sending HTTP requests, replying to HTTP requests, and the like.
Device embodiment
In order to implement the above method embodiment of the present invention, the present invention further provides a data transmission device, whose schematic structural diagram is shown in Fig. 8; the data transmission device includes: a virtual unit 11, a configuration unit 12, a trigger unit 13 and a recording unit 14; wherein:
the virtual unit 11 is configured to virtualize a first network card and a second network card in a virtual machine;
the configuration unit 12 is configured to receive data and configure configuration information for transmitting the data, where the configuration information represents that a destination address for receiving the data is address information and destination port information of the second network card;
the triggering unit 13 is configured to run a preset network service, and trigger the data to be transmitted from the first network card to the second network card according to the configuration information;
the recording unit 14 is configured to record a transmission behavior of the data based on the second network card, and generate a first log according to the recorded transmission behavior.
When the device of the embodiment of the invention realizes the corresponding functions, an operating system supporting virtual machine management needs to be operated on an external physical machine, the physical machine is called Host, and a typical Host operating system can be Linux, Mac OS or Windows; as shown in fig. 2, a plurality of virtual machines may be run inside one Host, where the virtual machines are referred to as Guest, and each Guest may install a corresponding operating system for a network environment that needs to be simulated; the Guest main implementation environment in the embodiment of the invention is Linux.
In this embodiment of the present invention, the configuration unit 12 is specifically configured to use NAT, through a network management command provided by the operating system such as iptables [7], to configure the destination address for receiving the data as the IP address of the second network card and the destination port for receiving the data as a preset port, so as to generate first configuration information; and to generate configuration log information containing the first configuration information.
The configuration log information records configuration information for transmitting the data, and is stored in a kernel log under a Linux environment, so that when the transmission behavior of the data is analyzed subsequently, the IP address of the second network card is restored to a real destination address for transmitting the data.
Here, taking the IP address of the second network card as 10.0.2.30 as an example, in the Linux environment, the device configures the destination address for receiving the data as the IP address of the second network card by the following command:
/sbin/iptables -t nat -A OUTPUT -o eth0 -j DNAT --to-dest 10.0.2.30
in a specific embodiment, some ports may not be open on the second network card, so the ports that the data tries to reach cannot all be covered; therefore, the device configures a rarely used port as a fixed port so that the transmission of the data is triggered as far as possible; in the Linux environment, the device maps destination ports 515-65535 to port 1 of the second network card by:
/sbin/iptables -t nat -A OUTPUT -o eth0 -p tcp --dport 515:65535 -j DNAT --to-dest 10.0.2.30:1
in a Linux environment, the device stores configuration log information including the first configuration information in a kernel log by:
/sbin/iptables -t nat -A OUTPUT -o eth0 -j LOG --log-level debug --log-prefix "[NAT]" --log-tcp-sequence
in a specific embodiment, the apparatus further comprises: a creating unit 17, configured to create a network service for transmitting the data, where the network service at least includes: HTTP services, HTTPs services, and mail services.
In a specific embodiment, the recording unit 14 is specifically configured to monitor a transmission behavior of the data within a preset time based on the second network card; or monitoring all transmission behaviors of the data based on the second network card.
Specifically, the maximum execution time of data transmission may be set, and the transmission behavior of the data may be monitored within a preset time; when reaching the preset time, finishing the transmission behavior of the data by using a kill-9[ pid ] command; when a multi-process mode is adopted in the data transmission process, after the data transmission of the main process is finished, the transmission behavior of the data can be recorded to the maximum extent only after the data transmission of the sub-process reaches the preset time; it is also possible not to set the maximum execution time for the data transmission, i.e. to record the overall transmission behavior of the data.
Here, in the Linux environment, monitoring of the transmission behavior of the data may be triggered by the following command:
/usr/sbin/tcpdump -i any -w out.pcap
The transmission behavior of the data is recorded by the tcpdump [8] command and saved to the out.pcap file named in that command.
In a specific embodiment, the apparatus further comprises: and a modifying unit 15, configured to modify the information of the second network card representing the destination address recorded in the first log into real destination address information of transmission data stored in advance, and generate a second log.
In the embodiment of the present invention, since the kernel log of the operating system of the apparatus records the related information of the data before configuring the configuration information for transmitting the data, such as the real destination address information of the data; therefore, the modifying unit 15 modifies the information of the second network card representing the destination address recorded in the first log to the actual destination address information, and generates a second log.
Taking the real destination address of the data, 58.203 (an IPv4 address), as an example: before the configuration information for transmitting the data is configured, this address is recorded in the kernel log of the operating system, as shown in Table 2:
TABLE 2 (kernel log entry; rendered as an image in the original and not reproduced here)
In a specific embodiment, the modifying unit 15 is specifically configured to modify the information "10.0.2.30" of the second network card, which is recorded in the first log and represents the destination address, to 58.203, so as to generate the second log; the second log is shown in Table 3:
TABLE 3 (second log; rendered as an image in the original and not reproduced here)
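Step 307 and the modifying unit 15 both restore the second network card's address in the first log to the real destination that the kernel log recorded before NAT was applied. As an added example (not code from the patent or the Hubble system), the Python below joins the two logs: it parses constructed kernel-log lines in the layout produced by the iptables LOG target with the "[NAT]" prefix, keys them on the (guest address, guest port) pair, and rewrites constructed tcpdump summary lines so that 10.0.2.30 (and port 1, where the 515-65535 mapping applied) become the real destination and port. The guest address 10.0.2.15 and the destinations 198.51.100.53, 203.0.113.10 and 203.0.113.20 are constructed sample values. One caveat on the rule order as printed above: DNAT is a terminating target in iptables, so a LOG rule appended with -A after the DNAT rules in the same nat OUTPUT chain only sees packets that no DNAT rule matched; for the kernel log to carry the original destination, the LOG rule has to sit before the DNAT rules in the chain (for example by inserting it with -I instead of appending it).

```python
"""Restore the real destination behind the second-NIC DNAT address.

Added example, not the patent's code.  The kernel log written by the
iptables LOG rule still carries the pre-NAT DST/DPT of each flow, while the
tcpdump "first log" only sees the translated address 10.0.2.30.  Joining
both on (guest address, guest port) yields the "second log".  Every log
line below is constructed sample data.
"""
import re

SECOND_NIC_IP = "10.0.2.30"   # from the page; address of the second network card

# Constructed kernel log lines in the layout of
#   -j LOG --log-prefix "[NAT]" --log-tcp-sequence   (non-essential fields trimmed)
KERNEL_LOG = """\
Jan  9 10:00:01 guest kernel: [NAT]IN= OUT=eth0 SRC=10.0.2.15 DST=198.51.100.53 LEN=57 PROTO=UDP SPT=51234 DPT=53 LEN=37
Jan  9 10:00:01 guest kernel: [NAT]IN= OUT=eth0 SRC=10.0.2.15 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=43210 DPT=80 SEQ=1000 ACK=0 WINDOW=29200 SYN URGP=0
Jan  9 10:00:02 guest kernel: [NAT]IN= OUT=eth0 SRC=10.0.2.15 DST=203.0.113.20 LEN=60 PROTO=TCP SPT=44000 DPT=8443 SEQ=2000 ACK=0 WINDOW=29200 SYN URGP=0
"""

# Constructed "first log": tcpdump text output for the same flows after DNAT.
# Port 8443 lies in the 515-65535 range that the page maps to port 1.
FIRST_LOG = """\
10:00:01.000010 IP 10.0.2.15.51234 > 10.0.2.30.53: 1234+ A? example.com. (29)
10:00:01.000900 IP 10.0.2.30.53 > 10.0.2.15.51234: 1234 1/0/0 A 203.0.113.10 (45)
10:00:01.100123 IP 10.0.2.15.43210 > 10.0.2.30.80: Flags [S], seq 1000, win 29200, length 0
10:00:01.100500 IP 10.0.2.30.80 > 10.0.2.15.43210: Flags [S.], seq 5000, ack 1001, win 65535, length 0
10:00:02.200000 IP 10.0.2.15.44000 > 10.0.2.30.1: Flags [S], seq 2000, win 29200, length 0
10:00:02.200400 IP 10.0.2.30.1 > 10.0.2.15.44000: Flags [S.], seq 7000, ack 2001, win 65535, length 0
"""

KV_RE = re.compile(r"(\w+)=(\S*)")
TCPDUMP_RE = re.compile(
    r"^(\S+) IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):(.*)$"
)


def parse_nat_map(kernel_log):
    """Map (guest ip, guest port) -> (real dst ip, real dst port) from [NAT] lines."""
    nat_map = {}
    for line in kernel_log.splitlines():
        if "[NAT]" not in line:
            continue                     # unrelated kernel message
        fields = dict(KV_RE.findall(line))
        try:
            nat_map[(fields["SRC"], fields["SPT"])] = (fields["DST"], fields["DPT"])
        except KeyError:
            continue                     # e.g. ICMP: no port pair to key on
    return nat_map


def restore_destinations(first_log, nat_map, nic_ip=SECOND_NIC_IP):
    """Rewrite each second-NIC endpoint in the first log to the real destination.

    Outbound lines are matched on their source (guest) endpoint, response
    lines on their destination endpoint, so both directions are restored.
    """
    out = []
    for line in first_log.splitlines():
        m = TCPDUMP_RE.match(line)
        if not m:
            out.append(line)             # not a packet summary: keep verbatim
            continue
        ts, src, sport, dst, dport, rest = m.groups()
        if dst == nic_ip and (src, sport) in nat_map:
            dst, dport = nat_map[(src, sport)]          # guest -> real server
        elif src == nic_ip and (dst, dport) in nat_map:
            src, sport = nat_map[(dst, dport)]          # "real server" -> guest
        out.append(f"{ts} IP {src}.{sport} > {dst}.{dport}:{rest}")
    return "\n".join(out)


if __name__ == "__main__":
    print(restore_destinations(FIRST_LOG, parse_nat_map(KERNEL_LOG)))
```

The join key is the guest's own endpoint because that is the only part of the 5-tuple NAT leaves untouched; a stricter version would also compare the PROTO field with the packet type, since TCP and UDP flows can reuse the same ephemeral port.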
In the embodiment of the present invention, when the HTTP service, the HTTPS service and the mail service are run, a corresponding network service log is generated, as shown in Table 4:
TABLE 4 (network service log; rendered as an image in the original and not reproduced here)
In a specific embodiment, the apparatus further comprises: and the processing unit 16 is configured to merge the web service log and the second log, delete information that is irrelevant to the transmission behavior of the data in the web service log and the second log, and generate a third log.
Here, the third log is used for characterizing a real transmission behavior of the data, and the transmission behavior of the data recorded by the third log includes: sending and receiving UDP packets, sending DNS requests, replying to DNS requests, creating sockets, sending and receiving TCP packets, sending HTTP requests, replying to HTTP requests, and the like.
In a specific embodiment, the processing unit 16 is specifically configured to merge the web service log and the second log, delete information that is irrelevant to the transmission behavior of the data in the web service log and the second log, and generate a third log, where the third log is used to characterize a real transmission behavior of the data.
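Step 308 and the processing unit 16 both merge the network service log with the second log, drop entries unrelated to the data's transmission, and keep the result as the third log that characterises the real transmission behavior. The Python below is an added example, not code from the patent or the Hubble system: it takes a constructed service log in a simplified INetSim-like layout (not INetSim's exact format) and a few constructed tcpdump lines as they look in the second log after the destination has been restored, keeps only entries that involve the analysed guest (10.0.2.15, a constructed address), interleaves them by time of day, and tags each with one of the behaviour categories the text lists (UDP/TCP packets, DNS requests and replies, socket creation, HTTP requests and replies). The service-started line and the entries of a second client 10.0.2.2 are the "irrelevant information" that gets deleted.

```python
"""Merge the service log and the second log into a "third log".

Added example, not the patent's code.  Both inputs are constructed sample
data; the categories follow the list of transmission behaviours in the text.
"""
import re
from datetime import datetime

GUEST_IP = "10.0.2.15"   # constructed: address of the first network card in the Guest

# Constructed service log (simplified INetSim-like layout, not its exact format).
SERVICE_LOG = """\
[2017-01-09 10:00:00.000000] [dns_53] service started
[2017-01-09 10:00:01.000500] [dns_53] [10.0.2.15:51234] query A example.com -> 203.0.113.10
[2017-01-09 10:00:01.101200] [http_80] [10.0.2.15:43210] GET / HTTP/1.1 Host: example.com
[2017-01-09 10:00:01.102000] [http_80] [10.0.2.15:43210] response 200 OK
[2017-01-09 10:00:03.000000] [http_80] [10.0.2.2:40000] GET /health HTTP/1.1
"""

# Constructed second log: tcpdump summaries with the real destination restored.
SECOND_LOG = """\
10:00:01.000010 IP 10.0.2.15.51234 > 198.51.100.53.53: 1234+ A? example.com. (29)
10:00:01.000900 IP 198.51.100.53.53 > 10.0.2.15.51234: 1234 1/0/0 A 203.0.113.10 (45)
10:00:01.100123 IP 10.0.2.15.43210 > 203.0.113.10.80: Flags [S], seq 1000, win 29200, length 0
10:00:01.100500 IP 203.0.113.10.80 > 10.0.2.15.43210: Flags [S.], seq 5000, ack 1001, win 65535, length 0
10:00:01.101000 IP 10.0.2.15.43210 > 203.0.113.10.80: Flags [P.], seq 1001:1076, ack 5001, win 29200, length 75
10:00:02.500000 IP 10.0.2.30.22 > 10.0.2.2.50000: Flags [P.], seq 1:37, ack 1, win 500, length 36
"""

SERVICE_RE = re.compile(r"^\[([\d-]+ [\d:.]+)\] \[(\S+)\] \[(\d+\.\d+\.\d+\.\d+):(\d+)\] (.*)$")
PACKET_RE = re.compile(r"^([\d:.]+) IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):(.*)$")


def seconds_of_day(stamp, fmt):
    """Both logs use wall-clock time; compare them as seconds since midnight."""
    t = datetime.strptime(stamp, fmt)
    return t.hour * 3600 + t.minute * 60 + t.second + t.microsecond / 1e6


def classify_packet(src, rest, guest_ip):
    """Tag a tcpdump summary with one of the behaviours named in the text."""
    direction = "send" if src == guest_ip else "receive"
    if re.search(r"\s[A-Z]+\?\s", rest):        # "A? name." is a DNS query
        return "send DNS request"
    if re.search(r"\s\d+/\d+/\d+\s", rest):     # "1/0/0" answer/authority/additional counts
        return "receive DNS reply"
    if "Flags [S]," in rest:                    # outbound SYN: a socket was created
        return "create socket"
    if "Flags [" in rest:
        return f"{direction} TCP packet"
    return f"{direction} UDP packet"


def classify_service(message):
    """Tag a service-log message; None means it is not a transmission behaviour."""
    if re.match(r"(GET|POST|HEAD|PUT) ", message):
        return "send HTTP request"
    if message.startswith("response"):
        return "reply HTTP request"
    if message.startswith("query"):
        return "reply DNS request"
    return None


def build_third_log(service_log, second_log, guest_ip=GUEST_IP):
    """Merge both logs, drop entries not involving the guest, sort by time."""
    entries = []
    for line in service_log.splitlines():
        m = SERVICE_RE.match(line)
        if not m:
            continue                              # e.g. "service started": no client
        stamp, service, client_ip, _port, message = m.groups()
        category = classify_service(message)
        if client_ip != guest_ip or category is None:
            continue                              # other client or unclassified chatter
        entries.append({"t": seconds_of_day(stamp, "%Y-%m-%d %H:%M:%S.%f"),
                        "source": service, "category": category, "line": line})
    for line in second_log.splitlines():
        m = PACKET_RE.match(line)
        if not m:
            continue
        stamp, src, _sport, dst, _dport, rest = m.groups()
        if guest_ip not in (src, dst):
            continue                              # traffic of other hosts on the capture
        entries.append({"t": seconds_of_day(stamp, "%H:%M:%S.%f"), "source": "tcpdump",
                        "category": classify_packet(src, rest, guest_ip), "line": line})
    entries.sort(key=lambda e: e["t"])            # stable sort keeps log order on ties
    return entries


if __name__ == "__main__":
    for e in build_third_log(SERVICE_LOG, SECOND_LOG):
        print(f"{e['t']:12.6f} {e['source']:<8} {e['category']:<20} {e['line']}")
```

Because tcpdump records microseconds while a service log may only record seconds, the merge only stays faithful to the real order when both sides carry sub-second timestamps; with coarser service-log stamps the tie-breaking rule decides which of two events within the same second is listed first.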
It should be noted that the functions of the virtual unit 11, the configuration unit 12, the trigger unit 13, the recording unit 14, the modification unit 15, the processing unit 16 and the creation unit 17 in the data transmission device according to the embodiment of the present invention may be implemented by a Central Processing Unit (CPU), a Microprocessor Unit (MPU), a Digital Signal Processor (DSP) or a Field Programmable Gate Array (FPGA) located on a terminal, or by a CPU, MPU, DSP or FPGA located on a server.
In this embodiment, the apparatus is taken as an example of a hardware entity, and as shown in fig. 9, the apparatus includes a processor 61, a storage medium 62, and at least one external communication interface 63; the processor 61, the storage medium 62 and the external communication interface 63 are all connected by a bus 64.
In the several embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. The above-described device embodiments are merely illustrative, for example, the division of the unit is only a logical functional division, and there may be other division ways in actual implementation, such as: multiple units or components may be combined, or may be integrated into another system, or some features may be omitted, or not implemented. In addition, the coupling, direct coupling or communication connection between the components shown or discussed may be through some interfaces, and the indirect coupling or communication connection between the devices or units may be electrical, mechanical or other forms.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, that is, may be located in one place, or may be distributed on a plurality of network units; some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, all the functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may be separately regarded as one unit, or two or more units may be integrated into one unit; the integrated unit may be implemented in the form of hardware, or in the form of hardware plus a software functional unit.
Those of ordinary skill in the art will understand that: all or part of the steps for implementing the method embodiments may be implemented by hardware related to program instructions, and the program may be stored in a computer readable storage medium, and when executed, the program performs the steps including the method embodiments; and the aforementioned storage medium includes: a mobile storage device, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
Alternatively, the integrated unit of the present invention may be stored in a computer-readable storage medium if it is implemented in the form of a software functional module and sold or used as a separate product. Based on such understanding, the technical solutions of the embodiments of the present invention may be essentially implemented or a part contributing to the prior art may be embodied in the form of a software product, which is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the methods described in the embodiments of the present invention. And the aforementioned storage medium includes: a removable storage device, a ROM, a RAM, a magnetic or optical disk, or various other media that can store program code.
The above description is only for the specific embodiments of the present invention, but the scope of the present invention is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present invention, and all the changes or substitutions should be covered within the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the appended claims.

Claims (16)

1. A method of data transmission, the method comprising:
virtualizing a first network card and a second network card in a virtual machine;
receiving data, and configuring configuration information for transmitting the data, wherein the configuration information represents that a destination address for receiving the data is address information and destination port information of the second network card;
running a preset network service, and triggering the data to be transmitted from the first network card to the second network card according to the configuration information;
recording the transmission behavior of the data based on the second network card, and generating a first log according to the recorded transmission behavior;
and modifying the information of the second network card representing the destination address recorded in the first log into the real destination address information of the prestored transmission data, and taking the modified first log as a second log.
2. The method of claim 1, wherein configuring configuration information for transmitting the data comprises:
configuring a destination address for receiving the data as an IP address of the second network card, configuring a destination port for receiving the data as a preset port, and generating first configuration information;
and generating configuration log information containing the first configuration information.
3. The method of claim 1, wherein before the running the predetermined network service, the method further comprises:
creating a network service for transmitting the data, the network service comprising: a hypertext transfer protocol service, a secure hypertext transfer protocol service, and a mail service.
4. The method of claim 1, wherein after the modifying the first log as a second log, the method further comprises:
and processing the network service log generated by running the network service and the second log, and taking the processed second log as a third log.
5. The method according to any one of claims 1 to 3, wherein the recording of the network behavior of the data based on the second network card comprises:
monitoring the transmission behavior of the data within a preset time based on the second network card, or monitoring all the transmission behaviors of the data based on the second network card;
and recording the transmission behavior of the data obtained by monitoring.
6. The method according to any one of claims 1 to 3, wherein the recording of the network behavior of the data based on the second network card comprises:
when the data are transmitted in a multi-process mode and the transmission of the main process data is finished, monitoring the transmission behavior of the sub-process data in a preset time based on the second network card, or monitoring all the transmission behaviors of the sub-process data based on the second network card;
and recording the transmission behavior of the data obtained by monitoring.
7. The method of claim 4, wherein processing the web service log and the second log generated by running the web service comprises:
and merging the network service log and the second log, and deleting information which is irrelevant to the transmission behavior of the data in the network service log and the second log.
8. A data transmission apparatus, characterized in that the apparatus comprises:
the virtual unit is used for virtualizing a first network card and a second network card in a virtual machine;
the configuration unit is used for receiving data and configuring configuration information used for transmitting the data, wherein the configuration information represents that a destination address for receiving the data is address information and destination port information of the second network card;
the triggering unit is used for running a preset network service and triggering the data to be transmitted from the first network card to the second network card according to the configuration information;
the recording unit is used for recording the transmission behavior of the data based on the second network card and generating a first log according to the recorded transmission behavior;
and the modifying unit is used for modifying the information of the second network card representing the destination address recorded in the first log into the real destination address information of the prestored transmission data and taking the modified first log as a second log.
9. The apparatus according to claim 8, wherein the configuration unit is specifically configured to configure a destination address for receiving the data as an IP address of the second network card, and configure a destination port for receiving the data as a preset port, and generate first configuration information;
and generating configuration log information containing the first configuration information.
10. The apparatus of claim 8, further comprising:
a creating unit configured to create a network service that transmits the data; the network service comprises: a hypertext transfer protocol service, a secure hypertext transfer protocol service, and a mail service.
11. The apparatus of claim 8, further comprising:
and the processing unit is used for processing the network service log generated by running the network service and the second log, and taking the processed second log as a third log.
12. The device according to any one of claims 8 to 10, wherein the recording unit is specifically configured to monitor a transmission behavior of the data within a preset time based on the second network card, or monitor all transmission behaviors of the data based on the second network card; and recording the transmission behavior of the data obtained by monitoring.
13. The apparatus according to any one of claims 8 to 10, wherein the recording unit, when the data is transmitted in a multiprocess mode and the transmission of the main process data is finished, is specifically configured to monitor a transmission behavior of the sub-process data within a preset time based on the second network card, or monitor all transmission behaviors of the sub-process data based on the second network card; and recording the transmission behavior of the data obtained by monitoring.
14. The apparatus according to claim 11, wherein the processing unit is specifically configured to merge the web service log and the second log, and delete information that is not related to the transmission behavior of the data in the web service log and the second log.
15. An electronic device, comprising:
a memory for storing computer executable instructions;
a processor for implementing the data transmission method of any one of claims 1 to 7 when executing computer executable instructions stored in the memory.
16. A computer-readable storage medium having stored thereon computer-executable instructions for implementing the data transmission method of any one of claims 1 to 7 when executed.
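The following Python script is an added example, not code from the patent or its assignee, that models what the apparatus of claims 9 and 11 to 14 does with logs: the second network card's IP address and preset port (claim 9) select the traffic of interest; the transmission behavior of the sample's main process and of its sub-processes is monitored either for a preset time or without limit (claims 12 and 13); and the network service log is merged into the transmission log with unrelated entries deleted, producing the third log (claims 11 and 14). The IP addresses, port, process IDs, log formats and every log line are constructed for illustration; the patent specifies none of them.

```python
"""Added example: build the 'third log' of claims 11 and 14 from a NIC-level
transmission log and an HTTP service log. All data below is constructed."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

SECOND_NIC_IP = "10.0.0.2"   # assumed IP address of the second network card (claim 9)
PRESET_PORT = 8080           # assumed preset port the HTTP service listens on (claim 9)

# Constructed 'second log': one line per connection observed on the second network
# card, annotated with the sandbox process (and its parent) that opened it.
TRANSMISSION_LOG = """\
2017-01-09T10:00:01 pid=4242 parent=1 192.168.100.10:51234 -> 10.0.0.2:8080 proto=tcp bytes=612
2017-01-09T10:00:02 pid=4242 parent=1 192.168.100.10:51235 -> 10.0.0.2:25 proto=tcp bytes=90
2017-01-09T10:00:03 pid=900 parent=1 10.0.0.2:35000 -> 10.0.0.9:53 proto=udp bytes=48
2017-01-09T10:00:05 pid=4250 parent=4242 192.168.100.10:51236 -> 10.0.0.2:8080 proto=tcp bytes=1400
2017-01-09T10:00:20 pid=4260 parent=4242 192.168.100.10:51237 -> 10.0.0.2:8080 proto=tcp bytes=77
"""

# Constructed 'network service log' of the HTTP service, in common log format.
SERVICE_LOG = """\
192.168.100.10 - - [09/Jan/2017:10:00:01 +0000] "POST /upload HTTP/1.1" 200 17
192.168.100.10 - - [09/Jan/2017:10:00:05 +0000] "GET /c2/beacon?id=4250 HTTP/1.1" 200 1301
10.0.0.9 - - [09/Jan/2017:10:00:07 +0000] "GET /healthz HTTP/1.1" 200 2
192.168.100.10 - - [09/Jan/2017:10:00:20 +0000] "GET /c2/beacon?id=4260 HTTP/1.1" 200 5
"""

FLOW_RE = re.compile(
    r"(?P<ts>\S+) pid=(?P<pid>\d+) parent=(?P<parent>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"proto=(?P<proto>\w+) bytes=(?P<nbytes>\d+)")
CLF_RE = re.compile(
    r'(?P<client>[\d.]+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r"(?P<status>\d{3}) (?P<size>\d+)")


@dataclass
class Flow:
    ts: datetime; pid: int; parent: int; src: str; sport: int
    dst: str; dport: int; proto: str; nbytes: int


@dataclass
class ServiceEntry:
    ts: datetime; client: str; request: str; status: int


def parse_transmission_log(text):
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line)
        if not m:
            continue  # a malformed line is skipped rather than guessed at
        flows.append(Flow(datetime.fromisoformat(m["ts"]), int(m["pid"]), int(m["parent"]),
                          m["src"], int(m["sport"]), m["dst"], int(m["dport"]),
                          m["proto"], int(m["nbytes"])))
    return flows


def parse_service_log(text):
    entries = []
    for line in text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
        entries.append(ServiceEntry(ts, m["client"], m["request"], int(m["status"])))
    return entries


def sample_process_tree(flows, main_pid):
    """Claim 13: the main process plus every descendant, so transmissions made by
    sub-processes after the main process has finished are still attributed to the sample."""
    parents = {f.pid: f.parent for f in flows}
    tree, changed = {main_pid}, True
    while changed:
        changed = False
        for pid, parent in parents.items():
            if parent in tree and pid not in tree:
                tree.add(pid); changed = True
    return tree


def monitor_transmissions(flows, main_pid, preset_seconds=None):
    """Claim 12: keep the sample's own traffic to the second network card, either for a
    preset time after its first transmission (preset_seconds) or without limit (None)."""
    tree = sample_process_tree(flows, main_pid)
    own = sorted((f for f in flows if f.pid in tree and f.dst == SECOND_NIC_IP),
                 key=lambda f: f.ts)
    if preset_seconds is None or not own:
        return own
    deadline = own[0].ts + timedelta(seconds=preset_seconds)
    return [f for f in own if f.ts <= deadline]


def merge_logs(flows, entries, slack=timedelta(seconds=1)):
    """Claim 14: attach the matching service-log request to each transmission on the
    preset port; service entries with no matching transmission are deleted."""
    third_log = []
    for f in flows:
        request = "-"
        if f.dport == PRESET_PORT:
            for e in entries:
                if e.client == f.src and abs(e.ts - f.ts) <= slack:
                    request = f'"{e.request}" {e.status}'
                    break
        third_log.append(f"{f.ts.isoformat()} pid={f.pid} {f.proto} {f.src}:{f.sport} -> "
                         f"{f.dst}:{f.dport} bytes={f.nbytes} http={request}")
    return third_log


def build_third_log(main_pid=4242, preset_seconds=None):
    flows = parse_transmission_log(TRANSMISSION_LOG)
    entries = parse_service_log(SERVICE_LOG)
    return merge_logs(monitor_transmissions(flows, main_pid, preset_seconds), entries)


if __name__ == "__main__":
    for line in build_third_log(preset_seconds=10):
        print(line)
```

With `preset_seconds=10` the third log holds the three transmissions made within ten seconds of the sample's first one; with `None` it also holds the sub-process beacon at 10:00:20, which is the case claim 13 covers. The DNS lookup by an unrelated process and the `/healthz` request from another host are both deleted because nothing ties them to the sample's transmissions.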
CN201710014004.9A 2017-01-09 2017-01-09 Data transmission method and device Active CN108289032B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710014004.9A CN108289032B (en) 2017-01-09 2017-01-09 Data transmission method and device

Publications (2)

Publication Number Publication Date
CN108289032A CN108289032A (en) 2018-07-17
CN108289032B true CN108289032B (en) 2022-05-13

Family

ID=62819374

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710014004.9A Active CN108289032B (en) 2017-01-09 2017-01-09 Data transmission method and device

Country Status (1)

Country Link
CN (1) CN108289032B (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101645119A (en) * 2008-08-07 2010-02-10 中国科学院软件研究所 Method and system for automatically analyzing malicious codes based on virtual hardware environment
CN104426906A (en) * 2013-08-30 2015-03-18 瞻博网络公司 Identifying malicious devices within a computer network
CN106201657A (en) * 2016-07-07 2016-12-07 天脉聚源(北京)传媒科技有限公司 A kind of network interface card information processing method based on virtual machine and device

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2981925B1 (en) * 2013-04-05 2019-08-28 OLogN Technologies AG Systems, methods and apparatuses for protection of antivirus software

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
Chuliang Weng, Yuan Luo, Minglu Li, Xinda Lu. A BLP-Based Access Control Mechanism for the Virtual Machine System. 2008 The 9th International Conference for Young Computer Scientists, 2008, full text. *
Malicious code detection based on system-call dependency graphs; Tang Ke; China Master's Theses Full-text Database; 2013-12-01; full text *
Computer virus practice summary 5: building a virtual network environment; weixin_30652897; CSDN; 2016-05-21; full text *

Also Published As

Publication number Publication date
CN108289032A (en) 2018-07-17

Similar Documents

Publication Publication Date Title
US11080399B2 (en) System and method for vetting mobile phone software applications
US9910765B2 (en) Providing testing environments for software applications using virtualization and a native hardware layer
US20180039507A1 (en) System and method for management of a virtual machine environment
JP6782307B2 (en) Dynamic access to hosted applications
CN108965203B (en) Resource access method and server
US20180191779A1 (en) Flexible Deception Architecture
JP6419787B2 (en) Optimized resource allocation to virtual machines in malware content detection system
US9294442B1 (en) System and method for threat-driven security policy controls
JP7115526B2 (en) Analysis system, method and program
US9509760B2 (en) Virtual packet analyzer for a cloud computing environment
US8875296B2 (en) Methods and systems for providing a framework to test the security of computing system over a network
WO2016160599A1 (en) System and method for threat-driven security policy controls
CN112272177B (en) Method for deploying honey net trapping nodes in batches
US20150067399A1 (en) Analysis, recovery and repair of devices attached to remote computing systems
US20130191850A1 (en) Intercepting data
US20170329739A1 (en) Methods and systems for loading a boot agent on a router network device
EP4184357A1 (en) Malware detection based on user interactions
CN113626133B (en) Virtual machine control method, device, equipment and computer readable storage medium
US11880465B2 (en) Analyzing multiple CPU architecture malware samples
JP6738013B2 (en) Attack content analysis program, attack content analysis method, and attack content analysis device
CN111240924A (en) Detection method and system for Socket monitoring of Linux virtual machine
JP2022506847A (en) Automatic keyboard mapping for virtual desktops
CN108289032B (en) Data transmission method and device
Si et al. EmuIoTNet: An Emulated IoT Network for Dynamic Analysis
JP2016177371A (en) Monitor, monitoring program and monitoring method

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant