CN108289032B - Data transmission method and device - Google Patents
Abstract
The invention discloses a data transmission method, which comprises the following steps: controlling a first network card and a second network card to be virtualized in a virtual machine; receiving data, and configuring configuration information for transmitting the data, wherein the configuration information represents that a destination address for receiving the data is address information and destination port information of the second network card; running a preset network service to trigger the transmission of the data, and triggering the transmission of the data from the first network card to the second network card according to the configuration information; recording the transmission behavior of the data based on the second network card, and generating a first log according to the recorded transmission behavior. The invention also discloses a data transmission device.
Description
Technical Field
The present invention relates to data processing technologies, and in particular, to a data transmission method and apparatus.
Background
In the prior art, software is generally analyzed by monitoring its network transmission behavior; therefore, in order to ensure the security of the network, for example to avoid leaking malware samples to the external network, the network transmission behavior of the malware must be triggered while the network connection is interrupted.
Existing schemes for triggering the network transmission behavior of malware while the network connection is interrupted are of three types. The first changes the execution result of the network-related system Application Programming Interfaces (APIs): when the network connection is interrupted, a network-related system API returns an error code indicating that the network is unavailable, and by changing the execution result of the API the system is made to believe that the network connection is available. However, this scheme requires writing a corresponding HOOK for each commonly used API, which makes the implementation costly; and because the network-related APIs change as the operating system is upgraded, the HOOK logic must be adjusted accordingly; therefore, the versatility of this scheme is low.
The second analyzes the malware with static analysis technology, but static analysis cannot analyze encrypted and obfuscated malware, so the universality of this scheme is not strong either; moreover, some parameters of network API calls are generated dynamically, and static analysis cannot obtain these dynamically generated parameters, so the network behavior information it obtains about the malware is limited.
The third triggers the network behavior of the malware by building an internal network cluster, but this scheme is not a strictly defined network connection interruption, and it still cannot trigger the network behavior of malware that accesses the Internet, so its capability to solve the problem is limited; moreover, deploying an internal network cluster requires a large investment of manpower and material resources, so the cost of implementing this scheme is high.
Disclosure of Invention
In view of this, embodiments of the present invention provide a data transmission method and apparatus to solve the problems in the prior art.
The embodiment of the invention provides a data transmission method, which comprises the following steps:
virtualizing a first network card and a second network card in a virtual machine;
receiving data, and configuring configuration information for transmitting the data, wherein the configuration information represents that a destination address for receiving the data is address information and destination port information of the second network card;
running a preset network service, and triggering the data to be transmitted from the first network card to the second network card according to the configuration information;
recording the transmission behavior of the data based on the second network card, and generating a first log according to the recorded transmission behavior.
In the above solution, the configuring the configuration information for transmitting data includes:
configuring a destination address for receiving the data as an IP address of the second network card, configuring a destination port for receiving the data as a preset port, and generating first configuration information;
and generating configuration log information containing the first configuration information.
In the foregoing solution, before the triggering transmission of the data through the preset network service, the method further includes:
creating a network service for transmitting the data, the network service comprising: HyperText Transfer Protocol (HTTP) services, Secure HyperText Transfer Protocol (HTTPS) services, and mail services.
In the above scheme, after the generating the first log, the method further includes:
and modifying the information of the second network card representing the destination address recorded in the first log into the real destination address information of the prestored transmission data to generate a second log.
In the foregoing solution, after generating the second log, the method further includes:
and processing the network service log generated by running the network service and the second log to generate a third log.
In the foregoing solution, the recording of the network behavior of the data based on the second network card includes:
monitoring the transmission behavior of the data within a preset time based on the second network card, or monitoring all the transmission behaviors of the data based on the second network card; and recording the transmission behavior of the data obtained by monitoring.
In the foregoing solution, the recording of the network behavior of the data based on the second network card includes:
when the data are transmitted in a multi-process mode and the transmission of the main process data is finished, monitoring the transmission behavior of the sub-process data in a preset time based on the second network card, or monitoring all the transmission behaviors of the sub-process data based on the second network card; and recording the transmission behavior of the data obtained by monitoring.
In the above scheme, the network service log and the second log are merged, and information irrelevant to the transmission behavior of the data in the network service log and the second log is deleted.
An embodiment of the present invention further provides a data transmission device, where the device includes:
the virtual unit is used for virtualizing a first network card and a second network card in a virtual machine;
the configuration unit is used for receiving data and configuring configuration information used for transmitting the data, wherein the configuration information represents that a destination address for receiving the data is address information and destination port information of the second network card;
the triggering unit is used for running a preset network service and triggering the data to be transmitted from the first network card to the second network card according to the configuration information;
and the recording unit is used for recording the transmission behavior of the data based on the second network card and generating a first log according to the recorded transmission behavior.
In the foregoing solution, the configuration unit is specifically configured to configure a destination address for receiving the data as an IP address of the second virtual network card, configure a destination port for receiving the data as a preset port, and generate first configuration information;
and generating configuration log information containing the first configuration information.
In the above scheme, the apparatus further comprises:
a creating unit configured to create a network service that transmits the data; the network service comprises: a hypertext transfer protocol service, a secure hypertext transfer protocol service, and a mail service.
In the above solution, the apparatus further includes:
and the modifying unit is used for modifying the information of the second network card representing the destination address recorded in the first log into the real destination address information of the prestored transmission data and generating a second log.
In the above scheme, the apparatus further comprises:
and the processing unit is used for processing the network service log generated by running the network service and the second log to generate a third log.
In the above scheme, the recording unit is specifically configured to monitor a transmission behavior of the data within a preset time based on the second network card, or monitor all transmission behaviors of the data based on the second network card; and recording the transmission behavior of the data obtained by monitoring.
In the above scheme, the recording unit is specifically configured to monitor a transmission behavior of the sub-process data within a preset time based on the second network card, or monitor all transmission behaviors of the sub-process data based on the second network card, when the data is transmitted in the multi-process mode and the transmission of the main-process data is finished; and to record the transmission behavior of the data obtained by monitoring.
In the foregoing solution, the processing unit is specifically configured to merge the network service log and the second log, and delete information that is irrelevant to the transmission behavior of the data in the network service log and the second log.
The data transmission method and device provided by the embodiment of the invention virtualize a first network card and a second network card in a virtual machine; receive data and configure configuration information for transmitting the data, wherein the configuration information represents that the destination address for receiving the data is the address information and destination port information of the second network card; run a preset network service and trigger the data to be transmitted from the first network card to the second network card according to the configuration information; and record the transmission behavior of the data based on the second network card and generate a first log according to the recorded transmission behavior. Thus, a first network card and a second network card are virtualized in a virtual machine, the real destination address of the transmitted data is configured to be the IP address and a destination port of the second network card, the data is triggered to be transmitted from the first network card to the second network card based on the preset network service, and the transmission behavior of the data is recorded. The data transmission is triggered while the real network connection is interrupted, and the virtual network environment formed by the first and second virtualized network cards can trigger more data transmission behaviors of the malware, so that more transmission data is obtained; since the embodiment of the invention only needs to configure the configuration information for the transmitted data in the operating system, the implementation cost is low and the universality is strong.
Drawings
FIG. 1 is a schematic diagram of a basic processing flow of a data transmission method according to an embodiment of the present invention;
FIG. 2 is a diagram illustrating a hardware configuration according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of a detailed processing flow of a data transmission method according to an embodiment of the present invention;
FIG. 4 is a detailed processing flow diagram of another data transmission method according to another embodiment of the present invention;
FIG. 5 is a detailed processing flow diagram of the data transmission method applied to the Hubble analysis system according to an embodiment of the invention;
FIG. 6 is a schematic interface diagram illustrating a virtual machine in a network connection interruption state according to an embodiment of the present invention;
FIG. 7 is a diagram illustrating a log recording the transmission behavior of the data according to an embodiment of the present invention;
FIG. 8 is a schematic structural diagram of a data transmission apparatus according to an embodiment of the present invention;
FIG. 9 is a schematic diagram of a hardware entity structure of a data transmission device according to an embodiment of the present invention.
Detailed Description
The invention is described in further detail below with reference to the figures and specific examples.
A basic processing flow diagram of a data transmission method according to an embodiment of the present invention, as shown in fig. 1, includes the following steps:
101, virtualizing a first network card and a second network card in a virtual machine;
specifically, as shown in fig. 2, an operating system supporting virtual machine management is run on an external physical machine, where the physical machine is called Host, and a typical Host operating system may be Linux, Mac OS, or Windows; a plurality of virtual machines can be operated in one Host, the virtual machines are called Guest, and each Guest can install a corresponding operating system aiming at the network environment needing to be simulated; in the embodiment of the invention, the main implementation environment of Guest is Linux; in the embodiment of the invention, at least two network cards, namely a first network card and a second network card, need to be virtualized for each Guest.
here, the configuration information includes at least: the destination address for receiving the data is configured to be address information and destination port information of the second network card;
specifically, a network management command provided by the operating system, such as the iptables [7] command, is used to configure the destination address for receiving the data as the IP address of the second network card by means of Network Address Translation (NAT), and to configure the destination port for receiving the data as a preset port, so as to generate first configuration information; configuration log information containing the first configuration information is also generated;
the configuration log information records configuration information for transmitting the data, the configuration log information is stored in a kernel log under the Linux environment, and the kernel log also stores real destination address information of the transmitted data; and when the configuration information stored in the kernel log and the real destination address information of the transmission data are used for analyzing the transmission behavior of the data subsequently, the IP address of the second network card is restored to the real destination address for transmitting the data.
Here, taking 10.0.2.30 as the IP address of the second network card as an example, in the Linux environment the destination address for receiving the data is configured as the IP address of the second network card by the following command:
/sbin/iptables -t nat -A OUTPUT -o eth0 -j DNAT --to-dest 10.0.2.30
In the embodiment of the present invention, some ports may not be open on the second network card, so the ports that the transmitted data attempts to reach cannot all be covered; therefore, rarely used destination ports are redirected to one fixed port so that as many data transmissions as possible are triggered. In the Linux environment, the device redirects TCP destination ports 515-65535 to port 1 by:
/sbin/iptables -t nat -A OUTPUT -o eth0 -p tcp --dport 515:65535 -j DNAT --to-dest 10.0.2.30:1
In the Linux environment, the configuration log information containing the first configuration information is stored in the kernel log by the following command:
/sbin/iptables -t nat -A OUTPUT -o eth0 -j LOG --log-level debug --log-prefix "[NAT]" --log-tcp-sequence
103, running a preset network service, and triggering and transmitting the data according to the configuration information;
here, the preset network service includes at least: HTTP services, HTTPS services, and mail services;
specifically, because the embodiment of the invention is applied to the environment of network connection interruption, common network services such as HTTP service, HTTPS service, mail service and the like can be created by using self-developed or open source tools such as INetSim [10] and the like; triggering and transmitting the data through the HTTP service, the HTTPS service and the mail service respectively and independently so as to control the data to be transmitted from the first network card to the second network card based on the HTTP service, the HTTPS service and the mail service respectively according to the configuration information;
here, for an ELF file in the Linux environment, the data is generally triggered directly to be transmitted from the first network card to the second network card through the network service, and the Process Identifier (PID) of the data is recorded; for non-ELF files in the Linux environment, such as scripts or programs in Python, PHP or other languages, the corresponding runtime environment needs to be installed first and the non-ELF file is then run, so that the data is transmitted from the first network card to the second network card;
the log of the network services simulated by INetSim [10] is shown in Table 1, and Table 1 shows that INetSim [10] can also simulate services such as DNS.
TABLE 1
104, recording the transmission behavior of the data based on the second network card, and generating a first log according to the recorded transmission behavior;
in particular, in a Linux environment, recording the transmission behavior of the data by running a tcpdump [8] command on the second network card;
here, a maximum execution time for the data transmission may be set, and the transmission behavior of the data is then monitored for the preset time; when the preset time is reached, the transmission of the data is terminated with a kill -9 [pid] command; when the data transmission uses a multi-process mode, the transmission behavior can only be recorded to the fullest extent if, after the main process has finished transmitting, the sub-processes are also allowed to transmit until the preset time is reached; alternatively, no maximum execution time is set, and the complete transmission behavior of the data is recorded.
Here, in the Linux environment, monitoring of the transmission behavior of the data may be triggered by the following command:
/usr/sbin/tcpdump -i any -w out.pcap
the transmission behavior of the data is recorded by the tcpdump [8] command and saved in the out.pcap file.
A detailed processing flow diagram of a data transmission method according to an embodiment of the present invention, as shown in fig. 3, includes the following steps:
specifically, in the embodiment of the present invention, an external physical machine needs to run an operating system supporting virtual machine management, where the physical machine is called Host, and a typical Host operating system may be Linux, MacOS, or Windows; as shown in fig. 2, a plurality of virtual machines may be run inside one Host, where the virtual machines are referred to as guests, and each Guest may install a corresponding operating system for a network environment that needs to be simulated; in the embodiment of the invention, the main implementation environment of Guest is Linux; in the embodiment of the invention, at least two network cards, namely a first network card and a second network card, need to be virtualized for each Guest.
here, the configuration information includes at least: the destination address for receiving the data is configured to be address information and destination port information of the second network card;
specifically, through a network management command provided by the operating system, such as the iptables [7] command, NAT is used to configure the destination address for receiving the data as the IP address of the second network card and to configure the destination port for receiving the data as a preset port, generating first configuration information; configuration log information containing the first configuration information is also generated;
the configuration log information records configuration information for transmitting the data, the configuration log information is stored in a kernel log under the Linux environment, and the kernel log also stores real destination address information of the transmission data; and when the configuration information stored in the kernel log and the real destination address information of the transmission data are used for analyzing the transmission behavior of the data subsequently, the IP address of the second network card is restored to the real destination address for transmitting the data.
Here, taking 10.0.2.30 as the IP address of the second network card as an example, in the Linux environment the destination address for receiving the data is configured as the IP address of the second network card by the following command:
/sbin/iptables -t nat -A OUTPUT -o eth0 -j DNAT --to-dest 10.0.2.30
In the embodiment of the present invention, some ports may not be open on the second network card, so the ports that the transmitted data attempts to reach cannot all be covered; therefore, rarely used destination ports are redirected to one fixed port so that as many data transmissions as possible are triggered. In the Linux environment, the device redirects TCP destination ports 515-65535 to port 1 by:
/sbin/iptables -t nat -A OUTPUT -o eth0 -p tcp --dport 515:65535 -j DNAT --to-dest 10.0.2.30:1
In the Linux environment, the configuration log information containing the first configuration information is stored in the kernel log by the following command:
/sbin/iptables -t nat -A OUTPUT -o eth0 -j LOG --log-level debug --log-prefix "[NAT]" --log-tcp-sequence
specifically, because the embodiment of the invention is applied in an environment where the network connection is interrupted, common network services such as an HTTP service, an HTTPS service and a mail service are created using self-developed tools or open source tools such as INetSim [10]; the data transmission is triggered separately and independently through the HTTP service, the HTTPS service and the mail service, so that the data is transmitted from the first network card to the second network card based on each of these services according to the configuration information;
here, the network service includes at least: HTTP services, HTTPS services, and mail services.
specifically, for an ELF file in the Linux environment, the data is generally triggered directly to be transmitted from the first network card to the second network card through the network service, and the Process Identifier (PID) of the data is recorded; for non-ELF files in the Linux environment, such as scripts or programs in Python, PHP or other languages, the corresponding runtime environment needs to be installed first and the non-ELF file is then run, so that the data is transmitted from the first network card to the second network card;
the log of the network services simulated by INetSim [10] is shown in Table 1, and Table 1 shows that INetSim [10] can also simulate services such as DNS.
TABLE 1
specifically, by means of NAT, the IP address of the second network card in the response packets is translated back to the real destination address of the transmitted data, so that the first network card that sent the data regards the response packets it receives as coming from the external network;
in the Linux environment, the NAT service performs this address recovery for response packets automatically, that is, the IP address of the second network card that sends the response packets does not need to be configured separately to be translated to the real destination address of the transmitted data.
specifically, under the Linux environment, recording the transmission behavior of the data by running a tcpdump [8] command on the second network card;
here, a maximum execution time for the data transmission may be set, and the transmission behavior of the data is then monitored for the preset time; when the preset time is reached, the transmission of the data is terminated with a kill -9 [pid] command; when the data transmission uses a multi-process mode, the transmission behavior can only be recorded to the fullest extent if, after the main process has finished transmitting, the sub-processes are also allowed to transmit until the preset time is reached; alternatively, no maximum execution time is set, and the complete transmission behavior of the data is recorded.
Here, in the Linux environment, monitoring of the transmission behavior of the data may be triggered by the following command:
/usr/sbin/tcpdump -i any -w out.pcap
the transmission behavior of the data is recorded by the tcpdump [8] command and saved in the out.pcap file.
specifically, before the configuration information for transmitting the data is configured, the kernel log of the operating system already records information about the data, such as its real destination address; therefore, the second network card information recorded in the first log as the destination address is replaced by the real destination address information, and a second log is generated.
Taking as an example data whose real destination address is the IPv4 address 58.203, this real destination address is recorded in the kernel log of the operating system before the configuration information for transmitting the data is configured, as shown in Table 2:
TABLE 2
In the embodiment of the present invention, the information "10.0.2.30" of the second network card, which is recorded in the first log and represents the destination address, is modified to ". 58.203." to generate a second log, where the second log is shown in table 3:
TABLE 3
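The restoration and merging steps described above, as an added worked example in Python that is not part of the patent: the [NAT] kernel log lines give each connection's real destination, the second network card's address in the first log is swapped back to it (second log), and the result is merged with the network service log while unrelated lines are dropped (third log). All log lines are constructed; the service log uses an INetSim-like layout rather than INetSim's exact format, and the LOG rule is assumed to record the original destination of each connection as the text states.

```python
"""Restore real destinations in a sandbox capture (second log) and merge it
with the network-service log (third log). Added example, not patent code."""
import re
from typing import Dict, List, Tuple

SECOND_NIC = "10.0.2.30"  # IP of the second (capture-side) virtual NIC, as on the page

# (src_ip, src_port) of a connection -> (real_dst_ip, real_dst_port)
NatMap = Dict[Tuple[str, str], Tuple[str, str]]

# Constructed kernel log: lines as an iptables LOG rule with --log-prefix "[NAT]"
# writes them, assumed to carry the ORIGINAL destination of each connection.
KERNEL_LOG = """\
Jan  9 12:00:01 guest kernel: [NAT]IN= OUT=eth0 SRC=10.0.2.15 DST=203.0.113.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=41234 DPT=8080 WINDOW=29200 RES=0x00 SYN URGP=0
Jan  9 12:00:02 guest kernel: [NAT]IN= OUT=eth0 SRC=10.0.2.15 DST=198.51.100.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=41235 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0
Jan  9 12:00:02 guest kernel: usb 1-1: new full-speed USB device
"""

# Constructed "first log": tcpdump text output captured after DNAT, so every
# destination is the second NIC; destination ports 515-65535 were folded onto port 1.
FIRST_LOG = """\
12:00:01.000100 IP 10.0.2.15.41234 > 10.0.2.30.1: Flags [S], seq 100, win 29200, length 0
12:00:01.000200 IP 10.0.2.30.1 > 10.0.2.15.41234: Flags [S.], seq 500, ack 101, win 28960, length 0
12:00:02.000100 IP 10.0.2.15.41235 > 10.0.2.30.25: Flags [S], seq 200, win 29200, length 0
12:00:03.000100 ARP, Request who-has 10.0.2.2 tell 10.0.2.15, length 28
"""

# Constructed network-service log in an INetSim-like layout (not INetSim's exact format).
SERVICE_LOG = """\
[2017-01-09 12:00:00] [1000] [http_80_tcp] service started
[2017-01-09 12:00:01] [1001] [http_80_tcp 10.0.2.15:41234] connect
[2017-01-09 12:00:01] [1001] [http_80_tcp 10.0.2.15:41234] recv: GET /check HTTP/1.1
[2017-01-09 12:00:02] [1002] [smtp_25_tcp 10.0.2.15:41235] connect
[2017-01-09 12:00:04] [1003] [http_80_tcp 10.0.2.2:50000] connect
"""

KERNEL_RE = re.compile(r"\[NAT\].*?SRC=(?P<src>\S+) DST=(?P<dst>\S+).*?"
                       r"PROTO=\S+ SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)")
TCPDUMP_RE = re.compile(r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<spt>\d+) > "
                        r"(?P<dst>[\d.]+)\.(?P<dpt>\d+): (?P<rest>.*)$")
SERVICE_RE = re.compile(r"\[\w+ (?P<src>[\d.]+):(?P<spt>\d+)\]")


def parse_nat_log(kernel_log: str) -> NatMap:
    """Map each connection (src ip, src port) to its real destination.

    The nat table sees only a connection's first packet, so one [NAT] line per
    connection is expected; unrelated kernel messages are skipped.
    """
    mapping: NatMap = {}
    for line in kernel_log.splitlines():
        m = KERNEL_RE.search(line)
        if m:
            mapping.setdefault((m["src"], m["spt"]), (m["dst"], m["dpt"]))
    return mapping


def restore_destinations(first_log: str, mapping: NatMap) -> Tuple[List[str], List[str]]:
    """Build the second log: swap SECOND_NIC back to the real destination and port.

    Both directions of a known connection are rewritten. Lines that are not IP
    traffic of a known connection (ARP, other hosts) are returned separately.
    """
    restored, unrelated = [], []
    for line in first_log.splitlines():
        m = TCPDUMP_RE.match(line)
        if m and m["dst"] == SECOND_NIC and (m["src"], m["spt"]) in mapping:
            ip, port = mapping[(m["src"], m["spt"])]
            restored.append(f"{m['ts']} IP {m['src']}.{m['spt']} > {ip}.{port}: {m['rest']}")
        elif m and m["src"] == SECOND_NIC and (m["dst"], m["dpt"]) in mapping:
            ip, port = mapping[(m["dst"], m["dpt"])]
            restored.append(f"{m['ts']} IP {ip}.{port} > {m['dst']}.{m['dpt']}: {m['rest']}")
        else:
            unrelated.append(line)
    return restored, unrelated


def build_third_log(second_log: List[str], service_log: str, mapping: NatMap) -> List[str]:
    """Merge the second log with the service log, dropping service entries that do
    not belong to one of the sample's connections (start-up messages, other clients)."""
    svc = [ln for ln in service_log.splitlines()
           if (m := SERVICE_RE.search(ln)) and (m["src"], m["spt"]) in mapping]
    return [f"pcap: {ln}" for ln in second_log] + [f"svc:  {ln}" for ln in svc]


def run_example() -> dict:
    """Run the whole pipeline on the constructed inputs."""
    mapping = parse_nat_log(KERNEL_LOG)
    second, unrelated = restore_destinations(FIRST_LOG, mapping)
    third = build_third_log(second, SERVICE_LOG, mapping)
    return {"mapping": mapping, "second": second, "unrelated": unrelated, "third": third}


if __name__ == "__main__":
    for name, value in run_example().items():
        print(f"== {name} ==")
        for item in (value.items() if isinstance(value, dict) else value):
            print(item)
```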
As shown in fig. 4, a detailed processing flow diagram of another data transmission method according to an embodiment of the present invention includes the following steps:
specifically, in implementing the embodiment of the present invention, an operating system supporting management of a virtual machine needs to be run on an external physical machine, where the physical machine is referred to as a Host, and a typical Host operating system may be Linux, Mac OS, or Windows; as shown in fig. 2, a plurality of virtual machines may be run inside one Host, where the virtual machines are referred to as guests, and each Guest may install a corresponding operating system for a network environment that needs to be simulated; in the embodiment of the invention, the main implementation environment of Guest is Linux; in the embodiment of the invention, at least two network cards, namely a first network card and a second network card, need to be virtualized for each Guest.
here, the configuration information includes at least: the destination address for receiving the data is configured to be address information and destination port information of the second network card;
specifically, through a network management command provided by the operating system, such as the iptables [7] command, NAT is used to configure the destination address for receiving the data as the IP address of the second network card and to configure the destination port for receiving the data as a preset port, generating first configuration information; configuration log information containing the first configuration information is also generated;
the configuration log information records configuration information for transmitting the data, the configuration log information is stored in a kernel log under the Linux environment, and the kernel log also stores real destination address information of the transmission data; and when the configuration information stored in the kernel log and the real destination address information of the transmission data are used for analyzing the transmission behavior of the data subsequently, the IP address of the second network card is restored to the real destination address for transmitting the data.
Here, taking the IP address of the second network card as 10.0.2.30 as an example, in the Linux environment, the destination address for receiving the data is configured as the IP address of the second network card by the following command:
/sbin/iptables -t nat -A OUTPUT -o eth0 -j DNAT --to-dest 10.0.2.30
In the embodiment of the present invention, some ports may not be open on the second network card, so the ports that the transmitted data tries to access cannot all be covered; therefore, ports with a low frequency of use are redirected to one fixed port so that the transmission of the data is triggered as far as possible. Under Linux, TCP ports 515 to 65535 are redirected to port 1 with the following command:
/sbin/iptables -t nat -A OUTPUT -o eth0 -p tcp --dport 515:65535 -j DNAT --to-dest 10.0.2.30:1
Under Linux, the configuration log information containing the first configuration information is stored in the kernel log by the following command:
/sbin/iptables -t nat -A OUTPUT -o eth0 -j LOG --log-level debug --log-prefix "[NAT]" --log-tcp-sequence
Note on rule order: DNAT is a terminating target while LOG is not, and the nat table is only traversed by the first packet of each connection. With -A each rule is appended after the previous one, so if the three rules are issued in the order shown, the catch-all DNAT rule matches every outgoing packet first and neither the port-specific DNAT rule nor the LOG rule is ever reached, and the kernel log never receives the real destination address. The rules must therefore be evaluated in the order LOG, port-specific DNAT, catch-all DNAT, either by issuing them in that order or by inserting them with -I instead of appending them with -A.
Specifically, because the embodiment of the invention is applied to an environment in which the network connection is interrupted, common network services such as an HTTP service, an HTTPS service and a mail service are created using self-developed or open-source tools such as INetSim [10]; the transmission of the data is triggered through the HTTP service, the HTTPS service and the mail service separately, so that the data is controlled, according to the configuration information, to be transmitted from the first network card to the second network card based on each of these services.
Here, the network service includes at least: an HTTP service, an HTTPS service and a mail service.
Specifically, for an ELF file under Linux, the data is generally triggered directly to be transmitted from the first network card to the second network card through the network service, and the Process Identifier (PID) information of the data is recorded; for a non-ELF file under Linux, such as a shell script or a program written in Python, PHP or another interpreted language, the corresponding runtime environment needs to be installed first, and the file is then run so that the data is transmitted from the first network card to the second network card.
The log of the network services simulated by INetSim [10] is shown in Table 1, from which it can be seen that INetSim [10] can also simulate services such as DNS.
TABLE 1
305, based on the transmission behavior of the data, the second network card sends a response data packet to the first network card;
Specifically, because the IP address of the second network card has been substituted by NAT for the real destination address of the data, the first network card that sent the data considers the received response packet to have been sent by the external network;
Under Linux, the NAT service restores the addresses of response packets automatically, that is, the source address of the response packet sent by the second network card does not need to be configured back to the real destination address of the data.
Specifically, under Linux, the transmission behavior of the data is recorded by running the tcpdump [8] command on the second network card.
Here, a maximum execution time for the data transmission may be set, and the transmission behavior of the data is monitored for a preset time; when the preset time is reached, the transmission of the data is ended with a kill -9 [pid] command. When the data is transmitted in a multi-process mode, the transmission behavior can be recorded as completely as possible only if, after the main process has finished transmitting, the sub-processes are also allowed to transmit until the preset time is reached. Alternatively, no maximum execution time is set, i.e. the entire transmission behavior of the data is recorded.
Here, under Linux, monitoring of the transmission behavior of the data may be started with the following command:
/usr/sbin/tcpdump -i any -w out.pcap
The transmission behavior of the data is recorded by the tcpdump [8] command and saved in the out.pcap file.
Specifically, the kernel log of the operating system records information about the data from before the configuration information for transmitting the data was configured, such as the real destination address information of the data; therefore, the information in the first log that represents the destination address, namely the address of the second network card, is modified to the real destination address information, and a second log is generated.
Taking an actual destination address of the data, shown here as ".58.203.", as an example, where the actual destination address is an IPv4 network address, the actual destination address is recorded in the kernel log of the operating system before the configuration information for transmitting the data is configured, as shown in Table 2:
TABLE 2
In the embodiment of the present invention, the information "10.0.2.30" of the second network card, which is recorded in the first log and represents the destination address, is modified to ".58.203." to generate a second log, which is shown in Table 3:
TABLE 3
In the embodiment of the present invention, when the HTTP service, the HTTPS service and the mail service are run, a corresponding network service log is generated, as shown in Table 4:
TABLE 4
Specifically, the network service log and the second log are merged, information in them that is irrelevant to the transmission behavior of the data is deleted, and a third log is generated, which represents the real transmission behavior of the data.
Here, the transmission behavior of the data recorded in the third log includes: receiving and sending UDP packets, sending DNS requests, replying to DNS requests, creating sockets, receiving and sending TCP packets, sending HTTP requests, replying to HTTP requests, and the like.
The data transmission method of the embodiment of the invention is applied to the Hubble analysis system; a detailed processing flow is shown in FIG. 5, and the method comprises the following steps:
specifically, in implementing the embodiment of the present invention, an operating system supporting virtual machine management needs to be run on an external physical machine, where the physical machine is referred to as Host, and a typical Host operating system may be Linux, MacOS, or Windows; as shown in fig. 2, a plurality of virtual machines may be run inside one Host, where the virtual machines are referred to as guests, and each Guest may install a corresponding operating system for a network environment that needs to be simulated; in the embodiment of the invention, the main implementation environment of Guest is Linux; in the embodiment of the invention, at least two network cards, namely a first network card and a second network card, need to be virtualized for each Guest;
Here, the first network card and the second network card may be virtualized using VirtualBox virtual machine software [9] or other virtual machine software; the interface of the virtual machine in the network-disconnected state is shown in FIG. 6, where the "Cable Connected" (access network cable) check box is unticked, indicating that the virtual machine is disconnected from the network at this time.
Specifically, the first network card is denoted eth0 and the second network card eth1; under Linux, the two network cards can be brought up with the following commands:
/sbin/ifup eth0
/sbin/ifup eth1
Here, the configuration information includes at least: the destination address for receiving the data, configured as the address information and destination port information of the second network card, and the real destination address information of the data.
Here, the preset network service includes at least: an HTTP service, an HTTPS service and a mail service.
Specifically, because the embodiment of the invention is applied to an environment in which the network connection is interrupted, common network services such as an HTTP service, an HTTPS service and a mail service can be created using self-developed or open-source tools such as INetSim [10]; the transmission of the data is triggered through the HTTP service, the HTTPS service and the mail service separately, so that the data is controlled, according to the configuration information, to be transmitted from the first network card to the second network card based on each of these services.
Here, for an ELF file under Linux, the data is generally triggered directly to be transmitted from the first network card to the second network card through the network service, and the PID information of the data is recorded; for a non-ELF file under Linux, such as a shell script or a program written in Python, PHP or another interpreted language, the corresponding runtime environment needs to be installed first, and the file is then run so that the data is transmitted from the first network card to the second network card.
In particular, for the specific implementation of monitoring the transmission behavior of the data based on the Hubble analysis system, reference is made to the above embodiments. Taking access to the website http://example.com as an example, a schematic diagram of the log recording the transmission behavior of the data is shown in FIG. 7; the recorded transmission behavior of the data includes: sending and receiving UDP packets, sending DNS requests, replying to DNS requests, creating sockets, sending and receiving TCP packets, sending HTTP requests, replying to HTTP requests, and the like.
Device embodiment
In order to implement the above method embodiment of the present invention, the present invention further provides a data transmission device, whose schematic structure is shown in FIG. 8; the data transmission device comprises: a virtual unit 11, a configuration unit 12, a trigger unit 13 and a recording unit 14, wherein:
the virtual unit 11 is configured to virtualize a first network card and a second network card in a virtual machine;
the configuration unit 12 is configured to receive data and configure configuration information for transmitting the data, where the configuration information represents that a destination address for receiving the data is address information and destination port information of the second network card;
the triggering unit 13 is configured to run a preset network service, and trigger the data to be transmitted from the first network card to the second network card according to the configuration information;
the recording unit 14 is configured to record a transmission behavior of the data based on the second network card, and generate a first log according to the recorded transmission behavior.
When the device of the embodiment of the invention realizes the corresponding functions, an operating system supporting virtual machine management needs to be operated on an external physical machine, the physical machine is called Host, and a typical Host operating system can be Linux, Mac OS or Windows; as shown in fig. 2, a plurality of virtual machines may be run inside one Host, where the virtual machines are referred to as Guest, and each Guest may install a corresponding operating system for a network environment that needs to be simulated; the Guest main implementation environment in the embodiment of the invention is Linux.
In this embodiment of the present invention, the configuration unit 12 is specifically configured to use NAT, through a network management command provided by the operating system such as iptables [7], to configure the destination address for receiving the data as the IP address of the second network card and the destination port for receiving the data as a preset port, so as to generate first configuration information, and to generate configuration log information containing the first configuration information.
The configuration log information records the configuration information used for transmitting the data and is stored in the kernel log under Linux, so that when the transmission behavior of the data is analyzed subsequently the IP address of the second network card can be restored to the real destination address of the transmitted data.
Here, taking the IP address of the second network card as 10.0.2.30 as an example, in the Linux environment, the device configures the destination address for receiving the data as the IP address of the second network card by the following command:
/sbin/iptables -t nat -A OUTPUT -o eth0 -j DNAT --to-dest 10.0.2.30
In a specific embodiment, some ports may not be open on the second network card, so the ports that the transmitted data tries to access cannot all be covered; therefore, the device redirects ports with a low frequency of use to one fixed port so that the transmission of the data is triggered as far as possible. Under Linux, the device redirects TCP ports 515 to 65535 to port 1 with the following command:
/sbin/iptables -t nat -A OUTPUT -o eth0 -p tcp --dport 515:65535 -j DNAT --to-dest 10.0.2.30:1
Under Linux, the device stores the configuration log information containing the first configuration information in the kernel log with the following command:
/sbin/iptables -t nat -A OUTPUT -o eth0 -j LOG --log-level debug --log-prefix "[NAT]" --log-tcp-sequence
Because DNAT is a terminating target and LOG is not, the LOG rule must be evaluated before the DNAT rules; the three rules therefore have to be placed in the chain in the order LOG, port-specific DNAT, catch-all DNAT, otherwise the real destination address is never written to the kernel log.
in a specific embodiment, the apparatus further comprises: a creating unit 17, configured to create a network service for transmitting the data, where the network service at least includes: HTTP services, HTTPs services, and mail services.
In a specific embodiment, the recording unit 14 is specifically configured to monitor a transmission behavior of the data within a preset time based on the second network card; or monitoring all transmission behaviors of the data based on the second network card.
Specifically, a maximum execution time for the data transmission may be set, and the transmission behavior of the data is monitored within a preset time; when the preset time is reached, the transmission of the data is ended with a kill -9 [pid] command. When the data is transmitted in a multi-process mode, the transmission behavior can be recorded as completely as possible only if, after the main process has finished transmitting, the sub-processes are also allowed to transmit until the preset time is reached. Alternatively, no maximum execution time is set, i.e. the entire transmission behavior of the data is recorded.
Here, under Linux, monitoring of the transmission behavior of the data may be started with the following command:
/usr/sbin/tcpdump -i any -w out.pcap
The transmission behavior of the data is recorded by the tcpdump [8] command and saved in the out.pcap file.
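The preset-time monitoring ended with kill -9 [pid], described in the method embodiment above and again here for the recording unit 14, as an added example that is not code from the patent or from the Hubble analysis system. kill -9 on the main PID alone leaves child processes running, which is the multi-process case the text points out; this Python supervisor instead starts the sample as the leader of its own session, lets children that outlive the main process keep running until the deadline, and then kills the whole process group with one signal. Only the tcpdump command line is taken from the text; the function names, the polling interval and the sh/sleep commands used as a stand-in sample are assumptions of this example.

```python
"""Run a sample under a deadline and stop its whole process group.

Added example, not code from the patent. `kill -9 <pid>` on the main PID alone
leaves child processes running; starting the sample as leader of a new session
lets one SIGKILL reach every descendant once the preset time is up.
"""
import os
import signal
import subprocess
import time

# Capture command as given in the text (tcpdump needs privileges to run).
CAPTURE_CMD = ["/usr/sbin/tcpdump", "-i", "any", "-w", "out.pcap"]


def _group_alive(pgid):
    """True while any process of the group (main or child) still exists."""
    try:
        os.killpg(pgid, 0)          # signal 0: existence check, nothing is delivered
        return True
    except ProcessLookupError:
        return False


def run_with_deadline(argv, deadline_s):
    """Run argv; after deadline_s seconds SIGKILL the whole group (None = no limit).

    Children that outlive the main process are left running until the deadline,
    as the text requires for multi-process samples, so their traffic is captured.
    """
    proc = subprocess.Popen(
        argv, start_new_session=True,   # new session => own process group, pgid == pid
        stdin=subprocess.DEVNULL, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
    )
    pgid = proc.pid
    deadline = None if deadline_s is None else time.monotonic() + deadline_s
    timed_out = False
    try:
        proc.wait(timeout=deadline_s)
    except subprocess.TimeoutExpired:
        timed_out = True
    children_outlived_main = not timed_out and _group_alive(pgid)
    # Keep observing surviving children until the deadline (or until they exit).
    while _group_alive(pgid) and (deadline is None or time.monotonic() < deadline):
        time.sleep(0.05)
    try:
        os.killpg(pgid, signal.SIGKILL)  # main process and every child at once
    except ProcessLookupError:
        pass                             # group already gone
    proc.wait()
    return {
        "pid": pgid,
        "timed_out": timed_out,
        "returncode": proc.returncode,   # -9 when killed by this supervisor
        "children_outlived_main": children_outlived_main,
    }


def monitor(sample_argv, deadline_s, capture_cmd=None):
    """Start the capture (e.g. CAPTURE_CMD), run the sample, then stop the capture.

    SIGINT makes tcpdump flush and close out.pcap cleanly; SIGKILL would truncate it.
    """
    cap = None
    if capture_cmd:
        cap = subprocess.Popen(capture_cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        time.sleep(1.0)                 # let tcpdump attach before the first packet
    try:
        return run_with_deadline(sample_argv, deadline_s)
    finally:
        if cap is not None:
            cap.send_signal(signal.SIGINT)
            try:
                cap.wait(timeout=5)
            except subprocess.TimeoutExpired:
                cap.kill()


if __name__ == "__main__":
    # Demo without a capture: a stand-in sample whose child outlives the main process.
    print(monitor(["sh", "-c", "sleep 30 & exit 0"], 2.0))
```

In the sandbox, pass CAPTURE_CMD as capture_cmd and the sample's path as sample_argv; a deadline of None records the whole run, as the text allows.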
In a specific embodiment, the apparatus further comprises: and a modifying unit 15, configured to modify the information of the second network card representing the destination address recorded in the first log into real destination address information of transmission data stored in advance, and generate a second log.
In the embodiment of the present invention, the kernel log of the operating system of the device records information about the data from before the configuration information for transmitting the data was configured, such as the real destination address information of the data; therefore, the modifying unit 15 modifies the information in the first log that represents the destination address, namely the address of the second network card, to the actual destination address information, and generates a second log.
Taking an actual destination address of the data, shown here as ".58.203.", as an example, where the actual destination address is an IPv4 network address, the actual destination address is recorded in the kernel log of the operating system before the configuration information for transmitting the data is configured, as shown in Table 2:
TABLE 2
In a specific embodiment, the modifying unit 15 is specifically configured to modify the information "10.0.2.30" of the second network card, which is recorded in the first log and represents the destination address, to ".58.203." so as to generate the second log, which is shown in Table 3:
TABLE 3
In the embodiment of the present invention, when the HTTP service, the HTTPS service and the mail service are run, a corresponding network service log is generated, as shown in Table 4:
TABLE 4
In a specific embodiment, the apparatus further comprises a processing unit 16, configured to merge the network service log and the second log, delete information in them that is irrelevant to the transmission behavior of the data, and generate a third log.
Here, the third log characterizes the real transmission behavior of the data, and the transmission behavior recorded by the third log includes: sending and receiving UDP packets, sending DNS requests, replying to DNS requests, creating sockets, sending and receiving TCP packets, sending HTTP requests, replying to HTTP requests, and the like.
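The address restoration that produces the second log and the merge that produces the third log, described in the method embodiment above and again here for the modifying unit 15 and the processing unit 16, as an added example that is not code from the patent or from the Hubble analysis system. It parses the kernel-log lines written by the iptables LOG rule to recover each flow's real destination, rewrites the tcpdump text of the first log (restoring the destination port as well, which matters for ports that were redirected to port 1), and merges the result with an INetSim-style service log, dropping lines that do not belong to the sample's traffic. The log lines, the addresses (documentation ranges) and the service-log layout are constructed for this example, and the function names are the example's own.

```python
"""Restore real destinations behind the sandbox DNAT and build the third log.

Added example, not code from the patent. Assumes the iptables LOG rule
(prefix "[NAT]") runs before the DNAT rules, so each connection's first packet
is logged with its original DST/DPT. All log lines below are constructed
samples (kernel LOG target, `tcpdump -n` text, INetSim-style service log).
"""
import re

SINK_IP = "10.0.2.30"  # IP address of the second network card (from the text)

# Constructed: kernel log written by `-j LOG --log-prefix "[NAT]"` for three flows.
KERNEL_LOG = """\
Jan  9 10:00:00 guest kernel: [NAT]IN= OUT=eth0 SRC=10.0.2.15 DST=203.0.113.53 LEN=68 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=UDP SPT=40000 DPT=53 LEN=48
Jan  9 10:00:01 guest kernel: [NAT]IN= OUT=eth0 SRC=10.0.2.15 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=51000 DPT=80 SEQ=1 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0
Jan  9 10:00:02 guest kernel: [NAT]IN= OUT=eth0 SRC=10.0.2.15 DST=203.0.113.20 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=51001 DPT=6667 SEQ=1 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0
"""

# Constructed: first log as `tcpdump -n -r out.pcap` text for the same flows.
# Port 6667 falls in the 515:65535 range, so it was DNATed to 10.0.2.30 port 1.
FIRST_LOG = """\
10:00:00.000050 ARP, Request who-has 10.0.2.30 tell 10.0.2.15, length 28
10:00:00.000100 IP 10.0.2.15.40000 > 10.0.2.30.53: 1+ A? example.com. (29)
10:00:00.000900 IP 10.0.2.30.53 > 10.0.2.15.40000: 1 1/0/0 A 10.0.2.30 (45)
10:00:01.000100 IP 10.0.2.15.51000 > 10.0.2.30.80: Flags [S], seq 1, win 64240, length 0
10:00:01.000400 IP 10.0.2.30.80 > 10.0.2.15.51000: Flags [S.], seq 100, ack 2, win 65535, length 0
10:00:02.000100 IP 10.0.2.15.51001 > 10.0.2.30.1: Flags [S], seq 1, win 64240, length 0
10:00:02.000400 IP 10.0.2.30.1 > 10.0.2.15.51001: Flags [R.], seq 0, ack 2, win 0, length 0
"""

# Constructed: INetSim-style service log; the last two lines are not the sample's.
SERVICE_LOG = """\
[2017-01-09 10:00:00] [2001] [dns_53_tcp_udp 10.0.2.15:40000] requested name: example.com
[2017-01-09 10:00:01] [2002] [http_80_tcp 10.0.2.15:51000] recv: GET / HTTP/1.1
[2017-01-09 10:00:01] [2002] [http_80_tcp 10.0.2.15:51000] send: 200 OK
[2017-01-09 10:00:03] [2003] [http_80_tcp 10.0.2.99:60000] recv: GET /probe HTTP/1.1
[2017-01-09 10:00:05] [2000] [main] Simulation running, waiting for connections
"""

_KV = re.compile(r"(\w+)=(\S*)")
_PKT = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):(.*)$")
_SVC = re.compile(r"^\[\d{4}-\d\d-\d\d (\d\d:\d\d:\d\d)\] \[\d+\] \[(\S+) (\d+\.\d+\.\d+\.\d+):(\d+)\] (.*)$")


def parse_nat_log(text, prefix="[NAT]"):
    """Map (proto, client_ip, client_port) -> (real_dst_ip, real_dst_port).

    The nat table only sees a connection's first packet, so one line per flow
    is expected; the first occurrence wins if a client port is reused later.
    """
    table = {}
    for line in text.splitlines():
        if prefix not in line:
            continue
        kv = dict(_KV.findall(line.split(prefix, 1)[1]))
        if "SPT" not in kv:          # e.g. ICMP: no ports to key on
            continue
        key = (kv["PROTO"], kv["SRC"], int(kv["SPT"]))
        table.setdefault(key, (kv["DST"], int(kv["DPT"])))
    return table


def restore_packet_line(line, table):
    """Rewrite one tcpdump line so the sink address and port become the real ones.

    Only the IP/port header fields are restored; payload text (e.g. a DNS answer
    that points at the sink) stays exactly as captured.
    """
    m = _PKT.match(line)
    if not m:
        return line
    ts, src, sport, dst, dport, rest = m.groups()
    proto = "TCP" if rest.lstrip().startswith("Flags [") else "UDP"   # tcpdump -n text
    if dst == SINK_IP and (proto, src, int(sport)) in table:            # request
        dst, dport = table[(proto, src, int(sport))]
    elif src == SINK_IP and (proto, dst, int(dport)) in table:          # reply
        src, sport = table[(proto, dst, int(dport))]
    return f"{ts} IP {src}.{sport} > {dst}.{dport}:{rest}"


def second_log(first_log, table):
    """First log with the second network card's address replaced by real destinations."""
    return [restore_packet_line(l, table) for l in first_log.splitlines() if l.strip()]


def _seconds(hms):
    """'HH:MM:SS[.ffffff]' -> seconds since midnight (dates are ignored here)."""
    h, m, s = hms.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def third_log(second, service_log, table):
    """Merge the second log with the service log, keeping only the sample's flows.

    Dropped: non-IP packet lines (ARP), service lines without a client address,
    and service lines for clients the kernel log never saw.
    """
    clients = {(ip, port) for (_, ip, port) in table}
    records = []
    for line in second:
        m = _PKT.match(line)
        if m:
            records.append((_seconds(m.group(1)), 0, "pcap", line))
    for line in service_log.splitlines():
        m = _SVC.match(line)
        if m and (m.group(3), int(m.group(4))) in clients:
            hms, service, ip, port, msg = m.groups()
            records.append((_seconds(hms), 1, "service", f"{service} {ip}:{port} {msg}"))
    # The service log has one-second resolution: within a second, packets come first.
    records.sort(key=lambda r: (int(r[0]), r[1], r[0]))
    return [f"{r[2]:<7} {r[3]}" for r in records]


if __name__ == "__main__":
    nat = parse_nat_log(KERNEL_LOG)
    for entry in third_log(second_log(FIRST_LOG, nat), SERVICE_LOG, nat):
        print(entry)
```

The flow is keyed on the client's ephemeral port, which DNAT leaves untouched, so the same table restores both the request and the reply direction; the DNS answer payload still shows 10.0.2.30 because that is what INetSim actually answered.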
It should be noted that the functions of the virtual unit 11, the configuration unit 12, the trigger unit 13, the recording unit 14, the modification unit 15, the processing unit 16 and the creation unit 17 in the data transmission device according to the embodiment of the present invention may be implemented by a Central Processing Unit (CPU), a Micro Processing Unit (MPU), a Digital Signal Processor (DSP) or a Field Programmable Gate Array (FPGA) located on a terminal, or by a CPU, MPU, DSP or FPGA located on a server.
In this embodiment, the apparatus is taken as an example of a hardware entity, and as shown in fig. 9, the apparatus includes a processor 61, a storage medium 62, and at least one external communication interface 63; the processor 61, the storage medium 62 and the external communication interface 63 are all connected by a bus 64.
In the several embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. The above-described device embodiments are merely illustrative, for example, the division of the unit is only a logical functional division, and there may be other division ways in actual implementation, such as: multiple units or components may be combined, or may be integrated into another system, or some features may be omitted, or not implemented. In addition, the coupling, direct coupling or communication connection between the components shown or discussed may be through some interfaces, and the indirect coupling or communication connection between the devices or units may be electrical, mechanical or other forms.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, that is, may be located in one place, or may be distributed on a plurality of network units; some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, all the functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may be separately regarded as one unit, or two or more units may be integrated into one unit; the integrated unit may be implemented in the form of hardware, or in the form of hardware plus a software functional unit.
Those of ordinary skill in the art will understand that: all or part of the steps for implementing the method embodiments may be implemented by hardware related to program instructions, and the program may be stored in a computer readable storage medium, and when executed, the program performs the steps including the method embodiments; and the aforementioned storage medium includes: a mobile storage device, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
Alternatively, the integrated unit of the present invention may be stored in a computer-readable storage medium if it is implemented in the form of a software functional module and sold or used as a separate product. Based on such understanding, the technical solutions of the embodiments of the present invention may be essentially implemented or a part contributing to the prior art may be embodied in the form of a software product, which is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the methods described in the embodiments of the present invention. And the aforementioned storage medium includes: a removable storage device, a ROM, a RAM, a magnetic or optical disk, or various other media that can store program code.
The above description is only for the specific embodiments of the present invention, but the scope of the present invention is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present invention, and all the changes or substitutions should be covered within the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the appended claims.
Claims (16)
1. A method of data transmission, the method comprising:
virtualizing a first network card and a second network card in a virtual machine;
receiving data, and configuring configuration information for transmitting the data, wherein the configuration information represents that a destination address for receiving the data is address information and destination port information of the second network card;
running a preset network service, and triggering the data to be transmitted from the first network card to the second network card according to the configuration information;
recording the transmission behavior of the data based on the second network card, and generating a first log according to the recorded transmission behavior;
and modifying the information of the second network card representing the destination address recorded in the first log into the real destination address information of the prestored transmission data, and taking the modified first log as a second log.
2. The method of claim 1, wherein configuring configuration information for transmitting the data comprises:
configuring a destination address for receiving the data as an IP address of the second network card, configuring a destination port for receiving the data as a preset port, and generating first configuration information;
and generating configuration log information containing the first configuration information.
3. The method of claim 1, wherein before the running the predetermined network service, the method further comprises:
creating a network service for transmitting the data, the network service comprising: a hypertext transfer protocol service, a secure hypertext transfer protocol service, and a mail service.
4. The method of claim 1, wherein after the modifying the first log as a second log, the method further comprises:
and processing the network service log generated by running the network service and the second log, and taking the processed second log as a third log.
5. The method according to any one of claims 1 to 3, wherein the recording of the network behavior of the data based on the second network card comprises:
monitoring the transmission behavior of the data within a preset time based on the second network card, or monitoring all the transmission behaviors of the data based on the second network card;
and recording the transmission behavior of the data obtained by monitoring.
6. The method according to any one of claims 1 to 3, wherein the recording of the network behavior of the data based on the second network card comprises:
when the data are transmitted in a multi-process mode and the transmission of the main process data is finished, monitoring the transmission behavior of the sub-process data in a preset time based on the second network card, or monitoring all the transmission behaviors of the sub-process data based on the second network card;
and recording the transmission behavior of the data obtained by monitoring.
7. The method of claim 4, wherein processing the web service log and the second log generated by running the web service comprises:
and merging the network service log and the second log, and deleting information which is irrelevant to the transmission behavior of the data in the network service log and the second log.
8. A data transmission apparatus, characterized in that the apparatus comprises:
the virtual unit is used for virtualizing a first network card and a second network card in a virtual machine;
the configuration unit is used for receiving data and configuring configuration information used for transmitting the data, wherein the configuration information represents that a destination address for receiving the data is address information and destination port information of the second network card;
the triggering unit is used for running a preset network service and triggering the data to be transmitted from the first network card to the second network card according to the configuration information;
the recording unit is used for recording the transmission behavior of the data based on the second network card and generating a first log according to the recorded transmission behavior;
and the modifying unit is used for modifying the information of the second network card representing the destination address recorded in the first log into the real destination address information of the prestored transmission data and taking the modified first log as a second log.
9. The apparatus according to claim 8, wherein the configuration unit is specifically configured to configure a destination address for receiving the data as an IP address of the second network card, and configure a destination port for receiving the data as a preset port, and generate first configuration information;
and generating configuration log information containing the first configuration information.
10. The apparatus of claim 8, further comprising:
a creating unit configured to create a network service that transmits the data; the network service comprises: a hypertext transfer protocol service, a secure hypertext transfer protocol service, and a mail service.
11. The apparatus of claim 8, further comprising:
and the processing unit is used for processing the network service log generated by running the network service and the second log, and taking the processed second log as a third log.
12. The device according to any one of claims 8 to 10, wherein the recording unit is specifically configured to monitor a transmission behavior of the data within a preset time based on the second network card, or monitor all transmission behaviors of the data based on the second network card; and recording the transmission behavior of the data obtained by monitoring.
13. The apparatus according to any one of claims 8 to 10, wherein the recording unit, when the data is transmitted in a multiprocess mode and the transmission of the main process data is finished, is specifically configured to monitor a transmission behavior of the sub-process data within a preset time based on the second network card, or monitor all transmission behaviors of the sub-process data based on the second network card; and recording the transmission behavior of the data obtained by monitoring.
14. The apparatus according to claim 11, wherein the processing unit is specifically configured to merge the web service log and the second log, and delete information that is not related to the transmission behavior of the data in the web service log and the second log.
15. An electronic device, comprising:
a memory for storing computer executable instructions;
a processor for implementing the data transmission method of any one of claims 1 to 7 when executing computer executable instructions stored in the memory.
16. A computer-readable storage medium having stored thereon computer-executable instructions for implementing the data transmission method of any one of claims 1 to 7 when executed.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710014004.9A CN108289032B (en) | 2017-01-09 | 2017-01-09 | Data transmission method and device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN108289032A CN108289032A (en) | 2018-07-17 |
CN108289032B true CN108289032B (en) | 2022-05-13 |
Family
ID=62819374
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101645119A (en) * | 2008-08-07 | 2010-02-10 | Institute of Software, Chinese Academy of Sciences | Method and system for automatically analyzing malicious codes based on virtual hardware environment |
CN104426906A (en) * | 2013-08-30 | 2015-03-18 | Juniper Networks, Inc. | Identifying malicious devices within a computer network |
CN106201657A (en) * | 2016-07-07 | 2016-12-07 | Tianmai Juyuan (Beijing) Media Technology Co., Ltd. | Network interface card information processing method and device based on a virtual machine |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP2981925B1 (en) * | 2013-04-05 | 2019-08-28 | OLogN Technologies AG | Systems, methods and apparatuses for protection of antivirus software |
Non-Patent Citations (3)
Title |
---|
Chuliang Weng; Yuan Luo; Minglu Li; Xinda Lu. A BLP-Based Access Control Mechanism for the Virtual Machine System. 2008 The 9th International Conference for Young Computer Scientists. 2008, full text. * |
Malicious code detection based on system call dependency graphs; Tang Ke; China Master's Theses Full-text Database; 2013-12-01; full text. * |
Computer virus practice summary 5: building a virtual network environment; weixin_30652897; CSDN; 2016-05-21; full text. * |
Similar Documents
Publication | Title |
---|---|
US11080399B2 (en) | System and method for vetting mobile phone software applications |
US9910765B2 (en) | Providing testing environments for software applications using virtualization and a native hardware layer |
US20180039507A1 (en) | System and method for management of a virtual machine environment |
JP6782307B2 (en) | Dynamic access to hosted applications |
CN108965203B (en) | Resource access method and server |
US20180191779A1 (en) | Flexible Deception Architecture |
JP6419787B2 (en) | Optimized resource allocation to virtual machines in malware content detection system |
US9294442B1 (en) | System and method for threat-driven security policy controls |
JP7115526B2 (en) | Analysis system, method and program |
US9509760B2 (en) | Virtual packet analyzer for a cloud computing environment |
US8875296B2 (en) | Methods and systems for providing a framework to test the security of computing system over a network |
WO2016160599A1 (en) | System and method for threat-driven security policy controls |
CN112272177B (en) | Method for deploying honeynet trapping nodes in batches |
US20150067399A1 (en) | Analysis, recovery and repair of devices attached to remote computing systems |
US20130191850A1 (en) | Intercepting data |
US20170329739A1 (en) | Methods and systems for loading a boot agent on a router network device |
EP4184357A1 (en) | Malware detection based on user interactions |
CN113626133B (en) | Virtual machine control method, device, equipment and computer readable storage medium |
US11880465B2 (en) | Analyzing multiple CPU architecture malware samples |
JP6738013B2 (en) | Attack content analysis program, attack content analysis method, and attack content analysis device |
CN111240924A (en) | Detection method and system for Socket monitoring of Linux virtual machine |
JP2022506847A (en) | Automatic keyboard mapping for virtual desktops |
CN108289032B (en) | Data transmission method and device |
Si et al. | EmuIoTNet: An Emulated IoT Network for Dynamic Analysis |
JP2016177371A (en) | Monitor, monitoring program and monitoring method |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | PB01 | Publication | |
 | SE01 | Entry into force of request for substantive examination | |
 | GR01 | Patent grant | |