CN113872936A - Stream mode network security detection method and system - Google Patents

Info

Publication number: CN113872936A
Application number: CN202110987124.3A
Authority: CN (China)
Prior art keywords: file, network, data, interaction, virtual
Legal status: Pending (the legal status is an assumption by Google Patents and not a legal conclusion; no legal analysis has been performed)
Other languages: Chinese (zh)
Inventors: 李嘉平, 张志宇
Current assignee: Shanghai Baokang Electronic Control Engineering Co Ltd (the listed assignees may be inaccurate; no legal analysis has been performed)
Original assignee: Shanghai Baokang Electronic Control Engineering Co Ltd
Application filed by Shanghai Baokang Electronic Control Engineering Co Ltd
Priority to CN202110987124.3A
Publication of CN113872936A

Classifications

    • H04L63/145 Countermeasures against malicious traffic where the attack involves the propagation of malware through the network, e.g. viruses, trojans or worms (under H04L63/14, detecting or protecting against malicious traffic)
    • H04L63/1416 Event detection, e.g. attack signature detection (under H04L63/1408, detection by monitoring network traffic)
    • H04L67/06 Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]
    • H04L67/14 Session management
    • H04L67/568 Storing data temporarily at an intermediate stage, e.g. caching (under H04L67/56, provisioning of proxy services)


Abstract

The application relates to a stream mode network security detection method and system in the field of network data security. The method comprises the following steps: acquiring the data packets of files transmitted over the network, classifying the network interactions, and combining the data packets that belong to the same interaction into a data stream; obtaining the data stream corresponding to each interaction, analyzing the stream according to its network protocol, parsing each data packet in the stream and extracting file blocks; acquiring and caching the file blocks corresponding to each file, with a maximum cache length set per file; setting up a virtual file that corresponds to the network-transmitted file and consists of the cached file blocks; and performing file-form security detection on the virtual file. Because the detection engine operates on the virtual file in file form, the method retains, to a certain extent, the high detection rate of file-based virus scanning while keeping the advantages of stream-mode virus scanning.

Description

Stream mode network security detection method and system
Technical Field
The present application relates to the field of network data security, and in particular, to a method and a system for detecting stream mode network security.
Background
A network virus is a set of instructions or program code written by someone to exploit vulnerabilities inherent in computer software and hardware. A network virus can hide in some way in a storage medium (or a program) of a computer and is activated when a certain condition is met; by modifying other programs it copies itself exactly, or in an evolved form, into those programs, thereby infecting them and damaging computer resources. Network viruses are man-made, but they do great harm to other users.
Traditional antivirus protection mainly consists of deploying antivirus software on the terminal. With the continuing development of network technology and network security technology, a systematic security solution that links terminal, pipe and cloud has become a necessary means of network virus protection. The security gateway deployed at the network boundary must exercise comprehensive, centralized control over application-layer security, so as to achieve three-dimensional security control of the network from layer two to layer seven. Among the application-layer security functions, the anti-virus function is very important: the security gateway must scan traffic such as FTP, HTTP, POP3, SMTP and IMAP passing through it for viruses in real time (for example against the content and signatures stored in an existing anti-virus library) and take the appropriate action on files found to contain viruses, thereby providing comprehensive anti-virus protection.
At present, virus detection methods for network data streams mainly fall into proxy-mode detection and stream-mode detection. Proxy-mode virus detection is similar to traditional file-based virus detection: the network data stream is analyzed through a transparent proxy of the transmission session, the files in the stream are extracted and stored, and a traditional virus detection engine then scans the files. This mode inherits the mature scanning methods of traditional antivirus software and has good detection effect and a high detection rate. However, for a network transmission session, proxy-mode detection splits the single session between server and client into two sessions, which affects network protocol consistency to some degree, and a large amount of data has to be cached during proxy transmission. Moreover, extracting the file from the network flow and detecting viruses in it are two completely serial stages, which greatly reduces the efficiency of network data transmission and detection. Stream-mode virus detection was developed to overcome the defects of proxy mode. It does not depend on files for detection; instead, partial serialized features are extracted from the virus signature library and used to detect the network data stream directly. Stream-mode detection can only scan the currently transmitted block of a network file in a single forward direction; once a file block has been transmitted, it cannot be scanned again from front to back.
Most traditional virus detection scans a file repeatedly (back and forth) according to the characteristics of executable file formats; a single forward pass therefore cannot fully utilize most of the signatures in the virus library, and the detection capability and detection rate are poor.
Therefore, it is desirable to provide a stream mode network security detection method and system which, by setting a virtual file and performing file-form security detection on it, ensures to a certain extent the high detection rate of file-form virus scanning while retaining the advantages of stream-mode virus scanning.
Disclosure of Invention
According to a first aspect of some embodiments of the present application, there is provided a stream mode network security detection method applied in a terminal (e.g., an electronic device), which may include: acquiring the data packets of files transmitted over the network, classifying the network interactions, and combining the data packets that belong to the same interaction into a data stream; obtaining the data stream corresponding to each interaction, analyzing the stream according to its network protocol, parsing each data packet in the stream and extracting file blocks; acquiring and caching the file blocks corresponding to each file, with a maximum cache length set per file; setting up a virtual file that corresponds to the network-transmitted file and consists of the cached file blocks; and performing file-form security detection on the virtual file.
In some embodiments, the file-form security detection includes virus detection and, specifically, generating a detection result from the virus detection; the detection result is either a positive result or a negative result; and the network interaction is blocked according to a negative result.
In some embodiments, the data packets are obtained through a network interaction management module, and the file security module notifies the detection result to the network interaction management module according to a positive result.
In some embodiments, parsing each data packet in the data stream and extracting the file blocks by a network protocol parsing module specifically includes parsing the application-layer network protocol of each data packet and extracting, from the application-layer data, the file blocks that need to be detected.
In some embodiments, the file blocks corresponding to a file are obtained and cached through the virtual file caching module, and a maximum cache length L is set for the file; specifically, when the cached amount for a file exceeds L, the cached content before position C is deleted so that only the most recent data up to the maximum cache length L is retained for each file.
In some embodiments, when an application reads the virtual file, the method specifically includes obtaining the start position and the length of the content to be read, and obtaining that content from the cached file blocks through the virtual file system module.
In some embodiments, specifically, when file content needs to be read, the requested content is returned to the application program through the virtual file system in the file cache module.
In some embodiments, specifically, when the start position of the content to be read lies beyond the currently cached file blocks, the read request is suspended until the file blocks arriving from the network reach the start position and satisfy the read condition; the read is then resumed and the file content returned.
In some embodiments, the method specifically includes returning a read failure and deleting the file when the file transmission is interrupted by a network transmission exception, or when the content to be read lies before position C in the corresponding cache (that is, it has already been evicted).
According to a second aspect of some embodiments of the present application, there is provided a system comprising: a memory configured to store data and instructions; and a processor in communication with the memory, wherein the processor, when executing the instructions in the memory, is configured to: acquire the data packets of files transmitted over the network, classify the network interactions, and combine the data packets that belong to the same interaction into a data stream; obtain the data stream corresponding to each interaction, analyze the stream according to its network protocol, parse each data packet in the stream and extract file blocks; acquire and cache the file blocks corresponding to each file, with a maximum cache length set per file; set up a virtual file that corresponds to the network-transmitted file and consists of the cached file blocks; and perform file-form security detection on the virtual file.
Therefore, the stream mode network security detection method and system of some embodiments of the present application, by setting a virtual file and performing file-form security detection on it, ensure to a certain extent the high detection rate of file-form antivirus scanning while retaining the advantages of stream-mode virus scanning.
Drawings
For a better understanding and appreciation of some embodiments of the present application, reference will now be made to the description of embodiments taken in conjunction with the accompanying drawings, in which like reference numerals designate corresponding parts in the figures.
Fig. 1 is an exemplary schematic diagram of a stream mode network security detection system provided in accordance with some embodiments of the present application.
Fig. 2 is an exemplary flow diagram of a stream mode network security detection method provided in accordance with some embodiments of the present application.
Fig. 3 is an exemplary flow diagram of a stream mode network security detection system module provided in accordance with some embodiments of the present application.
Detailed Description
The following description, with reference to the accompanying drawings, is provided to facilitate a comprehensive understanding of various embodiments of the application as defined by the claims and their equivalents. These embodiments include various specific details for ease of understanding, but these are to be considered exemplary only. Accordingly, those skilled in the art will appreciate that various changes and modifications may be made to the various embodiments described herein without departing from the scope and spirit of the present application. In addition, descriptions of well-known functions and constructions will be omitted herein for brevity and clarity.
The terms and phrases used in the following specification and claims are not to be limited to the literal meaning, but are merely for the clear and consistent understanding of the application. Accordingly, it will be appreciated by those skilled in the art that the description of the various embodiments of the present application is provided for illustration only and not for the purpose of limiting the application as defined by the appended claims and their equivalents.
The technical solutions in the embodiments of the present application will be described clearly and completely with reference to the accompanying drawings in some embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
It is to be understood that the terminology used in the embodiments of the present application is for the purpose of describing particular embodiments only, and is not intended to be limiting of the application. As used in the examples of this application and the appended claims, the singular forms "a", "an" and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any and all possible combinations of one or more of the associated listed items. The expressions "first", "second", "the first" and "the second" modify the corresponding elements without regard to order or importance, and are used only for distinguishing one element from another without limiting the corresponding elements.
A terminal according to some embodiments of the present application may be an electronic device, which may include one or a combination of several of a personal computer (PC, e.g., tablet, desktop, notebook, netbook, PDA), a client device, a virtual reality device (VR), an augmented reality device (AR), a mixed reality device (MR), an XR device, a renderer, a smartphone, a mobile phone, an e-book reader, a Portable Multimedia Player (PMP), an audio/video player (MP3/MP4), a camera, a wearable device, and the like. According to some embodiments of the present application, the wearable device may include an accessory type (e.g., watch, ring, bracelet, glasses, or Head Mounted Device (HMD)), an integrated type (e.g., electronic garment), a decorative type (e.g., skin pad, tattoo, or built-in electronic device), and the like, or a combination of several. In some embodiments of the present application, the electronic device may be flexible, not limited to the above devices, or may be a combination of one or more of the above devices. In this application, the term "user" may indicate a person using an electronic device or a device using an electronic device (e.g., an artificial intelligence electronic device).
The embodiment of the application provides a stream mode network security detection method and system. In order to facilitate understanding of the embodiments of the present application, the embodiments of the present application will be described in detail below with reference to the accompanying drawings.
Fig. 1 is an exemplary schematic diagram of a stream mode network security detection system provided in accordance with some embodiments of the present application. As shown in fig. 1, the stream mode network security detection system 100 may include a network 110, a control end 120, a user end 130, a server 140, and the like. Specifically, the control end 120 and the user end 130 establish communication through a network; for example, the control end 120 and the user end 130 may communicate in the same local area network (e.g., the network environment of the same router). Further, the control end 120 may be connected to the network 110 in a wired (e.g., network cable) or wireless (e.g., cloud server) manner, and the user end 130 may establish a communication connection with the network 110 in a wired or wireless (e.g., WIFI) manner. In some embodiments, the user terminal 130 may be communicatively connected to the control terminal 120 through the network 110. In some embodiments, the user terminal 130 may send a file transfer instruction to the control terminal 120, the server 140, and the like. Further, the control end 120 and the server 140 may send the file security detection result to the user end 130. As an example, the control end 120 may set a virtual file and perform file-form virus detection on the virtual file. In some embodiments, the control end 120 may set the maximum buffer length of the file, and the like.
In some embodiments, the control end 120 and the user end 130 may be the same or different terminal devices, and the like. The terminal device may include, but is not limited to, a smart terminal, a mobile terminal, a computer, a rendering machine, and the like. In some embodiments, server 140 is one type of computer that has the advantages of running faster, being more heavily loaded, etc. than a normal computer, and the corresponding price is higher. In a network environment, a server may provide computing or application services to other clients (e.g., terminals such as PCs, smart phones, ATMs, and large devices such as transportation systems). The server has high-speed CPU computing capability, long-time reliable operation, strong I/O external data throughput capability and better expansibility. The services that the server may provide include, but are not limited to, the ability to undertake responding to service requests, undertake services, secure services, and the like. The server, as an electronic device, has an extremely complex internal structure, including an internal structure similar to that of a general computer, and the like, and the internal structure of the server may include a Central Processing Unit (CPU), a hard disk, a memory, a system bus, and the like, as an example.
In some embodiments of the present application, the stream mode network security detection system 100 may omit one or more elements, or may further include one or more other elements. As an example, the stream mode network security detection system 100 may include a plurality of clients 130, which may perform network file transmission, and the like. For another example, the stream mode network security detection system 100 may include a plurality of control terminals 120. As another example, the stream mode network security detection system 100 may include a plurality of servers 140, and the like. The network 110 may be any type of communication network, which may include a computer network (e.g., a Local Area Network (LAN) or Wide Area Network (WAN)), the internet and/or a telephone network, etc., or a combination of several. In some embodiments, the network 110 may be another type of wireless communication network. The wireless communication may include microwave communication and/or satellite communication, among others. The wireless communication may include cellular communication, such as Global System for Mobile Communications (GSM), Code Division Multiple Access (CDMA), third generation mobile communication (3G), fourth generation mobile communication (4G), fifth generation mobile communication (5G), sixth generation mobile communication (6G), Long Term Evolution (LTE, LTE-A), Wideband Code Division Multiple Access (WCDMA), Universal Mobile Telecommunications System (UMTS), Wireless Broadband (WiBro) and the like, or a combination thereof.
In some embodiments, the user terminal 130 may be another electronic device with equivalent functional modules, and the electronic device may include one or a combination of several of a virtual reality device (VR), a rendering machine, a personal computer (PC, such as a tablet computer, a desktop computer, a notebook, a netbook, a PDA), a smart phone, a mobile phone, an e-book reader, a Portable Multimedia Player (PMP), an audio/video player (MP3/MP4), a camera, and a wearable device.
In some embodiments, WIFI may be replaced by other types of wireless communication technologies. According to some embodiments of the present application, the wireless communication may include wireless local area network (WiFi), Bluetooth Low Energy (BLE), ZigBee, Near Field Communication (NFC), magnetic secure transmission, radio frequency and Body Area Network (BAN), or the like, or a combination of several. According to some embodiments of the present application, the wireless communication may further include a Global Navigation Satellite System (GNSS), such as the Global Positioning System (GPS), the BeiDou Navigation Satellite System, or Galileo (the European global satellite navigation system). The wired communication may include a Universal Serial Bus (USB), a High-Definition Multimedia Interface (HDMI), Recommended Standard 232 (RS-232), and/or Plain Old Telephone Service (POTS), or the like, or a combination of several.
It should be noted that the above description of the stream mode network security detection system 100 is merely for convenience of description and is not intended to limit the scope of the present application. It will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the principles of the system, which may be combined in any manner or combined with other elements to form a subsystem for use in a field of application in which the method and system described above is practiced. For example, the control end 120 may send the detection result to the user end 130. Such variations are within the scope of the present application.
Fig. 2 is an exemplary flow diagram of a method of stream mode network security detection provided in accordance with some embodiments of the present application. As illustrated in fig. 2, the process 200 may be implemented by the stream mode network security detection system 100. In some embodiments, the stream mode network security detection method 200 may be initiated automatically or by command. The instructions may include system instructions, device instructions, user instructions, action instructions, and the like, or a combination of the several.
At 201, the data packets of files transmitted over the network are obtained, the network interactions are classified, and the data packets of the same interaction are combined into a data stream. Operation 201 may be implemented by the control end 120 of the stream mode network security detection system 100. In some embodiments, the control end 120 may obtain the data packets of the network-transmitted file through the network interaction management module, classify the network interactions, and combine the data packets of the same interaction into a data stream.
At 202, the data stream corresponding to each interaction is obtained, the stream is analyzed according to its network protocol, each data packet in the stream is parsed, and file blocks are extracted. Operation 202 may be implemented by the control end 120 of the stream mode network security detection system 100. In some embodiments, the control end 120 may, through the network protocol parsing module, obtain the data stream corresponding to each interaction, analyze the stream according to its network protocol, parse each data packet in the stream, and extract file blocks.
According to some embodiments of the present application, the control end 120 may parse each data packet in the data stream and extract the file blocks through the network protocol parsing module; specifically, the application-layer network protocol of each data packet is parsed, and the file blocks that need to be detected are extracted from the application-layer data.
At 203, the file blocks corresponding to the file are obtained and cached, and a maximum cache length is set for the file. Operation 203 may be implemented by the control end 120 of the stream mode network security detection system 100. In some embodiments, the control end 120 may obtain and cache the file blocks corresponding to the file through the virtual file cache module and set a maximum cache length for the file. As an example, the control end 120 may obtain and cache the file blocks corresponding to a file through the virtual file cache module and set the maximum cache length L of the file; specifically, when the cached amount for the file exceeds L, the cached content before position C is deleted, and only the most recent data up to the maximum cache length L is retained for each file. As an example, when an application reads the virtual file, the control end 120 may obtain the start position and the length of the content to be read, and obtain that content from the cached file blocks through the virtual file system module.
According to some embodiments of the present application, when file content needs to be read, the control end 120 may return the requested content to the application program through the virtual file system in the file cache module.
According to some embodiments of the present application, when the start position of the content to be read lies beyond the currently cached file blocks, the control end 120 may suspend the read request until the file blocks arriving from the network reach the start position and satisfy the read condition, then resume the read and return the file content.
According to some embodiments of the present application, when the network transmission is interrupted abnormally, or when the content to be read lies before position C in the corresponding cache, the control end 120 may return a read failure and delete the file. For another example, when the content to be read lies before position C in the corresponding cache, the control end 120 may instead delete the current cached file blocks of the file, re-extract the cached file blocks starting from the start position of the content to be read, execute the read, and return the content.
At 204, a virtual file is set; the virtual file corresponds to the network-transmitted file and consists of the cached file blocks. Operation 204 may be implemented by the control end 120 of the stream mode network security detection system 100. In some embodiments, the control end 120 may set, through the virtual file system module, a virtual file corresponding to the network-transmitted file and consisting of the cached file blocks. As an example, the control end 120 may set a virtual file, which may include the cached file blocks and the like.
At 205, file-form security detection is performed on the virtual file. Operation 205 may be implemented by the control end 120 of the stream mode network security detection system 100. In some embodiments, the control end 120 may perform file-form security detection on the virtual file through the file security module. As an example, the file-form security detection includes virus detection, and specifically includes performing virus detection by the file security module.
According to some embodiments of the present application, the process 200 may further include performing virus detection by the file security module and generating a detection result. The detection result may be a positive result or a negative result. As an example, the network interaction is blocked according to a negative result. According to some embodiments of the present application, the process 200 may further include the file security module notifying the detection result to the network interaction management module according to a positive result.
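The cache and read semantics of operations 201 to 205 above (and of the corresponding embodiments in the disclosure), as an added example that is not part of the patent: a bounded virtual file with maximum cache length L and eviction position C, a read that waits for data not yet received or fails on evicted data, and a file-form signature scan that consumes the virtual file after each received block. The signatures, block sizes and chunk size are constructed for illustration; the read-failure variant (rather than re-extraction) is the one modelled.

```python
# Added illustrative code for this page, not the patent's own implementation.
from dataclasses import dataclass, field
from enum import Enum

# Constructed stand-in "virus signatures" for the file-form scan (not real IoCs).
SIGNATURES = [b"MALWARE-MARKER-1", b"BAD-STUB"]


class ReadStatus(Enum):
    OK = "ok"
    PENDING = "pending"   # requested range not received yet: suspend the read
    FAILED = "failed"     # range lies before position C, or transfer aborted


class Verdict(Enum):
    POSITIVE = "positive"  # scanned clean ("positive result": session continues)
    NEGATIVE = "negative"  # signature matched ("negative result": block session)
    PENDING = "pending"    # scanner is waiting for more file blocks
    FAILED = "failed"      # needed data was evicted or the transfer aborted


@dataclass
class VirtualFile:
    """Virtual file backed by a bounded cache of received file blocks."""
    max_len: int                                       # L: bytes kept per file
    buf: bytearray = field(default_factory=bytearray)  # cached window
    offset: int = 0                                    # C: file offset of buf[0]
    complete: bool = False                             # last block received
    aborted: bool = False                              # transfer interrupted

    @property
    def end(self) -> int:
        return self.offset + len(self.buf)

    def append(self, block: bytes) -> None:
        """Cache a newly received block, evicting the oldest bytes beyond L."""
        self.buf.extend(block)
        excess = len(self.buf) - self.max_len
        if excess > 0:
            del self.buf[:excess]
            self.offset += excess

    def read(self, start: int, length: int) -> tuple:
        """Serve a read of [start, start+length) from the cached window."""
        if self.aborted or start < self.offset:
            return ReadStatus.FAILED, b""
        if start + length > self.end:
            if not self.complete:
                return ReadStatus.PENDING, b""      # wait for more blocks
            length = max(0, self.end - start)       # short read at end of file
        rel = start - self.offset
        return ReadStatus.OK, bytes(self.buf[rel:rel + length])


@dataclass
class FileScanner:
    """File-form scanner reading the virtual file sequentially in chunks."""
    signatures: list
    chunk: int = 64
    cursor: int = 0
    tail: bytes = b""   # overlap so a signature split across chunks still matches

    def scan(self, vf: VirtualFile) -> Verdict:
        overlap = max(len(s) for s in self.signatures) - 1
        while True:
            status, data = vf.read(self.cursor, self.chunk)
            if status is ReadStatus.PENDING:
                return Verdict.PENDING
            if status is ReadStatus.FAILED:
                return Verdict.FAILED
            window = self.tail + data
            if any(sig in window for sig in self.signatures):
                return Verdict.NEGATIVE
            self.tail = window[-overlap:] if overlap else b""
            self.cursor += len(data)
            if vf.complete and self.cursor >= vf.end:
                return Verdict.POSITIVE


def process_transfer(blocks, max_len, signatures=SIGNATURES, chunk=64):
    """Feed file blocks as they arrive and rescan after each one.

    Returns "block" as soon as a signature matches, "allow" when the whole
    file scanned clean, or "fail" when the scanner lost data to eviction or
    the transfer aborted (the description's read-failure-and-delete case).
    """
    vf = VirtualFile(max_len)
    scanner = FileScanner(signatures, chunk)
    verdict = Verdict.FAILED
    for i, block in enumerate(blocks):
        vf.append(block)
        vf.complete = i == len(blocks) - 1
        verdict = scanner.scan(vf)
        if verdict is Verdict.NEGATIVE:
            return "block"
        if verdict is Verdict.FAILED:
            return "fail"
    return "allow" if verdict is Verdict.POSITIVE else "fail"


if __name__ == "__main__":
    clean = [b"A" * 40, b"B" * 40, b"C" * 10]
    split = [b"A" * 60 + b"MALW", b"ARE-MARKER-1" + b"Z" * 20]
    print(process_transfer(clean, max_len=128))          # allow
    print(process_transfer(split, max_len=128))          # block (signature spans blocks)
    print(process_transfer([b"A" * 100], max_len=50))    # fail (evicted before scan)
```

The third call shows the edge case the description flags: a block larger than L evicts data before the scanner reads it, so the read fails and the file is dropped rather than passed as clean.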
Fig. 3 is an exemplary diagram of the modules of the stream mode network security detection system according to some embodiments of the present application. As shown in Fig. 3, the module arrangement may be a specific implementation form of the stream mode network security detection system 100. As an example, the front-end/back-end separated encrypted data transmission scenario of the system 100 is built on the modules of the system 100 shown in Fig. 3, as one specific implementation of the process 200.
As shown in fig. 3, the stream mode network security detection system 100 may include a network interaction management module (network session management module), a network protocol parsing module, a virtual file caching module, a virtual file system module, a file security module (e.g., file antivirus engine), and the like.
According to some embodiments of the present application, the network session management module may obtain data packets from the network, classify the data packets by network session, and combine the data packets of the same session into a data stream. The network session management module may further block a session according to the detection result of the file security module.
According to some embodiments of the present application, the network protocol parsing module may obtain the data stream corresponding to each session and analyze the data stream according to the network protocol. By parsing the application layer network protocol of each data packet, the network protocol parsing module extracts from the application layer data the file blocks that need to be detected.
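As an added illustration of the two modules just described (example code, not the patent's or the applicant's), the following Python groups constructed packets by their 4-tuple into sessions, reassembles each session's payloads in sequence order, and parses an HTTP response to cut its Content-Length body into file blocks. The packet dictionaries, the choice of HTTP as the application layer protocol, and all function names are assumptions; the patent does not name a specific protocol.

```python
"""Added example (not the patent's code): session classification, in-order
reassembly, and application-layer file-block extraction. All packets below are
constructed test data; HTTP is one assumed application protocol."""
from collections import defaultdict


def session_key(pkt):
    # One interaction (session) = one direction of a TCP 4-tuple (assumption: TCP only).
    return (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])


def reassemble(packets):
    """Group packets by session and concatenate payloads in sequence order."""
    sessions = defaultdict(list)
    for pkt in packets:
        sessions[session_key(pkt)].append(pkt)
    streams = {}
    for key, pkts in sessions.items():
        pkts.sort(key=lambda p: p["seq"])
        buf, expected = bytearray(), pkts[0]["seq"]
        for p in pkts:
            if p["seq"] < expected:      # retransmission / overlap: already have these bytes
                continue
            if p["seq"] > expected:      # hole: stop here; a real engine would wait for it
                break
            buf += p["payload"]
            expected += len(p["payload"])
        streams[key] = bytes(buf)
    return streams


def extract_file_blocks(stream, block_size=8):
    """Parse an HTTP response and cut its Content-Length body into file blocks.
    Returns (declared_length, [(offset, chunk), ...]); (None, []) if headers incomplete."""
    head_end = stream.find(b"\r\n\r\n")
    if head_end < 0:
        return None, []
    lines = stream[:head_end].decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:               # lines[0] is the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", "0"))
    body = stream[head_end + 4:head_end + 4 + length]
    blocks = [(off, body[off:off + block_size]) for off in range(0, len(body), block_size)]
    return length, blocks


def make_packets(src, sport, dst, dport, seq0, chunks):
    pkts, seq = [], seq0
    for c in chunks:
        pkts.append({"src": src, "sport": sport, "dst": dst, "dport": dport,
                     "seq": seq, "payload": c})
        seq += len(c)
    return pkts


FILE_BODY = b"GET_THIS_FILE_CONTENT!"                      # 22 bytes, constructed
RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Length: 22\r\n\r\n" + FILE_BODY   # 39-byte header
SESSION_A = make_packets("10.0.0.5", 80, "10.0.0.9", 51000, 1000,
                         [RESPONSE[:39], RESPONSE[39:49], RESPONSE[49:]])
SESSION_B = make_packets("10.0.0.7", 443, "10.0.0.9", 51001, 5000, [b"\x16\x03\x01unrelated"])
# Interleave the sessions, deliver A's last two segments out of order, and repeat one.
CAPTURE = [SESSION_A[0], SESSION_B[0], SESSION_A[2], SESSION_A[1], SESSION_A[1]]


def demo():
    streams = reassemble(CAPTURE)
    length, blocks = extract_file_blocks(streams[session_key(SESSION_A[0])])
    return streams, length, blocks


if __name__ == "__main__":
    streams, length, blocks = demo()
    print(len(streams), "sessions; declared length", length,
          "; block offsets", [off for off, _ in blocks])
```

The file blocks carry their offset within the file so that the cache and virtual file layers below can place them; a protocol using chunked encoding or a different framing would need its own parser but yields the same (offset, bytes) stream.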
According to some embodiments of the present application, the virtual file caching module may obtain the cached file blocks corresponding to a file. When the cached amount of a file exceeds L, the cached content before position C is deleted, so that at most the maximum cache length L of data is retained for each file (position C being the start of the retained window).
According to some embodiments of the present application, the virtual file system module may be configured to generate the virtual file. When an application program reads the virtual file, it specifies the start position and length of the file content it requires, and the virtual file system module obtains the requested content from the cache file blocks. If the requested content is present in the file cache module, the virtual file system returns it to the application program. If the requested content has not yet been received from the network, that is, the start position of the read lies beyond the current cache file blocks, the read request is suspended until the file blocks transmitted over the network reach that start position; once the read condition is met, the read continues and the content is returned. If the file transmission is interrupted by a network transmission anomaly, a read failure is returned immediately and the file is deleted. If the requested content lies before position C of the corresponding cache, that is, in content already deleted under the maximum cache length L, a read failure is likewise returned immediately and the file is deleted.
In some embodiments, when the requested content lies before position C of the corresponding cache (content already deleted under the maximum cache length L), the read request may instead be suspended, the current cache file blocks of the virtual file deleted, the cache file blocks re-extracted starting from the start position of the read request, and the requested content then returned to the application program.
According to some embodiments of the present application, the file security module (file antivirus engine) may perform virus detection on the file and notify the network session management module of the detection result. The detection result is either a positive result or a negative result; when a negative result is returned, the network session management module may block the session.
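The cache, virtual file and scanning behaviour of the three modules above, as an added example (not the patent's or the applicant's code): a virtual file over a bounded cache that serves reads from cache, suspends a read until the data arrives, fails and deletes the file when the transfer aborts or the offset lies before the evicted position C, and optionally applies the alternative policy of resetting the cache and re-extracting from the backtrack offset; a sequential scanner then reads it as a file and returns a positive or negative result. The class and function names, the constructed signature and file contents, and the assumption that a feeder can resupply blocks from a requested offset are all mine, not the patent's.

```python
"""Added example (not the patent's code): bounded-cache virtual file with the
described read semantics, plus a sequential file-form scanner over it.
Names, the test signature and the file data are assumptions / constructed."""


class Pending(Exception):
    """Requested range not received yet: the read is suspended."""


class ReadFailed(Exception):
    """Read impossible: transfer aborted, or range already evicted (before C)."""


class VirtualFile:
    def __init__(self, max_cache_len, reextract=False):
        self.L = max_cache_len                 # maximum cache length L for this file
        self.C = 0                             # position C: first offset still cached
        self.buf = bytearray()                 # cache covers [C, C + len(buf))
        self.finished = self.aborted = self.deleted = False
        self.reextract = reextract             # policy for reads that backtrack before C
        self.restart_at = None                 # offset the feeder must resume from after a reset

    @property
    def end(self):
        return self.C + len(self.buf)

    def append_block(self, offset, data):
        """Feed the next contiguous block from the network and enforce the window L."""
        if self.restart_at is not None and offset == self.restart_at:
            self.C, self.restart_at = offset, None       # cache re-extracted from here
        elif offset != self.end:
            raise ValueError("blocks must arrive contiguously")
        self.buf += data
        overflow = len(self.buf) - self.L
        if overflow > 0:                                 # evict everything before the new C
            del self.buf[:overflow]
            self.C += overflow

    def finish(self): self.finished = True
    def abort(self): self.aborted = True

    def read(self, offset, length):
        """Return up to `length` bytes at `offset` (short reads allowed, b'' at EOF)."""
        if self.deleted:
            raise ReadFailed("file deleted")
        if offset < self.C:                              # backtrack into evicted data
            if self.reextract:
                self.buf.clear()
                self.restart_at = offset                 # assumption: the feeder can resupply
                raise Pending(f"re-extracting cache from offset {offset}")
            self.deleted = True
            raise ReadFailed(f"offset {offset} is before cache position C={self.C}")
        if offset >= self.end:
            if self.aborted:
                self.deleted = True
                raise ReadFailed("network transfer aborted")
            if self.finished:
                return b""
            raise Pending("waiting for the next file block from the network")
        start = offset - self.C
        return bytes(self.buf[start:start + length])


SIGNATURE = b"EVIL-SIG"   # constructed test pattern, not a real malware signature


def scan_virtual_file(vf, blocks, chunk=16):
    """Read vf sequentially, as an AV engine reads a file, while `blocks` (an iterable
    of (offset, data)) keeps arriving from the network. Returns ('negative', hit_offset),
    ('positive', None) or ('failed', reason)."""
    feed, pos, tail = iter(blocks), 0, b""
    while True:
        try:
            data = vf.read(pos, chunk)
        except Pending:                                  # suspended: feed the next block
            try:
                vf.append_block(*next(feed))
            except StopIteration:
                vf.finish()
            continue
        except ReadFailed as exc:
            return ("failed", str(exc))
        if not data:
            return ("positive", None)
        window = tail + data                             # carry bytes across chunk borders
        hit = window.find(SIGNATURE)
        if hit >= 0:
            return ("negative", pos - len(tail) + hit)
        tail = window[-(len(SIGNATURE) - 1):]
        pos += len(data)


INFECTED = b"A" * 20 + SIGNATURE + b"B" * 12      # constructed 40-byte file, hit at offset 20
CLEAN = b"A" * 40
INFECTED_BLOCKS = [(o, INFECTED[o:o + 10]) for o in range(0, 40, 10)]
CLEAN_BLOCKS = [(o, CLEAN[o:o + 10]) for o in range(0, 40, 10)]


def verdicts():
    """Both files through a window of L=16, smaller than the 40-byte files."""
    return (scan_virtual_file(VirtualFile(16), INFECTED_BLOCKS),
            scan_virtual_file(VirtualFile(16), CLEAN_BLOCKS))


def backtrack_cases():
    """Read offset 0 after C has moved past it: fail-and-delete vs re-extract policy."""
    results = []
    for policy in (False, True):
        vf = VirtualFile(16, reextract=policy)
        for off, data in CLEAN_BLOCKS[:3]:           # three 10-byte blocks, L=16: C becomes 14
            vf.append_block(off, data)
        try:
            results.append(vf.read(0, 8))
        except ReadFailed:
            results.append("deleted" if vf.deleted else "kept")
        except Pending:
            vf.append_block(0, CLEAN[:10])           # feeder resupplies from the requested offset
            results.append(vf.read(0, 8))
    return results
```

The failure path on a backtrack before C is the practical constraint of this design: an engine that seeks backwards further than L bytes behind the newest data (archive formats whose index sits at the end are the usual case) will hit it, so L must be chosen against the access pattern of the engine in use, or the re-extract policy enabled at the cost of re-fetching the data.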
It should be noted that the above description of the process 200 and of the modules of the stream mode network security detection system is given only for convenience of description, and the present application is not limited to the scope of the illustrated embodiments. It will be understood by those skilled in the art that, based on the principles of the present system, various modifications and changes in form and detail may be made to the functions implementing the above processes and operations, combining operations in any order or with other operations to form sub-processes, without departing from those principles. For example, the process 200 may further include generating a detection result based on the virus detection, and blocking the network interaction according to a negative result. Such variations are within the scope of the present application.
According to the stream mode network security detection method and system, the entire network transmission and protocol parsing process runs in stream mode, so the original interaction (session) is not interfered with and network protocol consistency is preserved; while transmission of the file data has not finished, a read operation is suspended until the required data has arrived, so the antivirus process runs in parallel with the file transfer; the storage footprint of the cached files is bounded by the per-file maximum cache length L; and because the antivirus process operates in file form, the overall detection rate is high. For the failure case in which a read backtracks to a position already evicted from the window of maximum cache length L (before position C), the cache file blocks may be re-extracted by suspending the request. According to the stream mode network security detection method and system, application layer protocol parsing is performed on network transmission data containing files, part of the transmitted file block data is cached, a virtual file is established from it, and a conventional file-oriented antivirus engine scans the virtual file, so that file-type scanning of data streams is achieved. The method retains the detection rate of a conventional virus signature library and has the advantages of stream-mode detection: parallel detection, consistent transmission sessions, and a controllable volume of cached data.
In summary, according to the stream mode network security detection method and system of the embodiments of the present application, by setting a virtual file and performing security detection on it in file form, the high detection rate of file-form virus scanning is retained to a large extent, together with the advantages of stream-mode virus scanning.
It is to be noted that the above-described embodiments are merely examples, and the present application is not limited to such examples, but various changes may be made.
It should be noted that, in the present specification, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
Finally, it should be noted that the series of processes described above includes not only processes performed in time series in the order described herein, but also processes performed in parallel or individually rather than in time series.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by hardware under the control of computer program instructions; the program can be stored in a computer readable storage medium and, when executed, performs the processes of the method embodiments described above. The storage medium may be a magnetic disk, an optical disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), or the like.
While the invention has been described with reference to a number of illustrative embodiments, it will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the spirit and scope of the invention.

Claims (10)

1. A stream mode network security detection method, characterized by comprising the following steps:
acquiring data packets of a network transmission file, classifying the data packets by network interaction, and combining the data packets of the same interaction into a data stream;
acquiring, for each interaction, the data stream corresponding to the interaction, analyzing the data stream based on the network protocol, parsing each data packet in the data stream and extracting file blocks;
acquiring and caching the file blocks corresponding to the file, and setting a maximum cache length for the file;
setting a virtual file, wherein the virtual file corresponds to the network transmission file and comprises the cached file blocks;
and performing security detection in file form based on the virtual file.
2. The method according to claim 1, wherein the security detection in file form comprises virus detection, and specifically comprises:
generating a detection result from the virus detection, the detection result comprising a positive result and a negative result;
and blocking the network interaction according to the negative result.
3. The method according to claim 2, wherein the data packets are acquired by a network interaction management module, and a file security module notifies the network interaction management module of the detection result according to the positive result.
4. The method according to claim 1, wherein parsing each data packet in the data stream and extracting file blocks, performed by a network protocol parsing module, specifically comprises:
analyzing the application layer network protocol of each data packet, and extracting from the application layer data the file blocks to be detected.
5. The method according to claim 1, wherein acquiring and caching the file blocks corresponding to the file by a virtual file caching module and setting the maximum cache length L of the file specifically comprises:
when the cached amount of the file exceeds L, deleting the cached content before position C and retaining at most the maximum cache length L of data for each file.
6. The method according to claim 5, wherein, when an application program reads the virtual file, the method specifically comprises:
acquiring the start position and length of the file content to be read, and acquiring the file content from the cached file blocks through a virtual file system module.
7. The method according to claim 6, specifically comprising: when the file content to be read is present in the file cache module, returning it to the application program through the virtual file system.
8. The method according to claim 7, specifically comprising: when the start position of the file content to be read lies beyond the current cached file blocks, suspending the read request until the file blocks transmitted over the network reach that start position and the read condition is met, then continuing the read and returning the file content.
9. The method according to claim 6, specifically comprising: returning a read failure and deleting the file when the file transmission is interrupted by a network transmission anomaly, or when the file content to be read lies before position C of the corresponding cache.
10. A system, comprising:
a memory configured to store data and instructions;
a processor in communication with the memory, wherein the processor, when executing the instructions in the memory, is configured to:
acquire data packets of a network transmission file, classify the data packets by network interaction, and combine the data packets of the same interaction into a data stream;
acquire, for each interaction, the data stream corresponding to the interaction, analyze the data stream based on the network protocol, parse each data packet in the data stream and extract file blocks;
acquire and cache the file blocks corresponding to the file, and set a maximum cache length for the file;
set a virtual file, wherein the virtual file corresponds to the network transmission file and comprises the cached file blocks;
and perform security detection in file form based on the virtual file.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110987124.3A CN113872936A (en) 2021-08-26 2021-08-26 Stream mode network security detection method and system
Publications (1)

Publication Number Publication Date
CN113872936A true CN113872936A (en) 2021-12-31

Family

ID=78988536

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination