CN113973019B - Network virus detection method and network equipment - Google Patents

Network virus detection method and network equipment

Info

Publication number: CN113973019B
Authority: CN (China)
Prior art keywords: file, virus, transmitted, hash value, network
Legal status: Active
Application number: CN202111606921.9A
Other languages: Chinese (zh)
Other versions: CN113973019A (en)
Inventor: 张晓东
Current Assignee: Beijing Abt Networks Co ltd
Original Assignee: Beijing Abt Networks Co ltd
Application filed by Beijing Abt Networks Co ltd
Priority to CN202111606921.9A
Publication of CN113973019A
Application granted
Publication of CN113973019B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F 16/10 File systems; File servers
    • G06F 16/13 File access structures, e.g. distributed indices
    • G06F 16/137 Hash-based
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F 16/10 File systems; File servers
    • G06F 16/14 Details of searching files based on file metadata
    • G06F 16/148 File search processing
    • G06F 16/152 File search processing using file content signatures, e.g. hash values
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/145 Countermeasures against malicious traffic, the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/06 Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]

Abstract

The application provides a network virus detection method and a network device. The method comprises the following steps: acquiring a file to be transmitted through the network device and acquiring a target byte fragment of the file to be transmitted; filtering the target byte fragment through a bloom filter to pre-detect network viruses, the bloom filter being constructed from byte fragments of a plurality of virus files; if the filtering result shows that a virus-file byte fragment matching the target byte fragment exists, caching the file to be transmitted; after caching, calculating the hash value of the file to be transmitted; matching the hash value against reference hash values stored in a preset virus library; and if a reference hash value matching the hash value exists, confirming that the file to be transmitted is a virus file. The method can pre-detect viruses in the file to be transmitted in a timely manner, saves memory on the network device, reduces the load on the network device's CPU, and reduces invalid hash computations.

Description

Network virus detection method and network equipment
Technical Field
The present application relates to the field of network virus detection, and in particular, to a network virus detection method and a network device.
Background
A network virus is a virus that propagates through a network and, during propagation, may damage network devices such as servers, switches and routing devices. Generally, when a client transmits data through a network device, virus files mixed in with normal files enter the network device. Performing virus detection and removal at the network device is therefore a feasible network virus detection approach.
At present, network virus detection generally proceeds as follows: the network device acquires a file being transmitted and caches it; after caching, it calculates the hash value of the complete cached file and matches that hash value against the hash values of network viruses stored in the virus library; if a matching network virus hash value is found, the cached file is confirmed to be a virus file.
However, caching the complete file and hashing it occupies a large amount of the network device's memory and puts pressure on storage. At the same time, hashing the complete file increases the load on the network device's Central Processing Unit (CPU). Because network viruses make up only a small proportion of files relative to normal files, caching and hashing every complete file makes virus detection inefficient.
Disclosure of Invention
The embodiments of the application provide a network virus detection method and a network device, aiming to solve the problem of low virus detection efficiency caused by traditional network virus detection methods caching complete files.
In a first aspect, an embodiment of the present application provides a network virus detection method, including: acquiring a file to be transmitted through a network device, and acquiring a target byte fragment of the file to be transmitted;
filtering the target byte fragment through a bloom filter to pre-detect network viruses; the bloom filter is constructed from byte fragments of a plurality of virus files and is stored in a preset virus library;
if the filtering result shows that a virus-file byte fragment matching the target byte fragment exists, caching the file to be transmitted;
after caching, calculating the hash value of the file to be transmitted;
matching the hash value against a reference hash value, the reference hash value being stored in the preset virus library;
and if a reference hash value matching the hash value exists, confirming that the file to be transmitted is a virus file.
In one implementation, the step of obtaining a target byte segment of a file to be transmitted includes:
caching a target byte segment when a file to be transmitted starts to be transmitted; the target byte segment is the first N bytes of the first message of the file to be transmitted, and N is less than or equal to the total length of the first message.
In one implementation, the step of obtaining a transmission file transmitted between network devices includes:
acquiring a transmission data stream of network equipment;
in the transmission data stream, a file to be transmitted is identified, which is being transmitted via the network device.
In one implementation, before the step of calculating the hash value of the file to be transmitted after caching, the method further includes:
calculating the file size of the file to be transmitted;
if the preset virus library contains a preset virus file whose file size matches that of the file to be transmitted, proceeding to calculate the hash value of the file to be transmitted;
and if the preset virus library contains no preset virus file whose file size matches that of the file to be transmitted, determining that the file to be transmitted is not a virus file.
In one implementation, if the preset virus library contains a preset virus file whose file size matches that of the file to be transmitted, then after the step of proceeding to calculate the hash value of the file to be transmitted, the method further includes:
in the preset virus library, acquiring the hash value of the preset virus file whose file size matches that of the file to be transmitted, according to the correspondence between the file sizes of preset virus files and their hash values, and taking that hash value as the reference hash value.
In one implementation, the method further comprises:
constructing a preset virus library;
calculating the file size and the hash value of each preset virus file;
storing the file sizes in the preset virus library;
dividing all file sizes into different file size ranges;
and storing the hash values corresponding to the different file size ranges in the preset virus library, grouped by file size range, to establish the correspondence between file sizes and hash values.
In one implementation, the method further comprises:
acquiring byte fragments of the preset virus files and storing them in the preset virus library; the length of a preset virus file's byte fragment is equal to that of the target byte fragment.
In one implementation, if the filter result shows that there are no byte fragments of the virus file that match the target byte fragment, then it is confirmed that the file to be transmitted is not a virus file.
In one implementation, if there is no reference hash value matching the hash value, it is confirmed that the file to be transmitted is not a virus file.
In a second aspect, an embodiment of the present application further provides a network device, including a memory and a processor, where the memory is used to store program instructions and the processor is used to perform the following steps by executing the program instructions:
acquiring a file to be transmitted through the network device, and acquiring a target byte fragment of the file to be transmitted;
filtering the target byte fragment through a bloom filter to pre-detect network viruses; the bloom filter is constructed from byte fragments of a plurality of virus files and is stored in a preset virus library;
if the filtering result shows that a virus-file byte fragment matching the target byte fragment exists, caching the file to be transmitted;
after caching, calculating the hash value of the file to be transmitted;
matching the hash value against a reference hash value, the reference hash value being stored in the preset virus library;
and if a reference hash value matching the hash value exists, confirming that the file to be transmitted is a virus file.
As can be seen from the foregoing technical solutions, an embodiment of the present application provides a network virus detection method and a network device. The method includes: acquiring a file to be transmitted through a network device and acquiring a target byte fragment of the file to be transmitted; filtering the target byte fragment through a bloom filter to pre-detect network viruses, the bloom filter being constructed from byte fragments of a plurality of virus files and stored in a preset virus library; if the filtering result shows that a virus-file byte fragment matching the target byte fragment exists, caching the file to be transmitted; after caching, calculating the hash value of the file to be transmitted; matching the hash value against a reference hash value stored in the preset virus library; and if a matching reference hash value exists, confirming that the file to be transmitted is a virus file. The method provided by the embodiment can pre-detect viruses in the file to be transmitted in a timely manner, save the network device's memory, reduce the load on the network device's CPU and reduce invalid hash computations.
Drawings
In order to more clearly explain the technical solution of the present application, the drawings needed to be used in the embodiments will be briefly described below, and it is obvious to those skilled in the art that other drawings can be obtained according to the drawings without any creative effort.
Fig. 1 is a schematic flowchart of a network virus detection method according to an embodiment of the present disclosure;
Fig. 2 is a schematic flowchart of another network virus detection method according to an embodiment of the present disclosure;
Fig. 3 is a schematic flowchart of a process for constructing a preset virus library according to an embodiment of the present disclosure.
Detailed Description
In order to make the technical solutions better understood by those skilled in the art, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application.
It should be noted that, the descriptions of "first", "second", etc. in this document are used for distinguishing different messages, devices, modules, etc., and do not represent a sequential order, nor limit the types of "first" and "second" to be different.
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
Network virus: broadly, any virus that can propagate through a network and damage network components (servers, clients, switching and routing devices) is considered a network virus. In the narrow sense, a network virus is one that makes full use of network protocols and the network architecture as its propagation path or mechanism, and that causes damage to the network itself.
A bloom filter consists of a long binary vector and a series of random mapping functions. It is used to test whether an element belongs to a set. Its advantages are high space efficiency and fast query time; a lookup may report a false positive but never a false negative, which is why it serves here as a pre-detection step ahead of the exact hash match.
Hashing is the transformation of an input of arbitrary length (also called the pre-image) into a fixed-length output, the hash value, by a hashing algorithm; it is a form of compression mapping. In short, it is a function that compresses a message of arbitrary length into a message digest of a fixed length.
MD5 Message Digest Algorithm (Message-Digest Algorithm, MD5): a widely used cryptographic hash function that produces a 128-bit (16-byte) hash value, used to check the integrity of transmitted messages. The MD5 algorithm can be briefly described as follows: it processes the input in 512-bit blocks, each divided into sixteen 32-bit words; after a series of rounds, the output consists of four 32-bit words, which are concatenated to produce the 128-bit hash value.
A network virus propagates through a network and, during propagation, may damage network devices such as servers, switches and routing devices. Taking switches and firewalls as examples, they help a computer network build a relatively isolated protective barrier between the internal and external networks to protect user data and information security, so viruses can be found quickly by scanning for them at the network device. The network traffic of a network device generally includes files being transferred, for example files transferred by the File Transfer Protocol (FTP) or mail attachments. Virus files are usually hidden in transmitted files, enter the client through the network device, and attack the client, the network device and so on. Besides transmitted files, the network traffic of the network device may also include information searches, music streaming, video watching and the like, which can make the volume of network traffic large. When a client transmits data through the network device, virus files mixed in with normal files enter the network device. Performing virus detection and removal at the network device is therefore a feasible network virus detection approach.
At present, network virus detection generally proceeds as follows: the network device acquires a file being transmitted and caches it; after caching, it calculates the hash value of the complete cached file and matches it against the hash values of network viruses stored in the virus library; if a matching network virus hash value is found, the cached file is confirmed to be a virus file.
However, the total volume of files transferred in the network traffic is huge while the virus files among them are few. If every complete file is cached one by one and hashed, a large amount of the network device's memory is occupied and storage comes under pressure; at the same time, hashing complete files increases the load on the network device's Central Processing Unit (CPU). Because network viruses are a small proportion of files relative to normal files, hashing every complete file performs excessive invalid hash operations and makes virus detection inefficient.
The network virus detection method provided by the embodiment of the present application is exemplarily described below with reference to the accompanying drawings.
In order to reduce the pressure of file caching and the consumption of the network device's CPU, the embodiments of the present application provide a network virus detection method. Referring to Fig. 1, a schematic flowchart of the network virus detection method provided in the embodiment of the present application, the method includes the following steps:
S1: acquiring a file to be transmitted through a network device, and acquiring a target byte fragment of the file to be transmitted;
The network device can be a switch or a firewall placed between the client and the external network; when the client needs to exchange data with the external network, the file to be transmitted enters the client through the network device. Therefore, obtaining the target byte fragment as soon as the network device starts transmitting the file allows the file to be checked for viruses in time and a decision made as to whether it is a virus file: if it is not a virus file, checking need not continue; if it may be a virus file, it can be checked further.
The step of acquiring the file to be transmitted through the network device may include:
S101: acquiring a transmission data stream of the network device;
S102: in the transmission data stream, identifying a file to be transmitted that is being transmitted via the network device.
The transmission data stream of the network device carries a great deal of data, such as information searches, music streaming, video watching and file transfers. Since virus files hide in transferred files, the file to be transmitted can be identified in the transmission data stream of the network device and virus checking performed on it; for example, HTTP file transfers are identified from the messages.
Further, the step of obtaining the target byte segment of the file to be transmitted may include:
S103: caching a target byte fragment when the file to be transmitted starts to be transmitted; the target byte fragment is the first N bytes of the first message of the file to be transmitted, and N is less than or equal to the total length of the first message.
The target byte fragment is obtained when the file to be transmitted starts to be transmitted, and since it is the first N bytes of the first message of the file, viruses can be pre-detected at the earliest possible moment.
In some implementations, N may be 1000. Because the length of one message is generally 1440 bytes, and the message may contain header fields and the like that are irrelevant to virus inspection, a target byte fragment length of 1000 both avoids misjudgement caused by a fragment that is too short and avoids the drop in inspection efficiency caused by a fragment that is too long. The specific value of N may be chosen according to actual conditions, and the embodiment of the present application does not particularly limit it.
Further, the steps of virus checking according to the target byte segment are as follows:
S2: filtering the target byte fragment through a bloom filter to pre-detect network viruses; the bloom filter is constructed from byte fragments of a plurality of virus files and is stored in a preset virus library.
The bloom filter provided by the embodiment of the application is constructed from a large number of virus-file byte fragments. It can rapidly filter the target byte fragment against the virus-file byte fragments to obtain a filtering result, which shows whether the preset virus library contains a virus-file byte fragment matching the target byte fragment.
If the filtering result shows that a matching virus-file byte fragment exists, the file to be transmitted may be a virus file and needs further checking. If the filtering result shows that no matching virus-file byte fragment exists, the file to be transmitted is determined not to be a virus file; its subsequent transmission needs no further attention and subsequent messages can pass through directly. The file to be transmitted no longer needs to be cached, which reduces the storage pressure on the network device and the invalid occupation of memory.
S3: and caching the file to be transmitted if the filtering result shows that the byte fragments of the virus file matched with the target byte fragments exist.
After the file to be transmitted is completely cached, virus inspection can be further carried out on the file to be transmitted.
S4: and calculating the hash value of the file to be transmitted after caching.
Checking for virus files by hash value is a very accurate method. A specific choice is to calculate the md5 value of the file to be transmitted and match on md5, which is very accurate and gives high virus-checking precision.
S5: matching the hash value with a reference hash value; the reference hash value is stored in a preset virus library.
The reference hash value can be a hash value of a preset virus file, and the hash value of the file to be transmitted is matched with the reference hash value, so that whether the file to be transmitted is a virus file or not can be judged.
S6: and if the reference hash value matched with the hash value exists, confirming that the file to be transmitted is a virus file.
If the hash value of the preset virus file matched with the hash value of the file to be transmitted exists in the preset virus library, it can be shown that the file to be transmitted and the preset virus file are the same file, that is, the file to be transmitted is a virus file.
Correspondingly, if the reference hash value matched with the hash value does not exist, the file to be transmitted is confirmed not to be the virus file.
In some implementations, referring to Fig. 2, a schematic flowchart of a network virus detection method provided in an embodiment of the present application, before calculating the hash value of the complete file to be transmitted the method may further include the following steps:
S7: calculating the file size of the file to be transmitted;
S8: if the preset virus library contains a preset virus file whose file size matches that of the file to be transmitted, proceeding to calculate the hash value of the file to be transmitted.
The file size can also be used to judge whether a file to be transmitted is a virus file: if the file size of the file to be transmitted is the same as that of a preset virus file, or falls into the set of file sizes formed by the preset virus files, the file to be transmitted may be a virus file, and the hash value is calculated and matched.
If the file size of the file to be transmitted differs from that of every preset virus file, or does not fall into the set of file sizes formed by the preset virus files, that is, the preset virus library has no preset virus file matching the file size of the file to be transmitted, the file to be transmitted is determined not to be a virus file; its subsequent transmission needs no further attention and its subsequent messages can pass through directly. Not calculating the hash value in this case relieves the load on the network device's CPU.
If the preset virus library contains a preset virus file whose file size matches that of the file to be transmitted, then after the step of proceeding to calculate the hash value of the file to be transmitted, the method also includes the following step:
S9: in the preset virus library, acquiring the hash value of the preset virus file whose file size matches that of the file to be transmitted, according to the correspondence between the file sizes of preset virus files and their hash values, and taking that hash value as the reference hash value.
With this approach the reference hash values are only a subset of the hash values of all preset virus files, perhaps dozens or hundreds, an amount of data far smaller than the full set of hash values, so hash matching efficiency is improved.
The correspondence between the file size of a preset virus file and its hash value is described in detail below and is not repeated here.
In some implementation manners, the network virus detection method provided in the embodiment of the present application further includes constructing a preset virus library. Referring to fig. 3, a schematic flow chart of constructing a preset virus library provided in the embodiment of the present application is shown in fig. 3, where the specific steps of constructing the preset virus library are as follows:
S10: constructing a preset virus library;
S11: calculating the file size and the hash value of each preset virus file;
S12: storing the file sizes in the preset virus library;
S13: dividing all file sizes into different file size ranges;
S14: storing the hash values corresponding to the different file size ranges in the preset virus library, grouped by file size range, to establish the correspondence between file sizes and hash values;
S15: acquiring byte fragments of the preset virus files and storing them in the preset virus library; the length of a preset virus file's byte fragment is equal to that of the target byte fragment.
The preset virus library is a database constructed according to known network viruses and relevant parameters of the known network viruses. Specifically, the preset virus library may store a preset virus file, a file size and a hash value of the preset virus file for detecting a file to be transmitted, a bloom filter constructed according to a byte segment of the preset virus file, and the like.
An example of the correspondence between file size and hash value is as follows. If the sizes of the virus files all fall between 0k and 500M, the file size may be divided into the following ranges: the first range: 0k-100k; the second range: 101k-500k; the third range: 501k-1M; the fourth range: 1M-100M; the fifth range: 100M-200M; the sixth range: 200M-300M; the seventh range: 300M-400M; the eighth range: 400M-500M. The ranges do not overlap, and since the file size of each preset virus file corresponds to its hash value, each range can have attached to it the hash values (reference hash values) of the preset virus files whose sizes fall in it.
When the file size range is divided, the file size range may be specifically divided into K ranges, and specific numerical values of K may be designed according to actual situations, which is not specifically limited in the embodiment of the present application.
If the size of the file to be transmitted falls within the first range, when the hash value of the file to be transmitted is matched, the hash value of the file to be transmitted is matched with the hash value of the preset virus file attached to the first range.
In some implementation manners, when the byte segment of the preset virus file is selected, the selected byte segment may correspond to the target byte segment, that is, the byte segment is also N bytes of the preset virus file, specifically, the first N bytes, or the first N bytes after the partial header file are removed, so that the accuracy of matching the target byte segment can be ensured, and misjudgment cannot be caused.
The length of the byte segment of the preset virus file is equal to the length of the target byte segment, that is, when the length of the target byte segment is 1000 bytes, the length of the byte segment selected for the preset virus file is also 1000 bytes.
According to the technical scheme, the network virus detection method provided by the embodiment of the application can be applied to network equipment, can timely perform virus pre-detection on the file to be transmitted, and can perform complete caching on the file to be transmitted if the file to be transmitted is possibly a virus file after the pre-detection, so that the memory of the network equipment can be saved. The sizes of the files to be transmitted are matched after the file size is detected, and if the sizes of the files are matched, the Hash calculation of the complete files is carried out, so that the pressure of a CPU (central processing unit) of network equipment can be relieved, and invalid Hash is reduced.
According to the foregoing embodiments, the present application may further provide a network device, which may include a memory and a processor, where the memory is configured to store program instructions, and the processor is configured to execute the program instructions to perform the following steps:
acquiring a file to be transmitted through network equipment, and acquiring a target byte fragment of the file to be transmitted;
filtering the target byte segment through a bloom filter to perform pre-detection on the network virus; the bloom filter is constructed according to byte fragments of a plurality of virus files and is stored in a preset virus library;
if the filtering result shows that the byte fragments of the virus file matched with the target byte fragments exist, caching the file to be transmitted;
after caching, calculating the hash value of the file to be transmitted;
matching the hash value with a reference hash value, the reference hash value being stored in the preset virus library;
and if the reference hash value matched with the hash value exists, confirming that the file to be transmitted is a virus file.
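The staged pipeline in the steps above, together with the construction of the preset virus library described earlier (file sizes, size-range-to-hash correspondence and the byte-segment bloom filter), as an added worked example. This is illustrative code written for this page, not code from the patent or its assignee. The patent does not fix the segment length N, the number of size ranges K or the hash algorithm; the example assumes N = 64 bytes, four constructed byte-count ranges, SHA-256 for the file hash, and a bloom filter sized for 1000 entries at a 1% false-positive rate. All sample "virus" files are constructed byte strings, not real malware.

```python
import hashlib
import math

# Assumed parameters (the patent leaves N and the range count K to the implementer).
N_BYTES = 64          # length of the target byte segment, taken from the first message
SIZE_RANGES = [       # constructed, non-overlapping inclusive size ranges in bytes
    (0, 100), (101, 500), (501, 1024), (1025, 10240),
]


class BloomFilter:
    """Plain bit-array bloom filter; positions come from double hashing of a SHA-256 digest."""

    def __init__(self, capacity=1000, fp_rate=0.01):
        self.m = math.ceil(-capacity * math.log(fp_rate) / math.log(2) ** 2)  # bits
        self.k = max(1, round(self.m / capacity * math.log(2)))               # hash count
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, data):
        d = hashlib.sha256(data).digest()
        h1 = int.from_bytes(d[:8], "big")
        h2 = int.from_bytes(d[8:16], "big") | 1
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, data):
        for p in self._positions(data):
            self.bits[p // 8] |= 1 << (p % 8)

    def might_contain(self, data):
        # False means definitely absent; True means possibly present (false positives happen).
        return all(self.bits[p // 8] >> (p % 8) & 1 for p in self._positions(data))


def range_index(size, ranges=SIZE_RANGES):
    """Index of the size range containing `size`, or None if it falls in a gap."""
    for i, (lo, hi) in enumerate(ranges):
        if lo <= size <= hi:
            return i
    return None


class VirusLibrary:
    """The 'preset virus library': sizes, per-range reference hashes and the segment bloom filter."""

    def __init__(self, virus_files, n_bytes=N_BYTES, ranges=SIZE_RANGES):
        self.n_bytes = n_bytes
        self.ranges = ranges
        self.sizes = set()
        self.hashes_by_range = {i: set() for i in range(len(ranges))}
        self.bloom = BloomFilter()
        for data in virus_files:
            idx = range_index(len(data), ranges)
            if idx is None:
                raise ValueError("virus file size %d is not covered by any range" % len(data))
            self.sizes.add(len(data))
            self.hashes_by_range[idx].add(hashlib.sha256(data).hexdigest())
            self.bloom.add(data[:n_bytes])   # segment length equals the target segment length


def detect(library, stream):
    """Run the staged check; returns (verdict, stage_that_decided)."""
    # Stage 1: pre-detection on the first N bytes only; nothing else is buffered yet.
    segment = bytes(stream[:library.n_bytes])
    if not library.bloom.might_contain(segment):
        return "clean", "bloom"
    # Stage 2: cache the complete file only after a bloom hit, then check its size.
    cached = bytes(stream)
    size = len(cached)
    if size not in library.sizes:
        return "clean", "size"
    # Stage 3: hash the cached file and compare against the hashes attached to its size range.
    refs = library.hashes_by_range[range_index(size, library.ranges)]
    if hashlib.sha256(cached).hexdigest() in refs:
        return "virus", "hash"
    return "clean", "hash"


# Constructed sample files (not real malware): two library entries and three test inputs.
VIRUS_A = b"CONSTRUCTED-SAMPLE-A" * 10          # 200 bytes -> second range
VIRUS_B = b"CONSTRUCTED-SAMPLE-B" * 40          # 800 bytes -> third range
BENIGN = b"hello world " * 30                   # 360 bytes, unrelated prefix
LOOKALIKE = VIRUS_A[:-4] + b"XXXX"              # same prefix and size as A, different content
PREFIX_ONLY = VIRUS_A[:N_BYTES] + b"Z" * 100    # same prefix as A, size 164 not in library

LIBRARY = VirusLibrary([VIRUS_A, VIRUS_B])

if __name__ == "__main__":
    for name, data in [("VIRUS_A", VIRUS_A), ("BENIGN", BENIGN),
                       ("LOOKALIKE", LOOKALIKE), ("PREFIX_ONLY", PREFIX_ONLY)]:
        print(name, detect(LIBRARY, data))
```

The three constructed negatives show why the later stages exist: a file that merely shares the first N bytes with a library entry passes the bloom stage, and is then cleared by the size check (PREFIX_ONLY) or, when the size also matches, by the full-file hash (LOOKALIKE). A bloom filter can also answer "might contain" for a segment that was never inserted, so in a deployment the pre-detection result should only ever gate caching and hashing, never the verdict itself.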
In some implementations, the network device provided in the embodiments of the present application may be a switch or a firewall.
When the network device provided by the embodiments of the present application detects network viruses, the check is fast, the memory occupied is small, and the CPU pressure is small.
As can be seen from the foregoing technical solutions, the embodiments of the present application provide a network virus detection method and a network device, where the method includes: acquiring a file to be transmitted through a network device, and acquiring a target byte fragment of the file to be transmitted; filtering the target byte segment through a bloom filter to perform pre-detection of network viruses, the bloom filter being constructed from byte fragments of a plurality of virus files and stored in a preset virus library; if the filtering result shows that a byte fragment of a virus file matching the target byte fragment exists, caching the file to be transmitted; after caching, calculating the hash value of the file to be transmitted; matching the hash value with a reference hash value, the reference hash value being stored in the preset virus library; and if a reference hash value matching the hash value exists, confirming that the file to be transmitted is a virus file. The method provided by the embodiments of the present application performs virus pre-detection on the file to be transmitted in a timely manner, saves the memory of the network device, and at the same time reduces the pressure on the CPU of the network device and reduces invalid hash calculations.
Those skilled in the art will readily appreciate that the techniques of the embodiments of the present invention may be implemented as software plus a required general purpose hardware platform. Based on such understanding, the technical solutions in the embodiments of the present invention may be essentially or partially implemented in the form of a software product, which may be stored in a storage medium, such as ROM/RAM, magnetic disk, optical disk, etc., and includes several instructions for enabling a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the method according to the embodiments or some parts of the embodiments.
The same and similar parts in the various embodiments in this specification may be referred to each other. In particular, for the embodiments, since they are substantially similar to the method embodiments, the description is simple, and the relevant points can be referred to the description in the method embodiments.
The above-described embodiments of the present invention should not be construed as limiting the scope of the present invention.

Claims (9)

1. A network virus detection method is characterized by comprising the following steps:
acquiring a file to be transmitted through network equipment, and acquiring a target byte fragment of the file to be transmitted in the transmission process of the file to be transmitted, wherein the target byte fragment is the first N bytes of a first message of the file to be transmitted, and N is less than or equal to the total length of the first message;
filtering the target byte fragments through a bloom filter to perform pre-detection on the network viruses; the bloom filter is constructed according to byte fragments of a plurality of virus files and is stored in a preset virus library;
if the filtering result shows that the byte fragments of the virus files matched with the target byte fragments exist, caching the files to be transmitted;
after caching, calculating the hash value of the file to be transmitted;
matching the hash value with a reference hash value; the reference hash value is stored in the preset virus library;
and if the reference hash value matched with the hash value exists, confirming that the file to be transmitted is a virus file.
2. The method of claim 1, wherein the step of obtaining the transmission file transmitted between the network devices comprises:
acquiring a transmission data stream of network equipment;
and identifying files to be transmitted which are transmitted through network equipment in the transmission data stream.
3. The method according to claim 1, wherein before the step of calculating the hash value of the file to be transmitted after caching, the method further comprises:
calculating the file size of the file to be transmitted;
if a preset virus file matched with the file size of the file to be transmitted exists in the preset virus library, continuously calculating the hash value of the file to be transmitted;
and if the preset virus file matched with the file size of the file to be transmitted does not exist in the preset virus library, determining that the file to be transmitted is not a virus file.
4. The method according to claim 3, wherein if a preset virus file matching the file size of the file to be transmitted exists in the preset virus library, after the step of continuously calculating the hash value of the file to be transmitted, the method further comprises:
and in the preset virus library, acquiring the hash value of the preset virus file matched with the file size of the file to be transmitted according to the corresponding relation between the file size of the preset virus file and the hash value, and taking the hash value as the reference hash value.
5. The method of claim 4, further comprising:
constructing a preset virus library;
calculating the file size and the hash value of a preset virus file;
storing the file size into the preset virus library;
performing range division on all the file sizes to form different file size ranges;
and storing the hash values corresponding to different file size ranges into the preset virus library according to the file size ranges so as to establish the corresponding relation between the file sizes and the hash values.
6. The method of claim 5, further comprising:
acquiring byte segments of the preset virus file and storing the byte segments into the preset virus library; and the length of the byte segment of the preset virus file is equal to that of the target byte segment.
7. The method according to claim 1, wherein if the filtering result shows that there is no byte fragment of the virus file matching the target byte fragment, the file to be transmitted is determined not to be a virus file.
8. The network virus detection method according to claim 1, wherein if there is no reference hash value matching the hash value, it is confirmed that the file to be transmitted is not a virus file.
9. A network device comprising a memory for storing program instructions and a processor for executing the program instructions to perform the steps of:
acquiring a file to be transmitted through network equipment, and acquiring a target byte fragment of the file to be transmitted;
filtering the target byte fragments through a bloom filter to perform pre-detection on the network viruses; the bloom filter is constructed according to byte fragments of a plurality of virus files and is stored in a preset virus library;
if the filtering result shows that the byte fragments of the virus files matched with the target byte fragments exist, caching the files to be transmitted;
after caching, calculating the hash value of the file to be transmitted;
matching the hash value with a reference hash value; the reference hash value is stored in the preset virus library;
and if the reference hash value matched with the hash value exists, confirming that the file to be transmitted is a virus file.
CN202111606921.9A 2021-12-27 2021-12-27 Network virus detection method and network equipment Active CN113973019B (en)


Publications (2)

Publication Number Publication Date
CN113973019A CN113973019A (en) 2022-01-25
CN113973019B true CN113973019B (en) 2022-04-01

Family

ID=79590734


Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117201193B (en) * 2023-11-06 2024-01-26 新华三网络信息安全软件有限公司 Virus detection method and device, storage medium and electronic equipment

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101359325A (en) * 2007-08-01 2009-02-04 北京启明星辰信息技术有限公司 Multi-key-word matching method for rapidly analyzing content
CN102609654A (en) * 2012-02-08 2012-07-25 北京百度网讯科技有限公司 Method and device for detecting malicious flash files
CN103780676A (en) * 2013-12-12 2014-05-07 北京奇虎科技有限公司 File transmission method, device and system
CN104298711A (en) * 2014-09-12 2015-01-21 百度在线网络技术(北京)有限公司 Method and device for scanning information to be scanned and computer equipment
CN113051568A (en) * 2021-03-29 2021-06-29 深信服科技股份有限公司 Virus detection method and device, electronic equipment and storage medium

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
BRPI0616018A2 (en) * 2005-07-29 2011-06-07 Bit9 Inc security systems and methods for computer networks
US9363339B2 (en) * 2011-07-12 2016-06-07 Hughes Network Systems, Llc Staged data compression, including block level long range compression, for data streams in a communications system
CN112272212B (en) * 2020-09-30 2022-07-12 新华三信息安全技术有限公司 File transmission method and device
CN113139871A (en) * 2021-05-07 2021-07-20 新晨科技股份有限公司 Adaptive consensus on block chain method, apparatus and computer readable storage medium
CN113709110B (en) * 2021-07-27 2023-07-21 深圳市风云实业有限公司 Intrusion detection system and method combining soft and hard


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant