CN113973019B - Network virus detection method and network equipment - Google Patents
- Publication number
- CN113973019B (application number CN202111606921.9A)
- Authority
- CN
- China
- Prior art keywords
- file
- virus
- transmitted
- hash value
- network
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/10—File systems; File servers
- G06F16/13—File access structures, e.g. distributed indices
- G06F16/137—Hash-based
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/10—File systems; File servers
- G06F16/14—Details of searching files based on file metadata
- G06F16/148—File search processing
- G06F16/152—File search processing using file content signatures, e.g. hash values
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/145—Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/06—Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Theoretical Computer Science (AREA)
- General Engineering & Computer Science (AREA)
- Signal Processing (AREA)
- Computer Networks & Wireless Communication (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Computer Hardware Design (AREA)
- Databases & Information Systems (AREA)
- Computing Systems (AREA)
- Data Mining & Analysis (AREA)
- Library & Information Science (AREA)
- Health & Medical Sciences (AREA)
- General Health & Medical Sciences (AREA)
- Virology (AREA)
- Information Transfer Between Computers (AREA)
- Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
Abstract
The application provides a network virus detection method and network equipment. The method comprises the following steps: acquiring a file to be transmitted through network equipment, and acquiring a target byte fragment of the file to be transmitted; filtering the target byte fragment through a bloom filter to pre-detect network viruses, the bloom filter being constructed from byte fragments of a plurality of virus files; if the filtering result shows that a byte fragment of a virus file matching the target byte fragment exists, caching the file to be transmitted; after caching, calculating the hash value of the file to be transmitted; matching the hash value with a reference hash value, the reference hash value being stored in a preset virus library; and if a reference hash value matching the hash value exists, confirming that the file to be transmitted is a virus file. The method can pre-detect viruses in the file to be transmitted in time, saves the memory of the network equipment, reduces the load on the CPU of the network equipment, and reduces wasted hash computations.
Description
Technical Field
The present application relates to the field of network virus detection, and in particular, to a network virus detection method and a network device.
Background
A network virus is a virus that propagates through a network, and during the propagation, the network virus may destroy network devices, for example, destroy servers, switches, routing devices, and the like. Generally, when a client uses a network device for data transmission, a virus file is mixed in a normal file and enters the network device. Therefore, selecting to perform virus checking and killing in the network equipment is a feasible network virus detection method.
At present, the process of network virus detection is generally as follows: the network equipment acquires a file being transmitted, caches the file, calculates the hash value of the complete cached file after caching, matches the hash value with the hash value of the network virus stored in the virus library, and if the hash value of the network virus matched with the hash value is obtained, confirms that the cached file is the virus file.
However, caching the complete file and computing its hash has two costs. On one hand, a large amount of network-device memory is occupied, which puts pressure on storage. On the other hand, computing the hash of the complete file increases the load on the Central Processing Unit (CPU) of the network device. Because the ratio of network virus files to normal files is small, virus detection is inefficient when every complete file is cached and hashed.
Disclosure of Invention
The embodiment of the application provides a network virus detection method and network equipment, and aims to solve the problem of low virus detection efficiency caused by the fact that a traditional network virus detection method caches complete virus files.
In a first aspect, an embodiment of the present application provides a network virus detection method, including: acquiring a file to be transmitted through network equipment, and acquiring a target byte fragment of the file to be transmitted;
filtering the target byte segment through a bloom filter to perform pre-detection on the network virus; the bloom filter is constructed according to byte fragments of a plurality of virus files and is stored in a preset virus library;
if the filtering result shows that the byte fragments of the virus file matched with the target byte fragments exist, caching the file to be transmitted;
after caching, calculating the hash value of the file to be transmitted;
matching the hash value with a reference hash value; storing the reference hash value in a preset virus library;
and if the reference hash value matched with the hash value exists, confirming that the file to be transmitted is a virus file.
In one implementation, the step of obtaining a target byte segment of a file to be transmitted includes:
caching a target byte segment when a file to be transmitted starts to be transmitted; the target byte segment is the first N bytes of the first message of the file to be transmitted, and N is less than or equal to the total length of the first message.
In one implementation, the step of obtaining a transmission file transmitted between network devices includes:
acquiring a transmission data stream of network equipment;
in the transmission data stream, a file to be transmitted is identified, which is being transmitted via the network device.
In one implementation, before the step of calculating the hash value of the file to be transmitted after caching, the method further includes:
calculating the file size of a file to be transmitted;
if the preset virus library has a preset virus file whose file size matches that of the file to be transmitted, continuing to calculate the hash value of the file to be transmitted;
and if the preset virus file matched with the file size of the file to be transmitted does not exist in the preset virus library, determining that the file to be transmitted is not the virus file.
In one implementation, if a preset virus file matching the file size of the file to be transmitted exists in the preset virus library, after the step of continuing to calculate the hash value of the file to be transmitted, the method further includes:
and in the preset virus library, acquiring the hash value of the preset virus file matched with the file size of the file to be transmitted according to the corresponding relation between the file size of the preset virus file and the hash value, and taking the hash value as a reference hash value.
In one implementation, the method further comprises:
constructing a preset virus library;
calculating the file size and the hash value of a preset virus file;
storing the size of the file into a preset virus library;
performing range division on all file sizes to form different file size ranges;
and storing the hash values corresponding to different file size ranges into a preset virus library according to the file size ranges to establish the corresponding relation between the file sizes and the hash values.
In one implementation, the method further comprises:
acquiring byte segments of a preset virus file and storing the byte segments into a preset virus library; the byte segment of the preset virus file has the same length as the target byte segment.
In one implementation, if the filter result shows that there are no byte fragments of the virus file that match the target byte fragment, then it is confirmed that the file to be transmitted is not a virus file.
In one implementation, if there is no reference hash value matching the hash value, it is confirmed that the file to be transmitted is not a virus file.
In a second aspect, an embodiment of the present application further provides a network device, including a memory and a processor, where the memory is used to store program instructions, and the processor is used to execute the following steps by executing the program instructions:
acquiring a file to be transmitted through network equipment, and acquiring a target byte fragment of the file to be transmitted;
filtering the target byte segment through a bloom filter to perform pre-detection on the network virus; the bloom filter is constructed according to byte fragments of a plurality of virus files and is stored in a preset virus library;
if the filtering result shows that the byte fragments of the virus file matched with the target byte fragments exist, caching the file to be transmitted;
after caching, calculating the hash value of the file to be transmitted;
matching the hash value with a reference hash value; storing the reference hash value in a preset virus library;
and if the reference hash value matched with the hash value exists, confirming that the file to be transmitted is a virus file.
As can be seen from the foregoing technical solutions, an embodiment of the present application provides a network virus detection method and a network device, where the method includes: acquiring a file to be transmitted through network equipment, and acquiring a target byte fragment of the file to be transmitted; filtering the target byte segment through a bloom filter to perform pre-detection on the network virus; the bloom filter is constructed according to byte fragments of a plurality of virus files and is stored in a preset virus library; if the filtering result shows that the byte fragments of the virus file matched with the target byte fragments exist, caching the file to be transmitted; after caching, calculating the hash value of the file to be transmitted; matching the hash value with a reference hash value; storing the reference hash value in a preset virus library; and if the reference hash value matched with the hash value exists, confirming that the file to be transmitted is a virus file. The method provided by the embodiment of the application can timely perform virus pre-detection on the file to be transmitted, save the memory of the network equipment, and simultaneously can reduce the pressure of a CPU of the network equipment and reduce invalid hash.
Drawings
In order to more clearly explain the technical solution of the present application, the drawings needed to be used in the embodiments will be briefly described below, and it is obvious to those skilled in the art that other drawings can be obtained according to the drawings without any creative effort.
Fig. 1 is a schematic flowchart of a network virus detection method according to an embodiment of the present disclosure;
fig. 2 is a schematic flowchart of another network virus detection method according to an embodiment of the present disclosure;
fig. 3 is a schematic flowchart of a process for constructing a default virus library according to an embodiment of the present disclosure.
Detailed Description
In order to make the technical solutions better understood by those skilled in the art, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application.
It should be noted that, the descriptions of "first", "second", etc. in this document are used for distinguishing different messages, devices, modules, etc., and do not represent a sequential order, nor limit the types of "first" and "second" to be different.
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
Network virus: broadly, a virus that can propagate through a network and damage network components (servers, clients, switching and routing devices) is a network virus. In a narrow sense, a network virus makes full use of network protocols and the network architecture as its propagation path or mechanism and causes damage to the network itself.
A bloom filter consists of a long binary vector and a series of random mapping functions. It can be used to test whether an element is in a set. Its advantages are high space efficiency and fast query time; the trade-off is that a positive answer may be a false positive, while a negative answer is definite.
Hash (hash) is the transformation of an input of arbitrary length (also called the pre-image) into a fixed-length output, the hash value, by a hashing algorithm; it is a kind of compression mapping. In short, it is a function that compresses a message of arbitrary length to a message digest of a fixed length.
MD5 Message-Digest Algorithm (MD5): a widely used cryptographic hash function that produces a 128-bit (16-byte) hash value, used to check the integrity of a transmitted message. The principle of the MD5 algorithm can be briefly described as follows: MD5 processes the input in 512-bit blocks, each of which is divided into sixteen 32-bit words; after a series of processing rounds, the output consists of four 32-bit words, which are concatenated to produce the 128-bit hash value.
A network virus is a virus that propagates through a network, and during propagation it may damage network devices such as servers, switches and routing devices. Taking the switch and the firewall as examples, these devices help a computer network build a relatively isolated protective barrier between the internal network and the external network so as to protect user data and information security; therefore, scanning for viruses at the network device can catch them early. The network traffic of the network device generally includes files to be transferred, for example files transferred by the File Transfer Protocol (FTP) or mail attachments. Virus files are generally hidden in transmitted files, enter a client through the network device, and then attack the client, the network device and so on. Besides file transfers, the network traffic of the network device may also include information searches, music streaming, video watching and the like, which make the volume of network traffic large. When a client transmits data through the network device, virus files are mixed in with normal files and enter the network device. Therefore, performing virus checking and removal in the network device is a feasible network virus detection method.
At present, the process of network virus detection is generally as follows: the network equipment acquires a file which is being transmitted, caches the file, calculates the hash value of the complete cached file after caching, matches the hash value with the hash value of the network virus stored in the virus library, and if the hash value of the network virus matched with the hash value is obtained, confirms that the cached file is the virus file.
However, the total amount of file data in the network traffic is huge while the virus files among them are few. If every complete transmitted file is cached and hashed in turn, on one hand a large amount of network-device memory is occupied, which puts pressure on storage; on the other hand, hashing the complete file increases the load on the Central Processing Unit (CPU) of the network device. Because the ratio of network virus files to normal files is small, hashing every complete file wastes most of the hash computations, and virus detection efficiency is low.
The network virus detection method provided by the embodiment of the present application is exemplarily described below with reference to the accompanying drawings.
In order to reduce the pressure of file caching and the consumption of a network device CPU, the embodiments of the present application provide a network virus detection method. Referring to fig. 1, a schematic flow chart of a network virus detection method provided in the embodiment of the present application is shown, and as shown in fig. 1, the network virus detection method provided in the embodiment of the present application includes the following steps:
S1: acquiring a file to be transmitted through network equipment, and acquiring a target byte fragment of the file to be transmitted;
The network device can be a switch or a firewall placed between the client and the external network; when the client exchanges data with the external network, the file to be transmitted enters the client through the network device. Therefore, when the network device starts to transmit the file, obtaining the target byte segment of the file allows it to be checked for viruses in time. If the check determines that the file is not a virus file, no further checking is needed; if the file may be a virus file, it is checked further.
The step of acquiring the file to be transmitted through the network device may include:
S101: acquiring a transmission data stream of the network equipment;
S102: in the transmission data stream, identifying a file to be transmitted that is being transmitted via the network device.
The transmission data stream of the network device carries many kinds of data, such as information searches, music streaming, video watching and file transfers. Since virus files hide in transmitted files, the files to be transmitted can be identified within the data stream of the network device and checked for viruses; for example, HTTP file transfers are identified from the messages.
Further, the step of obtaining the target byte segment of the file to be transmitted may include:
S103: caching a target byte segment when a file to be transmitted starts to be transmitted; the target byte segment is the first N bytes of the first message of the file to be transmitted, and N is less than or equal to the total length of the first message.
When the file to be transmitted starts to be transmitted, the target byte segment, that is, the first N bytes of its first message, is obtained, so that virus pre-detection can happen as early as possible.
In some implementations, N may be 1000. Because one message is generally 1440 bytes long and may contain headers and other data irrelevant to virus inspection, a target byte segment length of 1000 avoids both the misjudgments caused by a segment that is too short and the loss of inspection efficiency caused by a segment that is too long. The specific value of N may be chosen according to actual conditions and is not limited by the embodiments of the present application.
Further, the steps of virus checking according to the target byte segment are as follows:
S2: filtering the target byte segment through a bloom filter to pre-detect network viruses; the bloom filter is constructed from the byte fragments of a plurality of virus files and is stored in a preset virus library.
The bloom filter provided by the embodiment of the application is constructed from a large number of byte segments of virus files. It can rapidly test the target byte segment against those byte segments and produce a filtering result, which shows whether a byte segment of a virus file matching the target byte segment exists in the preset virus library.
If the filtering result shows that a matching byte segment of a virus file exists, the file to be transmitted may be a virus file and needs further checking. If the filtering result shows that no matching byte segment exists, the file to be transmitted is determined not to be a virus file, its subsequent transmission needs no attention, and its subsequent messages can pass through directly. The file does not need to be cached, which reduces the storage pressure on the network device and avoids useless occupation of memory.
S3: and caching the file to be transmitted if the filtering result shows that the byte fragments of the virus file matched with the target byte fragments exist.
After the file to be transmitted is completely cached, virus inspection can be further carried out on the file to be transmitted.
S4: and calculating the hash value of the file to be transmitted after caching.
Checking for virus files by hash value is a very accurate method. A specific choice is to compute the MD5 value of the file to be transmitted and match on that MD5 value, which gives a high virus checking accuracy.
S5: matching the hash value with a reference hash value; the reference hash value is stored in a preset virus library.
The reference hash value can be a hash value of a preset virus file, and the hash value of the file to be transmitted is matched with the reference hash value, so that whether the file to be transmitted is a virus file or not can be judged.
S6: and if the reference hash value matched with the hash value exists, confirming that the file to be transmitted is a virus file.
If the hash value of the preset virus file matched with the hash value of the file to be transmitted exists in the preset virus library, it can be shown that the file to be transmitted and the preset virus file are the same file, that is, the file to be transmitted is a virus file.
Correspondingly, if the reference hash value matched with the hash value does not exist, the file to be transmitted is confirmed not to be the virus file.
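The pre-detection and confirmation stages S1 to S6 above, as an added Python example that is not part of the patent or of any product implementing it. The Bloom filter is written from scratch (a bit vector plus k positions derived from one SHA-256 digest by double hashing); the fragment length N = 1000 and the 1440-byte message length are taken from the description, while the filter size, the hash count, the constructed sample files and the classify wrapper are assumptions made for this example. MD5 is kept as the reference hash because the description specifies it; since MD5 collisions are practical, a design not bound to this patent would use SHA-256 for the reference hashes.

```python
import hashlib
import math

# N = 1000 and the 1440-byte message length are the values given in the description;
# the Bloom filter size and hash count below are assumptions made for this example.
N = 1000
MESSAGE_LEN = 1440
BLOOM_BITS = 1 << 16
BLOOM_HASHES = 7


class BloomFilter:
    """A long bit vector plus k bit positions per item, all derived from one SHA-256 digest."""

    def __init__(self, m_bits, k_hashes):
        self.m = m_bits
        self.k = k_hashes
        self.bits = bytearray((m_bits + 7) // 8)

    def _positions(self, item):
        # Double hashing: h1 + i*h2 (mod m) stands in for k independent mapping functions.
        d = hashlib.sha256(item).digest()
        h1 = int.from_bytes(d[:8], "big")
        h2 = int.from_bytes(d[8:16], "big") | 1
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, item):
        for p in self._positions(item):
            self.bits[p >> 3] |= 1 << (p & 7)

    def might_contain(self, item):
        # A False answer is definite; True only means "possibly present" (false positives exist).
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(item))


def expected_false_positive_rate(m_bits, k_hashes, n_items):
    """Standard estimate (1 - e^(-kn/m))^k of how often a clean fragment passes pre-detection."""
    return (1.0 - math.exp(-k_hashes * n_items / m_bits)) ** k_hashes


def fragment(data, n=N):
    """Target byte segment (S103): the first N bytes of the first message."""
    return data[:n]


def build_fragment_filter(virus_files, n=N):
    """S15 and S2: insert the first-N-byte fragment of every known virus file into the filter."""
    bf = BloomFilter(BLOOM_BITS, BLOOM_HASHES)
    for f in virus_files:
        bf.add(fragment(f, n))
    return bf


def reference_hashes(virus_files):
    """Reference hash values of the preset virus files (MD5, as the description specifies)."""
    return {hashlib.md5(f).hexdigest() for f in virus_files}


def predetect(first_message, bf, n=N):
    """S2: filter the target byte segment. True means the file must be cached for hash checking."""
    return bf.might_contain(fragment(first_message, n))


def classify(file_bytes, bf, refs, n=N):
    """S1-S6 as one decision. Only files that pass pre-detection are cached and hashed."""
    first_message = file_bytes[:MESSAGE_LEN]
    if not predetect(first_message, bf, n):
        return "clean (not cached)"
    # The whole file is now cached; S4-S6 confirm or clear it by the full-file hash.
    if hashlib.md5(file_bytes).hexdigest() in refs:
        return "virus"
    return "not virus (pre-detection matched, hash did not)"


# Constructed sample files standing in for a preset virus library and for normal traffic.
VIRUS_A = b"SAMPLE-A:" + bytes(range(256)) * 6
VIRUS_B = b"SAMPLE-B:" + bytes(range(256)) * 6
CLEAN_FILE = b"GIF89a" + b"\x00" * 3000
KNOWN_VIRUS_FILES = [VIRUS_A, VIRUS_B]

if __name__ == "__main__":
    bf = build_fragment_filter(KNOWN_VIRUS_FILES)
    refs = reference_hashes(KNOWN_VIRUS_FILES)
    samples = [("VIRUS_A", VIRUS_A), ("CLEAN_FILE", CLEAN_FILE), ("VIRUS_A+tail", VIRUS_A + b"tail")]
    for name, data in samples:
        print(name, "->", classify(data, bf, refs))
    print("expected false-positive rate:",
          expected_false_positive_rate(BLOOM_BITS, BLOOM_HASHES, len(KNOWN_VIRUS_FILES)))
```

The third sample shows why the two stages belong together: a file that shares its first 1000 bytes with a known sample passes pre-detection, is cached and hashed, and is then cleared by the full-file hash. expected_false_positive_rate gives the standard estimate of how often a clean fragment will pass pre-detection for a given filter size and number of inserted fragments, which is what decides how much caching the pre-filter actually saves.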
In some implementations, referring to fig. 2, a schematic flowchart of a network virus detection method provided in an embodiment of the present application is shown. As shown in fig. 2, before performing hash value calculation on a complete file to be transmitted, the network virus detection method provided in the embodiment of the present application may further include the following steps:
S7: calculating the file size of the file to be transmitted;
S8: if a preset virus file whose file size matches that of the file to be transmitted exists in the preset virus library, continuing to calculate the hash value of the file to be transmitted.
The file size can also be used to judge whether the file to be transmitted is a virus file. If the file size of the file to be transmitted equals the file size of a preset virus file, or falls into the set of file sizes formed by the preset virus files, the file to be transmitted may be a virus file, and the hash value is then calculated and matched.
If the file size of the file to be transmitted differs from every preset virus file size, or does not fall into the set of file sizes formed by the preset virus files, that is, the preset virus library has no preset virus file whose size matches, the file to be transmitted is determined not to be a virus file; its subsequent transmission needs no attention and its subsequent messages can pass through directly. Skipping the hash calculation in this case relieves the load on the network device CPU.
If a preset virus file whose size matches that of the file to be transmitted exists in the preset virus library, then after the step of continuing to calculate the hash value of the file to be transmitted, the method further includes:
S9: in the preset virus library, acquiring the hash values of the preset virus files matching the file size of the file to be transmitted according to the correspondence between the file sizes and the hash values of the preset virus files, and using those hash values as the reference hash values.
Compared with matching against the hash values of all preset virus files, the reference hash values are only a subset of them, typically dozens or hundreds, so the amount of data is far smaller than the hash values of all preset virus files and hash matching is more efficient.
The correspondence between the file size of the preset virus file and the hash value will be described in detail below, and will not be described herein again.
In some implementation manners, the network virus detection method provided in the embodiment of the present application further includes constructing a preset virus library. Referring to fig. 3, a schematic flow chart of constructing a preset virus library provided in the embodiment of the present application is shown in fig. 3, where the specific steps of constructing the preset virus library are as follows:
S10: constructing a preset virus library;
S11: calculating the file size and the hash value of each preset virus file;
S12: storing the file sizes into the preset virus library;
S13: dividing all file sizes into different file size ranges;
S14: storing the hash values corresponding to the different file size ranges into the preset virus library according to the file size ranges, establishing the correspondence between file sizes and hash values;
S15: acquiring byte segments of the preset virus files and storing the byte segments into the preset virus library; the byte segment of a preset virus file has the same length as the target byte segment.
The preset virus library is a database constructed according to known network viruses and relevant parameters of the known network viruses. Specifically, the preset virus library may store a preset virus file, a file size and a hash value of the preset virus file for detecting a file to be transmitted, a bloom filter constructed according to a byte segment of the preset virus file, and the like.
An example of the correspondence between file size and hash value is as follows. If the sizes of the virus files lie between 0k and 500M, the file size may be divided into the following ranges:
- first range: 0k-100k;
- second range: 101k-500k;
- third range: 501k-1M;
- fourth range: 1M-100M;
- fifth range: 100M-200M;
- sixth range: 200M-300M;
- seventh range: 300M-400M;
- eighth range: 400M-500M.
The ranges do not overlap, and since the file size of each preset virus file corresponds to its hash value, each range can be attached with the hash values (reference hash values) of the preset virus files that fall into it.
When the file size range is divided, the file size range may be specifically divided into K ranges, and specific numerical values of K may be designed according to actual situations, which is not specifically limited in the embodiment of the present application.
If the size of the file to be transmitted falls within the first range, when the hash value of the file to be transmitted is matched, the hash value of the file to be transmitted is matched with the hash value of the preset virus file attached to the first range.
In some implementations, the byte segment selected from a preset virus file corresponds to the target byte segment: it is also N bytes of the preset virus file, specifically the first N bytes, or the first N bytes after part of the header is removed, so that matching against the target byte segment is accurate and does not produce misjudgments.
The length of the byte segment of the preset virus file is equal to the length of the target byte segment, that is, when the length of the target byte segment is 1000 bytes, the length of the byte segment selected for the preset virus file is also 1000 bytes.
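Steps S7 to S9 and the library construction S10 to S14 above, as an added Python example that is not the patent's own code. The eight range upper bounds come from the description's example; reading k as KiB and M as MiB, using the exact-size set as the gate before hashing, the hash-computation counter and the constructed sample files are assumptions of this example. The Bloom filter stage is left out here, since the example concerns only what happens after a file has been cached.

```python
import bisect
import hashlib

# Range upper bounds taken from the description's example (inclusive, in bytes);
# reading "k" as KiB and "M" as MiB is an assumption of this example.
KB, MB = 1024, 1024 * 1024
RANGE_UPPER_BOUNDS = [100 * KB, 500 * KB, 1 * MB, 100 * MB, 200 * MB, 300 * MB, 400 * MB, 500 * MB]


class PresetVirusLibrary:
    """S10-S14: known virus file sizes plus a size-range -> reference-hash mapping."""

    def __init__(self, upper_bounds=RANGE_UPPER_BOUNDS):
        self.upper_bounds = sorted(upper_bounds)                   # S13: K non-overlapping ranges
        self.sizes = set()                                         # S12: exact sizes of known virus files
        self.hashes_by_range = [set() for _ in self.upper_bounds]  # S14: hashes attached to each range
        self.hash_computations = 0                                 # full-file hashes done at check time

    def range_index(self, size):
        # Index of the first range whose upper bound is >= size; None if beyond the last range.
        i = bisect.bisect_left(self.upper_bounds, size)
        return i if i < len(self.upper_bounds) else None

    def add_virus_file(self, data):
        """S11: compute the size and MD5 of a preset virus file, then file both in the library."""
        size, digest = len(data), hashlib.md5(data).hexdigest()
        self.sizes.add(size)
        idx = self.range_index(size)
        if idx is not None:
            self.hashes_by_range[idx].add(digest)
        return digest

    def reference_hashes_for(self, size):
        """S9: only the hashes attached to the range this size falls into, not the whole library."""
        idx = self.range_index(size)
        return self.hashes_by_range[idx] if idx is not None else set()

    def check_cached_file(self, data):
        """S7-S9 on a fully cached file: size gate first, hash only when a size matches."""
        size = len(data)
        if size not in self.sizes:
            return "not virus (size not in library, hash skipped)"
        self.hash_computations += 1
        if hashlib.md5(data).hexdigest() in self.reference_hashes_for(size):
            return "virus"
        return "not virus (hash mismatch)"


# Constructed sample files; their contents are arbitrary, only sizes and digests matter here.
VIRUS_SMALL = b"A" * 2048              # falls in the first range (0k-100k)
VIRUS_MEDIUM = b"B" * (600 * KB)       # falls in the third range (501k-1M)
SAME_SIZE_CLEAN = b"C" * 2048          # same size as VIRUS_SMALL, different content
OTHER_SIZE_CLEAN = b"D" * 4096         # size not present in the library


def build_demo_library():
    """Build the library from the two constructed virus samples."""
    lib = PresetVirusLibrary()
    for f in (VIRUS_SMALL, VIRUS_MEDIUM):
        lib.add_virus_file(f)
    return lib


if __name__ == "__main__":
    lib = build_demo_library()
    samples = [("VIRUS_SMALL", VIRUS_SMALL), ("SAME_SIZE_CLEAN", SAME_SIZE_CLEAN),
               ("OTHER_SIZE_CLEAN", OTHER_SIZE_CLEAN)]
    for name, data in samples:
        print(name, "->", lib.check_cached_file(data))
    print("full-file hashes computed:", lib.hash_computations)
```

check_cached_file only hashes a file whose size already appears in the library, and then compares the digest against the few hashes attached to the file's size range rather than against the whole library; hash_computations makes the saved work visible when the sample set is run through it.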
In summary, the network virus detection method provided by the embodiment of the application can be applied to network equipment. It pre-detects viruses in the file to be transmitted in time and fully caches the file only if the pre-detection shows it may be a virus file, which saves the memory of the network equipment. The file size is then checked and matched, and the hash of the complete file is computed only if the size matches, which relieves the load on the CPU (central processing unit) of the network equipment and reduces wasted hash computations.
According to the foregoing embodiments, the present application may further provide a network device, which may include a memory and a processor, where the memory is configured to store program instructions, and the processor is configured to execute the program instructions to perform the following steps:
acquiring a file to be transmitted through network equipment, and acquiring a target byte fragment of the file to be transmitted;
filtering the target byte segment through a bloom filter to perform pre-detection on the network virus; the bloom filter is constructed according to byte fragments of a plurality of virus files and is stored in a preset virus library;
if the filtering result shows that the byte fragments of the virus file matched with the target byte fragments exist, caching the file to be transmitted;
after caching, calculating the hash value of the file to be transmitted;
matching the hash value with a reference hash value; storing the reference hash value in a preset virus library;
and if the reference hash value matched with the hash value exists, confirming that the file to be transmitted is a virus file.
In some implementations, the network device provided in the embodiments of the present application may be a switch or a firewall.
When the network equipment provided by the embodiment of the application detects network viruses, the check is fast, the memory occupied is small, and the pressure on the CPU is small.
As can be seen from the foregoing technical solutions, an embodiment of the present application provides a network virus detection method and a network device, where the method includes: acquiring a file to be transmitted through network equipment, and acquiring a target byte fragment of the file to be transmitted; filtering the target byte segment through a bloom filter to perform pre-detection on the network virus; the bloom filter is constructed according to byte fragments of a plurality of virus files and is stored in a preset virus library; if the filtering result shows that the byte fragments of the virus file matched with the target byte fragments exist, caching the file to be transmitted; after caching, calculating the hash value of the file to be transmitted; matching the hash value with a reference hash value; storing the reference hash value in a preset virus library; and if the reference hash value matched with the hash value exists, confirming that the file to be transmitted is a virus file. The method provided by the embodiment of the application can timely perform virus pre-detection on the file to be transmitted, save the memory of the network equipment, and simultaneously can reduce the pressure of a CPU of the network equipment and reduce invalid hash.
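As an added illustration (not the patent's own code), the staged pipeline described above in Python: a Bloom filter over the first N bytes of the first message, caching of the complete file only after a Bloom hit, a file-size range lookup, and a full-file hash compared only with the reference hashes attached to that size range. The value of N, the shortened size-range table, SHA-256 as the hash function and the sample files are all assumptions made for the example.

```python
import hashlib
from bisect import bisect_left

N = 16                                  # target byte segment: first N bytes of the first message
KB, MB = 1024, 1024 * 1024
# Upper bounds of the non-overlapping size ranges (a shortened form of the patent's table).
SIZE_BOUNDS = [100 * KB, 500 * KB, 1 * MB, 100 * MB, float("inf")]

class BloomFilter:
    """Minimal Bloom filter over byte strings; k bit positions from SHA-256(salt || item)."""
    def __init__(self, m_bits=8192, k=3):
        self.m, self.k = m_bits, k
        self.bits = bytearray(m_bits // 8)
    def _positions(self, item):
        for salt in range(self.k):
            digest = hashlib.sha256(bytes([salt]) + item).digest()
            yield int.from_bytes(digest[:8], "big") % self.m
    def add(self, item):
        for p in self._positions(item):
            self.bits[p >> 3] |= 1 << (p & 7)
    def may_contain(self, item):
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(item))

def range_index(size):
    """Index of the size range containing `size`; ranges are closed at their upper bound."""
    return bisect_left(SIZE_BOUNDS, size)

def build_library(virus_samples):
    """Preset virus library: Bloom filter of N-byte segments plus reference hashes keyed by size range."""
    lib = {"bloom": BloomFilter(), "hashes": {}}
    for sample in virus_samples:
        lib["bloom"].add(sample[:N])
        ref_hash = hashlib.sha256(sample).hexdigest()
        lib["hashes"].setdefault(range_index(len(sample)), set()).add(ref_hash)
    return lib

def detect(lib, messages):
    """Staged check over a file delivered as a list of messages (first message first).
    Returns (verdict, cached): `cached` tells whether the whole file had to be buffered."""
    target = messages[0][:N]
    if not lib["bloom"].may_contain(target):      # stage 1: pre-detection, nothing buffered yet
        return "clean: bloom miss", False
    data = b"".join(messages)                      # stage 2: cache the complete file
    candidates = lib["hashes"].get(range_index(len(data)))
    if not candidates:                              # stage 3: no virus of this size, skip hashing
        return "clean: size miss", True
    file_hash = hashlib.sha256(data).hexdigest()   # stage 4: full-file hash only when needed
    return ("virus" if file_hash in candidates else "clean: hash miss"), True

# Constructed sample "virus" files and library (not real malware).
VIRUS_A = b"SAMPLE-A-CONSTRUCTED" * 50            # 1000 bytes   -> range 0 (0-100k)
VIRUS_B = b"SAMPLE-B-CONSTRUCTED" * 6000          # 120000 bytes -> range 1 (101k-500k)
LIBRARY = build_library([VIRUS_A, VIRUS_B])
```

Only a Bloom miss avoids buffering; a file that shares its first N bytes with a library entry is cached, but the hash is computed only when a reference hash exists for its size range.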
Those skilled in the art will readily appreciate that the techniques of the embodiments of the present invention may be implemented as software plus a required general purpose hardware platform. Based on such understanding, the technical solutions in the embodiments of the present invention may be essentially or partially implemented in the form of a software product, which may be stored in a storage medium, such as ROM/RAM, magnetic disk, optical disk, etc., and includes several instructions for enabling a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the method according to the embodiments or some parts of the embodiments.
The same and similar parts in the various embodiments in this specification may be referred to each other. In particular, for the embodiments, since they are substantially similar to the method embodiments, the description is simple, and the relevant points can be referred to the description in the method embodiments.
The above-described embodiments of the present invention should not be construed as limiting the scope of the present invention.
Claims (9)
1. A network virus detection method is characterized by comprising the following steps:
acquiring a file to be transmitted through network equipment, and acquiring a target byte fragment of the file to be transmitted in the transmission process of the file to be transmitted, wherein the target byte fragment is the first N bytes of a first message of the file to be transmitted, and N is less than or equal to the total length of the first message;
filtering the target byte fragments through a bloom filter to perform pre-detection on the network viruses; the bloom filter is constructed according to byte fragments of a plurality of virus files and is stored in a preset virus library;
if the filtering result shows that the byte fragments of the virus files matched with the target byte fragments exist, caching the files to be transmitted;
after caching, calculating the hash value of the file to be transmitted;
matching the hash value with a reference hash value; the reference hash value is stored in the preset virus library;
and if the reference hash value matched with the hash value exists, confirming that the file to be transmitted is a virus file.
2. The method of claim 1, wherein the step of obtaining the transmission file transmitted between the network devices comprises:
acquiring a transmission data stream of network equipment;
and identifying files to be transmitted which are transmitted through network equipment in the transmission data stream.
3. The method according to claim 1, wherein before the step of calculating the hash value of the file to be transmitted after caching, the method further comprises:
calculating the file size of the file to be transmitted;
if a preset virus file matched with the file size of the file to be transmitted exists in the preset virus library, continuously calculating the hash value of the file to be transmitted;
and if the preset virus file matched with the file size of the file to be transmitted does not exist in the preset virus library, determining that the file to be transmitted is not a virus file.
4. The method according to claim 3, wherein if a preset virus file matching the file size of the file to be transmitted exists in the preset virus library, after the step of continuously calculating the hash value of the file to be transmitted, the method further comprises:
and in the preset virus library, acquiring the hash value of the preset virus file matched with the file size of the file to be transmitted according to the corresponding relation between the file size of the preset virus file and the hash value, and taking the hash value as the reference hash value.
5. The method of claim 4, further comprising:
constructing a preset virus library;
calculating the file size and the hash value of a preset virus file;
storing the file size into the preset virus library;
performing range division on all the file sizes to form different file size ranges;
and storing the hash values corresponding to different file size ranges into the preset virus library according to the file size ranges so as to establish the corresponding relation between the file sizes and the hash values.
6. The method of claim 5, further comprising:
acquiring byte segments of the preset virus file and storing the byte segments into the preset virus library; and the length of the byte segment of the preset virus file is equal to that of the target byte segment.
7. The method according to claim 1, wherein if the filtering result shows that there is no byte fragment of the virus file matching the target byte fragment, the file to be transmitted is determined not to be a virus file.
8. The network virus detection method according to claim 1, wherein if there is no reference hash value matching the hash value, it is confirmed that the file to be transmitted is not a virus file.
9. A network device comprising a memory for storing program instructions and a processor for executing the program instructions to perform the steps of:
acquiring a file to be transmitted through network equipment, and acquiring a target byte fragment of the file to be transmitted;
filtering the target byte fragments through a bloom filter to perform pre-detection on the network viruses; the bloom filter is constructed according to byte fragments of a plurality of virus files and is stored in a preset virus library;
if the filtering result shows that the byte fragments of the virus files matched with the target byte fragments exist, caching the files to be transmitted;
after caching, calculating the hash value of the file to be transmitted;
matching the hash value with a reference hash value; the reference hash value is stored in the preset virus library;
and if the reference hash value matched with the hash value exists, confirming that the file to be transmitted is a virus file.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111606921.9A CN113973019B (en) | 2021-12-27 | 2021-12-27 | Network virus detection method and network equipment |
Publications (2)
Publication Number | Publication Date |
---|---|
CN113973019A CN113973019A (en) | 2022-01-25 |
CN113973019B true CN113973019B (en) | 2022-04-01 |
Family
ID=79590734
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202111606921.9A Active CN113973019B (en) | 2021-12-27 | 2021-12-27 | Network virus detection method and network equipment |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN113973019B (en) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN117201193B (en) * | 2023-11-06 | 2024-01-26 | 新华三网络信息安全软件有限公司 | Virus detection method and device, storage medium and electronic equipment |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101359325A (en) * | 2007-08-01 | 2009-02-04 | 北京启明星辰信息技术有限公司 | Multi-key-word matching method for rapidly analyzing content |
CN102609654A (en) * | 2012-02-08 | 2012-07-25 | 北京百度网讯科技有限公司 | Method and device for detecting malicious flash files |
CN103780676A (en) * | 2013-12-12 | 2014-05-07 | 北京奇虎科技有限公司 | File transmission method, device and system |
CN104298711A (en) * | 2014-09-12 | 2015-01-21 | 百度在线网络技术(北京)有限公司 | Method and device for scanning information to be scanned and computer equipment |
CN113051568A (en) * | 2021-03-29 | 2021-06-29 | 深信服科技股份有限公司 | Virus detection method and device, electronic equipment and storage medium |
Family Cites Families (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
BRPI0616018A2 (en) * | 2005-07-29 | 2011-06-07 | Bit9 Inc | security systems and methods for computer networks |
US9363339B2 (en) * | 2011-07-12 | 2016-06-07 | Hughes Network Systems, Llc | Staged data compression, including block level long range compression, for data streams in a communications system |
CN112272212B (en) * | 2020-09-30 | 2022-07-12 | 新华三信息安全技术有限公司 | File transmission method and device |
CN113139871A (en) * | 2021-05-07 | 2021-07-20 | 新晨科技股份有限公司 | Adaptive consensus on block chain method, apparatus and computer readable storage medium |
CN113709110B (en) * | 2021-07-27 | 2023-07-21 | 深圳市风云实业有限公司 | Intrusion detection system and method combining soft and hard |
2021
- 2021-12-27 CN CN202111606921.9A patent/CN113973019B/en active Active
Also Published As
Publication number | Publication date |
---|---|
CN113973019A (en) | 2022-01-25 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||