CN101562605A - Method and system for real-time monitoring in file transfer - Google Patents

Publication number
CN101562605A
Authority
CN
China
Legal status
Pending
Application number
CNA2008101043225A
Other languages
Chinese (zh)
Inventor
孙海波
汤国祥
骆拥政
李博
王雷章
Current Assignee
Beijing Venus Information Technology Co Ltd
Original Assignee
Beijing Venus Information Technology Co Ltd

Abstract

The invention relates to a method and a system for real-time monitoring in file transfer. The system comprises a file transfer recognizer, a file information extractor, a file state memory, a file reformer, a detection rule base and a detection engine. The method comprises a file transfer behavior recognition step, a current transfer file information extraction step, a file state update step, a file reassembly step and a deep detection step. The invention solves the reassembly problem that arises because traditional products cannot accurately distinguish the individual files during multi-file transfer by IM software, reassembles and detects each file accurately and in real time during multi-file transfer, and has advantages such as high speed and accuracy.

Description

Method and system for real-time monitoring in file transfer
Technical field
The present invention relates to a method and system for real-time monitoring in file transfer, used for communication security in computer networks. Specifically, it is a method and system for reassembling and restoring files during multi-file transfer by instant messaging (IM) software, and it can be used in intrusion detection/prevention (IDS/IPS) and audit products.
Background art
An intrusion detection/prevention system (Intrusion Detection/Protection System, IDS/IPS) is an important means of network security protection. It is usually deployed inside critical networks or at network boundary entry points, where it captures in real time the message data streams within the network or entering and leaving it, performs intelligent comprehensive analysis, finds possible intrusion behavior and blocks it in real time.
IM software is used by more and more users in today's network environment, and as it has developed, most IM software provides file transfer in addition to online chat; examples are MSN, QQ and Yahoo Messenger. Many viruses and attacks are now propagated hidden inside the files transferred by IM software. Traditional intrusion detection products detect files transferred by IM software only after the transfer has ended: the file is completely reassembled and then checked. This kind of detection often lags behind. By the time the transfer ends, the file content has already been saved on the client machine and may cause various direct or indirect losses. This approach also consumes a large amount of time and system resources. It is a major defect common to traditional detection methods. To improve on this, some products reassemble and detect files in real time during transfer, but most current schemes only handle the transfer of a single file, whereas in many environments more than one file is transferred at the same time and all of them are within the same TCP connection session. In that case the files being transferred cannot each be reassembled correctly, which may produce false alarms. It is therefore necessary to develop a method of reassembling and restoring files during multi-file transfer by IM software, one that accurately reassembles each file while multiple files are transferred simultaneously, so that detection is efficient and accurate and viruses or attacks are found, allowing the user to take countermeasures in time. Such a method guards against virus or attack intrusion at the earliest moment and, while greatly saving time and system resources, accurately and efficiently reassembles multiple files transferred simultaneously, further improving detection accuracy and reducing the false alarm rate. Research shows that commonly used IM software such as MSN and Yahoo Messenger carries distinct file information identifiers during multi-file transfer, so reassembling and detecting multi-file transfers of such IM software is feasible.
Summary of the invention
The present invention proposes a method and system for real-time monitoring in multi-file transfer. The monitoring satisfies the following: while IM software transfers multiple files simultaneously, the different files are each reassembled in real time and the corresponding data content is inspected in depth, so that the virus or attack carried in each file is found accurately. The user can be alerted in real time and the virus or attack found can be handled at the earliest moment, which greatly improves system performance. It also avoids the false alarms and accuracy problems caused by the difficulty of reassembling each file separately during multi-file transfer within the same TCP session, improving the accuracy of intrusion detection as a whole and reducing the false alarm rate.
The object of the invention is achieved by a method for real-time monitoring in file transfer. The system used comprises a file transfer recognizer, a file information extractor, a file state memory, a file reformer, a detection rule base and a detection engine, and the method comprises the following steps:
File transfer behavior recognition step;
Current transfer file information extraction step;
File state update step;
File reassembly step;
Deep detection step.
A system for real-time monitoring in file transfer comprises: a file transfer recognizer responsible for recognizing file transfer behavior from data messages; a file information extractor, connected to the file transfer recognizer, that extracts the relevant information from the current file transfer information contained in a data message; a file state memory, connected to the file information extractor, that stores the current state information of all files being transferred; a file reformer, connected to the file information extractor and the file state memory, that reassembles and restores the corresponding file using the file information of the current message and the stored state of that file; a detection rule base, connected to the deep detector, that stores the preset detection rules; and a deep detector, connected to the file reformer, that performs deep detection on the reassembled file data according to the actual detection rules.
The beneficial effects of the invention are as follows. It solves the real-time problem of traditional IDS/IPS products, which during file transfer by IM software must wait until the transfer has ended and the complete file is available before performing deep detection on it, and so improves the performance of the whole intrusion detection system. It also solves the problem that current single-file reassembly produces reassembly errors, and hence false alarms, when multiple files are transferred simultaneously. To address these problems the invention proposes a processing method in which multiple files are reassembled simultaneously in real time. Each file can be accurately reassembled during multi-file transfer, which greatly improves the performance, accuracy and applicability of the intrusion detection system. Detection is fast and highly accurate, and the invention can be widely used in network security products such as IDS/IPS and audit products.
Description of drawings
Fig. 1 is a flow diagram of the method for real-time monitoring in file transfer of Embodiment one of the invention;
Fig. 2 is a system diagram of the system for real-time monitoring in file transfer of Embodiment seven of the invention.
The invention is further described below with reference to the drawings and embodiments.
Embodiment
Embodiment one:
This embodiment is a method for real-time monitoring in file transfer. The system comprises a file transfer recognizer, a file information extractor, a file state memory, a file reformer, a detection rule base and a detection engine. The workflow of the method, shown in Fig. 1, comprises the following steps:
File transfer behavior recognition step;
Current transfer file information extraction step;
File state update step;
File reassembly step;
Deep detection step.
Wherein:
1. File transfer behavior recognition step. Using protocol analysis, this step parses the actually captured data messages layer by layer, determines the type of IM software currently in use, and accurately recognizes the file transfer behavior of that IM software from its static message features, file transfer action identifiers and the like. It extracts the data messages that contain file transfer information for use by the current transfer file information extraction step.
2. Current transfer file information extraction step. This step takes the data messages provided by the file transfer behavior recognition step as its extraction object. It is mainly responsible for extracting from each message the information about the file being transferred in it, and provides this information to the file state memory as the basis for the file state update step. At the same time it provides the data portion carried in the data message to the file reformer as the input for file reassembly.
3. File state update step. This step works from the information about the file transferred in the current message, as provided by the current transfer file information extraction step. It compares this information with the information for the same file stored in the file state memory and, if the state information of the file meets the session's requirements, saves it, updating the file state memory. It also creates a new file state for a new file transfer and deletes from the file state store the information of files whose transfer has finished.
4. File reassembly step. This step reassembles the file from the file data provided by the current transfer file information extraction step and the information for that file stored in the file state memory. It is mainly responsible for splicing the file data portion carried in the current data message onto the data already transferred. Each time one data message has been spliced, the file data content actually transferred is output to the deep detection step as its input.
5. Deep detection step. This step takes as input the staged spliced messages output by the file reassembly step and performs deep detection using a multi-pattern matching algorithm, with the preset detection rules stored in the detection rule base as the patterns. When a virus or attack is found, it takes the corresponding measure against it, such as alerting or blocking.
Embodiment two:
This embodiment is a preferred scheme of the file transfer behavior recognition step of Embodiment one. It comprises the following sub-steps:
Parse the actually captured data messages layer by layer using protocol analysis;
Determine the type of IM software currently in use;
Recognize the file transfer behavior of the current IM software from the static message features and file transfer action identifiers of that IM software;
Extract the data messages that contain file transfer information for use by the current transfer file information extraction step.
Taken together, these sub-steps mean: from the actually captured data messages and the file transfer behavior features, a layered packet protocol analysis method recognizes the actual file transfer behavior and extracts the messages that contain data of the file currently being transferred.
The basic idea of this embodiment is: first determine the type of IM software currently in use, then parse the data message according to the protocol format of that IM software type and recognize the actual file transfer behavior from the message features or specific identifiers on which the software's file transfer behavior relies. For example, data messages transferred by MSN software begin with the feature keyword "MSG", followed by the actual MSN protocol message content. Likewise, data messages transferred by Yahoo Messenger software begin with the feature keyword "YMSG", followed by the Yahoo Messenger protocol message content. Relying on these message features, the type of IM software currently in use is first uniquely determined. The specific identifiers of file transfer behavior are then used as patterns and matched within the corresponding data message, to recognize that the current data message indicates the IM software is about to perform a file transfer. For example, during file transfer the MSN protocol has the identifying keyword "Content-Type: application/x-msnmsgrp2p\r\n". Likewise, when Yahoo Messenger software performs a file transfer, the service identifier field of the corresponding data message is "00dc".
Embodiment three:
This embodiment is a preferred scheme of the current transfer file information extraction step of Embodiment one. It comprises the following sub-steps:
Take the data messages provided by the file transfer behavior recognition step as the extraction object, and extract from each message the information about the file being transferred in it;
Provide this information to the file state memory as the basis for the file state update step;
At the same time provide the data portion carried in the data message to the file reformer as the input for file reassembly.
Taken together, these sub-steps mean: from the actually captured data messages and the file transfer behavior features, a layered packet protocol analysis method recognizes the actual file transfer behavior and extracts the messages that contain data of the file currently being transferred.
The basic idea of this embodiment is: for the later file reassembly, and to tell accurately in a multi-file transfer environment which file the data portion of the current message belongs to, the relevant information of the file currently being transferred must be recorded, such as file name, file size, source ID, destination ID, file ID and so on. Which file-related information needs to be kept is decided per IM application, the criterion being that it uniquely identifies the file being transferred. Here too, protocol analysis is used to extract this file-related information from the corresponding data fields of the data message. For example, in an actual MSN file transfer, the content after the matched feature keyword "P2P-Dest" and before the first line break is the destination ID of the file transfer. The content after the matched feature keyword "Content-Length" and before the first carriage return and line feed is the file size of the file transfer. Base-64 decoding the content after the matched feature keyword "Context" and before the first line break yields the file name of the file transfer. In the data message of an actual file transfer, the first non-zero byte after the line break that follows the "P2P-Dest" field is the file ID of the current transfer. A sample of an actual transfer message is shown in Table 1:
Table 1
0000  00 17 df ba 4c 00 00 15  58 29 d4 59 08 00 45 00  ....L... X).Y..E.
0010  05 82 d3 29 40 00 80 06  5a d1 c0 a8 1c 65 cf 2e  ...)@... Z....e..
0020  1b 3f 0a ce 07 47 b7 d8  a2 b5 f1 64 3d 79 50 18  .?...G.. ...d=yP.
0030  ff 1e 10 df 00 00 4d 53  47 20 31 36 33 20 44 20  ......MS G 163 D
0040  31 33 35 34 0d 0a 4d 49  4d 45 2d 56 65 72 73 69  1354..MI ME-Versi
0050  6f 6e 3a 20 31 2e 30 0d  0a 43 6f 6e 74 65 6e 74  on: 1.0. .Content
0060  2d 54 79 70 65 3a 20 61  70 70 6c 69 63 61 74 69  -Type: a pplicati
0070  6f 6e 2f 78 2d 6d 73 6e  6d 73 67 72 70 32 70 0d  on/x-msn msgrp2p.
0080  0a 50 32 50 2d 44 65 73  74 3a 20 63 61 72 69 6e  .P2P-Des t: carin
0090  61 66 75 62 61 69 6c 69  6e 67 40 68 6f 74 6d 61  afubaili ng@hotma
00a0  69 6c 2e 63 6f 6d 0d 0a  0d 0a 3d c8 ac 05 fb ce  il.com.. ..=.....
Here the destination ID of this file transfer is carinafubailing@hotmail.com and the file ID of this transfer is 3d. After extracting the file information, this step also sends it to the file state memory as the input for the file state update, and it extracts the file data actually transferred and provides it to the file reformer as the input for file reassembly.
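The recognition and extraction rules of Embodiments two and three, applied to the bytes of Table 1, as an added example that is not part of the patent text. The function names are hypothetical and the position of the YMSG service field is an assumption; the keywords and the expected values are the ones quoted above.

```python
import struct

# Bytes of Table 1 as printed on the page (one captured Ethernet frame, truncated).
TABLE1 = bytes.fromhex("""
    0017dfba4c000015 5829d45908004500
    0582d32940008006 5ad1c0a81c65cf2e
    1b3f0ace0747b7d8 a2b5f1643d795018
    ff1e10df00004d53 4720313633204420
    313335340d0a4d49 4d452d5665727369
    6f6e3a20312e300d 0a436f6e74656e74
    2d547970653a2061 70706c6963617469
    6f6e2f782d6d736e 6d73677270327030 0d
""".replace("6d73677270327030 0d", "6d7367727032700d") + """
    0a5032502d446573 743a20636172696e
    6166756261696c69 6e6740686f746d61
    696c2e636f6d0d0a 0d0a3dc8ac05fbce
""")

def tcp_payload(frame):
    """Layered parsing: Ethernet II -> IPv4 -> TCP. Returns (sport, dport, payload)."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None                          # not IPv4/TCP
    tcp = 14 + (frame[14] & 0x0F) * 4        # IPv4 header length from IHL
    sport, dport = struct.unpack("!HH", frame[tcp:tcp + 4])
    data_off = (frame[tcp + 12] >> 4) * 4    # TCP header length from data offset
    return sport, dport, frame[tcp + data_off:]

def classify(payload):
    """Return (im_type, is_file_transfer) using the page's feature keywords."""
    if payload.startswith(b"YMSG"):
        # Assumption: the 2-byte service code sits at offset 10 of the YMSG header.
        return "yahoo", payload[10:12] == b"\x00\xdc"
    if payload.startswith(b"MSG"):
        return "msn", b"Content-Type: application/x-msnmsgrp2p\r\n" in payload
    return None, False

def header_value(payload, keyword):
    """Text after 'keyword:' up to the first CRLF, or None if absent/incomplete."""
    start = payload.find(keyword + b":")
    if start < 0:
        return None
    start += len(keyword) + 1
    end = payload.find(b"\r\n", start)
    if end < 0:
        return None                          # value continues in a later segment
    return payload[start:end].strip().decode("ascii", "replace")

def extract_file_info(payload):
    """File information for one MSN file transfer message, or None."""
    if classify(payload) != ("msn", True):
        return None
    dest_pos = payload.find(b"P2P-Dest")
    if dest_pos < 0:
        return None
    hdr_end = payload.find(b"\r\n\r\n", dest_pos)
    if hdr_end < 0:
        return None
    body = payload[hdr_end + 4:]
    return {
        "dest_id": header_value(payload, b"P2P-Dest"),
        # Not present in the Table 1 sample; Context is still Base-64 encoded here.
        "content_length": header_value(payload, b"Content-Length"),
        "context": header_value(payload, b"Context"),
        # First non-zero byte after the line break that follows P2P-Dest.
        "file_id": next((b for b in body if b != 0), None),
        "data": body,
    }

if __name__ == "__main__":
    sport, dport, payload = tcp_payload(TABLE1)
    print(sport, dport, classify(payload), extract_file_info(payload))
```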
Embodiment four:
This embodiment is a preferred scheme of the file state update step of Embodiment one. It comprises the following sub-steps:
Check the file-related information extracted in the current transfer file information extraction step against the state information for that file stored in the file state memory;
If it conforms to the rules, update the file state information in the file state memory;
If the file state memory does not contain information for the current file, save the current information as a newly transferred file;
If the current file-related information is marked as end of file transfer, delete the state information for that file from the file state memory.
Taken together, these sub-steps mean: check the file-related information extracted in the current transfer file information extraction step against the state information for that file stored in the file state memory, and if it conforms to the rules, update the file state information in the memory. If the memory does not contain information for the current file, save the current information as a newly transferred file. If the current file-related information is marked as end of file transfer, delete the state information for that file from the file state memory.
The basic idea of this embodiment is: after receiving the file-related information extracted from the current data message by the current transfer file information extraction step, query all the file-related information stored in the current file state store. First determine whether the file information of the current data message already exists in the file state store. If it does not, the current data message is transferring a new file, so the file-related information just received is added to the file state store as a new entry. If the query finds that this file information is already in the file state store, verify whether the data message just received is the subsequent packet that this state expects. If it is not, discard it directly; if it is, replace the corresponding file information in the file state store with the file information just extracted and wait for the next packet to arrive. If an end-of-file-transfer identifier is extracted during the current file information extraction, likewise query whether the file state store contains this file information; if it does, delete the record directly. If it does not, the data message contains a newly transferred file whose file data is entirely contained in this data message, so no new file information needs to be stored. For example, in this Embodiment four, take the data message of Table 1: after the file information is extracted, the file state store is queried for the entry with the same source ID, destination ID, file ID and all other file information. At this point the file state store shows a stored data message sequence number of 47813, and the data length of the current transfer is 1320, so the sequence number of the subsequent packet should be 49133. This sequence number is compared with the file information extracted from the current data message; if they are identical the message is correct, and the next expected sequence number is calculated to complete the file state update. Otherwise the current message is discarded.
Embodiment five:
This embodiment is a preferred scheme of the file reassembly step of Embodiment one. It comprises the following sub-steps:
Take the file data provided by the current transfer file information extraction step;
Take the information for that file stored in the file state memory;
Splice the file data portion carried in the current data message onto the data already transferred;
Each time one data message has been spliced, output the file data content actually transferred to the deep detection step as its input.
Taken together, these sub-steps mean: the file data actually transferred is reassembled according to the data message content provided by the current transfer file information extraction step and the current state of that file recorded in the file state memory.
The basic idea of this embodiment is: based on the file data provided by the current transfer file information extraction step and the file-related information provided by the file state database, the messages that conform to the current file's transfer information are spliced in order according to the protocol format to rebuild the file content actually transferred. For example, during an MSN file transfer, first verify that the Content-Type field of every MSN data message is application/x-msnmsgrp2p. After this field comes the destination address of this data transfer; that is, the content of the P2P-Dest field should match the file-related information provided by the file transfer behavior recognition step. Matching then continues after this field up to the two consecutive 0d0a whose following four bytes are not all zero. What follows is the transferred content. For the message determined to be the first file transfer message, the file begins after skipping 48 bytes, and extraction continues until the identifier 00000002 ends this segment of data. Thereafter, in all subsequent MSN file transfer messages that pass the file information check, the file content is extracted piece by piece following the steps above and spliced in order. After the identifier 00000002 at the end of the whole file comes the BYE keyword, which marks the end of this file's transfer.
Embodiment six:
This embodiment is a preferred scheme of the deep detection step of Embodiment one. It comprises the following sub-steps:
Sub-steps of the deep detection step:
Receive the staged spliced messages output by the file reassembly step;
Fetch the detection rules stored in the detection rule base;
Using the detection rules as patterns, detect the spliced messages with a multi-pattern matching algorithm;
If a virus or attack is found, alert or block.
The basic idea of this embodiment is: after receiving each piece of file content being transferred, as provided in turn by the file reformer, the deep detection step takes the staged reassembled file it has received as input and uses the preset actual detection rules stored in the detection rule base as patterns (the actual detection rules here include the message features of various attacks and the features of various viruses). It performs deep detection with multi-pattern matching and, when a virus or attack is found, takes the corresponding measure, such as alerting or blocking.
The algorithm used in this embodiment: the deep detection stage uses a multi-pattern matching algorithm, with the actual detection rules stored in the established detection rule base as the match patterns and the message fragments spliced in turn by the file reassembly stage as the samples to be matched, and accurately detects the various viruses or attacks carried in the current file.
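The state update, reassembly and deep detection steps of Embodiments four to six, as an added example that is not part of the patent text. It assumes each message carries a per-file sequence number as in the 47813/1320/49133 example, uses Aho-Corasick as the multi-pattern matching algorithm (the patent names none), and keeps the matcher state per file instead of re-scanning the spliced data; all names, the second file ID, the source ID and the rule are constructed.

```python
from collections import deque

class MultiPatternMatcher:
    """Aho-Corasick automaton over bytes; scanning can resume from a saved state."""
    def __init__(self, rules):
        self.goto, self.fail, self.out = [{}], [0], [[]]
        for name, pattern in rules.items():          # build the keyword trie
            node = 0
            for byte in pattern:
                if byte not in self.goto[node]:
                    self.goto[node][byte] = len(self.goto)
                    self.goto.append({})
                    self.fail.append(0)
                    self.out.append([])
                node = self.goto[node][byte]
            self.out[node].append(name)
        queue = deque(self.goto[0].values())          # breadth-first failure links
        while queue:
            node = queue.popleft()
            for byte, child in self.goto[node].items():
                f = self.fail[node]
                while f and byte not in self.goto[f]:
                    f = self.fail[f]
                self.fail[child] = self.goto[f].get(byte, 0)
                self.out[child] += self.out[self.fail[child]]
                queue.append(child)

    def scan(self, state, data):
        """Feed one segment; return (new_state, names of rules that matched)."""
        hits = []
        for byte in data:
            while state and byte not in self.goto[state]:
                state = self.fail[state]
            state = self.goto[state].get(byte, 0)
            hits.extend(self.out[state])
        return state, hits

class TransferMonitor:
    """File state store keyed by (source ID, destination ID, file ID)."""
    def __init__(self, matcher):
        self.matcher = matcher
        self.files = {}

    def on_segment(self, src_id, dst_id, file_id, seq, data, end=False):
        key = (src_id, dst_id, file_id)
        entry = self.files.get(key)
        if entry is None:                             # new transfer: create entry
            entry = self.files[key] = {"next_seq": seq, "match_state": 0}
        elif seq != entry["next_seq"]:                # not the expected packet
            return "discard", []
        # Detection runs on every spliced segment, continuing this file's state.
        entry["match_state"], hits = self.matcher.scan(entry["match_state"], data)
        entry["next_seq"] = seq + len(data)           # e.g. 47813 + 1320 = 49133
        if end:                                       # end of transfer: drop entry
            del self.files[key]
        return ("alert" if hits else "ok"), hits

RULES = {"constructed-test-marker": b"TEST-SIGNATURE-0001"}   # constructed rule

def demo():
    """Two files interleaved in one session; the marker is split across file 3d."""
    matcher = MultiPatternMatcher(RULES)
    monitor = TransferMonitor(matcher)
    src, dst = "sender@example.com", "carinafubailing@hotmail.com"
    a1 = b"A" * 1310 + b"TEST-SIGNA"                  # 1320 bytes of file 3d
    b1 = b"B" * 500                                   # segment of another file
    a2 = b"TURE-0001" + b"A" * 100                    # rest of file 3d
    verdicts = [
        monitor.on_segment(src, dst, 0x3D, 47813, a1)[0],
        monitor.on_segment(src, dst, 0x5E, 100, b1)[0],
        monitor.on_segment(src, dst, 0x3D, 50000, a2)[0],        # wrong sequence
        monitor.on_segment(src, dst, 0x3D, 49133, a2, end=True)[0],
    ]
    # Scanning the session in arrival order, without per-file state, misses it.
    naive_hits = matcher.scan(0, a1 + b1 + a2)[1]
    return verdicts, naive_hits, sorted(key[2] for key in monitor.files)

if __name__ == "__main__":
    print(demo())
```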
Embodiment seven:
This embodiment is a virtual device, or system, that implements the methods of Embodiments one, two, three, four, five and six. The system, shown in Fig. 2, comprises: a file transfer recognizer responsible for recognizing file transfer behavior from data messages; a file information extractor that extracts the relevant information from the current file transfer information contained in a data message; a file state memory that stores the current state information of all files being transferred; a file reformer that reassembles and restores the corresponding file using the file information of the current message and the stored state of that file; and a deep detector that performs deep detection on the reassembled file data according to the actual detection rules.
Wherein, the file transfer recognizer implements the function described in Embodiment two of recognizing file transfer behavior from data messages; the current transfer file information extractor implements the function described in Embodiment three of extracting the relevant information from the information of the currently transferred file contained in the data message; the file state memory stores the relevant information of each file currently in transfer and also implements the file state information update, the storing of new file information and the deletion of the information of files whose transfer has finished, as described in Embodiment four; the file reformer implements the function described in Embodiment five of reassembling and restoring the corresponding file using the file information of the current data message and the stored state of that file; the deep detector implements the function described in Embodiment six of performing deep detection on the reassembled file.
A system for real-time monitoring in file transfer comprises: a file transfer recognizer, a file information extractor, a file state memory, a file reformer, a detection rule base and a detection engine. The file transfer recognizer is connected to the file information extractor; the file information extractor is connected to the file state memory and the file reformer; the file state memory is connected to the file reformer; the file reformer is connected to the deep detector.

Claims (7)

1. the method for a real-time monitoring in file transfer, employed system comprises: file transfer identifier, fileinfo extractor, file status holder, file reformer, detection rule base and detection engine is characterized in that described method comprises following steps:
File transfer behavior identification step;
Current transfer files information extraction step;
The file status step of updating;
The file reconstitution steps;
Deeply detect step.
2. the method for a kind of real-time monitoring in file transfer according to claim 1 is characterized in that the substep in the described file transfer behavior identification step:
Data message according to actual acquisition adopts the protocol analysis technology to carry out the stratification parsing;
Determine the IM software type of current use;
Static message characteristic, file transfer action identification according to corresponding IM software are discerned the file transfer behavior of current I M software;
The data message that extracts include file transmission information uses for current transfer files information extraction step.
3. the method for a kind of real-time monitoring in file transfer according to claim 1 is characterized in that the substep in the described current transfer files information extraction step:
The data message that provides with file transfer behavior identification step serves as to extract object, in this message, extract with current message in the relevant information of file transmitted;
These information are offered the foundation of file status memory as the file status step of updating;
Simultaneously the data division that transmits in the middle of the data message is offered of the input of file reformer as the file reorganization.
4. The method for real-time monitoring in file transfer according to claim 1, characterized in that the file status update step comprises the following sub-steps:
using the file-related information extracted in the current transfer file information extraction step, consulting the state information for this file stored in the file status memory;
if the rule is met, updating the file status information in the file status memory;
if the file status memory contains no information on the current file, saving the current information as a new transfer file;
if the current file-related information is marked as the end of the file transfer, deleting this file's state information from the file status memory.
5. The method for real-time monitoring in file transfer according to claim 1, characterized in that the file reassembly step comprises the following sub-steps:
extracting the file data provided by the current transfer file information extraction step;
extracting the information on this file stored in the file status memory;
splicing the file data portion carried in the current data message onto the data portion already transferred;
after each data packet is spliced, outputting the file data content actually transferred to the deep detection step as its input.
6. The method for real-time monitoring in file transfer according to claim 1, characterized in that the deep detection step comprises the following sub-steps:
receiving the staged spliced message output by the file reassembly step;
extracting the detection rules stored in advance in the detection rule base;
using the detection rules as patterns, applying a multi-pattern matching algorithm to the spliced message;
if a virus or an attack is found, raising an alarm or blocking.
7. A system for real-time monitoring in file transfer, characterized in that it comprises: a file transfer identifier responsible for identifying file transfer behavior from data messages; a file information extractor, connected to the file transfer identifier, that extracts the relevant information from the current file transfer information contained in a data message; a file status memory, connected to the file information extractor, that stores the current state information of all files being transferred; a file reformer, connected to the file information extractor and the file status memory, that reassembles and restores the corresponding file from the file information in the current message and the stored state of that file; a detection rule base, connected to the deep detector, that stores the preset detection rules; and a deep detector, connected to the file reformer, that performs deep detection on the reassembled file data according to the detection rules.
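The state update, reassembly and detection steps of claims 4 to 6, sketched as an added example that is not part of the patent. The transfer id key, the message fields and the two rules are assumptions made for the illustration, and a plain per-pattern scan stands in for the multi-pattern matching algorithm.

```python
from dataclasses import dataclass, field

# Constructed rule base (rule name -> byte pattern); not real signatures.
RULES = {"demo-rule-1": b"EVIL_MARKER", "demo-rule-2": b"BADSIG"}
OVERLAP = max(len(p) for p in RULES.values()) - 1


@dataclass
class FileState:
    """One entry in the file status memory."""
    name: str
    data: bytearray = field(default_factory=bytearray)  # bytes spliced so far


class TransferMonitor:
    def __init__(self):
        self.states = {}   # file status memory, keyed by transfer id
        self.alerts = []   # (transfer id, rule name, offset in file)

    def on_message(self, transfer_id, name, payload, last=False):
        """Process one message already identified as carrying file data."""
        # State update: an unknown transfer id is stored as a new file.
        state = self.states.setdefault(transfer_id, FileState(name))
        # Reassembly: splice the payload onto this file's earlier data.
        old_len = len(state.data)
        state.data += payload
        # Detection after every splice: rescan only where a match can end
        # in the new bytes, so patterns split across packets are caught.
        start = max(0, old_len - OVERLAP)
        found = []
        for rule, pattern in RULES.items():
            pos = state.data.find(pattern, start)
            while pos != -1:
                if pos + len(pattern) > old_len:  # not reported earlier
                    found.append((transfer_id, rule, pos))
                pos = state.data.find(pattern, pos + 1)
        self.alerts.extend(found)
        if last:  # end of transfer: delete this file's state
            del self.states[transfer_id]
        return found


def demo():
    """Two constructed transfers whose packets arrive interleaved."""
    mon = TransferMonitor()
    mon.on_message(1, "a.bin", b"hello EVIL_")
    mon.on_message(2, "b.bin", b"MARKER clean data")
    mon.on_message(1, "a.bin", b"MARKER tail", last=True)
    mon.on_message(2, "b.bin", b" BADSIG", last=True)
    return mon.alerts, mon.states
```

In the constructed input, concatenating payloads in arrival order would join the first packet of file 1 to the first packet of file 2 and match `EVIL_MARKER` across two different files; keeping state per file attributes the match to file 1 at offset 6 only.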

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNA2008101043225A CN101562605A (en) 2008-04-17 2008-04-17 Method and system for real-time monitoring in file transfer

Publications (1)

Publication Number Publication Date
CN101562605A true CN101562605A (en) 2009-10-21

Family

ID=41221225

Country Status (1)

Country Link
CN (1) CN101562605A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102916955A (en) * 2012-10-15 2013-02-06 北京神州绿盟信息安全科技股份有限公司 System and method for preventing/detecting network intrusion
CN102916955B (en) * 2012-10-15 2016-03-02 北京神州绿盟信息安全科技股份有限公司 Network intrusion prevention/detection system and method

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C12 Rejection of a patent application after its publication
RJ01 Rejection of invention patent application after publication

Open date: 20091021