CN101873326B - Method for iteration-type virus detection based on sequenced packets - Google Patents
Method for iteration-type virus detection based on sequenced packets Download PDFInfo
- Publication number
- CN101873326B CN101873326B CN 201010208201 CN201010208201A CN101873326B CN 101873326 B CN101873326 B CN 101873326B CN 201010208201 CN201010208201 CN 201010208201 CN 201010208201 A CN201010208201 A CN 201010208201A CN 101873326 B CN101873326 B CN 101873326B
- Authority
- CN
- China
- Prior art keywords
- intermediateness
- bag
- data
- last
- result
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
- 238000001514 detection method Methods 0.000 title claims abstract description 33
- 238000000034 method Methods 0.000 title claims abstract description 16
- 241000700605 Viruses Species 0.000 title claims abstract description 13
- 230000008676 import Effects 0.000 claims description 4
- 230000003139 buffering effect Effects 0.000 claims description 2
- 230000005540 biological transmission Effects 0.000 description 3
- 238000004321 preservation Methods 0.000 description 3
- 230000007812 deficiency Effects 0.000 description 1
Images
Abstract
The invention discloses a method for iteration-type virus detection based on sequenced packets. The method comprises the following steps of: allocating a buffer, and returning the address of the buffer to a caller; detecting the data of the packet, and ensuring that the sent packet is sequenced in the detecting process; and releasing the buffer. Accordingly, the invention can reduce the resource occupation and improve the detection accuracy under the circumstance that the efficiency loss is hardly caused.
Description
Technical field
The present invention relates to the network security technology field, particularly relate to a kind of iterative method for detecting virus based on orderly bag.
Background technology
Along with the development of the Internet with popularize, it is just progressively soaring to carry out the ratio that virus propagates by network, follows it and what come is the information security issue of more and more giving prominence to.Present detection means roughly is divided into two kinds:
Based on the detection of bag with based on the detection of flowing.
Detection weak point based on bag: the quality to condition code has higher demand (for example: the length of condition code can not be long, and the condition code complexity depends on the length of condition code to a certain extent); Can't not carry out format identification and format analysis processing to the file of transmission owing to preserving the context relation between bag and the bag, and format identification and processing guarantee one of means that accurately detect exactly; More difficult for the situation that feature is crossed between two bags or a plurality of bag.
Detection weak point based on stream: need to restore concrete file, so memory source takies greatly; Also original has affected detection efficiency.
Summary of the invention
For above deficiency, the problem to be solved in the present invention provides a kind of method for detecting virus, and the method can in the less situation of resource occupation, have been taken into account the accuracy and the efficient that detect.
In order to solve the problem of above-mentioned technology, the invention provides a kind of method for detecting virus, comprising:
A, allocation buffer;
B, detection bag data;
C, buffer release district.
Further, among the step a, the allocation buffer also returns to caller with buffer zone address, and buffering area is used for being kept at the intermediateness data that produce in the testing process.
Among the step b, detect the bag data, will guarantee that in testing process the bag that imports into is orderly.
Further, draw result of determination in conjunction with last intermediate object program and the current detection result who preserves.
Step b specifically comprises:
B1, read last intermediateness of preserving;
B2, detect the bag data that this provides, and the intermediateness result of current detection is preserved;
B3, draw judgement according to intermediateness and the current detection result of last time.
Further, step b2 specifically comprises:
Check last intermediateness data of preserving, determine whether the scope of determining data to be tested according to the intermediateness of last time, if can't determine detection range then detect whole bag data, preserve current state in conjunction with last intermediateness and this testing result.
Among the step c, buffer release district after the detection of tail bag is finished
The present invention has reduced resource occupation basically not losing in the situation of detection efficiency, has improved the accuracy that detects.Owing to only need reserve part intermediateness and testing result, need not to cushion total data, the stream of comparing detects and has reduced resource occupation.Because the reservation intermediateness has avoided can't obtaining in single bag detection the context relation between bag and the bag, improved the accuracy that detects.
Description of drawings
Fig. 1 is the implementation flow chart of the iterative method for detecting virus based on orderly bag of the present invention;
Fig. 2 is the flow chart of application example of the present invention.
Embodiment
Below in conjunction with drawings and Examples technical scheme of the present invention is described in detail.
Utilized in the present invention at one group in order in the bag, had these characteristics of relevance (namely in order) between the bag, equipment is at first guaranteed the order of wrapping, and then can carry out on this basis Check processing.
Iterative method for detecting virus based on orderly bag of the present invention as shown in Figure 1, step is as follows:
A is if the data of importing into are first packets, and then the allocation buffer is used for preserving intermediateness and testing result;
B, the last intermediateness of preserving of parsing obtain file format, position to be detected, the length of oneself detection, last testing result etc.;
Described intermediateness data include but not limited to file format, position to be detected, the length that oneself detects, last testing result etc. and other data relevant with detection;
C, the intermediateness of preserving according to the last time detect, and provide testing result according to current detection result and last intermediateness merging;
D, the current intermediateness data of preservation, intermediateness result and last intermediateness merging preservation of preserving with current detection are used for next iterative detection and use;
E, return testing result and intermediateness data, need not to carry out iterative detection if testing result is defined as virus;
If the data that F imports into are tail bags, detection of end then, buffer release district.
The below further is illustrated with an application example of the present invention.
Suppose that the packet that imports into is orderly, the file of transmission is the PE file, and position to be detected is the code joint, and the implementation step of application example comprises as shown in Figure 2:
Determining whether such as the size of the position that obtains the code joint by resolving last intermediateness, code joint and by the length that has detected at present needs continuous continuing to detect etc.
Step 205, return testing result.
Certainly; the present invention also can have other various embodiments; in the situation that does not deviate from spirit of the present invention and essence thereof; those of ordinary skill in the art work as can make according to the present invention various corresponding changes and distortion, but these corresponding changes and distortion all should belong to the protection range of the appended claim of the present invention.
Claims (1)
1. the iterative method for detecting virus based on orderly bag is characterized in that,
A, allocation buffer, and buffer zone address returned to caller, buffering area is used for being kept at the intermediateness data that produce in the testing process;
B, detection bag data will guarantee that in testing process the bag that imports into is orderly, draw result of determination in conjunction with last intermediate object program and the current detection result who preserves;
Buffer release district after c, tail bag detect and finish;
Described step b specifically comprises:
B1, read last intermediateness of preserving;
B2, detect the bag data that this provides, and the intermediateness result of current detection is preserved;
B3, draw judgement according to intermediateness and the current detection result of last time;
Described step b2 specifically comprises:
Check last intermediateness data of preserving, determine whether the scope of determining data to be tested according to the intermediateness of last time, if can't determine detection range then detect whole bag data, preserve current state in conjunction with last intermediateness and this testing result.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN 201010208201 CN101873326B (en) | 2010-06-24 | 2010-06-24 | Method for iteration-type virus detection based on sequenced packets |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN 201010208201 CN101873326B (en) | 2010-06-24 | 2010-06-24 | Method for iteration-type virus detection based on sequenced packets |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN101873326A CN101873326A (en) | 2010-10-27 |
| CN101873326B true CN101873326B (en) | 2013-03-06 |
Family
ID=42997986
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN 201010208201 Active CN101873326B (en) | 2010-06-24 | 2010-06-24 | Method for iteration-type virus detection based on sequenced packets |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN101873326B (en) |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1280726C (en) * | 2002-10-18 | 2006-10-18 | 上海贝尔有限公司 | Virtual machine for embedded systemic software development |
| CN1851676A (en) * | 2006-05-25 | 2006-10-25 | 浙江大学 | Embedded system buffer internal memory distribution method |
| CN101494530A (en) * | 2008-01-21 | 2009-07-29 | 中兴通讯股份有限公司 | Method for distributing and using mixing automatic retransmission request data outburst buffer zone |
| CN101730271A (en) * | 2008-10-28 | 2010-06-09 | 大唐移动通信设备有限公司 | Method and device for recycling radio resource |
Family Cites Families (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US7007071B1 (en) * | 2000-07-24 | 2006-02-28 | Mosaid Technologies, Inc. | Method and apparatus for reducing pool starvation in a shared memory switch |
| US7979889B2 (en) * | 2005-01-07 | 2011-07-12 | Cisco Technology, Inc. | Methods and apparatus providing security to computer systems and networks |
| US20060206855A1 (en) * | 2005-03-09 | 2006-09-14 | Biju Nair | System and method for conflict identification and resolution |
-
2010
- 2010-06-24 CN CN 201010208201 patent/CN101873326B/en active Active
Patent Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1280726C (en) * | 2002-10-18 | 2006-10-18 | 上海贝尔有限公司 | Virtual machine for embedded systemic software development |
| CN1851676A (en) * | 2006-05-25 | 2006-10-25 | 浙江大学 | Embedded system buffer internal memory distribution method |
| CN101494530A (en) * | 2008-01-21 | 2009-07-29 | 中兴通讯股份有限公司 | Method for distributing and using mixing automatic retransmission request data outburst buffer zone |
| CN101730271A (en) * | 2008-10-28 | 2010-06-09 | 大唐移动通信设备有限公司 | Method and device for recycling radio resource |
Also Published As
| Publication number | Publication date |
|---|---|
| CN101873326A (en) | 2010-10-27 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN103823792B (en) | Method and equipment for detecting hotspot events from text document | |
| CN104424240B (en) | Multilist correlating method, main service node, calculate node and system | |
| CN103220352B (en) | Terminal, server, file storage system and file storage method | |
| CN106294222A (en) | A kind of method and device determining PCIE device and slot corresponding relation | |
| CN105187533A (en) | Data transmission method and device | |
| CN107247722A (en) | File scanning method and device and intelligent terminal | |
| CN103024819A (en) | Data distribution method of third-generation mobile communication core network based on user terminal IP (Internet Protocol) | |
| CN109542857A (en) | Audit log storage method, querying method, device and relevant device | |
| CN103150646A (en) | Classified display method and device of electronic mail | |
| CN107454205A (en) | A kind of method and apparatus of connection server | |
| CN104219639A (en) | Method and device for displaying text message record | |
| CN106201917A (en) | A kind of data handling system and method | |
| CN103888364A (en) | Message shunting method and device | |
| CN110908995B (en) | Data processing method, device and equipment | |
| CN102437959B (en) | Stream forming method based on dual overtime network message | |
| CN101873326B (en) | Method for iteration-type virus detection based on sequenced packets | |
| CN101789105A (en) | Packet-level dynamic mail attachment virus detection method | |
| CN109697281A (en) | The online method, apparatus and electronic equipment for merging document | |
| CN103179024A (en) | Method and device for filtering mails | |
| CN109597566A (en) | A kind of reading data, storage method and device | |
| CN103118028B (en) | Based on the security sweep method and system of web analysis | |
| CN106557535B (en) | Method and system for processing big data level Pcap file | |
| CN104216872B (en) | The method and device of rubbish chapters and sections in a kind of identification network novel | |
| CN106599320A (en) | File information abstract value calculation method and device | |
| KR101482229B1 (en) | Computer enabled method of data sort, system performing the same and storage media storing the same |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant | ||
| C56 | Change in the name or address of the patentee | ||
| CP02 | Change in the address of a patent holder |
Address after: 100190 Zhongguancun Haidian District street, No. 14, layer, 1 1415-16 Patentee after: Beijing Antiy Electronic Installation Co., Ltd. Address before: 100084. Office building 5, building 2, No. 1, Nongda South Road, Beijing, Haidian District, B-521 Patentee before: Beijing Antiy Electronic Installation Co., Ltd. |
|
| CP03 | Change of name, title or address |
Address after: 100195 Beijing City, Haidian District Jade Spring mountain minzhuang Road No. 3 Tsinghua Science Park, building 1, Yuquan Huigu on the ground floor on the west side, two layer (on both sides) Patentee after: Beijing ahtech network Safe Technology Ltd Address before: 100190 Zhongguancun Haidian District street, No. 14, layer, 1 1415-16 Patentee before: Beijing Antiy Electronic Installation Co., Ltd. |
|
| CP03 | Change of name, title or address | ||
| PE01 | Entry into force of the registration of the contract for pledge of patent right | ||
| PE01 | Entry into force of the registration of the contract for pledge of patent right |
Denomination of invention: Method for iteration-type virus detection based on sequenced packets Effective date of registration: 20170821 Granted publication date: 20130306 Pledgee: CITIC Bank Harbin branch Pledgor: Beijing ahtech network Safe Technology Ltd Registration number: 2017990000776 |
|
| PC01 | Cancellation of the registration of the contract for pledge of patent right | ||
| PC01 | Cancellation of the registration of the contract for pledge of patent right |
Date of cancellation: 20180817 Granted publication date: 20130306 Pledgee: CITIC Bank Harbin branch Pledgor: Beijing ahtech network Safe Technology Ltd Registration number: 2017990000776 |
|
| PE01 | Entry into force of the registration of the contract for pledge of patent right | ||
| PE01 | Entry into force of the registration of the contract for pledge of patent right |
Denomination of invention: Method for iteration-type virus detection based on sequenced packets Effective date of registration: 20180817 Granted publication date: 20130306 Pledgee: CITIC Bank Harbin branch Pledgor: Beijing ahtech network Safe Technology Ltd Registration number: 2018990000700 |
|
| PC01 | Cancellation of the registration of the contract for pledge of patent right | ||
| PC01 | Cancellation of the registration of the contract for pledge of patent right |
Date of cancellation: 20191021 Granted publication date: 20130306 Pledgee: CITIC Bank Harbin branch Pledgor: Beijing ahtech network Safe Technology Ltd Registration number: 2018990000700 |