CN101873326B - Method for iteration-type virus detection based on sequenced packets - Google Patents


Info

Publication number: CN101873326B
Authority: CN (China)
Prior art keywords: detection, intermediate, data, buffer, state
Application number: CN 201010208201
Other languages: Chinese (zh)
Other versions: CN101873326A (en)
Inventors: 张栗伟, 童志明
Original assignee: 北京安天电子设备有限公司
Priority date: 2010-06-24
Filing date: 2010-06-24
Publication date: 2013-03-06

Application filed by 北京安天电子设备有限公司
Priority to CN 201010208201
Publication of CN101873326A
Application granted
Publication of CN101873326B

Abstract

The invention discloses an iterative virus detection method based on ordered packets. The method comprises: allocating a buffer and returning the buffer address to the caller; detecting packet data, ensuring during detection that the incoming packets are ordered; and releasing the buffer. The invention reduces resource consumption and improves detection accuracy with essentially no loss of detection efficiency.

Description

Iterative virus detection method based on ordered packets

Technical Field

[0001] The present invention relates to the technical field of network security, and in particular to an iterative virus detection method based on ordered packets.

Background Art

[0002] With the development and spread of the Internet, the share of viruses propagated over networks is rising steadily, and with it come increasingly prominent information security problems. Current detection approaches fall roughly into two types:

[0003] packet-based detection and stream-based detection.

[0004] Shortcomings of packet-based detection: it places high demands on signature quality (for example, a signature cannot be too long, yet signature complexity depends to some extent on signature length); because the context between packets is not preserved, the transferred file cannot be format-identified or format-processed, and format identification and processing is precisely one of the means of ensuring accurate detection; and a signature that spans two or more packets is hard to handle.

[0005] Shortcomings of stream-based detection: the actual file must be reconstructed, so memory consumption is very large, and reconstructing the file hurts detection efficiency.

Summary of the Invention

[0006] In view of the above shortcomings, the problem to be solved by the present invention is to provide a virus detection method that balances detection accuracy and efficiency while consuming few resources.

[0007] To solve the above technical problem, the present invention provides a virus detection method comprising:

[0008] a. allocating a buffer;

[0009] b. detecting packet data;

[0010] c. releasing the buffer.

[0011] Further, in step a, a buffer is allocated and its address is returned to the caller; the buffer holds the intermediate state data generated during detection.

[0012] In step b, the packet data is detected, and during detection it must be ensured that the incoming packets are ordered.

[0013] Further, the verdict is derived by combining the previously saved intermediate result with the current detection result.

[0014] Step b specifically comprises:

[0015] b1. reading the previously saved intermediate state;

[0016] b2. detecting the packet data supplied this time and saving the intermediate state of the current detection;

[0017] b3. deriving the verdict from the previous intermediate state and the current detection result.

[0018] Further, step b2 specifically comprises:

[0019] examining the previously saved intermediate state data and determining whether the range of data to be detected can be fixed from the previous intermediate state; if the detection range cannot be determined, detecting the entire packet data; and saving the current state by combining the previous intermediate state with this detection result.

[0020] In step c, the buffer is released after detection of the tail packet has completed.

[0021] The present invention reduces resource consumption and improves detection accuracy with essentially no loss of detection efficiency. Because only part of the intermediate state and the detection result need to be retained, rather than buffering all of the data, resource consumption is reduced compared with stream-based detection. Because the intermediate state is retained, the loss of inter-packet context that single-packet detection suffers is avoided, which improves detection accuracy.

Brief Description of the Drawings

[0022] Fig. 1 is a flow chart of a specific embodiment of the iterative virus detection method based on ordered packets according to the present invention;

[0023] Fig. 2 is a flow chart of an application example of the present invention.

Detailed Description

[0024] The technical solution of the present invention is described in more detail below with reference to the drawings and embodiments.

[0025] The present invention exploits the property that, within a group of ordered packets, the packets are related to one another (that is, ordered): the device first ensures that the packets are in order and then performs detection on that basis.

[0026] The iterative virus detection method based on ordered packets of the present invention is shown in Fig. 1; the steps are as follows:

[0027] A. if the incoming data is the first packet, allocate a buffer for saving the intermediate state and the detection result;

[0028] B. parse the previously saved intermediate state to obtain the file format, the position to be detected, the length already detected, the previous detection result and so on;

[0029] the intermediate state data includes, but is not limited to, the file format, the position to be detected, the length already detected, the previous detection result and other detection-related data;

[0030] C. detect according to the previously saved intermediate state, and produce a detection result by merging the current detection result with the previous intermediate state;

[0031] D. save the current intermediate state data, merging the intermediate state of the current detection with the previously saved intermediate state for use by the next iteration of detection;

[0032] E. return the detection result and the intermediate state data; if the result is determined to be a virus, no further iteration is needed;

[0033] F. if the incoming data is the tail packet, end detection and release the buffer.

[0034] An application example of the present invention is described below.

[0035] Assume the incoming packets are ordered, the transferred file is a PE file, and the position to be detected is the code section. The specific steps of the application example are shown in Fig. 2 and comprise:

[0036] Step 201: obtain the packet data, i.e. the content of the packet currently being transferred.

[0037] Step 202: obtain the previously saved intermediate state; the intermediate state data includes, but is not limited to, the file format, the position to be detected, the length already detected, the previous detection result and other detection-related data.

[0038] Step 203: parse the intermediate state data and the packet data, and detect the packet data using the previous intermediate state data.

[0039] For example, the position and size of the code section are obtained by parsing the previous intermediate state, and the length already detected is used to decide whether detection needs to continue.

[0040] Step 204: decide from the previous intermediate result and the current detection result whether a virus is present, and determine the next operation from that decision: if it is a virus, go to step 205; otherwise go to step 206 and continue iterative detection.

[0041] Step 205: return the detection result.

[0042] Step 206: save the current state data for the next iteration of detection, and return to step 201 until the tail packet is detected.

[0043] Of course, the present invention may have various other embodiments. Without departing from the spirit and essence of the present invention, those skilled in the art can make various corresponding changes and modifications according to the present invention, but all such changes and modifications shall fall within the protection scope of the appended claims.
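The following Python program is an added illustration of steps A to F above and of the PE/code-section application example (steps 201 to 206); it is not code from the patent or from its assignee. It assumes a constructed 12-byte header (magic, code-section offset, code-section size) standing in for the real PE headers, plain byte-string signatures, and packets that arrive in order; all signatures and packet payloads are constructed for the example. The carried state holds the file format, the region to scan, the length already consumed, the last partial bytes and the verdict, so a signature split across two packets (the case [0004] calls hard for packet-based detection) still matches, and an unrecognised format falls back to scanning whole packets as [0019] prescribes.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed stand-in signatures; not real malware patterns.
SIGNATURES: List[bytes] = [b"EXAMPLE-SIG-01", b"EXAMPLE-SIG-02"]
MAX_SIG = max(len(s) for s in SIGNATURES)

# Constructed 12-byte header standing in for the PE headers: a magic value,
# then code-section offset and size as little-endian uint32 (assumption).
HDR_MAGIC = b"PE\x00\x00"
HDR_LEN = 12


@dataclass
class State:
    """Intermediate state carried between packets (the buffer of step a)."""
    header: bytes = b""                       # header bytes collected so far
    fmt: Optional[str] = None                 # file format once recognised
    region: Optional[Tuple[int, int]] = None  # (start, end) of the code section
    consumed: int = 0                         # length of the file already seen
    tail: bytes = b""                         # last MAX_SIG-1 scanned bytes
    verdict: Optional[str] = None             # None while clean, else signature


def allocate() -> State:
    """Step a / A: allocate the state buffer when the first packet arrives."""
    return State()


def release(st: State) -> None:
    """Step c / F: after the tail packet, keep only the verdict."""
    st.header, st.tail, st.region = b"", b"", None


def _recognise_format(st: State, payload: bytes) -> None:
    """Collect header bytes (possibly across packets) until the format and the
    region to scan are known."""
    if st.fmt is not None:
        return
    st.header += payload[: HDR_LEN - len(st.header)]
    if len(st.header) < HDR_LEN:
        return
    magic, off, size = struct.unpack("<4sII", st.header)
    if magic == HDR_MAGIC:
        st.fmt, st.region = "PE", (off, off + size)
    else:
        st.fmt = "unknown"                    # region unknown: scan everything


def scan_packet(st: State, payload: bytes, last: bool) -> Optional[str]:
    """Step b: scan one in-order packet using the carried state and return the
    verdict so far (signature name or None)."""
    if st.verdict is not None:                # step E: no further iteration
        return st.verdict
    start, end = st.consumed, st.consumed + len(payload)
    st.consumed = end
    _recognise_format(st, payload)

    # b1/b2: narrow the bytes to check from the saved state; if the range
    # cannot be determined, check the whole packet.
    if st.region is None:
        chunk = payload
    else:
        lo, hi = max(start, st.region[0]), min(end, st.region[1])
        chunk = payload[lo - start:hi - start] if lo < hi else b""

    # Prepending the tail of the previously scanned bytes lets a signature
    # split across two packets still match.
    window = st.tail + chunk
    for sig in SIGNATURES:
        if sig in window:
            st.verdict = sig.decode()
            break
    if chunk:
        st.tail = window[-(MAX_SIG - 1):]     # b2: save new intermediate state
    if last:
        release(st)
    return st.verdict                         # b3: combined verdict


def run_stream(packets: List[bytes]) -> List[Optional[str]]:
    """Feed ordered packets through steps a-c and collect each verdict."""
    st = allocate()
    return [scan_packet(st, p, last=(i == len(packets) - 1))
            for i, p in enumerate(packets)]


def demo_pe_split_signature() -> List[Optional[str]]:
    """Constructed PE-like stream whose code section holds a signature split
    across the second and third packets."""
    code = b"\x90" * 20 + b"EXAMPLE-SIG-02" + b"\xc3" * 10
    padding = b"\x00" * 20
    header = struct.pack("<4sII", HDR_MAGIC, HDR_LEN + len(padding), len(code))
    data = header + padding + code            # code section at [32, 76)
    return run_stream([data[:40], data[40:60], data[60:]])


def demo_unknown_format() -> List[Optional[str]]:
    """Constructed stream with an unrecognised header: every packet is scanned
    in full, and the match still spans a packet boundary."""
    data = b"RAW!" + b"\x00" * 30 + b"EXAMPLE-SIG-01"
    return run_stream([data[:20], data[20:40], data[40:]])


if __name__ == "__main__":
    print(demo_pe_split_signature())         # [None, None, 'EXAMPLE-SIG-02']
    print(demo_unknown_format())             # [None, None, 'EXAMPLE-SIG-01']
```

Only `MAX_SIG - 1` bytes of already-scanned data are retained between packets, which is the minimum needed for a boundary-spanning match; everything else that stream-based detection would buffer is discarded, which is where the resource saving the description claims comes from. The cost of narrowing to the code section is that bytes outside the declared region are never scanned, so the region decision depends on parsing the header correctly.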

Claims (1)

1. An iterative virus detection method based on ordered packets, characterised in that:
a. a buffer is allocated and its address is returned to the caller, the buffer holding the intermediate state data generated during detection;
b. packet data is detected, ensuring during detection that the incoming packets are ordered, and the verdict is derived by combining the previously saved intermediate result with the current detection result;
c. the buffer is released after detection of the tail packet has completed;
wherein step b specifically comprises:
b1. reading the previously saved intermediate state;
b2. detecting the packet data supplied this time and saving the intermediate state of the current detection;
b3. deriving the verdict from the previous intermediate state and the current detection result;
and step b2 specifically comprises:
examining the previously saved intermediate state data and determining whether the range of data to be detected can be fixed from the previous intermediate state; if the detection range cannot be determined, detecting the entire packet data; and saving the current state by combining the previous intermediate state with this detection result.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 201010208201 CN101873326B (en) 2010-06-24 2010-06-24 Method for iteration-type virus detection based on sequenced packets

Publications (2)

Publication Number Publication Date
CN101873326A CN101873326A (en) 2010-10-27
CN101873326B true CN101873326B (en) 2013-03-06

Family

ID=42997986

Country Status (1)

Country Link
CN (1) CN101873326B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1280726C (en) 2002-10-18 2006-10-18 上海贝尔有限公司 Virtual machine for embedded systemic software development
CN1851676A (en) 2006-05-25 2006-10-25 浙江大学 Embedded system buffer internal memory distribution method
CN101494530A (en) 2008-01-21 2009-07-29 中兴通讯股份有限公司 Method for distributing and using mixing automatic retransmission request data outburst buffer zone
CN101730271A (en) 2008-10-28 2010-06-09 大唐移动通信设备有限公司 Method and device for recycling radio resource

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7007071B1 (en) * 2000-07-24 2006-02-28 Mosaid Technologies, Inc. Method and apparatus for reducing pool starvation in a shared memory switch
US7979889B2 (en) * 2005-01-07 2011-07-12 Cisco Technology, Inc. Methods and apparatus providing security to computer systems and networks
US20060206855A1 (en) * 2005-03-09 2006-09-14 Biju Nair System and method for conflict identification and resolution

Legal Events

C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
C10 Entry into substantive examination
GR01 Patent grant
C14 Grant of patent or utility model

CP02 Change in the address of a patent holder
Address after: 100190 Zhongguancun Haidian District street, No. 14, layer, 1 1415-16
Patentee after: Beijing Antiy Electronic Installation Co., Ltd.
Address before: 100084. Office building 5, building 2, No. 1, Nongda South Road, Beijing, Haidian District, B-521
Patentee before: Beijing Antiy Electronic Installation Co., Ltd.

C56 Change in the name or address of the patentee
CP03 Change of name, title or address
Address after: 100195 Beijing City, Haidian District Jade Spring mountain minzhuang Road No. 3 Tsinghua Science Park, building 1, Yuquan Huigu on the ground floor on the west side, two layer (on both sides)
Patentee after: Beijing ahtech network Safe Technology Ltd
Address before: 100190 Zhongguancun Haidian District street, No. 14, layer, 1 1415-16
Patentee before: Beijing Antiy Electronic Installation Co., Ltd.

PE01 Entry into force of the registration of the contract for pledge of patent right
Denomination of invention: Method for iteration-type virus detection based on sequenced packets
Effective date of registration: 20170821
Granted publication date: 20130306
Pledgee: CITIC Bank Harbin branch
Pledgor: Beijing ahtech network Safe Technology Ltd
Registration number: 2017990000776

PC01 Cancellation of the registration of the contract for pledge of patent right
Date of cancellation: 20180817
Granted publication date: 20130306
Pledgee: CITIC Bank Harbin branch
Pledgor: Beijing ahtech network Safe Technology Ltd
Registration number: 2017990000776

PE01 Entry into force of the registration of the contract for pledge of patent right
Denomination of invention: Method for iteration-type virus detection based on sequenced packets
Effective date of registration: 20180817
Granted publication date: 20130306
Pledgee: CITIC Bank Harbin branch
Pledgor: Beijing ahtech network Safe Technology Ltd
Registration number: 2018990000700

PC01 Cancellation of the registration of the contract for pledge of patent right
Date of cancellation: 20191021
Granted publication date: 20130306
Pledgee: CITIC Bank Harbin branch
Pledgor: Beijing ahtech network Safe Technology Ltd
Registration number: 2018990000700