
CN103248606A - Network virus detection method and system for IPv4 (Internet Protocol Version 4) and IPv6 (Internet Protocol Version 6) - Google Patents


Info

Publication number
CN103248606A
Application number
CN 201210022667
Authority
CN
Grant status
Application
Prior art keywords
protocol
data
network
detection
internet
Other languages
Chinese (zh)
Inventor
邱勇良
刘静
Original Assignee
哈尔滨安天科技股份有限公司


Abstract

The invention provides a network virus detection method and system for IPv4 (Internet Protocol Version 4) and IPv6 (Internet Protocol Version 6). The method comprises the following steps: network packets are captured; network layer and IP (internet protocol) layer protocol identification is performed on packets that use the IPv4 protocol or the IPv6 protocol; packets having the same transmission control protocol (TCP) four-tuple are reassembled; the application layer protocol of each data stream is identified, and the packets in the data stream are reordered and restored to the correct order of the file; protocol parsing is performed on data streams that use the IPv4 protocol or the IPv6 protocol, and data streams containing file transfer behaviour are restored into files according to the protocol parsing result; the data stream is sent to a detection engine for network virus detection, and a detection report is generated; and the detection report is provided to an external processing program. The invention further provides a network virus detection system for IPv4 and IPv6. With this method and system, the problem that network security is difficult to monitor during the current migration from IPv4 to IPv6 is effectively solved.

Description

A network virus detection method and system for IPv4 and IPv6

Technical Field

[0001] The present invention relates to the field of network security detection and management, and in particular to a network virus detection method and system for IPv4 and IPv6.

Background

[0002] With the rapid development of the Internet, the openness of the IP network environment and the lack of careful consideration of security issues by the designers of IPv4 have exposed more and more shortcomings of traditional IPv4, and the current IP network security situation is grim. The spread of viruses, malicious code attacks and hacker attacks have made the whole network less and less secure; for this reason the IETF proposed IPv6 as a new Internet addressing solution. After several years of development, IPv6 technology has matured and is regarded as the standard for the next-generation Internet.

[0003] As the next-generation network layer protocol standard, IPv6 is bound to be widely promoted and deployed in the future; in this situation, how to implement security technology for IPv6 has become a pressing problem.

Summary of the Invention

[0004] The present invention provides a network virus detection method and system for IPv4 and IPv6, which effectively solves the problem that network security is difficult to monitor during the current migration from IPv4 to IPv6.

[0005] A network virus detection method for IPv4 and IPv6, comprising:

capturing network packets;

performing network layer protocol identification, that is, determining the IP protocol of the packet: if the packet uses the IPv4 protocol, performing IPv4 network layer protocol identification, and if the packet uses the IPv6 protocol, performing IPv6 network layer protocol identification;

performing IP protocol decoding according to the protocol type used by the packet to obtain the TCP four-tuple of the packet, using IPv4 IP-layer decoding if the packet uses the IPv4 protocol and IPv6 IP-layer decoding if the packet uses the IPv6 protocol; the TCP four-tuple consists of the packet's source address, destination address, source port and destination port.

[0006] reassembling packets that have the same TCP four-tuple, so that discrete packets are aggregated into a data stream;

identifying the application layer protocol of each data stream, and identifying the application layer protocols in which file transfer behaviour occurs;

rearranging the order of the packets in the data stream according to the application layer protocol identification result, restoring the correct order of the file;

performing protocol parsing on the data stream: determining, according to the protocol stack, the protocol type used by the data stream, and using IPv4 protocol parsing if it is IPv4 and IPv6 protocol parsing if it is IPv6;

according to the protocol parsing result, restoring data streams that contain file transfer behaviour into files, and leaving data streams without file transfer behaviour unprocessed;

sending the packets, according to their content type, to the preset corresponding detection engine for network virus detection, and generating a detection report;

sending the detection report to an external processing program.

[0007] In the method, the network layer protocol identification comprises at least identification of the TCP/IP, ARP and RARP protocols.

[0008] In the method, the content types of the packets comprise at least: data streams with file content and data streams with non-file content.

[0009] A network virus detection system for IPv4 and IPv6, comprising:

a packet capture module for capturing network packets;

a network layer identification module for performing network layer protocol identification, that is, determining the IP protocol of the packet: if the packet uses the IPv4 protocol, performing IPv4 network layer protocol identification, and if the packet uses the IPv6 protocol, performing IPv6 network layer protocol identification;

an IP layer identification module for performing IP protocol decoding according to the protocol type used by the packet to obtain the TCP four-tuple of the packet, using IPv4 IP-layer decoding if the packet uses the IPv4 protocol and IPv6 IP-layer decoding if the packet uses the IPv6 protocol;

a flow aggregation module for reassembling packets that have the same TCP four-tuple, so that discrete packets are aggregated into a data stream;

an application protocol identification module for identifying the application layer protocol of each data stream and identifying the application layer protocols in which file transfer behaviour occurs;

a flow restoration module for rearranging the order of the packets in the data stream according to the application layer protocol identification result, restoring the correct order of the file;

a protocol parsing module for performing protocol parsing on the data stream: determining, according to the protocol stack, the protocol type used by the data stream, and using IPv4 protocol parsing if it is IPv4 and IPv6 protocol parsing if it is IPv6;

a file restoration module for restoring, according to the protocol parsing result, data streams that contain file transfer behaviour into files, and leaving data streams without file transfer behaviour unprocessed;

a detection engine module for sending the packets, according to their content type, to the preset corresponding detection engine for network virus detection, and generating a detection report;

a response interface module for sending the detection report to an external processing program.

[0010] In the system, the network layer identification module's identification of network layer protocols comprises at least identification of the TCP/IP, ARP and RARP protocols.

[0011] In the system, the content types of the packets comprise at least: data streams with file content and data streams with non-file content.

[0012] The present invention performs protocol parsing separately according to the different IP address protocols used for data transmission, can effectively monitor network security threat events within the network, and provides a security posture report for monitoring the whole network.

[0013] The present invention provides a network virus detection method and system for IPv4 and IPv6. The method comprises: capturing network packets; performing network layer and IP layer protocol identification separately for packets that use the IPv4 protocol or the IPv6 protocol; reassembling packets that have the same TCP four-tuple; identifying the application layer protocol of each data stream, rearranging the order of the packets in the data stream and restoring the correct order of the file; performing protocol parsing on data streams that use the IPv4 protocol or the IPv6 protocol and, according to the protocol parsing result, restoring data streams that contain file transfer behaviour into files; sending the data streams to a detection engine for network virus detection and generating a detection report; and providing the detection report to an external processing program. The present invention further provides a network virus detection system for IPv4 and IPv6. The method and system of the present invention effectively solve the problem that network security is difficult to monitor during the current migration from IPv4 to IPv6, and prevent the spread of threats in a timely and effective manner.

Brief Description of the Drawings

[0014] In order to explain the technical solutions of the present invention or of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention, and those of ordinary skill in the art can derive other drawings from them without creative effort.

[0015] FIG. 1 is a flowchart of a network virus detection method for IPv4 and IPv6;

FIG. 2 is a schematic structural diagram of a network virus detection system for IPv4 and IPv6.

Detailed Description

[0016] In order that those skilled in the art may better understand the technical solutions in the embodiments of the present invention, and that the above objects, features and advantages of the present invention may be made more evident, the technical solutions of the present invention are described in further detail below with reference to the drawings.

[0017] The present invention provides a network virus detection method and system for IPv4 and IPv6, which effectively solves the problem that network security is difficult to monitor during the current migration from IPv4 to IPv6.

[0018] A network virus detection method for IPv4 and IPv6, comprising:

S101: capturing network packets;

The network packet capture function can be implemented with PCAP (packet capture library) capture, zero-copy capture, capture with a dedicated network card, and similar approaches. With Pcap capture the system adapts well but performance is low; zero-copy capture gives higher performance; a dedicated capture card gives very high performance and stability. The present system modifies the network card driver so that network data is written by DMA directly into user space, achieving zero-copy acquisition of network data;

S102: performing network layer protocol identification, determining the IP protocol of the packet; if the packet uses the IPv4 protocol, executing S103; if the packet uses the IPv6 protocol, executing S104;

S103: performing IPv4 network layer protocol identification, and executing S105;

S104: performing IPv6 network layer protocol identification, and executing S106;

S105: using IPv4 IP-layer decoding to decode the IP protocol of the packet and obtain the TCP four-tuple of the packet;

S106: using IPv6 IP-layer decoding to decode the IP protocol of the packet and obtain the TCP four-tuple of the packet; the TCP four-tuple consists of the packet's source address, destination address, source port and destination port.

[0019] S107: reassembling packets that have the same TCP four-tuple, so that discrete packets are aggregated into a data stream;

S108: identifying the application layer protocol of each data stream and identifying the application layer protocols in which file transfer behaviour occurs; this completes the identification of all protocols over which a file transfer may take place;

S109: rearranging the order of the packets in the data stream according to the application layer protocol identification result, restoring the correct order of the file; by rearranging the packets in the data stream, the stream is reassembled into a correct data stream without redundant data;

S110: performing protocol parsing on the data stream, determining according to the protocol stack the protocol type used by the data stream; if it is IPv4, executing S111; if it is IPv6, executing S112;

S111: using IPv4 protocol parsing;

S112: using IPv6 protocol parsing;

S113: according to the protocol parsing result, restoring data streams that contain file transfer behaviour into files, and leaving data streams without file transfer behaviour unprocessed;

S114: sending the packets, according to their content type, to the preset corresponding detection engine for network virus detection, and generating a detection report;

S115: sending the detection report to an external processing program.

[0020] In the method, the network layer protocol identification comprises at least identification of protocols such as TCP/IP, ARP and RARP.
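Steps S102 to S109 (network layer identification, IP-layer decoding for both IP versions, aggregation by TCP four-tuple, and reordering with redundant data dropped) can be shown end to end in a few dozen lines. The following Python is an added example and is not code from the patent or from the applicant's product; it assumes Ethernet framing (EtherType 0x0800 for IPv4, 0x86DD for IPv6), parses only the fixed 40-byte IPv6 header (extension headers are not walked), verifies no checksums, and runs over frames constructed inline rather than a real capture. It also handles the two failure modes a reassembler meets in practice: a retransmitted segment (discarded as redundant) and a lost segment (the stream is marked incomplete rather than silently treated as a whole file).

```python
import ipaddress
import struct
from collections import defaultdict

ETHERTYPE_IPV4, ETHERTYPE_IPV6, PROTO_TCP = 0x0800, 0x86DD, 6


def parse_ipv4(data):
    """S103/S105: IPv4 IP-layer decoding -> (src, dst, protocol, payload)."""
    if len(data) < 20 or data[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (data[0] & 0x0F) * 4
    total_len = struct.unpack("!H", data[2:4])[0]
    if ihl < 20 or total_len < ihl or len(data) < total_len:
        raise ValueError("inconsistent IPv4 lengths")
    return data[12:16], data[16:20], data[9], data[ihl:total_len]


def parse_ipv6(data):
    """S104/S106: IPv6 IP-layer decoding -> (src, dst, next header, payload).
    Fixed 40-byte header only; extension headers are not walked here (assumption)."""
    if len(data) < 40 or data[0] >> 4 != 6:
        raise ValueError("not an IPv6 header")
    payload_len, next_hdr = struct.unpack("!HB", data[4:7])
    if len(data) < 40 + payload_len:
        raise ValueError("truncated IPv6 payload")
    return data[8:24], data[24:40], next_hdr, data[40:40 + payload_len]


def parse_tcp(seg):
    """-> (sport, dport, seq, payload); honours the data offset so TCP options are skipped."""
    if len(seg) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq = struct.unpack("!HHI", seg[:8])
    offset = (seg[12] >> 4) * 4
    if offset < 20 or len(seg) < offset:
        raise ValueError("bad TCP data offset")
    return sport, dport, seq, seg[offset:]


def four_tuple(frame):
    """S102: identify the network-layer protocol by EtherType and decode the matching
    IP version. Returns ((src, dst, sport, dport), seq, payload) or None for non-TCP."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype, pkt = struct.unpack("!H", frame[12:14])[0], frame[14:]
    if ethertype == ETHERTYPE_IPV4:
        src, dst, proto, seg = parse_ipv4(pkt)
    elif ethertype == ETHERTYPE_IPV6:
        src, dst, proto, seg = parse_ipv6(pkt)
    else:
        return None  # ARP/RARP etc.: identified, but they carry no TCP four-tuple
    if proto != PROTO_TCP:
        return None  # UDP/ICMP: nothing to aggregate into a TCP stream
    sport, dport, seq, payload = parse_tcp(seg)
    return (str(ipaddress.ip_address(src)), str(ipaddress.ip_address(dst)), sport, dport), seq, payload


def aggregate_flows(frames):
    """S107: group data-carrying segments by TCP four-tuple."""
    flows = defaultdict(list)
    for frame in frames:
        result = four_tuple(frame)
        if result is not None and result[2]:
            flows[result[0]].append((result[1], result[2]))
    return dict(flows)


def reassemble(segments):
    """S109: order by sequence number and drop retransmitted bytes.
    Returns (data, complete); complete is False when a sequence gap was seen."""
    data, expected, complete = bytearray(), None, True
    for seq, payload in sorted(segments, key=lambda s: s[0]):
        end = seq + len(payload)
        expected = seq if expected is None else expected
        if end <= expected:
            continue  # fully redundant retransmission
        if seq < expected:
            payload = payload[expected - seq:]  # overlapping prefix already delivered
        elif seq > expected:
            complete = False  # a segment is missing: the restored file has a hole
        data += payload
        expected = end
    return bytes(data), complete


def tcp_frame(src, dst, sport, dport, seq, payload):
    """Constructed test traffic: Ethernet + IPv4 or IPv6 (chosen by address type) + TCP, no checksums."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    seg = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    if s.version == 4:
        hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(seg), 0, 0, 64, PROTO_TCP, 0, s.packed, d.packed)
        ethertype = ETHERTYPE_IPV4
    else:
        hdr = struct.pack("!IHBB16s16s", 0x60000000, len(seg), PROTO_TCP, 64, s.packed, d.packed)
        ethertype = ETHERTYPE_IPV6
    return struct.pack("!6s6sH", b"\0" * 6, b"\0" * 6, ethertype) + hdr + seg


ARP_FRAME = struct.pack("!6s6sH", b"\0" * 6, b"\0" * 6, 0x0806) + b"\0" * 28  # constructed non-IP frame


def sample_frames():
    """Constructed capture: an IPv4 HTTP request delivered out of order with one
    retransmission, an ARP frame, and an IPv6 FTP command stream missing a segment."""
    return [
        tcp_frame("10.0.0.1", "10.0.0.2", 40000, 80, 1004, b"/file.bin HTTP/1.0\r\n"),
        tcp_frame("10.0.0.1", "10.0.0.2", 40000, 80, 1000, b"GET "),
        tcp_frame("10.0.0.1", "10.0.0.2", 40000, 80, 1000, b"GET "),  # retransmission
        ARP_FRAME,
        tcp_frame("2001:db8::1", "2001:db8::2", 50000, 21, 300, b"1.txt\r\n"),
        tcp_frame("2001:db8::1", "2001:db8::2", 50000, 21, 100, b"RETR "),  # bytes 105..299 lost
    ]


def reassemble_all(frames):
    """Steps S102-S109 end to end: {four-tuple: (restored bytes, complete)}."""
    return {key: reassemble(segs) for key, segs in aggregate_flows(frames).items()}
```

`reassemble_all(sample_frames())` yields the IPv4 flow restored to `GET /file.bin HTTP/1.0\r\n` with `complete=True` (the duplicate `GET ` was discarded), and the IPv6 flow marked `complete=False` because of the hole; a file restorer (S113) should only hand a stream with `complete=True` to the full-file engine, which is what the incomplete-stream handling in [0021] addresses.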

[0021] In the method, the content types of the packets comprise at least: data streams with file content and data streams with non-file content. The method uses a multi-detection-engine mode of operation, applying a suitable detection engine to each type of data so as to detect network viruses efficiently. For example, a behaviour detection engine examines packets directly and produces a detection result; an HTTP request packet is passed to a URL detection engine, which produces a record of suspicious URLs; for an incomplete file, once the number of restored bytes meets the requirement, the incomplete-stream engine is invoked and the data is sent to the incomplete-stream detection engine for detection; and so on.
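The dispatch logic of [0021] (S114/S115) is easiest to see as a small router that picks an engine from the stream's content type and withholds an incomplete file until enough bytes have arrived. The Python below is an added example, not the patent's or the applicant's code: the byte threshold, the packet-rate rule and the URL list are constructed values the patent does not state, the file and partial-stream engines match only the public EICAR test string, and the "external processing program" is represented by a plain list.

```python
import re
from dataclasses import dataclass

# Public EICAR test string: the standard, harmless anti-malware test signature.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Assumed values for this example only; the patent gives no numbers or lists.
PARTIAL_SCAN_MIN_BYTES = 1024            # bytes an incomplete file must reach before scanning
URL_BLOCKLIST = {"/downloads/test-bad.exe"}  # constructed list of known-bad request paths
PACKETS_PER_SECOND_LIMIT = 500           # constructed behaviour-rule threshold


@dataclass
class Stream:
    key: tuple            # TCP four-tuple from the IP-layer decoding step
    kind: str             # content type: "http-request", "file" or "non-file"
    data: bytes           # reassembled bytes (S109/S113)
    complete: bool = True # False while the restored file still has gaps
    packets: int = 1      # packet-level statistics used by the behaviour engine
    seconds: float = 1.0


def file_engine(stream):
    hit = EICAR in stream.data
    return {"engine": "file", "detected": hit, "detail": "EICAR test signature" if hit else "clean"}


def partial_stream_engine(stream):
    # Same signature scan over what has arrived; a miss here is not a clean verdict,
    # because the rest of the file has not been seen yet.
    hit = EICAR in stream.data
    return {"engine": "partial-stream", "detected": hit,
            "detail": f"scanned {len(stream.data)} bytes of an incomplete file"}


def url_engine(stream):
    m = re.match(rb"(?:GET|POST) (\S+) HTTP/1\.[01]\r\n", stream.data)
    url = m.group(1).decode("ascii", "replace") if m else None
    return {"engine": "url", "detected": url in URL_BLOCKLIST, "detail": url}


def behaviour_engine(stream):
    rate = stream.packets / max(stream.seconds, 1e-9)
    return {"engine": "behaviour", "detected": rate > PACKETS_PER_SECOND_LIMIT,
            "detail": f"{rate:.0f} packets/s"}


def dispatch(stream):
    """S114: choose the engine by content type; None means 'wait for more bytes'."""
    if stream.kind == "http-request":
        return url_engine(stream)
    if stream.kind == "file":
        if stream.complete:
            return file_engine(stream)
        if len(stream.data) >= PARTIAL_SCAN_MIN_BYTES:
            return partial_stream_engine(stream)
        return None  # too little of the file restored so far: keep waiting
    return behaviour_engine(stream)


def detect(stream, report_sink):
    """S114/S115: run the chosen engine, build the report, hand it to the external program."""
    verdict = dispatch(stream)
    if verdict is None:
        return None
    report = {"flow": stream.key, **verdict}
    report_sink.append(report)  # the external processing program is modelled as a list
    return report


def demo():
    """Constructed streams covering every branch of the dispatcher."""
    sink, key = [], ("10.0.0.1", "10.0.0.2", 40000, 80)
    streams = [
        Stream(key, "http-request", b"GET /downloads/test-bad.exe HTTP/1.1\r\nHost: example.test\r\n\r\n"),
        Stream(key, "file", b"MZ" + b"\0" * 64 + EICAR),
        Stream(key, "file", b"A" * 200, complete=False),            # below threshold: wait
        Stream(key, "file", b"B" * 2000 + EICAR, complete=False),   # enough bytes to scan early
        Stream(("10.0.0.9", "10.0.0.2", 1, 22), "non-file", b"", packets=5000, seconds=2.0),
    ]
    return [detect(s, sink) for s in streams], sink
```

Running `demo()` produces four reports and one `None`: the URL engine flags the listed path, the file engine flags the complete file, the 200-byte fragment is held back, the 2000-byte fragment is scanned by the partial-stream engine, and the non-file flow goes to the behaviour rule. Keeping the "wait" outcome explicit (rather than scanning a short fragment and reporting it clean) is the point of the threshold in [0021].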

[0022] A network virus detection system for IPv4 and IPv6, comprising:

a packet capture module 201 for capturing network packets;

a network layer identification module 202 for performing network layer protocol identification, that is, determining the IP protocol of the packet: if the packet uses the IPv4 protocol, performing IPv4 network layer protocol identification, and if the packet uses the IPv6 protocol, performing IPv6 network layer protocol identification;

an IP layer identification module 203 for performing IP protocol decoding according to the protocol type used by the packet to obtain the TCP four-tuple of the packet, using IPv4 IP-layer decoding if the packet uses the IPv4 protocol and IPv6 IP-layer decoding if the packet uses the IPv6 protocol;

a flow aggregation module 204 for reassembling packets that have the same TCP four-tuple, so that discrete packets are aggregated into a data stream;

an application protocol identification module 205 for identifying the application layer protocol of each data stream and identifying the application layer protocols in which file transfer behaviour occurs;

a flow restoration module 206 for rearranging the order of the packets in the data stream according to the application layer protocol identification result, restoring the correct order of the file;

a protocol parsing module 207 for performing protocol parsing on the data stream: determining, according to the protocol stack, the protocol type used by the data stream, and using IPv4 protocol parsing if it is IPv4 and IPv6 protocol parsing if it is IPv6;

a file restoration module 208 for restoring, according to the protocol parsing result, data streams that contain file transfer behaviour into files, and leaving data streams without file transfer behaviour unprocessed;

a detection engine module 209 for sending the packets, according to their content type, to the preset corresponding detection engine for network virus detection, and generating a detection report;

a response interface module 210 for sending the detection report to an external processing program; it provides a processing interface for subsequent external programs.

[0023] In the system, the network layer identification module's identification of network layer protocols comprises at least identification of the TCP/IP, ARP and RARP protocols.

[0024] In the system, the content types of the packets comprise at least: data streams with file content and data streams with non-file content.

[0025] The present invention performs protocol parsing separately according to the different IP address protocols used for data transmission, can effectively monitor network security threat events within the network, and provides a security posture report for monitoring the whole network.

[0026] The present invention provides a network virus detection method and system for IPv4 and IPv6. The method comprises: capturing network packets; performing network layer and IP layer protocol identification separately for packets that use the IPv4 protocol or the IPv6 protocol; reassembling packets that have the same TCP four-tuple; identifying the application layer protocol of each data stream, rearranging the order of the packets in the data stream and restoring the correct order of the file; performing protocol parsing on data streams that use the IPv4 protocol or the IPv6 protocol and, according to the protocol parsing result, restoring data streams that contain file transfer behaviour into files; sending the data streams to a detection engine for network virus detection and generating a detection report; and providing the detection report to an external processing program. The present invention further provides a network virus detection system for IPv4 and IPv6. The method and system of the present invention effectively solve the problem that network security is difficult to monitor during the current migration from IPv4 to IPv6, and prevent the spread of threats in a timely and effective manner.

[0027] The embodiments in this specification are described in a progressive manner; for identical or similar parts among the embodiments, reference may be made to one another, and each embodiment focuses on its differences from the others. In particular, since the system embodiment is substantially similar to the method embodiment, its description is relatively brief, and the relevant parts of the description of the method embodiment may be consulted.

[0028] Although the present invention has been described by way of embodiments, those of ordinary skill in the art know that many variations and modifications of the invention are possible without departing from its spirit, and it is intended that the appended claims cover such variations and modifications without departing from the spirit of the invention.

Claims (6)

1. A network virus detection method for IPv4 and IPv6, characterised in that it comprises: capturing network packets; performing network layer protocol identification, that is, determining the IP protocol of the packet, performing IPv4 network layer protocol identification if the packet uses the IPv4 protocol and IPv6 network layer protocol identification if the packet uses the IPv6 protocol; performing IP protocol decoding according to the protocol type used by the packet to obtain the TCP four-tuple of the packet, using IPv4 IP-layer decoding if the packet uses the IPv4 protocol and IPv6 IP-layer decoding if the packet uses the IPv6 protocol; reassembling packets that have the same TCP four-tuple, so that discrete packets are aggregated into a data stream; identifying the application layer protocol of each data stream and identifying the application layer protocols in which file transfer behaviour occurs; rearranging the order of the packets in the data stream according to the application layer protocol identification result, restoring the correct order of the packets; performing protocol parsing on the data stream, determining according to the protocol stack the protocol type used by the data stream, and using IPv4 protocol parsing if it is IPv4 and IPv6 protocol parsing if it is IPv6; according to the protocol parsing result, restoring data streams that contain file transfer behaviour into files and leaving data streams without file transfer behaviour unprocessed; sending the packets, according to their content type, to the preset corresponding detection engine for network virus detection and generating a detection report; and sending the detection report to an external processing program.
2. The method according to claim 1, characterised in that the network layer protocol identification comprises at least identification of the TCP/IP, ARP and RARP protocols.
3. The method according to claim 1, characterised in that the content types of the packets comprise at least: data streams with file content and data streams with non-file content.
4. A network virus detection system for IPv4 and IPv6, characterised in that it comprises: a packet capture module for capturing network packets; a network layer identification module for performing network layer protocol identification, that is, determining the IP protocol of the packet, performing IPv4 network layer protocol identification if the packet uses the IPv4 protocol and IPv6 network layer protocol identification if the packet uses the IPv6 protocol; an IP layer identification module for performing IP protocol decoding according to the protocol type used by the packet to obtain the TCP four-tuple of the packet, using IPv4 IP-layer decoding if the packet uses the IPv4 protocol and IPv6 IP-layer decoding if the packet uses the IPv6 protocol; a flow aggregation module for reassembling packets that have the same TCP four-tuple, so that discrete packets are aggregated into a data stream; an application protocol identification module for identifying the application layer protocol of each data stream and identifying the application layer protocols in which file transfer behaviour occurs; a flow restoration module for rearranging the order of the packets in the data stream according to the application layer protocol identification result, restoring the correct order of the packets; a protocol parsing module for performing protocol parsing on the data stream, determining according to the protocol stack the protocol type used by the data stream, and using IPv4 protocol parsing if it is IPv4 and IPv6 protocol parsing if it is IPv6; a file restoration module for restoring, according to the protocol parsing result, data streams that contain file transfer behaviour into files and leaving data streams without file transfer behaviour unprocessed; a detection engine module for sending the packets, according to their content type, to the preset corresponding detection engine for network virus detection and generating a detection report; and a response interface module for sending the detection report to an external processing program.
5. The system according to claim 4, characterised in that the network layer identification module's identification of network layer protocols comprises at least identification of the TCP/IP, ARP and RARP protocols.
6. The system according to claim 4, characterised in that the content types of the packets comprise at least: data streams with file content and data streams with non-file content.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 201210022667 CN103248606A (en) 2012-02-02 2012-02-02 Network virus detection method and system for IPv4 (Internet Protocol Version 4) and IPv6 (Internet Protocol Version 6)

Publications (1)

Publication Number Publication Date
CN103248606A (en) 2013-08-14

Family

ID=48927830

Country Status (1)

Country Link
CN (1) CN103248606A (en)

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6275937B1 (en) * 1997-11-06 2001-08-14 International Business Machines Corporation Collaborative server processing of content and meta-information with application to virus checking in a server network
CN1529248A (en) * 2003-10-20 2004-09-15 北京启明星辰信息技术有限公司 Network invasion related event detecting method and system
CN1909488A (en) * 2006-08-30 2007-02-07 北京启明星辰信息技术有限公司 Virus detection and invasion detection combined method and system

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103281291A (en) * 2013-02-19 2013-09-04 电子科技大学 Application layer protocol identification method based on Hadoop
CN103281291B (en) * 2013-02-19 2016-04-20 电子科技大学 An application layer protocol identification method based Hadoop
CN103905417A (en) * 2013-11-12 2014-07-02 国家计算机网络与信息安全管理中心 Device and method for authentication of network device files
CN103634306A (en) * 2013-11-18 2014-03-12 北京奇虎科技有限公司 Security detection method and security detection server for network data
CN103634306B (en) * 2013-11-18 2017-09-15 北京奇虎科技有限公司 Data security and method for detecting network security detection server


Legal Events

Date Code Title Description
C06 Publication
RJ01