CN103905269A - Network two-way detection method and system based on format recognition technology - Google Patents


Info

Publication number: CN103905269A
Authority: CN (China)
Prior art keywords: network, file, packet, detection, data flow
Legal status: Granted (Active)
Application number: CN201310619430.7A
Other languages: Chinese (zh)
Other versions: CN103905269B (en)
Inventors: 童志明, 沈长伟, 肖新光
Current assignee: Shenzhen Antan Network Security Technology Co ltd
Original assignee: Harbin Antiy Technology Co Ltd
Application filed by Harbin Antiy Technology Co Ltd
Priority date / filing date: 2013-11-29
Publication date: 2014-07-02 (CN103905269A); granted as CN103905269B on 2017-11-28

Abstract

The invention provides a network two-way detection method and system based on format recognition technology. The method monitors the two-way network data flow, captures and caches the data packets in it, and judges whether the file format information of a packet is the same as the suffix of the file name that the corresponding URL points to. If they match, a detection engine is used for detection; if not, the user is informed that high-risk suffix disguise behaviour has been discovered and detailed deep detection is conducted. The invention also provides the corresponding detection system. With this method and system, data flows carrying disguise behaviour can be detected from the disagreement between the file format and the URL format and the threat reported to the user; because the detection environment sits in the network, the direction of network data transmission does not need to be taken into account, and two-way network data can be detected.

Description

Network bi-directional detection method and system based on format identification technology
Technical field
The present invention relates to the field of computer network security technology, and in particular to a network bi-directional detection method and system based on format identification technology.
Background technology
In traditional malicious-code detection of network data flows, many approaches first cache the data and then perform malicious-code detection. Because of false positives and detection speed, traditional network malicious-code detection mostly adopts unidirectional detection, i.e. it focuses on the data flow from the control end to the controlled end and ignores the data flow from the controlled end back to the control end. Unidirectional detection therefore tends to miss malicious code travelling in the direction that is not inspected. In addition, unidirectional detection must first determine the transmission direction of the network data flow, and determining that direction is cumbersome, so detection speed is lower.
Summary of the invention
The invention provides a network bi-directional detection method and device based on format identification technology. It solves the problem that traditional detection methods inspect only one-way data and therefore miss detections, and also solves the problem that determining the direction of network data flow is cumbersome.
A network bi-directional detection method based on format identification technology comprises:
Monitoring the bidirectional network data flow;
Capturing and caching the packets in the network data flow;
Judging whether the file format information of the packet is identical to the suffix of the file name that the corresponding URL points to; if so, using the detection engine to detect; otherwise setting the file risk level to high, carrying out detailed deep detection, and notifying the user that high-risk suffix camouflage behaviour has been found.
In the method, in order to judge whether the file format information of the packet is identical to the suffix of the file name that the corresponding URL points to, the method further comprises:
Performing file format identification on the packet to obtain its file format information;
Obtaining the suffix of the file name that the URL corresponding to the packet points to.
The invention chooses to judge by the URL because a URL usually carries a suffix, and the suffix conventionally identifies the actual format of the file. For URLs that carry no suffix, the suffix of the file being downloaded can be extracted from the HTTP information. Therefore, once the file format obtained from the URL is found to be inconsistent with the actual format of the packet under inspection, it can be determined that the packet is camouflaged in order to trick the user into running it or to trick the detection into letting it through.
A network bi-directional detection system based on format identification technology comprises:
A monitoring unit, for monitoring the bidirectional network data flow;
A data capture unit, for capturing and caching the packets in the network data flow;
A comparison module, for judging whether the file format information of the packet is identical to the suffix of the file name that the corresponding URL points to; if so, the detection engine is used to detect; otherwise the file risk level is set to high, detailed deep detection is carried out, and the user is notified that high-risk suffix camouflage behaviour has been found.
The system further comprises:
A format identification unit, for performing file format identification on the packet and obtaining its file format information;
A URL suffix recognition unit, for obtaining the suffix of the file name that the URL corresponding to the packet points to.
The advantage of the invention is that the judgement is made on the packets in the network data flow, so the risk judgement is transferred from the URL to the file object. Because the detection environment of such a method is inside the network, there is no need to consider the direction of network transmission: the bidirectional data flows are merged, which avoids the missed detections of conventional one-way detection and also avoids the complicated process of determining the direction of the network data flow. Furthermore, by using the fact that a URL carries file format information, the method judges whether the file format identified by the URL is consistent with the actual file format detected, and thereby discovers highly dangerous file camouflage behaviour in network data transmission.
The invention provides a network bi-directional detection method and system based on format identification technology. The method comprises: monitoring the bidirectional network data flow, and capturing and caching the packets in it; judging whether the file format information of the packet is identical to the suffix of the file name that the corresponding URL points to; if so, using the detection engine to detect; otherwise setting the file risk level to high, carrying out detailed deep detection, and notifying the user that high-risk suffix camouflage behaviour has been found. The invention also provides the corresponding detection system. With the invention, data carrying camouflage behaviour can be detected from the inconsistency between the file format and the URL format, and the user can be informed of the threat; because the detection environment is inside the network, the direction of network data transmission need not be considered, and bidirectional network data can be detected.
Accompanying drawing explanation
In order to explain the technical solutions of the invention or of the prior art more clearly, the drawings needed in the embodiments or in the description of the prior art are briefly introduced below. Obviously, the drawings described below are only some of the embodiments recorded in the invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of the network bi-directional detection method based on format identification technology of the invention;
Fig. 2 is a structural diagram of the network bi-directional detection system based on format identification technology of the invention.
Embodiment
To help those skilled in the art understand the technical solutions in the embodiments of the invention better, and to make the above purposes, features and advantages of the invention clearer, the technical solutions of the invention are described in further detail below with reference to the drawings.
The invention provides a network bi-directional detection method and device based on format identification technology. It solves the problem that traditional detection methods inspect only one-way data and therefore miss detections, and also solves the problem that determining the direction of network data flow is cumbersome.
The invention provides a network bi-directional detection method based on format identification technology; as shown in Figure 1, one embodiment of the method is:
S101: monitoring the bidirectional network data flow;
S102: capturing and caching the packets in the network data flow;
S103: performing file format identification on the packet to obtain its file format information;
S104: obtaining the suffix of the file name that the URL corresponding to the packet points to;
S105: judging whether the file format information of the packet is identical to the suffix of the file name that the corresponding URL points to; if so, using the detection engine to detect; otherwise setting the file risk level to high, carrying out detailed deep detection, and notifying the user that high-risk suffix camouflage behaviour has been found.
The invention chooses to judge by the URL because a URL usually carries a suffix, and the suffix conventionally identifies the actual format of the file. For URLs that carry no suffix, the suffix of the file being downloaded can be extracted from the HTTP information. Therefore, once the file format obtained from the URL is found to be inconsistent with the actual format of the packet under inspection, it can be determined that the packet is camouflaged in order to trick the user into running it or to trick the detection into letting it through.
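As an added worked example (not code from the patent or its assignee), steps S103 to S105 above in Python: format identification by magic bytes, suffix extraction from the URL with the HTTP fallback the text mentions, and the comparison that sets the risk level. The magic-byte table, the `Capture` record, the use of the Content-Disposition header as the "extracted from HTTP" source and all sample captures are my assumptions, not details of the patent.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse
import posixpath
import re

# Constructed magic-byte table (leading bytes -> format); a real unit carries many more.
MAGIC = [
    (b"MZ", "exe"),                      # Windows PE / DOS executable
    (b"\x7fELF", "elf"),
    (b"%PDF-", "pdf"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpg"),
    (b"PK\x03\x04", "zip"),
]
# Suffixes that legitimately name the same container format.
ALIASES = {"jpeg": "jpg", "dll": "exe", "scr": "exe", "docx": "zip", "jar": "zip"}

@dataclass
class Capture:
    """One cached download: request URL, response headers (lower-case keys), body."""
    url: str
    headers: dict
    body: bytes

def identify_format(body: bytes) -> Optional[str]:
    """S103: file format identification from the leading bytes of the payload."""
    for magic, name in MAGIC:
        if body.startswith(magic):
            return name
    return None

def url_suffix(cap: Capture) -> Optional[str]:
    """S104: suffix of the file name the URL points to. When the URL path has no
    suffix, fall back to the Content-Disposition filename (assumption: this is
    the 'information extracted from HTTP' the patent mentions)."""
    ext = posixpath.splitext(posixpath.basename(urlparse(cap.url).path))[1]
    if not ext:
        m = re.search(r'filename="?([^";]+)"?', cap.headers.get("content-disposition", ""))
        if m:
            ext = posixpath.splitext(m.group(1).strip())[1]
    return ext[1:].lower() if ext else None

def classify(cap: Capture) -> dict:
    """S105: compare the claimed suffix with the identified format and set the risk."""
    actual = identify_format(cap.body)
    claimed = url_suffix(cap)
    verdict = {"url": cap.url, "actual": actual, "claimed": claimed}
    if actual is None or claimed is None:
        # Nothing to compare: hand the object to the ordinary detection engine.
        verdict.update(risk="unknown", action="detection-engine")
    elif ALIASES.get(claimed, claimed) == actual:
        verdict.update(risk="normal", action="detection-engine")
    else:
        # Suffix camouflage: file risk level high, deep detection, notify the user.
        verdict.update(risk="high", action="deep-detection+notify-user")
    return verdict

SAMPLES = [  # constructed captures, no real traffic
    Capture("http://example.test/holiday.jpg", {}, b"MZ\x90\x00\x03\x00\x00\x00"),
    Capture("http://example.test/report.pdf", {}, b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"),
    Capture("http://example.test/download?id=7",
            {"content-disposition": 'attachment; filename="setup.exe"'}, b"MZ\x90\x00"),
    Capture("http://example.test/photo.jpeg", {}, b"\xff\xd8\xff\xe0\x00\x10JFIF"),
]

if __name__ == "__main__":
    print(*(classify(c) for c in SAMPLES), sep="\n")
```

The first sample is the case the patent targets: an executable served under an image suffix is flagged high risk, while the suffix-less download is resolved through the HTTP header and passes to the ordinary engine.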
The invention also provides a network bi-directional detection system based on format identification technology; as shown in Figure 2, it comprises:
A monitoring unit 201, for monitoring the bidirectional network data flow;
A data capture unit 202, for capturing and caching the packets in the network data flow;
A comparison module 203, for judging whether the file format information of the packet is identical to the suffix of the file name that the corresponding URL points to; if so, the detection engine is used to detect; otherwise the file risk level is set to high, detailed deep detection is carried out, and the user is notified that high-risk suffix camouflage behaviour has been found.
The system further comprises:
A format identification unit 204, for performing file format identification on the packet and obtaining its file format information;
A URL suffix recognition unit 205, for obtaining the suffix of the file name that the URL corresponding to the packet points to.
The advantage of the invention is that the judgement is made on the packets in the network data flow, so the risk judgement is transferred from the URL to the file object. Because the detection environment of such a method is inside the network, there is no need to consider the direction of network transmission: the bidirectional data flows are merged, which avoids the missed detections of conventional one-way detection and also avoids the complicated process of determining the direction of the network data flow. Furthermore, by using the fact that a URL carries file format information, the method judges whether the file format identified by the URL is consistent with the actual file format detected, and thereby discovers highly dangerous file camouflage behaviour in network data transmission.
The invention provides a network bi-directional detection method and system based on format identification technology. The method comprises: monitoring the bidirectional network data flow, and capturing and caching the packets in it; judging whether the file format information of the packet is identical to the suffix of the file name that the corresponding URL points to; if so, using the detection engine to carry out deep detection; otherwise notifying the user that high-risk suffix camouflage behaviour has been found. The invention also provides the corresponding detection system. With the invention, data carrying camouflage behaviour can be detected from the inconsistency between the file format and the URL format, and the user can be informed of the threat; because the detection environment is inside the network, the direction of network data transmission need not be considered, and bidirectional network data can be detected.
Although the invention has been described by way of embodiments, those of ordinary skill in the art know that the invention admits many variations and modifications that do not depart from its spirit, and it is intended that the appended claims cover such variations and modifications.

Claims (4)

1. A network bi-directional detection method based on format identification technology, characterized in that it comprises:
Monitoring the bidirectional network data flow;
Capturing and caching the packets in the network data flow;
Judging whether the file format information of the packet is identical to the suffix of the file name that the corresponding URL points to; if so, using the detection engine to detect; otherwise setting the file risk level to high, carrying out detailed deep detection, and notifying the user that high-risk suffix camouflage behaviour has been found.
2. The method of claim 1, characterized in that, in judging whether the file format information of the packet is identical to the suffix of the file name that the corresponding URL points to, the method further comprises:
Performing file format identification on the packet to obtain its file format information;
Obtaining the suffix of the file name that the URL corresponding to the packet points to.
3. A network bi-directional detection system based on format identification technology, characterized in that it comprises:
A monitoring unit, for monitoring the bidirectional network data flow;
A data capture unit, for capturing and caching the packets in the network data flow;
A comparison module, for judging whether the file format information of the packet is identical to the suffix of the file name that the corresponding URL points to; if so, the detection engine is used to detect; otherwise the file risk level is set to high, detailed deep detection is carried out, and the user is notified that high-risk suffix camouflage behaviour has been found.
4. The system as claimed in claim 4, characterized in that it further comprises:
A format identification unit, for performing file format identification on the packet and obtaining its file format information;
A URL suffix recognition unit, for obtaining the suffix of the file name that the URL corresponding to the packet points to.

Priority Applications (1)

Application number: CN201310619430.7A (granted as CN103905269B)
Priority date: 2013-11-29
Filing date: 2013-11-29
Title: Network bi-directional detection method and system based on format identification technology
Status: Active

Publications (2)

CN103905269A, published 2014-07-02
CN103905269B, published 2017-11-28

Family ID: 50996426

Country status: CN (1), CN103905269B (en)


Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number, priority date, publication date, assignee, title:
CN103392346A * 2010-08-19 2013-11-13 汤姆森特许公司 Personalization of information content by monitoring network traffic
CN102446253A * 2011-12-23 2012-05-09 北京奇虎科技有限公司 Webpage trojan detection method and system
CN202495954U * 2012-02-24 2012-10-17 上海欣诺通信技术有限公司 Multifunctional network monitoring equipment

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
朱晓蕊 (Zhu Xiaorui): "Video compression format identification for multiple streaming media transport protocols", China Master's Theses Full-text Database, Information Science and Technology series *

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number, priority date, publication date, assignee, title:
CN105740704A * 2015-12-25 2016-07-06 哈尔滨安天科技股份有限公司 User scanning frequency-based detection method and system for dynamically adjusting detection degree
CN105740704B * 2015-12-25 2019-07-02 哈尔滨安天科技股份有限公司 Detection method and system based on scanning input frequency dynamic adjustment inspecting force
CN106888221A * 2017-04-15 2017-06-23 北京科罗菲特科技有限公司 A kind of Secure Information Tanslation Through Netware method

Also Published As

Publication number Publication date
CN103905269B (en) 2017-11-28


Legal Events

Code, title, description (dates not given on the page):
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP03 Change of name, title or address
    Address after: 150010 Heilongjiang science and technology innovation city, Harbin new and high tech Industrial Development Zone, No. 7 building, innovation and entrepreneurship Plaza, 838
    Patentee after: Harbin Antian Science and Technology Group Co.,Ltd.
    Address before: 150090 room 506, Hongqi Street, Nangang District, Harbin Development Zone, Heilongjiang, China, 162
    Patentee before: HARBIN ANTIY TECHNOLOGY Co.,Ltd.
TR01 Transfer of patent right
    Effective date of registration: 20180606
    Address after: 518000 Shenzhen, Baoan District, Guangdong Xixiang Baoan District street, the source of excellent industrial products display procurement center, block B, 7 floor, No.
    Patentee after: SHENZHEN ANZHITIAN INFORMATION TECHNOLOGY Co.,Ltd.
    Address before: 150010 Heilongjiang science and technology innovation city, Harbin new and high tech Industrial Development Zone, No. 7 building, innovation and entrepreneurship Plaza, 838
    Patentee before: Harbin Antian Science and Technology Group Co.,Ltd.
CP01 Change in the name or title of a patent holder
    Address after: 518000 Shenzhen, Baoan District, Guangdong Xixiang Baoan District street, the source of excellent industrial products display procurement center, block B, 7 floor, No.
    Patentee after: Shenzhen Antan Network Security Technology Co.,Ltd.
    Address before: 518000 Shenzhen, Baoan District, Guangdong Xixiang Baoan District street, the source of excellent industrial products display procurement center, block B, 7 floor, No.
    Patentee before: SHENZHEN ANZHITIAN INFORMATION TECHNOLOGY Co.,Ltd.