CN106549969A - Data filtering method and device - Google Patents

Data filtering method and device

Info

Publication number: CN106549969A
Authority: CN (China)
Prior art keywords: data, terminal, tcp, packet, bag
Legal status: Granted (active)
Application number: CN201611049016.7A
Other languages: Chinese (zh)
Other versions: CN106549969B
Inventor: 张超
Current Assignee: Master Technology (beijing) Co Ltd
Original Assignee: Master Technology (beijing) Co Ltd
Application filed by Master Technology (beijing) Co Ltd
Priority to CN201611049016.7A
Publication of CN106549969A
Application granted
Publication of CN106549969B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0227 Filtering policies
    • H04L 63/0245 Filtering by information in the payload
    • H04L 69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L 69/16 Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]
    • H04L 69/163 In-band adaptation of TCP data exchange; In-band control procedures

Abstract

The present invention discloses a data filtering method and device for filtering threat packets out of the packets that a first terminal sends to a second terminal. The method includes: converting the TCP packets received from the first terminal into a data stream; analysing the data stream according to preset rules to filter out the threat data it contains; packing the data remaining in the stream, other than the threat data, into continuous TCP packets; and sending the continuous TCP packets to the second terminal in order. Because the TCP packets sent from the first terminal to the second terminal are converted into a data stream before threat data is identified and filtered, and the remaining safe data is then converted back into TCP packets before being sent to the second terminal, the method and device of the embodiments filter threat data while keeping the TCP packets delivered to the second terminal continuous. This avoids interruption of the connection and preserves the stability and reliability of industrial control.

Description

Data filtering method and device
Technical field
The present invention relates to the field of industrial control firewalls, and in particular to a data filtering method and device.
Background technology
A firewall is a system, or combination of systems, that strengthens the boundary between two or more networks; it is the controlled access point between one network and the others. Firewalls can be divided into hardware firewalls and software firewalls. They scan all network communication that flows through them and filter out certain attack operations so that the target network is not damaged. A firewall can also close rarely used ports, and can forbid communication on particular ports and access from particular sites, thereby blocking all communication from unidentified intruders.
In industrial control scenarios, different industrial control devices communicate using industrial control protocols. Industrial control protocols transmit data over TCP/IP, and an industrial firewall analyses the industrial control protocol traffic and blocks the transmission of data that carries a threat. The traditional approach of an industrial control firewall is to analyse the data exchanged in the industrial control protocol packet by packet. If a threatening packet is detected, that packet is simply dropped.
However, the inventor found while implementing the present invention that, because TCP is continuous (each packet carries a consecutive sequence number), dropping a packet causes the connection to break: the end that receives the packets, for example the server, never receives the dropped packet, and under TCP's timeout mechanism, once the server judges that the dropped packet has not arrived within a predetermined duration, it closes the TCP connection to the client. Dropping packets therefore destroys the continuity of the data stream. Industrial control scenarios are special in that they place high demands on the latency and continuity of data; if the continuity of an entire business process is affected because some intermediate threat packets are dropped, industrial production suffers tremendously.
Summary of the invention
Embodiments of the present invention provide a data filtering method and device that solve at least one of the above technical problems.
In a first aspect, an embodiment of the present invention provides a data filtering method for filtering threat packets out of the packets sent by a first terminal to a second terminal. The method includes:
converting the TCP packets received from the first terminal into a data stream;
analysing the data stream according to preset rules to filter out the threat data contained in the data stream;
packing the data in the data stream other than the threat data into continuous TCP packets;
sending the continuous TCP packets to the second terminal in order.
In a second aspect, an embodiment of the present invention also provides a data filtering device for filtering threat packets out of the packets sent by a first terminal to a second terminal. The device includes:
a data stream conversion module, for converting the TCP packets received from the first terminal into a data stream;
a data filtering module, for analysing the data stream according to preset rules to filter out the threat data contained in the data stream;
a data packing module, for packing the data in the data stream other than the threat data into continuous TCP packets;
a packet sending module, for sending the continuous TCP packets to the second terminal in order.
In a third aspect, an embodiment of the present invention provides a non-volatile computer-readable storage medium storing one or more programs that include execution instructions. The execution instructions can be read and executed by an electronic device (including but not limited to a computer, server, or network device) to perform any of the above data filtering methods of the present invention.
In a fourth aspect, an electronic device is provided, including at least one processor and a memory communicatively connected to the at least one processor. The memory stores instructions executable by the at least one processor which, when executed by the at least one processor, enable it to perform any of the above data filtering methods of the present invention.
In a fifth aspect, an embodiment of the present invention also provides a computer program product, including a computer program stored on a non-volatile computer-readable storage medium. The computer program includes program instructions which, when executed by a computer, cause the computer to perform any of the above data filtering methods.
The data filtering method and device of the embodiments of the present invention convert the TCP packets sent from the first terminal to the second terminal into a data stream before identifying and filtering threat data, and convert the remaining safe data back into TCP packets before sending it to the second terminal. Threat data is thus filtered while the TCP packets delivered to the second terminal remain continuous, which avoids interruption of the connection and preserves the stability and reliability of industrial control.
Description of the drawings
To illustrate the technical solutions of the embodiments of the present invention more clearly, the drawings needed for describing the embodiments are briefly introduced below. Evidently, the drawings described below show some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flowchart of an embodiment of the data filtering method of the present invention;
Fig. 2 is a flowchart of an embodiment of step S11 in Fig. 1;
Fig. 3 is a structural block diagram of an embodiment of the data filtering device of the present invention;
Fig. 4 is a structural block diagram of an embodiment of the data conversion module in the data filtering device of the present invention;
Fig. 5 is a schematic structural diagram of an embodiment of the electronic device of the present invention.
Specific embodiment
To make the objectives, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the accompanying drawings. Evidently, the described embodiments are some, not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
It should be noted that, provided they do not conflict, the embodiments in this application and the features in the embodiments may be combined with one another.
The present invention may be described in the general context of computer-executable instructions executed by a computer, such as program modules. Generally, program modules include routines, programs, objects, components, data structures and the like that perform particular tasks or implement particular abstract data types. The present invention may also be practised in distributed computing environments, where tasks are performed by remote processing devices connected through a communication network. In a distributed computing environment, program modules may be located in local and remote computer storage media, including storage devices.
In the present invention, "module", "device", "system" and the like refer to computer-related entities, such as hardware, a combination of hardware and software, software, or software in execution. In particular, an element may be, but is not limited to, a process running on a processor, a processor, an object, an executable, a thread of execution, a program and/or a computer. Further, an application or script running on a server, or the server itself, may be an element. One or more elements may reside within an executing process and/or thread, and an element may be localised on one computer and/or distributed between two or more computers and operated from various computer-readable media. Elements may communicate by way of local and/or remote processes, for example according to a signal having one or more data packets, such as data from one element interacting with another element in a local system or a distributed system, and/or interacting with other systems across a network such as the Internet.
Finally, it should also be noted that relational terms such as first and second are used herein only to distinguish one entity or operation from another, and do not necessarily require or imply any actual relationship or order between them. Moreover, the terms "including" and "comprising" cover not only the listed elements but also other elements not expressly listed, or elements inherent to the process, method, article or device. Absent further limitation, an element defined by the phrase "including a ..." does not exclude the presence of other identical elements in the process, method, article or device that includes it.
As shown in Fig. 1, the data filtering method of one embodiment of the present invention can be applied to an industrial control firewall to filter the data transmitted between a client and a server, extracting the threat data contained in the transmitted data and thereby ensuring the security of the industrial control system. The industrial control firewall receives packets, performs protocol detection on them, and invokes a protocol identification process to distinguish the protocol; it calls different decoder modules for specific protocols according to their type, inspects the content of the data stream in depth, and then filters the data stream. The firewall compares the packets against predefined rules (for example, a whitelist) and, combining coarse and fine granularity with its algorithms, processes the filtered content (blocking it or letting it pass).
As shown in Fig. 1, the data filtering method of the embodiment of the present invention, for filtering threat packets out of the packets sent by a first terminal to a second terminal, includes:
S11, converting the TCP packets received from the first terminal into a data stream;
S12, analysing the data stream according to preset rules to filter out the threat data contained in the data stream;
S13, packing the data in the data stream other than the threat data into continuous TCP packets;
S14, sending the continuous TCP packets to the second terminal in order.
The data filtering method of the embodiment converts the TCP packets sent from the first terminal to the second terminal into a data stream before identifying and filtering threat data, and converts the remaining safe data back into TCP packets before sending it to the second terminal. Threat data is thus filtered while the TCP packets delivered to the second terminal remain continuous, which avoids interruption of the connection and preserves the stability and reliability of industrial control. It should be noted that in the embodiments of the present invention the first terminal may be a client or a server, and the second terminal may be a server or a client. That is, the method of the embodiment can be applied to filter packets transmitted between two clients, between a client and a server, between a server and a client, and between two servers.
The number of TCP packets in step S11 is at least one. In the above embodiment, the preset rules used in step S12 for analysing the data stream and filtering out the threat data it contains may be a whitelist: whether the data stream contains threat data is determined by comparing the data stream against the whitelist. When one or more sections of data in the stream are determined to be threat data, the identified threat data is deleted from the stream. Packing the data in the stream other than the threat data into continuous TCP packets in step S13 means: following the implementation of the TCP protocol stack in the Linux kernel, the new data stream from which the threat data has been deleted is packed into new TCP packets, yielding multiple continuous TCP packets.
To make the data filtering method of the embodiment clearer, take as an example a client that sends five TCP packets with sequence numbers 1 to 5. According to the method of the embodiment, the five TCP packets are first converted into a continuous data stream, and the stream is then analysed according to the preset rules so that any threat data present in it is deleted. If one section of the data stream is determined to be threat data, that section is deleted and a new data stream is generated and output. The new data stream is then packed into multiple new TCP packets following the implementation of the TCP protocol stack in the Linux kernel. If the threat data corresponds to one of the original five TCP packets, say the packet with sequence number 4, the newly generated TCP packets carry sequence numbers 1 to 4 (that is, the data of the packet that originally had sequence number 5 is converted into a new TCP packet with sequence number 4). The continuity of the TCP packets transmitted to the server is thus preserved.
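The five-packet example above, carried through in code as an added illustration (this is not code from the patent and implements no specific industrial protocol): TCP segments of one direction are reassembled by sequence number into a stream, fixed-length records whose function code is not on a constructed whitelist are deleted, and the remaining bytes are re-packed into segments with contiguous sequence numbers starting from the original first sequence number. The record format, whitelist, sequence numbers and segment sizes are all constructed. Because real TCP sequence numbers count bytes rather than packets, the example also records the number of bytes removed, which a transparent filter must subtract from the sequence numbers of all later segments from the sender and add to the acknowledgement numbers coming back from the receiver; the packet-numbered description above leaves that step implicit.

```python
"""Stream-level filtering with continuous re-segmentation.

Added illustration, not code from the patent. Segment layout, record format,
whitelist and all numbers are constructed for the example.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class Segment:
    seq: int        # sequence number of the first payload byte (32-bit in real TCP)
    payload: bytes


def reassemble(segments: List[Segment]) -> Tuple[int, bytes]:
    """Order one direction's segments by sequence number and join their
    payloads into a byte stream. Returns (seq of first byte, stream).
    Gaps and overlaps (loss, retransmission) raise instead of being handled."""
    ordered = sorted(segments, key=lambda s: s.seq)
    expected = ordered[0].seq
    for s in ordered:
        if s.seq != expected:
            raise ValueError(f"gap or overlap at seq {s.seq}, expected {expected}")
        expected += len(s.payload)
    return ordered[0].seq, b"".join(s.payload for s in ordered)


def whitelist_filter(stream: bytes, record_len: int,
                     allowed: FrozenSet[int]) -> Tuple[bytes, int]:
    """Constructed protocol: fixed-length records whose first byte is a
    function code. Keep records whose code is whitelisted; return
    (clean stream, number of bytes removed). Because this runs on the
    reassembled stream, a record may straddle two original segments."""
    kept = bytearray()
    removed = 0
    for off in range(0, len(stream), record_len):
        rec = stream[off:off + record_len]
        if rec[0] in allowed:
            kept += rec
        else:
            removed += len(rec)
    return bytes(kept), removed


def resegment(first_seq: int, stream: bytes, mss: int) -> List[Segment]:
    """Re-pack a stream into segments with contiguous sequence numbers,
    starting from the original first sequence number."""
    return [Segment(first_seq + off, stream[off:off + mss])
            for off in range(0, len(stream), mss)]


class SeqTranslator:
    """Bookkeeping a transparent filter needs after removing bytes: later
    segments from the sender get `delta` subtracted from their seq, and the
    receiver's ACKs get `delta` added before reaching the sender.
    Real TCP sequence numbers are 32-bit byte counters, hence the masks."""
    def __init__(self) -> None:
        self.delta = 0

    def sender_seq(self, seq: int) -> int:
        return (seq - self.delta) & 0xFFFFFFFF

    def receiver_ack(self, ack: int) -> int:
        return (ack + self.delta) & 0xFFFFFFFF


def filter_direction(segments: List[Segment], record_len: int,
                     allowed: FrozenSet[int], mss: int,
                     xlat: SeqTranslator) -> List[Segment]:
    first_seq, stream = reassemble(segments)
    clean, removed = whitelist_filter(stream, record_len, allowed)
    xlat.delta += removed
    return resegment(first_seq, clean, mss)


# Constructed sample: five 4-byte segments, delivered out of order. Function
# codes 0x01 and 0x03 are whitelisted (reads); 0x10 (a write) is not.
ALLOWED = frozenset({0x01, 0x03})
SAMPLE = [
    Segment(1000, b"\x01AAA"),
    Segment(1008, b"\x03CCC"),
    Segment(1004, b"\x01BBB"),
    Segment(1012, b"\x10DDD"),   # the threat record (the "4th packet")
    Segment(1016, b"\x01EEE"),
]


def demo() -> Tuple[List[Segment], SeqTranslator]:
    xlat = SeqTranslator()
    return filter_direction(SAMPLE, 4, ALLOWED, 4, xlat), xlat


if __name__ == "__main__":
    segs, xlat = demo()
    for s in segs:
        print(s.seq, s.payload)
    print("bytes removed:", xlat.delta)
```

Run directly, the write record at seq 1012 is dropped and the former fifth segment is re-sent as seq 1012, mirroring the renumbering described above; the translator then maps a later sender seq of 1020 to 1016 and a receiver ACK of 1016 back to 1020, which is what keeps both ends' view of the byte stream consistent once bytes have been removed in transit.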
In some embodiments, the TCP packets received from the first terminal in step S11 are multiple packets directed at at least one business. The data filtering method of this embodiment identifies threat data more thoroughly and so raises the security level of the industrial control system. The inventor found in practice that threat data is not only present within a single TCP packet; it may also be hidden across multiple consecutive TCP packets directed at the same business. Judging one by one whether each TCP packet is threat data cannot identify this kind of threat data, whereas converting the multiple packets into a continuous data stream identifies such hidden threat data effectively. This embodiment therefore ensures that such threat data is identified and improves the security level of the whole industrial control system.
When the TCP packets are directed at one business, the multiple packets may be divided into at least one group according to the basic business function of that business to which each packet corresponds, and converted into at least one data stream accordingly. Each group of TCP packets is directed at one basic business function of the business. For example, in the business of querying data via the OPC protocol, the client sends connection data to the server, and the port on which query data is served is determined in this connection; this is one data stream. The client then queries industrial control data from the server on the opened port; this is another data stream. Two data streams are generated accordingly and threat data filtering is performed on each.
When the TCP packets are directed at multiple businesses, the packets of each business may be grouped and converted into at least one data stream for each business. For example, if the TCP packets are directed at two businesses, the packets of the first business are divided into at least one group according to the basic business functions of the first business and converted into at least one data stream accordingly; the packets of the second business are likewise divided into at least one group according to the basic business functions of the second business and converted into at least one data stream accordingly.
The data filtering method of the embodiment then processes the multiple data streams determined above in parallel, improving the efficiency of processing the communication data between the first terminal and the second terminal.
As shown in Fig. 2, in some embodiments converting the TCP packets received from the first terminal into a data stream in step S11 includes:
S21, parsing the header of each of the multiple packets in turn to determine the data start position of each packet;
S22, obtaining the data contained in each packet according to the determined data start position of that packet, to generate the data stream.
From the format of a TCP packet, a TCP packet consists of a header and a data part, and the header records the header length of the TCP packet. Parsing the packet header in step S21 therefore determines where the data part begins within the whole TCP packet, so that the data part can be extracted accurately. In this embodiment, step S21 parses the headers of the received TCP packets one after another to determine the data start position of each, and step S22 then extracts the data part of each TCP packet according to its determined data start position and converts the extracted data parts into a data stream.
In some embodiments, converting the TCP packets received from the first terminal into a data stream in step S11 further includes: determining, from the header information of the TCP packets, the multiple TCP packets that belong to one data stream. Whether TCP packets belong to one data stream can be determined from the five-tuple in the TCP header information: source IP address, source port, destination IP address, destination port and transport-layer protocol. TCP packets whose five-tuples match are classified as the packets used to generate one data stream. This prevents TCP packets belonging to other data streams from being classified into the current stream, and thus prevents interference between TCP packets of different streams.
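The data-start and five-tuple steps above, as an added example (not the patent's code): it reads the IPv4 IHL and TCP data-offset fields to find where each segment's payload begins, keys segments by the five-tuple (source address, source port, destination address, destination port, protocol), and joins each flow's payloads in sequence-number order. The packets, addresses and ports are constructed in memory with zero checksums so the example runs offline; `build_packet` exists only to create them and is not part of any parser.

```python
"""Flow classification by five-tuple and payload extraction via header lengths.

Added illustration, not code from the patent. Packets are constructed in
memory (no checksums), so this runs offline.
"""
import struct
from collections import defaultdict
from typing import Dict, List, Tuple

FiveTuple = Tuple[str, int, str, int, str]


def parse_ipv4_tcp(packet: bytes) -> Tuple[FiveTuple, int, bytes]:
    """Return (five-tuple, TCP seq, payload) for an IPv4 packet carrying TCP.
    The IHL nibble gives the IP header length in 32-bit words; the TCP data
    offset nibble gives the TCP header length the same way. The payload runs
    from the end of the TCP header to the IP total length (trailing padding,
    if any, is excluded)."""
    version, ihl_words = packet[0] >> 4, packet[0] & 0x0F
    if version != 4:
        raise ValueError("not IPv4")
    total_len = struct.unpack("!H", packet[2:4])[0]
    if packet[9] != 6:
        raise ValueError("not TCP")
    src = ".".join(str(b) for b in packet[12:16])
    dst = ".".join(str(b) for b in packet[16:20])
    tcp = packet[ihl_words * 4:total_len]
    sport, dport, seq, _ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    data_off = (off_flags >> 12) * 4
    return (src, sport, dst, dport, "tcp"), seq, tcp[data_off:]


def assemble_flows(packets: List[bytes]) -> Dict[FiveTuple, bytes]:
    """Group payload-bearing segments by five-tuple, order each group by
    sequence number and join the payloads into one stream per flow.
    Loss, retransmission and 32-bit sequence wrap are not handled here."""
    by_flow: Dict[FiveTuple, List[Tuple[int, bytes]]] = defaultdict(list)
    for pkt in packets:
        key, seq, payload = parse_ipv4_tcp(pkt)
        if payload:                       # pure ACKs contribute no stream data
            by_flow[key].append((seq, payload))
    return {key: b"".join(p for _, p in sorted(segs))
            for key, segs in by_flow.items()}


def build_packet(src: str, sport: int, dst: str, dport: int, seq: int,
                 payload: bytes, options: bytes = b"") -> bytes:
    """Constructed IPv4+TCP packet for the example: PSH|ACK, zero checksums,
    optional TCP options so the data offset is not always 20 bytes."""
    if len(options) % 4:
        raise ValueError("TCP options must pad to a 32-bit boundary")
    tcp_hdr_len = 20 + len(options)
    off_flags = ((tcp_hdr_len // 4) << 12) | 0x18            # PSH|ACK
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, 0, off_flags, 65535, 0, 0)
    tcp += options + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(int(x) for x in src.split(".")),
                     bytes(int(x) for x in dst.split(".")))
    return ip + tcp


# Constructed sample: two client connections to the same server port,
# interleaved and out of order; one segment carries eight NOP options.
C, S = "10.0.0.5", "10.0.0.9"
NOPS = b"\x01" * 8
SAMPLE_PACKETS = [
    build_packet(C, 40001, S, 502, 104, b" REG", options=NOPS),  # flow A, 2nd
    build_packet(C, 40002, S, 502, 5000, b"HELLO"),              # flow B
    build_packet(C, 40001, S, 502, 100, b"READ"),                # flow A, 1st
    build_packet(C, 40001, S, 502, 108, b""),                    # flow A, pure ACK
]

if __name__ == "__main__":
    for key, stream in assemble_flows(SAMPLE_PACKETS).items():
        print(key, stream)
```

The second packet of flow A is parsed correctly only because the data offset is read from the header rather than assumed to be 20 bytes; a filter that hard-codes the header length would hand the options bytes to the protocol decoder as payload, which is exactly the kind of mistake the whitelist comparison in step S12 then silently operates on.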
In some embodiments, before sending the continuous TCP packets to the server in order, the method further includes: updating the transmission sliding window size of the TCP packets according to the size of the TCP packets obtained by packing.
The sliding window size represents the number of bytes the server needs to receive, while receiving the TCP data sent by the client, before feeding back an ACK to the client. In the embodiments of the present invention, the sliding window size was synchronised according to network congestion and resource availability when the TCP connection between the client and the server was established. But because packets carrying threat data have been deleted from the transmitted TCP packets in this embodiment, the sliding window size needs to be updated again. Otherwise the server might, within a preset time, fail to receive the number of bytes required by the window size synchronised when the TCP connection was set up, judge the current TCP connection to be in error, and tear it down. By updating the sliding window according to the size of the new TCP packets obtained after filtering, this embodiment ensures the reliability and stability of TCP transmission and improves the security level of the industrial control system.
It should be noted that, for brevity, each of the foregoing method embodiments is expressed as a series of actions in combination, but those skilled in the art should know that the present invention is not limited by the described order of actions, since according to the present invention some steps may be performed in another order or simultaneously. Secondly, those skilled in the art should also know that the embodiments described in this specification are preferred embodiments, and the actions and modules involved are not necessarily all required by the present invention.
In the above embodiments, the description of each embodiment has its own emphasis; for parts not described in detail in one embodiment, refer to the related description of the other embodiments.
As shown in Fig. 3, an embodiment of the application provides a data filtering device 300 for filtering threat packets out of the packets sent by a first terminal to a second terminal. The device includes:
a data stream conversion module 310, for converting the TCP packets received from the first terminal into a data stream;
a data filtering module 320, for analysing the data stream according to preset rules to filter out the threat data contained in the data stream;
a data packing module 330, for packing the data in the data stream other than the threat data into continuous TCP packets;
a packet sending module 340, for sending the continuous TCP packets to the second terminal in order.
The data filtering device of the embodiment converts the TCP packets sent from the first terminal to the second terminal into a data stream before identifying and filtering threat data, and converts the remaining safe data back into TCP packets before sending it to the second terminal. Threat data is thus filtered while the TCP packets delivered to the second terminal remain continuous, which avoids interruption of the connection and preserves the stability and reliability of industrial control. It should be noted that in the embodiments of the present invention the first terminal may be a client or a server, and the second terminal may be a server or a client. That is, the device of the embodiment can be applied to filter packets transmitted between two clients, between a client and a server, between a server and a client, and between two servers.
In some embodiments, the TCP packets received from the first terminal are multiple packets directed at at least one business.
The data filtering method of this embodiment identifies threat data more thoroughly and so raises the security level of the industrial control system. The inventor found in practice that threat data is not only present within a single TCP packet; it may also be hidden across multiple consecutive TCP packets directed at the same business. Judging one by one whether each TCP packet is threat data cannot identify this kind of threat data, whereas converting the multiple packets into a continuous data stream identifies such hidden threat data effectively. This embodiment therefore ensures that such threat data is identified and improves the security level of the whole industrial control system. As shown in Fig. 4, in some embodiments the data stream conversion module 310 includes:
a data start position determining unit 311, for parsing the header of each of the multiple packets in turn to determine the data start position of each packet;
a data stream acquiring unit 312, for obtaining the data contained in each packet according to the determined data start position of that packet, to generate the data stream.
From the format of a TCP packet, a TCP packet consists of a header and a data part, and the header records the header length of the TCP packet. Parsing the packet header therefore determines where the data part begins within the whole TCP packet, so that the data part can be extracted accurately. In this embodiment, the data start position determining unit 311 parses the headers of the received TCP packets one after another to determine the data start position of each, and the data stream acquiring unit 312 then extracts the data part of each TCP packet according to its determined data start position and converts the extracted data parts into a data stream.
In some embodiments, the data filtering device 300 of the present invention further includes:
a sliding window update module, for updating the transmission sliding window size of the TCP packets according to the size of the TCP packets obtained by packing, before the continuous TCP packets are sent to the second terminal in order.
The sliding window size represents the number of bytes the second terminal needs to receive, while receiving the TCP data sent by the first terminal, before feeding back an ACK to the first terminal. In the embodiments of the present invention, the sliding window size was synchronised according to network congestion and resource availability when the TCP connection between the first terminal and the second terminal was established. But because packets carrying threat data have been deleted from the transmitted TCP packets in this embodiment, the sliding window size needs to be updated again. Otherwise the second terminal might, within a preset time, fail to receive the number of bytes required by the window size synchronised when the TCP connection was set up, judge the current TCP connection to be in error, and tear it down. By updating the sliding window according to the size of the new TCP packets obtained after filtering, this embodiment ensures the reliability and stability of TCP transmission and improves the security level of the industrial control system.
The data filtering device of the embodiments of the present invention can be used to perform the data filtering method of the embodiments of the present invention, and accordingly achieves the technical effects achieved by that method; this is not repeated here.
In the embodiments of the present invention, the relevant function modules may be implemented by a hardware processor.
On the other hand, the embodiment of the present invention provides a kind of non-volatile computer readable storage medium storing program for executing, the storage medium In be stored with that one or more include the program of execute instruction, the execute instruction can be by electronic equipment (including but not limited to Computer, server, or network equipment etc.) read and perform, for performing the correlation step in said method embodiment, For example:The tcp data bag for being received from first terminal is converted into into data flow;The data flow is analyzed according to preset rules To filter the threat data included in the data flow;Data in the data flow in addition to the threat data are beaten It is bundled into continuous tcp data bag;The continuous tcp data bag is sent successively to second terminal.
On the other hand, the embodiment of the present invention is also disclosed a kind of electronic equipment, and the electronic equipment includes:
At least one memory, for depositing computer-managed instruction;
At least one processor, for performing the computer-managed instruction of the memory storage, to perform:To be received from The tcp data bag of first terminal is converted into data flow;The data flow is analyzed according to preset rules to filter the number According to the threat data included in stream;Data in the data flow in addition to the threat data are packaged into continuously Tcp data bag;The continuous tcp data bag is sent successively to second terminal.
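The four steps restated above (and the sliding-window point of the preceding paragraph) are easier to reason about in running code. The following Python is a worked example added to this page; it is not code from the patent or its assignee. It parses raw TCP segments with a hand-written header decoder, locates each payload through the Data Offset field as in claim 3, joins the payloads into one stream, strips byte patterns that match constructed "preset rules", repacks the remainder into contiguous segments, and rewrites the window field. The sample segments, the threat patterns and the rule "advertise no more than the clean bytes still to come" are all assumptions made for the example; the patent does not fix how the window is recomputed.

```python
import struct

# TCP header without options: src port, dst port, seq, ack, data offset/reserved,
# flags, window, checksum, urgent pointer (RFC 793 layout, network byte order).
TCP_HDR_FMT = "!HHIIBBHHH"
TCP_MIN_HDR = struct.calcsize(TCP_HDR_FMT)  # 20 bytes

# Preset rules (constructed for this example): payload byte patterns that the
# filter treats as threat data, e.g. a write to an actuator on a Modbus-like link.
THREAT_PATTERNS = [b"WRITE_COIL 0x0001\n", b"STOP_PUMP\n"]


def build_segment(seq, payload, window=4096, options=b"", src=50000, dst=502):
    """Assemble a raw TCP segment (no IP header).  Checksum is left at zero:
    the example runs offline and nothing here is handed to a NIC."""
    if len(options) % 4:
        raise ValueError("TCP options must be padded to a 4-byte boundary")
    data_offset = (TCP_MIN_HDR + len(options)) // 4          # in 32-bit words
    hdr = struct.pack(TCP_HDR_FMT, src, dst, seq, 0, data_offset << 4,
                      0x18, window, 0, 0)                     # flags = PSH|ACK
    return hdr + options + payload


def parse_segment(raw):
    """Claim 3: parse the header and use the Data Offset field to find where the
    payload starts.  Returns (seq, window, payload)."""
    if len(raw) < TCP_MIN_HDR:
        raise ValueError("truncated TCP header")
    (_src, _dst, seq, _ack, off_res, _flags, window,
     _csum, _urg) = struct.unpack(TCP_HDR_FMT, raw[:TCP_MIN_HDR])
    data_start = (off_res >> 4) * 4
    if data_start < TCP_MIN_HDR or data_start > len(raw):
        raise ValueError("Data Offset points outside the segment")
    return seq, window, raw[data_start:]


def segments_to_stream(raws):
    """Claim 1, step 1: order the segments by sequence number, check that each
    one starts exactly where the previous one ended, and join the payloads.
    Returns (base_seq, window, stream)."""
    if not raws:
        raise ValueError("no segments")
    parsed = sorted((parse_segment(r) for r in raws), key=lambda t: t[0])
    base_seq = expect = parsed[0][0]
    window = parsed[0][1]
    stream = bytearray()
    for seq, win, payload in parsed:
        if seq != expect:   # a gap or overlap means the stream cannot be rebuilt yet
            raise ValueError(f"segment at seq {seq} does not follow seq {expect}")
        stream += payload
        expect = (seq + len(payload)) & 0xFFFFFFFF
        window = min(window, win)
    return base_seq, window, bytes(stream)


def filter_stream(stream, patterns=THREAT_PATTERNS):
    """Claim 1, step 2: remove every occurrence of each threat pattern.
    Working on the joined stream catches patterns split across two segments.
    Returns (clean_stream, bytes_removed)."""
    clean = stream
    for pat in patterns:
        clean = clean.replace(pat, b"")
    return clean, len(stream) - len(clean)


def repack(base_seq, clean, mss, window):
    """Claim 1, step 3 and claim 4: cut the clean stream into segments of at most
    `mss` bytes with contiguous sequence numbers starting at the original base
    sequence number.  The window field is clamped to the clean bytes still to
    come (an assumption about the patent's 'update the sliding window' step)."""
    segs = []
    seq = base_seq
    for i in range(0, len(clean), mss):
        chunk = clean[i:i + mss]
        remaining = len(clean) - i        # this chunk and everything after it
        segs.append(build_segment(seq, chunk, window=min(window, remaining)))
        seq = (seq + len(chunk)) & 0xFFFFFFFF
    return segs


def filter_tcp_packets(raws, mss=20, patterns=THREAT_PATTERNS):
    """The whole pipeline of claim 1 for one direction of one connection.
    Returns (continuous_segments, bytes_removed)."""
    base_seq, window, stream = segments_to_stream(raws)
    clean, removed = filter_stream(stream, patterns)
    return repack(base_seq, clean, mss, window), removed


# Constructed sample: two segments from the first terminal, the second carrying
# a 12-byte timestamp option so that its Data Offset differs from the first.
SAMPLE_SEGMENTS = [
    build_segment(1000, b"READ_REG 0x0010\n"),
    build_segment(1016, b"WRITE_COIL 0x0001\nREAD_REG 0x0011\n",
                  options=b"\x01\x01\x08\x0a" + b"\x00" * 8),
]

if __name__ == "__main__":
    out, removed = filter_tcp_packets(SAMPLE_SEGMENTS)
    print(f"removed {removed} threat bytes, forwarding {len(out)} segments")
    for raw in out:
        seq, win, payload = parse_segment(raw)
        print(f"  seq={seq} window={win} payload={payload!r}")
```

Two things the example deliberately leaves out, which a real inline filter of this kind cannot: it handles only the first-terminal-to-second-terminal direction of a single connection, and it does not touch the reverse direction. Once bytes have been removed, the second terminal's ACK numbers no longer match what the first terminal sent, so the device must keep per-connection state and add the number of removed bytes back into every ACK (and SACK block) travelling towards the first terminal, and must recompute the TCP checksum of every segment it rewrites; otherwise the connection stalls or is reset, which is exactly the failure the sliding-window paragraph above is concerned with.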
Fig. 5 is a schematic diagram of the hardware structure of an electronic device that performs the data filtering method, provided by another embodiment of the application. As shown in Fig. 5, the device comprises:
one or more processors 510 and a memory 520; Fig. 5 takes one processor 510 as an example.
The device performing the data filtering method may further comprise an input unit 530 and an output device 540.
The processor 510, memory 520, input unit 530 and output device 540 may be connected by a bus or in other ways; Fig. 5 takes a bus connection as an example.
The memory 520, as a non-volatile computer-readable storage medium, may store non-volatile software programs, non-volatile computer-executable programs and modules, such as the program instructions/modules corresponding to the data filtering method in the embodiments of the application. By running the non-volatile software programs, instructions and modules stored in the memory 520, the processor 510 executes the various functional applications and the data processing of the server, that is, it implements the data filtering method of the method embodiments above.
The memory 520 may comprise a program storage area and a data storage area. The program storage area may store the operating system and the application program required for at least one function; the data storage area may store data created by the use of the data filtering device, and so on. In addition, the memory 520 may comprise high-speed random access memory and may also comprise non-volatile memory, such as at least one magnetic disk storage device, flash memory device or other non-volatile solid-state storage device. In some embodiments the memory 520 optionally comprises memory located remotely from the processor 510; such remote memory may be connected to the data filtering device over a network. Examples of such a network include, but are not limited to, the Internet, an intranet, a local area network, a mobile communication network and combinations thereof.
The input unit 530 may receive input numerals or character information and generate key-signal inputs related to the user settings and function control of the data filtering device. The output device 540 may comprise a display device such as a display screen.
The one or more modules are stored in the memory 520 and, when executed by the one or more processors 510, perform the data filtering method of any of the method embodiments above.
The above product can execute the method provided by the embodiments of the application and possesses the corresponding functional modules and beneficial effects of executing that method. For technical details not described in detail in this embodiment, reference may be made to the method provided by the embodiments of the application.
The electronic device of the embodiments of the application exists in various forms, including but not limited to a firewall. A firewall is composed of a processor, hard disk, memory, system bus and so on, and is similar in architecture to a general-purpose computer, but because it must provide highly reliable service its requirements in processing capability, stability, reliability, security, scalability and manageability are higher.
The device embodiments described above are merely illustrative. The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units: they may be located in one place or distributed over a plurality of network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
From the above description of the embodiments, those skilled in the art will clearly understand that each embodiment may be implemented by software plus a general-purpose hardware platform, and of course also by hardware. Based on this understanding, the above technical solution, or the part of it that contributes to the related art, may be embodied in the form of a software product. The computer software product may be stored in a computer-readable storage medium such as ROM/RAM, a magnetic disk or an optical disc, and includes instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to perform the method described in each embodiment or in some parts of the embodiments.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solution of the application, not to limit it. Although the application has been described in detail with reference to the foregoing embodiments, those skilled in the art will understand that the technical solutions described in the foregoing embodiments may still be modified, or some of their technical features replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solution to depart from the spirit and scope of the technical solutions of the embodiments of the application.

Claims (9)

1. A data filtering method for filtering threat packets out of the packets sent by a first terminal to a second terminal, the method comprising:
converting the TCP packets received from the first terminal into a data stream;
analysing the data stream according to preset rules to filter out the threat data contained in the data stream;
packing the data in the data stream other than the threat data into continuous TCP packets; and
sending the continuous TCP packets in sequence to the second terminal.
2. The method according to claim 1, wherein the TCP packets received from the first terminal are a plurality of packets belonging to at least one service.
3. The method according to claim 2, wherein converting the TCP packets received from the first terminal into a data stream comprises:
parsing the header of each packet in the plurality of packets in turn to determine the data start position of each packet; and
obtaining the data contained in each packet according to its determined data start position, so as to generate the data stream.
4. The method according to any one of claims 1 to 3, further comprising, before sending the continuous TCP packets in sequence to the second terminal: updating the transmission sliding-window size of the TCP packets according to the size of the TCP packets obtained by packing.
5. A data filtering device for filtering threat packets out of the packets sent by a first terminal to a second terminal, the device comprising:
a data stream conversion module for converting the TCP packets received from the first terminal into a data stream;
a data filtering module for analysing the data stream according to preset rules to filter out the threat data contained in the data stream;
a data packing module for packing the data in the data stream other than the threat data into continuous TCP packets; and
a packet sending module for sending the continuous TCP packets in sequence to the second terminal.
6. The device according to claim 5, wherein the TCP packets received from the first terminal are a plurality of packets belonging to at least one service.
7. The device according to claim 6, wherein the data stream conversion module comprises:
a data start position determining unit for parsing the header of each packet in the plurality of packets in turn to determine the data start position of each packet; and
a data stream acquiring unit for obtaining the data contained in each packet according to its determined data start position, so as to generate the data stream.
8. The device according to any one of claims 5 to 7, further comprising:
a sliding window update module for updating, before the continuous TCP packets are sent in sequence to the second terminal, the transmission sliding-window size of the TCP packets according to the size of the TCP packets obtained by packing.
9. An electronic device comprising:
at least one processor; and
a memory communicatively connected to the at least one processor, wherein the memory stores instructions executable by the at least one processor, and the instructions, when executed by the at least one processor, enable the at least one processor to perform:
converting the TCP packets received from a first terminal into a data stream;
analysing the data stream according to preset rules to filter out the threat data contained in the data stream;
packing the data in the data stream other than the threat data into continuous TCP packets; and
sending the continuous TCP packets in sequence to a second terminal.
CN201611049016.7A 2016-11-21 2016-11-21 Data filtering method and device Active CN106549969B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201611049016.7A CN106549969B (en) 2016-11-21 2016-11-21 Data filtering method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201611049016.7A CN106549969B (en) 2016-11-21 2016-11-21 Data filtering method and device

Publications (2)

Publication Number Publication Date
CN106549969A (en) 2017-03-29
CN106549969B CN106549969B (en) 2019-10-22

Family

ID=58394635

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201611049016.7A Active CN106549969B (en) 2016-11-21 2016-11-21 Data filtering method and device

Country Status (1)

Country Link
CN (1) CN106549969B (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108471430A (en) * 2018-07-03 2018-08-31 杭州安恒信息技术股份有限公司 A kind of Internet of Things embedded-type security means of defence and device
CN110337137A (en) * 2019-05-22 2019-10-15 华为技术有限公司 Packet filtering method, apparatus and system

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050216770A1 (en) * 2003-01-24 2005-09-29 Mistletoe Technologies, Inc. Intrusion detection system
CN101114991A (en) * 2006-07-27 2008-01-30 北京南山之桥微电子有限公司 Method for implementing ethernet based data flow high speed comparison
CN101827083A (en) * 2010-02-09 2010-09-08 蓝盾信息安全技术股份有限公司 Method and system for realizing unified threat management in heterogeneous network
CN101854341A (en) * 2009-03-31 2010-10-06 国际商业机器公司 Pattern matching method and device for data streams
CN104486336A (en) * 2014-12-12 2015-04-01 冶金自动化研究设计院 Device for safely isolating and exchanging industrial control networks
CN105049380A (en) * 2015-08-27 2015-11-11 广州市百果园网络科技有限公司 Network communication processing method and communication service equipment

Also Published As

Publication number Publication date
CN106549969B (en) 2019-10-22

Similar Documents

Publication Publication Date Title
EP3382989B1 (en) Network interface device
US10148577B2 (en) Network service header metadata for load balancing
US10225270B2 (en) Steering of cloned traffic in a service function chain
US9729655B2 (en) Managing transfer of data in a data network
JP3568850B2 (en) How the data packet filter works
US9571405B2 (en) Metadata augmentation in a service function chain
JP4490994B2 (en) Packet classification in network security devices
US8782239B2 (en) Distributed router computing at network nodes
KR20070122045A (en) Realtime stateful packet inspection method and apparatus for thereof
CN108881158A (en) Data interaction system and method
CN111885021A (en) Mimicry communication method based on transmission protocol, communication architecture and readable storage medium
CN105939284A (en) Message control strategy matching method and device
EA036842B1 (en) Device and method for controlling a communication network
CN105207997A (en) Anti-attack message forwarding method and system
CN109417556B (en) System and method for secure service collaboration
CN103067384A (en) Threat processing method, system, linkage client, safety equipment and host
CN106549969A (en) Data filtering method and device
US11223691B2 (en) Service function chain (SFC) based multi-tenancy processing method
CN111030970B (en) Distributed access control method and device and storage equipment
CN112311728A (en) Host attack and sink judgment method and device, computing equipment and computer storage medium
CN114866310A (en) Malicious encrypted flow detection method, terminal equipment and storage medium
CN109145620A (en) Data flow diversion processing method and device
EP1142182A2 (en) Device and method for processing a data packet sequence
Clincy et al. Detection of anomaly in firewall rule-sets
US11128646B1 (en) Apparatus and method for cloud-based accelerated filtering and distributed available compute security processing

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant