CN109462503A - A kind of data detection method and device - Google Patents

A kind of data detection method and device

Info

Publication number
CN109462503A
CN109462503A (application number CN201811328648.6A)
Authority
CN
China
Prior art keywords
value
malicious program
data
data flow
data detection
Prior art date
Legal status
Granted
Application number
CN201811328648.6A
Other languages
Chinese (zh)
Other versions
CN109462503B
Inventor
姜楠
马铮
高枫
俞播
Current Assignee
China United Network Communications Group Co Ltd
Original Assignee
China United Network Communications Group Co Ltd
Priority date
Filing date
Publication date
Application filed by China United Network Communications Group Co Ltd
Priority to CN201811328648.6A
Publication of CN109462503A
Application granted
Publication of CN109462503B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06 Management of faults, events, alarms or notifications
    • H04L41/0631 Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/12 Applying verification of the received information
    • H04L63/30 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/033 Test or assess software

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computing Systems (AREA)
  • Health & Medical Sciences (AREA)
  • Virology (AREA)
  • General Health & Medical Sciences (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Technology Law (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The embodiment provides a data detection method and device in the field of communication technology, addressing the problem that, in the prior art, a malicious program cannot be detected before its transmission has completed. The method obtains the first MD5 value of each data packet in a specified data flow; determines a matching ratio from at least one second MD5 value of a malicious program and the first MD5 values of the packets in the specified data flow, where the matching ratio equals α/β, α being the number of first MD5 values identical to a second MD5 value and β the total number of second MD5 values the malicious program comprises; and, when the matching ratio is greater than or equal to a preset ratio, generates alarm information indicating that the malicious program is present in the specified data flow. The embodiment is used for the detection of malicious programs.

Description

A kind of data detection method and device
Technical field
The present invention relates to the field of communication technology, and in particular to a data detection method and device.
Background art
Today's networked society has long faced malicious programs such as viruses and Trojans as a major threat to the security of the public network. These programs spread over the public Internet and damage the information systems or terminal devices of their victims, severely affecting the normal, lawful operation of the computer systems used by Internet users and by many industries. As new vulnerabilities keep appearing in cyberspace, the malicious programs that exploit them keep evolving, and many new malicious programs appear and spread every day. Monitoring and interception of these programs on the network side typically lags behind: a malicious program is often discovered only after it has been completely transmitted, or even executed on the target system, which greatly increases the difficulty of discovering and intercepting it in time.
It follows that how to detect a malicious program before it has been transmitted is a problem that urgently needs to be solved.
Summary of the invention
The embodiment of the present invention provides a data detection method and device, solving the prior-art problem that a malicious program cannot be detected before its transmission has completed.
To achieve the above objective, the embodiment of the present invention adopts the following technical scheme.
In a first aspect, the embodiment of the present invention provides a data detection method, comprising: obtaining the first MD5 value of each data packet in a specified data flow, where the first MD5 value is computed from the data packet with the message digest algorithm and the packets in the specified data flow all share the same source IP, destination IP and session number; determining a matching ratio from at least one second MD5 value of a malicious program and the first MD5 value of each packet in the specified data flow, where the matching ratio equals α/β, α being the number of first MD5 values identical to a second MD5 value and β the total number of second MD5 values the malicious program comprises; and, when the matching ratio is determined to be greater than or equal to a preset ratio, generating alarm information, which indicates that the malicious program is present in the specified data flow.
As can be seen from the above, the data detection method provided by the embodiment compares the first MD5 value of each packet in the specified data flow with at least one second MD5 value of a malicious program and thereby determines a matching ratio. When the matching ratio is greater than or equal to the preset ratio, the malicious program is present in the specified data flow and corresponding alarm information is generated, so that the malicious program being transmitted is detected while the specified data flow is still in transit; staff can then intercept the malicious program on the basis of the alarm information, safeguarding the security of the public network. This solves the prior-art problem that a malicious program cannot be detected before its transmission has completed.
In a second aspect, the embodiment of the present invention provides a data detection device, comprising: an acquiring unit for obtaining the first MD5 value of each data packet in a specified data flow, where the first MD5 value is computed from the data packet with the message digest algorithm and the packets in the specified data flow all share the same source IP, destination IP and session number; and a processing unit for determining a matching ratio from at least one second MD5 value of a malicious program and the first MD5 value of each packet in the specified data flow obtained by the acquiring unit, where the matching ratio equals α/β, α being the number of first MD5 values identical to a second MD5 value and β the total number of second MD5 values the malicious program comprises. The processing unit is further configured to generate alarm information when the matching ratio is determined to be greater than or equal to a preset ratio, the alarm information indicating that the malicious program is present in the specified data flow.
In a third aspect, the embodiment of the present invention provides a computer storage medium comprising instructions which, when run on a computer, cause the computer to execute the data detection method of any implementation of the first aspect.
In a fourth aspect, the embodiment of the present invention provides a data detection device comprising a communication interface, a processor, a memory and a bus. The memory stores computer-executable instructions, the processor is connected to the memory through the bus, and when the data detection device runs, the processor executes the computer-executable instructions stored in the memory so that the data detection device performs the data detection method of any implementation of the first aspect.
It should be understood that any of the data detection devices provided above is used to perform the method corresponding to the first aspect presented above; the beneficial effects it can achieve are therefore those of the method of the first aspect and of the corresponding schemes in the detailed embodiments below, and are not repeated here.
Brief description of the drawings
To explain the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed for the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a first flow diagram of a data detection method provided by an embodiment of the present invention;
Fig. 2 is a second flow diagram of a data detection method provided by an embodiment of the present invention;
Fig. 3 is a third flow diagram of a data detection method provided by an embodiment of the present invention;
Fig. 4 is a first structural diagram of a data detection device provided by an embodiment of the present invention;
Fig. 5 is a second structural diagram of a data detection device provided by an embodiment of the present invention.
Reference numerals:
Data detection device 10;
Acquiring unit 101; processing unit 102.
Detailed description
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
For ease of clearly describing the technical solutions of the embodiments, the words "first", "second" and the like are used in the embodiments to distinguish identical or similar items whose functions and effects are essentially the same. Those skilled in the art will understand that "first", "second" and the like do not limit quantity or order of execution.
In the embodiments of the present invention, words such as "exemplary" or "for example" are used to indicate an example, illustration or explanation. Any embodiment or design described as "exemplary" or "for example" is not to be construed as preferred over, or more advantageous than, other embodiments or designs; rather, such words are intended to present the related concept in a concrete way.
In the description of the embodiments, unless otherwise specified, "plurality" means two or more. For example, multiple networks means two or more networks.
The term "and/or" herein only describes an association between associated objects and indicates that three relationships may exist; for example, A and/or B may mean: A alone, both A and B, or B alone. The symbol "/" herein indicates an "or" relationship between the associated objects; for example, A/B means A or B.
In the prior art there are mainly two ways of discovering malicious programs:
One: restoring the malicious program by traffic monitoring. The monitoring system must monitor the content of ongoing sessions, store all transmitted packets, restore the transmitted file once the transmission is complete, and compare it with a known malicious-program sample in order to discover the propagation of the malicious program.
Two: monitoring the behaviour of programs on the terminal. When the behaviour of a program is found to pose a high security threat, or matches the characteristic behaviour of a known malicious program, the presence of a malicious program is considered discovered.
Although these solutions can effectively discover the presence and propagation of malicious programs, they can hardly discover a malicious program before it has been completely transmitted, or provide a basis for subsequent interception, so their effect in preventing users from being harmed by malicious programs is limited.
To solve the above problem, the embodiment of the present invention provides a data detection method for detecting malicious programs during communication, which can safeguard the security of the public network. The specific implementation is as follows:
Embodiment one
The data detection method provided by the embodiment of the present invention is shown in Fig. 1 and comprises:
S101: obtaining the first Message Digest Algorithm 5 (MD5) value of each data packet in a specified data flow, where the first MD5 value is computed from the data packet with the message digest algorithm and the packets in the specified data flow all share the same source Internet Protocol (IP) address, destination IP address and session number.
Optionally, before the first MD5 value of each packet in the specified data flow is obtained, the method, as shown in Fig. 2, further comprises:
S104: obtaining sample information of at least one malicious program.
S105: determining at least one second MD5 value of each malicious program from the message digest algorithm and the sample information of that malicious program.
It should be noted that, in practical application, the data detection method provided by the embodiment can be applied at each data transmission node: the full traffic passing through the node is monitored and analysed at that node, and the MD5 value is computed over the payload of each packet, excluding the header data.
Because different data flows carry different service types and packet contents, the flows must be distinguished. They are distinguished by the source IP, destination IP and session number of the packets: packets with the same source IP, destination IP and session number belong to the same data flow and are treated as one transmission.
Meanwhile the sample information of known malicious program can be obtained by modes such as user's report, other enterprises notifications;By It is had differences in the sample information of each rogue program, therefore according to for maximum transmission unit (English common in existing network environment Literary full name: Maximum Transmission Unit, referred to as: MTU) value, when being sliced to rogue program obtained, by It is not necessarily identical in the actual size of each rogue program, cause the number of sections generated after being sliced to it different;Due to each The number of sections of rogue program is different, therefore when calculating by slice of the Message Digest 5 to each rogue program, gives birth to At the 2nd MD5 value quantity it is also not necessarily identical;Wherein, slice size can be according to practical situation sets itself;Example Property, slice size includes at least any one of 128 bytes, 256 bytes, 512 bytes, 1480 bytes.
S102: determining a matching ratio from at least one second MD5 value of a malicious program and the first MD5 value of each packet in the specified data flow, where the matching ratio equals α/β, α being the number of first MD5 values identical to a second MD5 value and β the total number of second MD5 values the malicious program comprises.
S103: when the matching ratio is determined to be greater than or equal to a preset ratio, generating alarm information, which indicates that the malicious program is present in the specified data flow.
It should be noted that, in practice, the first MD5 value of each packet in the specified data flow must be compared with the second MD5 values of every known malicious program, searching for content whose MD5 value is identical to that of a slice of a known malicious program. When the matching ratio is greater than or equal to the preset ratio, the malicious program is considered discovered and the corresponding alarm information is generated.
Exemplarily, the preset ratio may be 30%.
Optionally, as shown in Fig. 3, the method further comprises:
S106: when the matching ratio is determined to be less than the preset ratio, continuing to detect other specified data flows.
Exemplarily, assume the preset ratio is 30% and three malicious programs are known. After each of the three programs is sliced and each slice is processed with the message digest algorithm, the second MD5 values of the first malicious program are 1, 3, 5, 7 and 10, those of the second malicious program are 2, 8, 15 and 30, and those of the third malicious program are 11, 15, 22, 33, 60, 77 and 90. Processing each packet of a specified data flow with the message digest algorithm gives first MD5 values of 1, 3, 5, 9, 11, 22 and 30. With the data detection method of the embodiment, the matching ratio of these first MD5 values against the second MD5 values of the first malicious program is 3/5 = 60%, against the second malicious program 1/4 = 25%, and against the third malicious program 2/7 ≈ 28.6%. Since the 60% matching ratio against the first malicious program is greater than the 30% preset ratio, the first malicious program is considered discovered and the corresponding alarm information is generated.
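The slicing of samples (S104, S105), the grouping of packets into flows by source IP, destination IP and session number (S101), the matching ratio α/β (S102) and the threshold decision (S103, S106) are put together below as an added example in Python; it is not part of the patent and not the applicant's code. The packet field names, the 4-byte slice size used in the constructed sample, the 30% preset ratio and the sample bytes are assumptions chosen for illustration (the patent lists 128, 256, 512 and 1480-byte slices and 30% as exemplary values). The example also makes explicit the check a practitioner needs: a packet payload hashes equal to a sample slice only when its bytes are identical, so the monitored transfer must chunk the file on the same boundaries as the slicing, which is the reason the patent ties the slice size to the MTU; and because MD5 is not collision resistant, a match should be treated as a signature hit that triggers an alarm, not as proof.

```python
"""
Added example (not the patent's code): flow-level detection of a known
malicious program by comparing per-packet payload digests with per-slice
digests of the sample, as in S101 to S106 of CN109462503A.
"""
import hashlib
from collections import defaultdict
from typing import Dict, Hashable, Iterable, List, Tuple

# Assumed defaults for illustration; the patent gives 1480 bytes and 30%
# only as examples.
SLICE_SIZE = 1480
PRESET_RATIO = 0.30


def md5_hex(data: bytes) -> str:
    # MD5 is used because the patent specifies it. It is not collision
    # resistant, so an equal digest is a signature hit, not proof of identity.
    return hashlib.md5(data).hexdigest()


def slice_sample(sample: bytes, slice_size: int = SLICE_SIZE) -> List[bytes]:
    """Cut a malicious-program sample into fixed-size slices (S104/S105);
    the last slice may be shorter than slice_size."""
    return [sample[i:i + slice_size] for i in range(0, len(sample), slice_size)]


def second_md5_values(sample: bytes, slice_size: int = SLICE_SIZE) -> List[str]:
    """The sample's 'second MD5 values': one digest per slice (S105).
    beta is the length of this list."""
    return [md5_hex(s) for s in slice_sample(sample, slice_size)]


def matching_ratio(first_values: Iterable[Hashable],
                   second_values: List[Hashable]) -> float:
    """alpha / beta as defined in S102: alpha = number of the sample's slice
    digests that also occur among the flow's packet digests, beta = number of
    slice digests. A sample with no slices yields 0.0 rather than dividing
    by zero."""
    beta = len(second_values)
    if beta == 0:
        return 0.0
    seen = set(first_values)
    alpha = sum(1 for v in second_values if v in seen)
    return alpha / beta


def group_flows(packets: Iterable[dict]) -> Dict[Tuple[str, str, str], List[bytes]]:
    """Group packet payloads into 'specified data flows' keyed by
    (source IP, destination IP, session number), per S101. Only the payload
    is kept; header bytes never enter the digest."""
    flows: Dict[Tuple[str, str, str], List[bytes]] = defaultdict(list)
    for p in packets:
        flows[(p["src"], p["dst"], p["session"])].append(p["payload"])
    return dict(flows)


def detect(packets: Iterable[dict], samples: Dict[str, bytes],
           slice_size: int = SLICE_SIZE,
           preset_ratio: float = PRESET_RATIO) -> List[Tuple[Tuple[str, str, str], str, float]]:
    """Return (flow key, sample name, ratio) for every flow whose matching
    ratio against a known sample reaches the preset ratio (S103); flows
    below the threshold produce nothing and detection moves on (S106)."""
    signatures = {name: second_md5_values(b, slice_size) for name, b in samples.items()}
    alerts = []
    for key, payloads in group_flows(packets).items():
        first_values = [md5_hex(p) for p in payloads]  # the 'first MD5 values'
        for name, second_values in signatures.items():
            ratio = matching_ratio(first_values, second_values)
            if ratio >= preset_ratio:
                alerts.append((key, name, ratio))
    return alerts


# Constructed test data (not from the patent): a 20-byte "sample" that slices
# into five 4-byte pieces, one flow carrying three of those pieces among
# unrelated packets, and a second flow carrying only one piece.
SAMPLE_A = b"AAAABBBBCCCCDDDDEEEE"
PACKETS = [
    {"src": "10.0.0.1", "dst": "10.0.0.2", "session": "s1", "payload": b"AAAA"},
    {"src": "10.0.0.1", "dst": "10.0.0.2", "session": "s1", "payload": b"BBBB"},
    {"src": "10.0.0.1", "dst": "10.0.0.2", "session": "s1", "payload": b"XXXX"},
    {"src": "10.0.0.1", "dst": "10.0.0.2", "session": "s1", "payload": b"CCCC"},
    {"src": "10.0.0.1", "dst": "10.0.0.3", "session": "s2", "payload": b"AAAA"},
]

if __name__ == "__main__":
    # Flow s1 matches 3 of 5 slices (60%) and alarms; flow s2 matches 1 of 5
    # (20%) and is passed over.
    for key, name, ratio in detect(PACKETS, {"sample_a": SAMPLE_A}, slice_size=4):
        print(f"ALERT flow={key} sample={name} ratio={ratio:.1%}")
```

`matching_ratio` is written over arbitrary hashable values so it can also be checked against the integer stand-ins the patent uses in its worked example: the flow values 1, 3, 5, 9, 11, 22, 30 give 3/5, 1/4 and 2/7 against the three sample value lists, exactly as stated above. In a real deployment the "session" key would be whatever the capture point can derive (for TCP, the port pair is the usual choice), and the slice size has to equal the payload size the observed transfer actually uses, otherwise no digest can ever match.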
As can be seen from the above, the data detection method provided by the embodiment compares the first MD5 value of each packet in the specified data flow with at least one second MD5 value of a malicious program, determines a matching ratio, and, when the matching ratio is greater than or equal to the preset ratio, generates alarm information indicating that the malicious program is present in the specified data flow. The malicious program is thus detected while the data flow is still in transit, and staff can intercept it on the basis of the alarm information, safeguarding the security of the public network; this solves the prior-art problem that a malicious program cannot be detected before its transmission has completed.
Embodiment two
The embodiment of the present invention provides a data detection device 10 which, as shown in Fig. 4, comprises:
An acquiring unit 101 for obtaining the first MD5 value of each data packet in a specified data flow, where the first MD5 value is computed from the data packet with the message digest algorithm and the packets in the specified data flow all share the same source IP, destination IP and session number.
A processing unit 102 for determining a matching ratio from at least one second MD5 value of a malicious program and the first MD5 value of each packet in the specified data flow obtained by the acquiring unit 101, where the matching ratio equals α/β, α being the number of first MD5 values identical to a second MD5 value and β the total number of second MD5 values the malicious program comprises.
The processing unit 102 is further configured to generate alarm information when the matching ratio is determined to be greater than or equal to a preset ratio, the alarm information indicating that the malicious program is present in the specified data flow.
Optionally, the acquiring unit 101 is further configured to obtain sample information of at least one malicious program, and the processing unit 102 is further configured to determine at least one second MD5 value of each malicious program from the message digest algorithm and the sample information of each malicious program obtained by the acquiring unit 101.
Optionally, the processing unit 102 is further configured to continue detecting other specified data flows when the matching ratio is determined to be less than the preset ratio.
All related content of each step involved in the above method embodiment can be cited as the functional description of the corresponding functional module and is not repeated here.
When integrated modules are used, the data detection device comprises a storage unit, a processing unit and an acquiring unit. The processing unit controls and manages the actions of the data detection device; for example, it supports the data detection device in performing processes S101, S102 and S103 in Fig. 1. The acquiring unit supports information exchange between the data detection device and other devices. The storage unit stores the program code and data of the data detection device.
Here the processing unit may be a processor, the storage unit a memory, and the acquiring unit a communication interface. Referring to Fig. 5, the data detection device comprises a communication interface 501, a processor 502, a memory 503 and a bus 504; the communication interface 501 and the processor 502 are connected to the memory 503 through the bus 504.
The processor 502 may be a general-purpose central processing unit (CPU), a microprocessor, an application-specific integrated circuit (ASIC), or one or more integrated circuits for controlling the execution of the program of this scheme.
The memory 503 may be a read-only memory (ROM) or another type of static storage device that can store static information and instructions, a random access memory (RAM) or another type of dynamic storage device that can store information and instructions, an electrically erasable programmable read-only memory (EEPROM), a compact disc read-only memory (CD-ROM) or other optical disc storage, optical disc storage (including compact discs, laser discs, optical discs, digital versatile discs, Blu-ray discs and the like), magnetic disk storage media or other magnetic storage devices, or any other medium that can carry or store desired program code in the form of instructions or data structures and can be accessed by a computer, but is not limited to these. The memory may exist separately and be connected to the processor through the bus, or may be integrated with the processor.
The memory 503 stores the application program code for executing this scheme, and its execution is controlled by the processor 502. The communication interface 501 exchanges information with other devices, for example with a remote controller. The processor 502 executes the application program code stored in the memory 503 to implement the method described in the embodiments of the present application.
In addition, a computer storage medium (or media) is provided, comprising instructions which, when executed, perform the method operations performed by the data detection device in the above embodiments. A computer program product comprising the above computer storage medium (or media) is also provided.
It should be understood that, in the various embodiments of the present invention, the sequence numbers of the above processes do not imply an order of execution; the order of execution of each process should be determined by its function and internal logic and does not constitute any limitation on the implementation of the embodiments.
Those of ordinary skill in the art will appreciate that the units and algorithm steps described in connection with the embodiments disclosed herein can be implemented in electronic hardware or in a combination of computer software and electronic hardware. Whether these functions are performed in hardware or in software depends on the specific application and design constraints of the technical solution. Skilled persons may use different methods to implement the described functions for each specific application, but such implementations should not be considered beyond the scope of the present invention.
Those skilled in the art will clearly understand that, for convenience and brevity of description, the specific working processes of the systems, devices and units described above can be found in the corresponding processes of the foregoing method embodiments and are not repeated here.
In the several embodiments provided in this application, it should be understood that the disclosed systems, devices and methods may be implemented in other ways. For example, the device embodiments described above are merely illustrative; the division into units is only a logical functional division, and other divisions are possible in actual implementation, for example multiple units or components may be combined or integrated into another system, or some features may be omitted or not executed. Furthermore, the couplings, direct couplings or communication connections shown or discussed between components may be indirect couplings or communication connections through interfaces, devices or units, and may be electrical, mechanical or of other forms.
The units described as separate components may or may not be physically separate, and components shown as units may or may not be physical units; they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the embodiment.
In addition, the functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist physically on its own, or two or more units may be integrated into one unit.
If the functions are implemented in the form of software functional units and sold or used as an independent product, they may be stored in a computer-readable storage medium. On this understanding, the technical solution of the present invention in essence, or the part that contributes to the prior art, or part of the technical solution, may be embodied in the form of a software product stored in a storage medium and comprising instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to perform all or part of the steps of the methods described in the embodiments of the present invention. The storage medium includes media that can store program code, such as a USB flash disk, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disc.
It should be understood that any of the data detection devices provided above is used to perform the method corresponding to embodiment one presented above; the beneficial effects it can achieve are those of embodiment one and of the corresponding schemes in the detailed embodiments, and are not repeated here.
The above are only specific embodiments of the present invention, but the scope of protection of the present invention is not limited to them. Any change or replacement that those familiar with the art can easily conceive within the technical scope disclosed by the present invention shall be covered by the scope of protection of the present invention. Therefore, the scope of protection of the present invention shall be subject to the scope of protection of the claims.

Claims (8)

1. A data detection method, characterized by comprising:
obtaining a first MD5 value of each data packet in a specified data flow; wherein the first MD5 value is determined by computing the data packet with a message digest algorithm, and the source IP, destination IP and session number of every data packet in the specified data flow are the same;
determining a matching ratio according to at least one second MD5 value of a malicious program and the first MD5 value of each data packet in the specified data flow; wherein the matching ratio is given by α and β, α denoting the first total, i.e. the number of first MD5 values identical to second MD5 values, and β denoting the second total, i.e. the number of second MD5 values comprised by the malicious program;
when the matching ratio is determined to be greater than or equal to a preset ratio, generating an alert message; wherein the alert message is used to indicate that the malicious program is present in the specified data flow.
2. The data detection method according to claim 1, characterized in that, before obtaining the first MD5 value of each data packet in the specified data flow, the method further comprises:
obtaining sample information of at least one malicious program;
determining at least one second MD5 value of each malicious program according to the message digest algorithm and the sample information of that malicious program.
3. The data detection method according to claim 1, characterized in that the method further comprises:
when the matching ratio is determined to be less than the preset ratio, continuing to detect other specified data flows.
4. A data detection device, characterized by comprising:
an acquiring unit, for obtaining a first MD5 value of each data packet in a specified data flow; wherein the first MD5 value is determined by computing the data packet with a message digest algorithm, and the source IP, destination IP and session number of every data packet in the specified data flow are the same;
a processing unit, for determining a matching ratio according to at least one second MD5 value of a malicious program and the first MD5 value of each data packet in the specified data flow obtained by the acquiring unit; wherein the matching ratio is given by α and β, α denoting the first total, i.e. the number of first MD5 values identical to second MD5 values, and β denoting the second total, i.e. the number of second MD5 values comprised by the malicious program;
the processing unit is further used to generate an alert message when the matching ratio is determined to be greater than or equal to a preset ratio; wherein the alert message is used to indicate that the malicious program is present in the specified data flow.
5. The data detection device according to claim 4, characterized in that the acquiring unit is further used to obtain sample information of at least one malicious program;
the processing unit is further used to determine at least one second MD5 value of each malicious program according to the message digest algorithm and the sample information of each malicious program obtained by the acquiring unit.
6. The data detection device according to claim 4, characterized in that the processing unit is further used to continue detecting other specified data flows when the matching ratio is determined to be less than the preset ratio.
7. A computer storage medium comprising instructions which, when run on a computer, cause the computer to execute the data detection method according to any one of claims 1 to 3.
8. A data detection device, comprising: a communication interface, a processor, a memory and a bus; the memory is used to store computer-executable instructions, the processor is connected to the memory through the bus, and when the data detection device operates, the processor executes the computer-executable instructions stored in the memory so that the data detection device executes the data detection method according to any one of claims 1 to 3.
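The detection procedure of claims 1 to 3, worked through as an added example (not code from the patent or its assignee): packets are grouped into flows by source IP, destination IP and session number, each packet is hashed with MD5, the digests are compared with the malicious program's second MD5 values, and an alert is raised when the matching ratio reaches the preset ratio. Two assumptions are made where the claims are silent: the ratio is taken as α/β with α counted over distinct digests, and the malicious sample is hashed as caller-supplied segments.

```python
import hashlib
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# Per the claims, a specified data flow is the set of packets sharing source IP,
# destination IP and session number.
FlowKey = Tuple[str, str, int]
Packet = Tuple[str, str, int, bytes]  # (src IP, dst IP, session no., payload)

def malware_signature(sample_segments: Iterable[bytes]) -> Set[str]:
    """Claim 2: second MD5 values of one malicious program. The claims do not say
    how a sample is segmented; hashing caller-supplied segments is an assumption."""
    return {hashlib.md5(seg).hexdigest() for seg in sample_segments}

def matching_ratio(flow_packets: List[bytes], signature: Set[str]) -> float:
    """alpha = first MD5 values identical to some second MD5 value (distinct digests,
    an assumption keeping the ratio <= 1); beta = number of second MD5 values.
    alpha/beta is assumed, since the extracted claim text omits the formula."""
    beta = len(signature)
    if beta == 0:  # a program with no known digests can never be matched
        return 0.0
    first_values = {hashlib.md5(p).hexdigest() for p in flow_packets}
    return len(first_values & signature) / beta

def detect(packets: Iterable[Packet], signature: Set[str],
           preset_ratio: float = 0.5) -> List[Tuple[FlowKey, float]]:
    """Claims 1 and 3: group packets into flows, alert on each flow whose ratio
    reaches the preset ratio, and move on from flows below it without alerting."""
    flows: Dict[FlowKey, List[bytes]] = defaultdict(list)
    for src, dst, session, payload in packets:
        flows[(src, dst, session)].append(payload)
    alerts = []
    for key, pkts in flows.items():
        ratio = matching_ratio(pkts, signature)
        if ratio >= preset_ratio:
            alerts.append((key, ratio))  # the malicious program is present in this flow
    return alerts

# Constructed data, not from the patent: four segments of a fake sample and two
# flows, the first carrying three of the segments among benign traffic.
SAMPLE_SEGMENTS = [b"seg-A", b"seg-B", b"seg-C", b"seg-D"]
PACKETS: List[Packet] = [
    ("10.0.0.5", "203.0.113.9", 1, b"seg-A"),
    ("10.0.0.5", "203.0.113.9", 1, b"seg-B"),
    ("10.0.0.5", "203.0.113.9", 1, b"seg-C"),
    ("10.0.0.5", "203.0.113.9", 1, b"benign payload"),
    ("10.0.0.7", "198.51.100.2", 2, b"seg-A"),
]
```

With the constructed data and the default preset ratio of 0.5, only the first flow (3 of 4 digests matched) produces an alert. Because the comparison is an exact digest match, any byte-level change to a segment (different packetisation, compression or encryption) yields a different MD5 value and lowers the ratio.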
CN201811328648.6A 2018-11-09 2018-11-09 Data detection method and device Active CN109462503B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811328648.6A CN109462503B (en) 2018-11-09 2018-11-09 Data detection method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201811328648.6A CN109462503B (en) 2018-11-09 2018-11-09 Data detection method and device

Publications (2)

Publication Number Publication Date
CN109462503A true CN109462503A (en) 2019-03-12
CN109462503B CN109462503B (en) 2022-04-26

Family

ID=65609816

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811328648.6A Active CN109462503B (en) 2018-11-09 2018-11-09 Data detection method and device

Country Status (1)

Country Link
CN (1) CN109462503B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114328313A (en) * 2021-12-31 2022-04-12 联想长风科技(北京)有限公司 Information transmission method and system

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20110138465A1 (en) * 2009-12-03 2011-06-09 International Business Machines Corporation Mitigating malicious file propagation with progressive identifiers
CN104252595A (en) * 2013-06-28 2014-12-31 贝壳网际(北京)安全技术有限公司 Application program analysis method and device and client
US20160269437A1 (en) * 2015-03-12 2016-09-15 Forcepoint Federal Llc Systems and methods for malware analysis of network traffic
CN106302531A (en) * 2016-09-30 2017-01-04 北京金山安全软件有限公司 Safety protection method and device and terminal equipment
CN107145780A (en) * 2017-03-31 2017-09-08 腾讯科技(深圳)有限公司 Malware detection method and device
CN108073815A (en) * 2017-12-29 2018-05-25 哈尔滨安天科技股份有限公司 Family's determination method, system and storage medium based on code slice
US9998484B1 (en) * 2016-03-28 2018-06-12 EMC IP Holding Company LLC Classifying potentially malicious and benign software modules through similarity analysis
US10061921B1 (en) * 2017-02-13 2018-08-28 Trend Micro Incorporated Methods and systems for detecting computer security threats

Also Published As

Publication number Publication date
CN109462503B (en) 2022-04-26

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant