CN109462503A - A kind of data detection method and device - Google Patents
- Publication number: CN109462503A (application CN201811328648.6A)
- Authority: CN (China)
- Prior art keywords: value, rogue program, data, data flow, data detection
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Granted
Classifications
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
        - H04L41/06—Management of faults, events, alarms or notifications
          - H04L41/0631—Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
- G—PHYSICS
  - G06—COMPUTING; CALCULATING OR COUNTING
    - G06F—ELECTRIC DIGITAL DATA PROCESSING
      - G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
        - G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
          - G06F21/55—Detecting local intrusion or implementing counter-measures
            - G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
              - G06F21/562—Static detection
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L63/00—Network architectures or network communication protocols for network security
        - H04L63/12—Applying verification of the received information
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L63/00—Network architectures or network communication protocols for network security
        - H04L63/30—Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information
- G—PHYSICS
  - G06—COMPUTING; CALCULATING OR COUNTING
    - G06F—ELECTRIC DIGITAL DATA PROCESSING
      - G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
        - G06F2221/03—Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
          - G06F2221/033—Test or assess software
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Computing Systems (AREA)
- Health & Medical Sciences (AREA)
- Virology (AREA)
- General Health & Medical Sciences (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Technology Law (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The embodiments provide a data detection method and device in the field of communication technology, solving the prior-art problem that a malicious program cannot be detected before its transmission has completed. The method comprises: obtaining a first MD5 value of each data packet in a specified data flow; determining a matching ratio from at least one second MD5 value of a malicious program and the first MD5 value of each data packet in the specified data flow, where the matching ratio is equal to α/β, α being the number of first MD5 values identical to second MD5 values and β the total number of second MD5 values the malicious program has; and, when the matching ratio is determined to be greater than or equal to a preset ratio, generating an alarm message indicating that the malicious program is present in the specified data flow. The embodiments are used for the detection of malicious programs.
Description
Technical field
The present invention relates to the field of communication technology, and in particular to a data detection method and device.
Background technique
Various malicious programs, of which viruses and Trojan horses are representative, have long been an important threat to the security of today's networked society. These malicious programs propagate over the public Internet, damage victims' information systems or terminal devices, and seriously disrupt the normal, lawful operation of the computer systems used by Internet users and by all kinds of industries. As new vulnerabilities in cyberspace keep appearing, malicious programs exploiting different vulnerabilities keep evolving, and many new malicious programs emerge and propagate every day. Network-side monitoring and interception of these programs often lags behind: a malicious program is frequently discovered only after it has been completely transmitted, or even executed on the target system, which makes timely discovery and interception considerably more difficult.
It follows that how to detect a malicious program before its transmission has completed has become an urgent problem to be solved.
Summary of the invention
The embodiments of the present invention provide a data detection method and device, which solve the prior-art problem that a malicious program cannot be detected before its transmission has completed.
To achieve this objective, the embodiments adopt the following technical scheme.
In a first aspect, an embodiment provides a data detection method comprising: obtaining a first MD5 value of each data packet in a specified data flow, where the first MD5 value is computed over the data packet by the message digest algorithm, and all data packets in the specified data flow have the same source IP, destination IP and session number; determining a matching ratio from at least one second MD5 value of a malicious program and the first MD5 value of each data packet in the specified data flow, where the matching ratio is equal to α/β, α being the number of first MD5 values identical to second MD5 values and β the total number of second MD5 values the malicious program has; and, when the matching ratio is determined to be greater than or equal to a preset ratio, generating an alarm message indicating that the malicious program is present in the specified data flow.
It follows that the data detection method of this embodiment compares the first MD5 value of each data packet in a specified data flow with at least one second MD5 value of a malicious program and thereby determines a matching ratio. When the matching ratio is greater than or equal to the preset ratio, the malicious program is present in the specified data flow and a corresponding alarm message is generated. The malicious program is thus detected while the specified data flow is still being transmitted, so that staff can intercept it on the basis of the alarm message and safeguard the security of the public network. This solves the prior-art problem that a malicious program cannot be detected before its transmission has completed.
In a second aspect, an embodiment provides a data detection device comprising: an acquiring unit for obtaining a first MD5 value of each data packet in a specified data flow, where the first MD5 value is computed over the data packet by the message digest algorithm, and all data packets in the specified data flow have the same source IP, destination IP and session number; and a processing unit for determining a matching ratio from at least one second MD5 value of a malicious program and the first MD5 value of each data packet in the specified data flow obtained by the acquiring unit, where the matching ratio is equal to α/β, α being the number of first MD5 values identical to second MD5 values and β the total number of second MD5 values the malicious program has. The processing unit is further configured to generate an alarm message when the matching ratio is determined to be greater than or equal to a preset ratio, the alarm message indicating that the malicious program is present in the specified data flow.
In a third aspect, an embodiment provides a computer storage medium containing instructions which, when run on a computer, cause the computer to execute any of the data detection methods provided in the first aspect.
In a fourth aspect, an embodiment provides a data detection device comprising a communication interface, a processor, a memory and a bus. The memory stores computer-executable instructions and is connected to the processor through the bus; when the data detection device runs, the processor executes the computer-executable instructions stored in the memory so that the data detection device performs any of the data detection methods provided in the first aspect.
It should be understood that every data detection device provided above executes the method of the first aspect, so the beneficial effects it can attain are those of the first aspect and of the corresponding schemes in the detailed description below, and are not repeated here.
Detailed description of the invention
To explain the technical solutions of the embodiments of the invention or of the prior art more clearly, the drawings needed for describing them are briefly introduced below. The following drawings show only some embodiments of the invention; those of ordinary skill in the art can derive other drawings from them without creative effort.
Fig. 1 is a first flow diagram of a data detection method provided by an embodiment of the present invention;
Fig. 2 is a second flow diagram of a data detection method provided by an embodiment of the present invention;
Fig. 3 is a third flow diagram of a data detection method provided by an embodiment of the present invention;
Fig. 4 is a first structural diagram of a data detection device provided by an embodiment of the present invention;
Fig. 5 is a second structural diagram of a data detection device provided by an embodiment of the present invention.
Reference numerals:
Data detection device - 10;
Acquiring unit - 101; Processing unit - 102.
Specific embodiment
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings. The described embodiments are only some, not all, of the embodiments of the invention. All other embodiments obtained by those of ordinary skill in the art on the basis of these embodiments without creative effort fall within the protection scope of the invention.
For clarity of description, the words "first", "second" and so on are used in the embodiments to distinguish items that are essentially identical or similar in function and effect; those skilled in the art will understand that these words do not limit quantity or order of execution.
In the embodiments, "exemplary" or "for example" is used to mean serving as an example, illustration or explanation. Any embodiment or design described as "exemplary" or "for example" is not to be construed as preferred or more advantageous than other embodiments or designs; rather, these words present the related concepts in a concrete way.
In the description of the embodiments, unless otherwise indicated, "plurality" means two or more; for example, a plurality of networks means two or more networks.
The term "and/or" merely describes an association between associated objects and indicates that three relationships may exist; for example, "A and/or B" can mean A alone, both A and B, or B alone. The symbol "/" indicates an "or" relationship between the associated objects; for example, A/B means A or B.
In the prior art there are mainly two ways of discovering malicious programs:
One, recovering the malicious program through traffic monitoring: the monitoring system monitors the content of ongoing sessions, stores all transmitted data packets, reconstructs the transmitted file once the transmission has completed, and compares it with the samples of known malicious programs, thereby discovering the propagation of a malicious program.
Two, monitoring program behaviour on the terminal: when the behaviour of a program may pose a higher security threat, or matches the characteristic behaviour of a known malicious program, the malicious program is considered found.
Although these solutions can effectively discover the presence and propagation of malicious programs, it is difficult for them to discover a malicious program before it has been completely transmitted and to provide a basis for subsequent interception, so their effect in preventing harm to users is limited.
To solve the above problems, the embodiments of the present invention provide a data detection method for detecting malicious programs during communication, thereby safeguarding the security of the public network. The specific implementation is as follows.
Embodiment one
As shown in Fig. 1, an embodiment of the present invention provides a data detection method comprising:
S101, obtaining the first message digest algorithm (Message Digest Algorithm 5, MD5) value of each data packet in a specified data flow; the first MD5 value is computed over the data packet by the message digest algorithm, and all data packets in the specified data flow have the same source Internet Protocol (IP) address, destination IP address and session number.
Optionally, as shown in Fig. 2, before the first MD5 value of each data packet in the specified data flow is obtained, the method further includes:
S104, obtaining the sample information of at least one malicious program.
S105, determining at least one second MD5 value of each malicious program according to the message digest algorithm and the sample information of each malicious program.
It should be noted that, in practical application, the data detection method provided by the embodiment can be applied at each data transmission node: each node monitors and analyses all data flows passing through it and obtains the MD5 value of the payload of each packet, excluding the header data.
Because different data flows carry different service types and different packet contents, each data flow must be distinguished. Flows are distinguished by the source IP, destination IP and session number of the data packets: packets with the same source IP, destination IP and session number belong to the same data flow, i.e. packets with identical source IP, destination IP and session number are regarded as one transmission.
Meanwhile, the sample information of known malicious programs can be obtained through user reports, notifications from other enterprises and similar channels. Since the sample information of each malicious program differs, each obtained malicious program is sliced according to the maximum transmission unit (MTU) value common in the existing network environment; as the actual sizes of the malicious programs are not necessarily the same, the number of slices produced differs between programs, and therefore the number of second MD5 values produced when the message digest algorithm is applied to the slices of each malicious program is also not necessarily the same. The slice size can be set according to the actual situation; exemplary slice sizes include at least one of 128 bytes, 256 bytes, 512 bytes and 1480 bytes.
S102, determining a matching ratio from at least one second MD5 value of a malicious program and the first MD5 value of each data packet in the specified data flow; the matching ratio is equal to α/β, where α is the number of first MD5 values identical to second MD5 values and β is the total number of second MD5 values the malicious program has.
S103, when the matching ratio is determined to be greater than or equal to a preset ratio, generating an alarm message; the alarm message indicates that a malicious program is present in the specified data flow.
It should be noted that, in practical application, the first MD5 value of each data packet in the specified data flow is compared with the second MD5 values of every known malicious program, looking for content whose MD5 value is identical to that of a known malicious program slice. When the matching ratio is greater than or equal to the preset ratio, the malicious program is considered found and the corresponding alarm message is generated.
Exemplarily, the preset ratio can be 30%.
Optionally, as shown in Fig. 3, the method further includes:
S106, when the matching ratio is determined to be less than the preset ratio, continuing to test other specified data flows.
Exemplarily, assume the preset ratio is 30% and three malicious programs are known. After the three programs are sliced and the message digest algorithm is applied to each slice, the second MD5 values of the first malicious program are determined to be 1, 3, 5, 7 and 10, those of the second malicious program to be 2, 8, 15 and 30, and those of the third malicious program to be 11, 15, 22, 33, 60, 77 and 90. Applying the message digest algorithm to each data packet in a specified data flow gives first MD5 values of 1, 3, 5, 9, 11, 22 and 30. The data detection method of the embodiment then determines that the matching ratio between the first MD5 values of the specified data flow and the second MD5 values of the first malicious program is 60% (3 of 5 values match), that the ratio against the second malicious program is 25% (1 of 4), and that the ratio against the third malicious program is 28.6% (2 of 7). Since the 60% matching ratio against the first malicious program is greater than the 30% preset ratio, the first malicious program is considered found and a corresponding alarm message is generated.
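The scheme of steps S101 to S106, carried through on the numeric example above and then on constructed byte-level data, as an added Python example (not code from the patent). Packets are modelled as (source IP, destination IP, session number, payload) tuples whose payload already excludes header data; the 4-byte slice size, the sample bytes and the addresses are constructed for the demonstration, and counting α over distinct values is an assumption the patent does not state.

```python
"""Flow-level fragment matching of steps S101-S106 (added example, not the patent's code)."""
import hashlib
from collections import defaultdict
from typing import Dict, Hashable, Iterable, List, Sequence, Tuple

FlowKey = Tuple[str, str, int]          # (source IP, destination IP, session number)
Packet = Tuple[str, str, int, bytes]    # FlowKey fields plus payload with header data removed

PRESET_RATIO = 0.30                     # the 30% alarm threshold used in the patent's example


def second_md5_values(sample: bytes, slice_size: int) -> List[str]:
    """S104/S105: slice a known malicious sample and hash every slice."""
    if slice_size <= 0:
        raise ValueError("slice size must be positive")
    return [hashlib.md5(sample[i:i + slice_size]).hexdigest()
            for i in range(0, len(sample), slice_size)]


def group_flows(packets: Iterable[Packet]) -> Dict[FlowKey, List[bytes]]:
    """Packets with identical source IP, destination IP and session number
    form one 'specified data flow', i.e. one transmission."""
    flows: Dict[FlowKey, List[bytes]] = defaultdict(list)
    for src, dst, session, payload in packets:
        flows[(src, dst, session)].append(payload)
    return dict(flows)


def first_md5_values(payloads: Iterable[bytes]) -> List[str]:
    """S101: MD5 of each packet's payload in a flow."""
    return [hashlib.md5(p).hexdigest() for p in payloads]


def matching_ratio(first_values: Sequence[Hashable],
                   second_values: Sequence[Hashable]) -> float:
    """S102: alpha / beta. beta is the number of second MD5 values the sample
    has; alpha is how many of them also occur among the flow's first MD5 values.
    Assumption (not stated in the patent): alpha counts distinct values, so a
    retransmitted packet cannot push the ratio above 1.0."""
    beta = len(second_values)
    if beta == 0:
        return 0.0
    seen = set(first_values)
    alpha = sum(1 for v in set(second_values) if v in seen)
    return alpha / beta


def detect_flow(first_values: Sequence[Hashable],
                samples: Dict[str, Sequence[Hashable]],
                preset_ratio: float = PRESET_RATIO) -> List[Tuple[str, float]]:
    """S103/S106: (sample name, ratio) for every sample whose ratio reaches the
    preset ratio; an empty list means 'move on to other flows'."""
    alerts = []
    for name, second_values in samples.items():
        ratio = matching_ratio(first_values, second_values)
        if ratio >= preset_ratio:
            alerts.append((name, ratio))
    return alerts


def detect_capture(packets: Iterable[Packet], samples_bytes: Dict[str, bytes],
                   slice_size: int,
                   preset_ratio: float = PRESET_RATIO) -> Dict[FlowKey, List[Tuple[str, float]]]:
    """Whole pipeline: slice and hash the samples, group packets into flows,
    hash each flow's payloads and score every flow against every sample."""
    samples = {n: second_md5_values(b, slice_size) for n, b in samples_bytes.items()}
    return {key: detect_flow(first_md5_values(payloads), samples, preset_ratio)
            for key, payloads in group_flows(packets).items()}


# Constructed sample and traffic (not real malware): 16 bytes sliced into 4-byte pieces.
SAMPLE = b"MALWARE-SAMPLE!!"
SLICE = 4
ALIGNED_PACKETS: List[Packet] = [("10.0.0.5", "10.0.0.9", 7, SAMPLE[i:i + SLICE])
                                 for i in range(0, len(SAMPLE), SLICE)]
# The same bytes segmented 2 bytes off the slice boundary produce no matching
# slice hash at all: the slice size has to match how the network actually
# segments the transfer, otherwise the method silently misses the flow.
SHIFTED_PACKETS: List[Packet] = [("10.0.0.5", "10.0.0.9", 8, SAMPLE[i:i + SLICE])
                                 for i in range(2, len(SAMPLE), SLICE)]

if __name__ == "__main__":
    toy_flow = [1, 3, 5, 9, 11, 22, 30]
    toy_samples = {"first": [1, 3, 5, 7, 10], "second": [2, 8, 15, 30],
                   "third": [11, 15, 22, 33, 60, 77, 90]}
    print(detect_flow(toy_flow, toy_samples))
    print(detect_capture(ALIGNED_PACKETS + SHIFTED_PACKETS, {"sample": SAMPLE}, SLICE))
```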
It follows that the data detection method of this embodiment compares the first MD5 value of each data packet in a specified data flow with at least one second MD5 value of a malicious program and thereby determines a matching ratio. When the matching ratio is greater than or equal to the preset ratio, the malicious program is present in the specified data flow and a corresponding alarm message is generated. The malicious program is thus detected while the specified data flow is still being transmitted, so that staff can intercept it on the basis of the alarm message and safeguard the security of the public network. This solves the prior-art problem that a malicious program cannot be detected before its transmission has completed.
Embodiment two
As shown in Fig. 4, an embodiment of the present invention provides a data detection device 10 comprising:
an acquiring unit 101 for obtaining the first MD5 value of each data packet in a specified data flow; the first MD5 value is computed over the data packet by the message digest algorithm, and all data packets in the specified data flow have the same source IP, destination IP and session number;
a processing unit 102 for determining a matching ratio from at least one second MD5 value of a malicious program and the first MD5 value of each data packet in the specified data flow obtained by the acquiring unit 101; the matching ratio is equal to α/β, where α is the number of first MD5 values identical to second MD5 values and β is the total number of second MD5 values the malicious program has.
The processing unit 102 is further configured to generate an alarm message when the matching ratio is determined to be greater than or equal to a preset ratio; the alarm message indicates that a malicious program is present in the specified data flow.
Optionally, the acquiring unit 101 is further configured to obtain the sample information of at least one malicious program, and the processing unit 102 is further configured to determine at least one second MD5 value of each malicious program according to the message digest algorithm and the sample information of each malicious program obtained by the acquiring unit 101.
Optionally, the processing unit 102 is further configured to continue testing other specified data flows when the matching ratio is determined to be less than the preset ratio.
All details of the steps of the method embodiment above may be cited in the functional description of the corresponding function modules and are not repeated here.
When integrated modules are used, the data detection device comprises a storage unit, a processing unit and an acquiring unit. The processing unit controls and manages the actions of the data detection device; for example, it supports the device in executing processes S101, S102 and S103 of Fig. 1. The acquiring unit supports the information exchange between the data detection device and other equipment. The storage unit stores the program code and data of the data detection device.
The processing unit may be a processor, the storage unit a memory, and the acquiring unit a communication interface. Referring to Fig. 5, the data detection device comprises a communication interface 501, a processor 502, a memory 503 and a bus 504; the communication interface 501 and the processor 502 are connected to the memory 503 through the bus 504.
The processor 502 may be a general-purpose central processing unit (CPU), a microprocessor, an application-specific integrated circuit (ASIC), or one or more integrated circuits for controlling the execution of the programs of the present application.
The memory 503 may be a read-only memory (ROM) or another type of static storage device that can store static information and instructions, a random access memory (RAM) or another type of dynamic storage device that can store information and instructions, an electrically erasable programmable read-only memory (EEPROM), a compact disc read-only memory (CD-ROM) or other optical disc storage, optical disc storage (including compact discs, laser discs, optical discs, digital versatile discs, Blu-ray discs and the like), magnetic disk storage media or other magnetic storage devices, or any other medium that can carry or store desired program code in the form of instructions or data structures and can be accessed by a computer, without being limited to these. The memory may exist separately and be connected to the processor through the bus, or may be integrated with the processor.
The memory 503 stores the application program code for executing the scheme of the present application, and its execution is controlled by the processor 502. The communication interface 501 exchanges information with other equipment, for example with a remote controller. The processor 502 executes the application program code stored in the memory 503 so as to realise the method described in the embodiments of the present application.
In addition, a computer storage medium (or media) is provided, containing instructions which, when executed, perform the method operations executed by the data detection device in the above embodiments. A computer program product containing the above computer storage medium (or media) is also provided.
It should be understood that, in the various embodiments of the present invention, the size of the sequence numbers of the above processes does not imply an order of execution; the order of execution of each process is determined by its function and internal logic and does not constitute any limitation on the implementation of the embodiments.
Those of ordinary skill in the art will appreciate that the units and algorithm steps described in connection with the embodiments disclosed herein can be implemented in electronic hardware or in a combination of computer software and electronic hardware. Whether these functions are implemented in hardware or software depends on the specific application and design constraints of the technical solution. Professionals may use different methods to implement the described functions for each specific application, but such implementations are not to be considered as going beyond the scope of the present invention.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the systems, devices and units described above can be found in the corresponding processes of the method embodiments above and are not repeated here.
In the several embodiments provided in this application, it should be understood that the disclosed system, device and method may be implemented in other ways. For example, the device embodiments described above are merely illustrative; the division into units is only a logical functional division, and other divisions are possible in actual implementation, e.g. multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed. Further, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, devices or units, and may be electrical, mechanical or of another form.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the embodiment.
In addition, the functional units in the various embodiments of the present invention may be integrated into one processing unit, each unit may exist physically alone, or two or more units may be integrated into one unit.
If the functions are implemented in the form of software functional units and sold or used as an independent product, they may be stored in a computer-readable storage medium. On this understanding, the technical solution of the present invention in essence, or the part that contributes to the prior art, or part of the technical solution, may be embodied in the form of a software product stored in a storage medium and including several instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to perform all or part of the steps of the methods described in the various embodiments of the present invention. The aforementioned storage medium includes various media that can store program code, such as a USB flash disk, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disc.
It should be understood that every data detection device provided above executes the method of embodiment one, so the beneficial effects it can attain are those of embodiment one and of the corresponding schemes in the detailed description below, and are not repeated here.
The above description covers only specific embodiments of the present invention, but the protection scope of the present invention is not limited to them. Any change or replacement that those familiar with the art can easily conceive within the technical scope disclosed by the present invention falls within its protection scope. The protection scope of the present invention is therefore defined by the protection scope of the claims.
Claims (8)
1. A data detection method, characterised by comprising:
obtaining a first MD5 value of each data packet in a specified data flow; wherein the first MD5 value is computed over the data packet by the message digest algorithm, and all data packets in the specified data flow have the same source IP, destination IP and session number;
determining a matching ratio from at least one second MD5 value of a malicious program and the first MD5 value of each data packet in the specified data flow; wherein the matching ratio is equal to α/β, α being the number of first MD5 values identical to second MD5 values and β the total number of second MD5 values the malicious program has;
when the matching ratio is determined to be greater than or equal to a preset ratio, generating an alarm message; wherein the alarm message indicates that the malicious program is present in the specified data flow.
2. The data detection method according to claim 1, characterised in that, before obtaining the first MD5 value of each data packet in the specified data flow, the method further comprises:
obtaining sample information of at least one malicious program;
determining at least one second MD5 value of each malicious program according to the message digest algorithm and the sample information of each malicious program.
3. The data detection method according to claim 1, characterised in that the method further comprises:
when the matching ratio is determined to be less than the preset ratio, continuing to test other specified data flows.
4. a kind of data detection device characterized by comprising
Acquiring unit, for obtaining the first MD5 value of each data packet in specified data flow;Wherein, the first MD5 value is by disappearing
Breath digest algorithm calculates what the data packet determined, the source IP of each data packet in the specified data flow, destination IP and
No. session all the same;
Processing unit, for being specified according at least one the 2nd MD5 value of rogue program and the described of acquiring unit acquisition
The first MD5 value of each data packet, determines matching ratio in data flow;Wherein, the matching ratio is equal toα indicates first
MD5 value and identical first sum of the 2nd MD5 value, β indicate the second sum of the 2nd MD5 value that the rogue program includes;
The processing unit is also used to be greater than or equal to preset ratio when the determining matching ratio, generates warning message;Its
In, there are the rogue programs for prompting in the specified data flow for the warning message.
5. data detection device according to claim 4, which is characterized in that the acquiring unit is also used to obtain at least
The sample information of one rogue program;
The processing unit is also used to according to each of the Message Digest 5 and the acquiring unit acquisition malice journey
The sample information of sequence determines at least one the 2nd MD5 value of each rogue program.
6. data detection device according to claim 4, which is characterized in that the processing unit is also used to when determining institute
Matching ratio is stated less than the preset ratio, continues to test other specified data flows.
7. a kind of computer storage medium, including instruction, when run on a computer, so that computer executes such as above-mentioned power
Benefit requires the described in any item data detection methods of 1-3.
8. a kind of data detection device, comprising: communication interface, processor, memory, bus;Memory is for storing computer
It executes instruction, processor is connect with memory by bus, and when data detection device operation, processor executes memory storage
Computer executed instructions so that data detection device is executed such as the described in any item Data Detection sides the claims 1-3
Method.
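The detection procedure of claims 1 to 3 (per-packet MD5 over a flow keyed by source IP, destination IP and session number, compared against the MD5 values derived from a malware sample, with an alarm at or above a preset ratio), as an added example that is not the patent's own code. It assumes the matching ratio is α/β, that the malware sample is supplied pre-split into packet-sized chunks, and that duplicate packets in a flow count once; all packet and sample data are constructed.

```python
import hashlib
from collections import namedtuple

# A captured packet: the three flow keys from the claims plus its payload.
Packet = namedtuple("Packet", "src_ip dst_ip session_id payload")

def md5_hex(data: bytes) -> str:
    # The claims' "message digest algorithm" is MD5, so MD5 is used to match them.
    return hashlib.md5(data).hexdigest()

def sample_digests(sample_chunks) -> set:
    # Claim 2: the "second MD5 values" come from malware sample information.
    # Assumption: the sample is supplied already split into packet-sized chunks.
    return {md5_hex(chunk) for chunk in sample_chunks}

def group_flows(packets) -> dict:
    # A "specified data flow": packets sharing source IP, destination IP and session number.
    flows = {}
    for p in packets:
        flows.setdefault((p.src_ip, p.dst_ip, p.session_id), []).append(p)
    return flows

def matching_ratio(flow_packets, second_md5s) -> float:
    # alpha: first MD5 values that coincide with a second MD5 value (counted as a set,
    # so a replayed packet is not double-counted); beta: count of second MD5 values.
    first_md5s = {md5_hex(p.payload) for p in flow_packets}
    alpha = len(first_md5s & second_md5s)
    beta = len(second_md5s)
    return alpha / beta if beta else 0.0  # assumed form of the ratio: alpha / beta

def detect(packets, second_md5s, preset_ratio) -> list:
    # Claims 1 and 3: alarm on a flow at or above the preset ratio, otherwise move on.
    alerts = []
    for key, pkts in group_flows(packets).items():
        ratio = matching_ratio(pkts, second_md5s)
        if ratio >= preset_ratio:
            alerts.append((key, ratio))  # the "alarm information" for this flow
    return alerts

# Constructed sample data, not taken from the patent.
MALWARE_CHUNKS = [b"mal-chunk-%d" % i for i in range(4)]
SECOND_MD5S = sample_digests(MALWARE_CHUNKS)
PACKETS = [
    Packet("10.0.0.5", "203.0.113.7", 1, MALWARE_CHUNKS[0]),
    Packet("10.0.0.5", "203.0.113.7", 1, MALWARE_CHUNKS[1]),
    Packet("10.0.0.5", "203.0.113.7", 1, MALWARE_CHUNKS[1]),  # replayed packet
    Packet("10.0.0.5", "203.0.113.7", 1, MALWARE_CHUNKS[2]),
    Packet("10.0.0.5", "203.0.113.7", 1, b"benign trailer"),
    Packet("10.0.0.9", "203.0.113.7", 2, MALWARE_CHUNKS[3]),  # only 1 of 4 chunks
]
```

With a preset ratio of 0.6, the first flow carries 3 of the 4 sample digests (ratio 0.75) and raises an alarm, while the second flow (ratio 0.25) is skipped in favour of the next flow.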
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811328648.6A CN109462503B (en) | 2018-11-09 | 2018-11-09 | Data detection method and device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN109462503A true CN109462503A (en) | 2019-03-12 |
CN109462503B CN109462503B (en) | 2022-04-26 |
Family ID: 65609816
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201811328648.6A Active CN109462503B (en) | 2018-11-09 | 2018-11-09 | Data detection method and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109462503B (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114328313A (en) * | 2021-12-31 | 2022-04-12 | 联想长风科技(北京)有限公司 | Information transmission method and system |
Citations (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20110138465A1 (en) * | 2009-12-03 | 2011-06-09 | International Business Machines Corporation | Mitigating malicious file propagation with progressive identifiers |
CN104252595A (en) * | 2013-06-28 | 2014-12-31 | 贝壳网际(北京)安全技术有限公司 | Application program analysis method and device and client |
US20160269437A1 (en) * | 2015-03-12 | 2016-09-15 | Forcepoint Federal Llc | Systems and methods for malware analysis of network traffic |
CN106302531A (en) * | 2016-09-30 | 2017-01-04 | 北京金山安全软件有限公司 | Safety protection method and device and terminal equipment |
CN107145780A (en) * | 2017-03-31 | 2017-09-08 | 腾讯科技(深圳)有限公司 | Malware detection method and device |
CN108073815A (en) * | 2017-12-29 | 2018-05-25 | 哈尔滨安天科技股份有限公司 | Family's determination method, system and storage medium based on code slice |
US9998484B1 (en) * | 2016-03-28 | 2018-06-12 | EMC IP Holding Company LLC | Classifying potentially malicious and benign software modules through similarity analysis |
US10061921B1 (en) * | 2017-02-13 | 2018-08-28 | Trend Micro Incorporated | Methods and systems for detecting computer security threats |
Events
- 2018-11-09: CN CN201811328648.6A patent/CN109462503B/en, active
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |