CN111447205B - Data processing method, system and related equipment - Google Patents


Publication number
CN111447205B
Authority
CN
China
Prior art keywords
target
file
sender
terminal
preset
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202010213360.5A
Other languages
Chinese (zh)
Other versions
CN111447205A (en
Inventor
李伟清
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Sangfor Technologies Co Ltd
Original Assignee
Sangfor Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Sangfor Technologies Co Ltd
Priority to CN202010213360.5A
Publication of CN111447205A
Application granted
Publication of CN111447205B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/12 Applying verification of the received information
    • H04L63/123 Applying verification of the received information received data contents, e.g. message integrity
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/06 Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]
    • H04L67/50 Network services
    • H04L67/56 Provisioning of proxy services
    • H04L67/568 Storing data temporarily at an intermediate stage, e.g. caching
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/24 Negotiation of communication capabilities

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

The embodiment of the invention provides a data processing method, a data processing system and related equipment for performing virus detection and removal during SMB protocol file transmission under a multi-process architecture in a multi-channel scenario. The method is used for virus detection during SMB-based data transmission under a multi-process architecture and comprises the following steps: if the received current data packet is a negotiation request message based on a preset version of the SMB protocol, extracting the unique identity of the terminal where the sender of the current data packet is located; querying a preset mapping table, according to the unique identity, for a second target process already scheduled for the sender's terminal and, if one exists, using the second target process to process all data packets of the sender's terminal; and recovering the complete files transmitted within the same process and executing a preset virus detection strategy on each complete file.

Description

Data processing method, system and related equipment
Technical Field
The present invention relates to the field of data processing technologies, and in particular, to a data processing method, system, and related device.
Background
Most firewall devices today handle multi-channel transmission poorly, especially multi-channel transmission based on the SMB (Server Message Block) protocol; some firewall devices explicitly do not support it at all.
How to perform virus detection and removal on SMB file transfers when multi-channel is enabled has therefore become a problem that urgently needs solving.
Disclosure of Invention
The embodiment of the invention provides a data processing method, a data processing system and related equipment for performing virus detection and removal during SMB protocol file transmission under a multi-process architecture in a multi-channel scenario.
A first aspect of the embodiments of the present invention provides a data processing method for performing virus detection during SMB-based data transmission under a multi-process architecture, where the data processing method includes:
if the received current data packet is a negotiation request message based on a preset version of the SMB protocol, extracting the unique identity of the terminal where the sender of the current data packet is located;
querying a preset mapping table, according to the unique identity, for a second target process already scheduled for the sender's terminal and, if one exists, using the second target process to process all data packets of the sender's terminal;
and recovering the complete files transmitted within the same process, and executing a preset virus detection strategy on each complete file.
Optionally, as a possible implementation manner, the data processing method in the embodiment of the present invention may further include:
if no second target process is found, calling a third target process to process all data packets of the sender's terminal, and recording the mapping between the unique identity and the third target process in the preset mapping table.
Optionally, as a possible implementation manner, in the data processing method in the embodiment of the present invention, before querying the mapping table according to the unique identity for a scheduled second target process, the method further includes:
extracting the five-tuple of the target connection to which the current data packet belongs;
and querying, according to the five-tuple, whether a first target process has already been scheduled for the target connection and, if so, recording the mapping between the unique identity and the first target process in the preset mapping table and scheduling the first target process to process all data packets of the sender's terminal.
Optionally, as a possible implementation manner, the data processing method in the embodiment of the present invention may further include:
if the received current data packet is a read request or write request message, forming a target file identifier from the target file name in the read or write request message and the unique identity of the sender's terminal;
and querying whether the target file identifier is stored in a file identifier cache and, if so, not executing the corresponding read or write request, where the file identifier cache stores the file identifiers of infected files.
Optionally, as a possible implementation manner, the data processing method in the embodiment of the present invention may further include:
if the target file identifier is not stored in the file identifier cache, storing the target file corresponding to the current data packet and executing a preset virus detection strategy on the target file;
and if the target file is determined to be infected, storing the target file identifier in the file identifier cache.
A second aspect of the embodiments of the present invention provides a data processing system, applied to data processing during SMB protocol data transmission in a multi-channel scenario, where the data processing system includes:
a first processing unit, configured to extract the unique identity of the terminal where the sender of the current data packet is located if the received current data packet is a negotiation request message based on a preset version of the SMB protocol;
a second processing unit, configured to query a preset mapping table, according to the unique identity, for a second target process already scheduled for the sender's terminal and, if one exists, to use the second target process to process all data packets of the sender's terminal;
and a detection unit, configured to recover the complete files transmitted within the same process and execute a preset virus detection strategy on each complete file.
Optionally, as a possible implementation manner, the data processing system in the embodiment of the present invention may further include:
a third processing unit, configured to call a third target process to process all data packets of the sender's terminal if no second target process is found, and to record the mapping between the unique identity and the third target process in the preset mapping table.
Optionally, as a possible implementation manner, the data processing system in the embodiment of the present invention may further include:
an extracting unit, configured to extract the five-tuple of the target connection to which the current data packet belongs;
and a fourth processing unit, configured to query, according to the five-tuple, whether a first target process has already been scheduled for the target connection and, if so, to record the mapping between the unique identity and the first target process in the preset mapping table and schedule the first target process to process all data packets of the sender's terminal.
Optionally, as a possible implementation manner, the data processing system in the embodiment of the present invention may further include:
a fifth processing unit, configured to form a target file identifier from the target file name in a read or write request message and the unique identity of the sender's terminal, if the received current data packet is a read request or write request message;
and a query unit, configured to query whether the target file identifier is stored in the file identifier cache and, if so, not to execute the corresponding read or write request, where the file identifier cache stores the file identifiers of infected files.
Optionally, as a possible implementation manner, the data processing system in the embodiment of the present invention may further include:
a sixth processing unit, configured to store the target file corresponding to the current data packet and execute a preset virus detection strategy on it if the target file identifier is not stored in the file identifier cache, and to store the target file identifier in the file identifier cache if the target file is determined to be infected.
A third aspect of embodiments of the present invention provides a computer apparatus including a processor, where the processor is configured to implement the steps of the first aspect or of any possible implementation manner of the first aspect when executing a computer program stored in a memory.
A fourth aspect of embodiments of the present invention provides a computer-readable storage medium on which a computer program is stored, where the computer program, when executed by a processor, implements the steps of the first aspect or of any possible implementation manner of the first aspect.
According to the technical scheme, the embodiment of the invention has the following advantages:
In the embodiment of the invention, if the received current data packet is a negotiation request message based on a preset version of the SMB protocol, the data processing system can extract the unique identity of the terminal where the sender of the current data packet is located and query a preset mapping table, according to that identity, for a second target process already scheduled for the sender's terminal. If one exists, the second target process processes all data packets of the sender's terminal, so that the several processes that would otherwise handle one file transfer are mapped to a single process. The complete files transmitted within that process are then recovered and a preset virus detection strategy is executed on each of them. This achieves virus detection and removal during SMB protocol file transmission under a multi-process architecture in a multi-channel scenario.
Drawings
FIG. 1 is a diagram of an embodiment of a data processing method according to an embodiment of the present invention;
FIG. 2 is a diagram of another embodiment of a data processing method according to an embodiment of the present invention;
FIG. 3 is a diagram of an embodiment of a data processing method according to the present invention;
FIG. 4 is a diagram of a data processing system in accordance with one embodiment of the present invention;
FIG. 5 is a diagram of a computer device according to an embodiment of the present invention.
Detailed Description
The embodiment of the invention provides a data processing method, a data processing system and related equipment, which are used for realizing virus searching and killing in an SMB protocol file transmission process under a multi-process architecture and a multi-channel scene.
In order to make the technical solutions of the present invention better understood, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The terms "first," "second," "third," "fourth," and the like in the description and in the claims, as well as in the drawings, are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It will be appreciated that the data so used may be interchanged under appropriate circumstances such that the embodiments described herein may be practiced otherwise than as specifically illustrated or described herein. Moreover, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
Multi-channel is a feature introduced with version 3.0 of the SMB protocol. It allows one file to be transmitted over several connections at the same time in order to achieve high performance and high availability. Most firewall devices today handle multi-channel transmission poorly, especially multi-channel transmission based on the SMB protocol; some firewall devices explicitly do not support it at all. How to perform virus detection and removal on SMB file transfers when multi-channel is enabled has therefore become a problem that urgently needs solving. Here, a connection means a session (uniquely identified by source IP, destination IP, source port, destination port and protocol number) together with all the packets exchanged in both directions on it.
For convenience of understanding, a specific flow in the embodiment of the present invention is described below, and referring to fig. 1, an embodiment of a data processing method in the embodiment of the present invention may include:
101. If the received current data packet is a negotiation request message based on a preset version of the SMB protocol, extracting the unique identity of the terminal where the sender of the current data packet is located;
The data processing system in the embodiment of the invention can act as a firewall or as part of a firewall and is used for virus detection during SMB-based data transmission under a multi-process architecture. The data processing system may be deployed in the gateway device or in the clients of both parties to the transfer; the specific deployment location is not limited herein.
The existing SMB protocol has three main versions, namely a first version, a second version and a third version, and the first version is easily distinguished from the second and third versions by the negotiation request (negotiate request) message. If the received current data packet is a negotiation request message based on the first version of the SMB protocol, process scheduling can be carried out directly according to the source IP and the destination IP, as in the existing scheme, and the association between the number of the successfully scheduled process and the connection carrying that first-version negotiation request message is stored.
If the received current data packet is a negotiation request message based on a preset version of the SMB protocol (for example, the second version or the third version), the data processing system may extract an identifier of the terminal where the sender of the current data packet is located, referred to here as the unique identity. The sender's terminal in the present application may be a software client, a mobile terminal, a server, and so on; for example, the unique identity of a client may be its GUID. The GUID is a globally unique identifier that the SMB protocol generates for each client; it is used because, in a multi-channel environment, an IP address cannot uniquely identify the same client.
102. Querying a preset mapping table, according to the unique identity, for a second target process already scheduled for the sender's terminal and, if one exists, using the second target process to process all data packets of the sender's terminal;
When a file is transmitted under an existing multi-process architecture, an existing firewall often cannot recover the complete file and therefore cannot perform virus detection and removal on the complete file. In view of this, the applicant has noted that the several processes handling the transfer of one file can be mapped to a single process, so that the complete file can be recovered.
For this purpose, the mapping between the GUID of a client and the process number of the process scheduled for that client is stored in a preset mapping table. After the unique identity of the terminal where the sender of the current data packet is located has been identified, the preset mapping table can be queried for a second target process already scheduled for the sender's terminal. If one exists, the second target process is used to process all data packets of the sender's terminal, or all data packets it sends within a subsequent preset time period. For example, the second target process is used to process all read requests or write requests sent by the sender's terminal, so that the complete file can be recovered.
103. And recovering the complete files transmitted in the same process, and executing a preset virus detection strategy on each complete file.
After the file transfer is completed, the data processing system may recover the complete files transmitted within the same process and execute a preset virus detection strategy on each complete file. The recovery of the complete files transmitted within one process may follow the existing scheme, and the specific virus detection strategy may be set according to the user's requirements; neither is limited herein.
In the embodiment of the invention, if the received current data packet is a negotiation request message based on a preset version of the SMB protocol, the data processing system can extract the unique identity of the terminal where the sender of the current data packet is located and query a preset mapping table, according to that identity, for a second target process already scheduled for the sender's terminal. If one exists, the second target process processes all data packets of the sender's terminal, so that the several processes that would otherwise handle one file transfer are mapped to a single process. The complete files transmitted within that process are then recovered and a preset virus detection strategy is executed on each of them. This achieves virus detection and removal during SMB protocol file transmission under a multi-process architecture in a multi-channel scenario.
On the basis of the embodiment shown in fig. 1, if no corresponding second target process is found, the data processing system may invoke a third target process to process all data packets of the sender's terminal and record the mapping between the unique identity and the third target process in the preset mapping table. When further data packets are later received from the sender's terminal corresponding to that unique identity, the third target process can be invoked directly to process them, in the manner of the embodiment shown in fig. 1.
On the basis of the above embodiment, in practical application, negotiation requests under several versions of the SMB protocol may occur before data is transmitted. For example, after transmitting data based on the first version of the SMB protocol, the same sender's terminal may transmit data again using the preset version of the SMB protocol; in an existing scheme the process may then be rescheduled, causing virus detection and removal to fail. Therefore, after a connection has been established for data transmission based on the first version of the SMB protocol, the mapping between the five-tuple of the established connection and the process number of the process handling it may be recorded. Referring to fig. 2, another embodiment of a data processing method according to the present invention may include:
201. If the received current data packet is a negotiation request message based on a preset version of the SMB protocol, extracting the unique identity of the terminal where the sender of the current data packet is located;
202. Extracting the five-tuple of the target connection to which the current data packet belongs;
If the received current data packet is a negotiation request message based on the preset version of the SMB protocol, the five-tuple of the target connection to which the current data packet belongs needs to be extracted, to cover the case where the client corresponding to the unique identity has already used the first version of the SMB protocol.
203. Querying, according to the five-tuple, whether a first target process has already been scheduled for the target connection;
204. Recording the mapping between the unique identity and the first target process in the preset mapping table, and scheduling the first target process to process all data packets of the sender's terminal;
After extracting the five-tuple of the target connection to which the current data packet belongs, the data processing system can query, according to the five-tuple, whether a first target process has already been scheduled for the target connection. If so, it records the mapping between the unique identity and the first target process in the preset mapping table and schedules the first target process to process all data packets of the sender's terminal, or all read requests and write requests of the sender's terminal. If no first target process exists, proceed to step 205.
205. Querying the preset mapping table, according to the unique identity, for a second target process already scheduled for the sender's terminal;
206. Processing all data packets of the sender's terminal using the second target process;
If the query by unique identity finds a second target process already scheduled for the sender's terminal, the second target process is used to process all data packets of the sender's terminal.
207. Calling a third target process to process all data packets of the sender's terminal, and recording the mapping between the unique identity and the third target process in the preset mapping table;
If no corresponding second target process is found, the data processing system can call a third target process to process all data packets of the sender's terminal and record the mapping between the unique identity and the third target process in the preset mapping table;
208. Recovering the complete files transmitted within the same process, and executing a preset virus detection strategy on each complete file.
It can be understood that, in this embodiment, the contents described in steps 201 and 208 are similar to the contents described in steps 101 and 102 in fig. 1, and specific reference is made to steps 101 and 102, which are not described again here.
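A sketch of the scheduling decision in steps 201 to 207, added here as an illustration and not taken from the patent. It assumes each SMB message arrives with its 4-byte transport length prefix removed, reads the ClientGuid field at its fixed offset in the SMB2 NEGOTIATE request, and uses a toy IP-based scheduler; the addresses, GUIDs and sample packets are constructed.

```python
import ipaddress
import struct
import uuid

SMB1_MAGIC, SMB2_MAGIC = b"\xffSMB", b"\xfeSMB"
SMB1_COM_NEGOTIATE = 0x72      # SMB1 command byte, at offset 4
SMB2_NEGOTIATE = 0x0000        # SMB2 command field, at offset 12
SMB2_HEADER_LEN = 64
# NEGOTIATE body: StructureSize, DialectCount, SecurityMode, Reserved (2 bytes
# each), Capabilities (4 bytes), then the 16-byte ClientGuid.
CLIENT_GUID_OFFSET = SMB2_HEADER_LEN + 12
# Constructed sample: a bare SMB1 header carrying the negotiate command.
SMB1_NEGOTIATE_SAMPLE = SMB1_MAGIC + bytes([SMB1_COM_NEGOTIATE]) + b"\x00" * 27


def classify_negotiate(msg):
    """Return ("smb1", None), ("smb2", ClientGuid) or (None, None)."""
    if msg[:4] == SMB1_MAGIC and msg[4:5] == bytes([SMB1_COM_NEGOTIATE]):
        return "smb1", None
    if msg[:4] == SMB2_MAGIC and len(msg) >= CLIENT_GUID_OFFSET + 16:
        (command,) = struct.unpack_from("<H", msg, 12)
        if command == SMB2_NEGOTIATE:
            raw = msg[CLIENT_GUID_OFFSET:CLIENT_GUID_OFFSET + 16]
            return "smb2", uuid.UUID(bytes_le=raw)
    return None, None


def build_smb2_negotiate(client_guid):
    """Constructed sample: minimal SMB2 NEGOTIATE offering dialects 3.0 and 3.0.2."""
    header = struct.pack("<4sHHIHHIIQIIQ16s", SMB2_MAGIC, 64, 0, 0,
                         SMB2_NEGOTIATE, 1, 0, 0, 0, 0, 0, 0, b"\x00" * 16)
    body = struct.pack("<HHHHI16sQ", 36, 2, 1, 0, 0, client_guid.bytes_le, 0)
    return header + body + struct.pack("<2H", 0x0300, 0x0302)


class Dispatcher:
    """Chooses the worker process for each packet (hypothetical class name)."""

    def __init__(self, workers):
        self.workers = workers
        self.by_conn = {}   # five-tuple -> worker (recorded for every connection)
        self.by_guid = {}   # ClientGuid -> worker (the preset mapping table)

    def schedule_by_ip(self, conn):
        # Toy stand-in for the existing source IP / destination IP scheduling.
        src = ipaddress.ip_address(conn[0]).packed
        dst = ipaddress.ip_address(conn[1]).packed
        return sum(src + dst) % self.workers

    def on_packet(self, conn, msg):
        kind, guid = classify_negotiate(msg)
        if kind == "smb2":
            worker = self.by_conn.get(conn)          # steps 202-203
            if worker is not None:
                self.by_guid[guid] = worker          # step 204
            else:
                worker = self.by_guid.get(guid)      # steps 205-206
                if worker is None:                   # step 207
                    worker = self.schedule_by_ip(conn)
                    self.by_guid[guid] = worker
            self.by_conn[conn] = worker
            return worker
        # SMBv1 negotiate and all other packets stay with the connection's worker.
        worker = self.by_conn.get(conn)
        if worker is None:
            worker = self.schedule_by_ip(conn)
            self.by_conn[conn] = worker
        return worker


def demo():
    """Two channels of one client: (worker for A, IP-only choice for B, worker for B)."""
    d = Dispatcher(workers=4)
    guid = uuid.UUID("11111111-2222-3333-4444-555555555555")   # constructed
    neg = build_smb2_negotiate(guid)
    chan_a = ("10.0.0.5", "10.0.0.9", 50000, 445, 6)
    chan_b = ("10.0.1.6", "10.0.1.9", 50001, 445, 6)
    return d.on_packet(chan_a, neg), d.schedule_by_ip(chan_b), d.on_packet(chan_b, neg)


if __name__ == "__main__":
    print(demo())
```

The second channel lands on the first channel's worker even though IP-only scheduling would have picked a different one, which is what lets a single process see every chunk of the file.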
If, after a complete file has been transmitted, the file is found to be infected, typically only a small part of its packets are infected and most are clean. A malicious party can retransmit the infected packets or even the complete file, and under the existing scheme each retransmission requires the complete file to be received again for virus detection, which wastes time and effort.
To solve this problem, the applicant proposes identifying a file by the unique identity (such as the GUID) of the sender's terminal plus the file name, which ensures that the virus detection result for a file is uniquely identified and remains unchanged in a multi-channel scenario. A file identifier cache may be stored locally in advance, and the file identifiers of files detected as infected are stored in it.
On the basis of the embodiments shown in fig. 1 or fig. 2, in another embodiment of the data processing method in the embodiments of the present invention, a file identifier cache may be stored locally in advance, and the file identifiers of files detected as infected are stored in it. If the received current data packet is a read request or write request message, a target file identifier is formed from the target file name in the read or write request message and the unique identity of the sender's terminal; the file identifier cache, which holds the file identifiers of infected files, is then queried for the target file identifier, and if it is present the corresponding read or write request is not executed. With the result caching method of this embodiment, once an infected file has been intercepted, a retransmission of the same file does not require the virus detection strategy to be executed on it again; only a lookup of its file identifier in the file identifier cache is needed, which effectively improves virus detection efficiency.
For convenience of understanding, referring to fig. 5, the following describes a data processing method in an embodiment of the present invention with reference to a specific application embodiment, which may specifically include the following steps:
1. Judging whether the received data packet is an SMBv1 negotiate request message;
If it is an SMBv1 negotiate request message, the firewall can schedule directly by source IP/destination IP.
2. Judging whether the received data packet is an SMBv2/v3 negotiate message;
For an SMBv2/v3 negotiate message, two cases are distinguished:
A. Determine from the five-tuple whether the connection has been scheduled before. If it has, a negotiation based on the SMBv1 protocol took place earlier; the client GUID must be extracted from the message, and the earlier scheduling result (process number) is stored in the mapping table together with the GUID.
B. If the five-tuple shows that the connection has not been scheduled before, the client GUID is first extracted from the message and used to search the mapping table. If an entry is found, the connection is dispatched to the target process found. If no entry is found in the mapping table, the connection is scheduled once according to source IP/destination IP, and the GUID and the scheduling result are stored in the mapping table.
3. Recover the complete file and scan it; if the result is infected, cache the result locally.
In this embodiment, the cached virus detection result cannot be keyed on IP + file name, because in the SMB multi-channel scenario the several connections carrying the same file may have completely different source and destination IPs. A GUID + file name key is required, so that a file is uniquely identified and its identifier stays unchanged in a multi-channel scenario. After a file has been scanned, found infected, and the blocking policy has been executed, the SMB client may attempt to retransmit the file several times, retransmitting only the blocked block. With the URL (file identifier) cache, handling a retransmission needs only one table lookup, which greatly benefits both effectiveness and performance.
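The following added example, which is not part of the patent, compares the two cache keys discussed above on one constructed transfer: a file written over two channels of the same client, blocked, then retransmitted on the other channel. The scanner is a hypothetical stand-in that looks for a constructed marker, the caller is assumed to have resolved each write to its file name and to signal the final write, and the name normalisation is an assumption.

```python
import uuid

MARKER = b"CONSTRUCTED-TEST-MARKER"   # constructed stand-in for a malware signature
CHUNK0 = b"header " + MARKER[:10]     # the marker straddles the two chunks,
CHUNK1 = MARKER[10:] + b" tail"       # so neither chunk matches on its own
CHAN_A = ("10.0.0.5", "10.0.0.9", 50000, 445, 6)   # constructed five-tuples:
CHAN_B = ("10.0.1.6", "10.0.1.9", 50001, 445, 6)   # two channels, one client


def scan(data):
    """Hypothetical stand-in for the preset virus detection strategy."""
    return MARKER in data


class FileGate:
    """Gates write requests with a cache of infected file identifiers."""

    def __init__(self, key_mode):
        self.key_mode = key_mode   # "guid" (the page's choice) or "ip" (rejected)
        self.infected = set()      # file identifier cache: infected files only
        self.partial = {}          # (guid, name) -> {offset: bytes} being reassembled
        self.scans = 0             # how many full-file scans were needed

    def cache_key(self, guid, conn, name):
        name = name.replace("/", "\\").lower()   # normalisation is an assumption
        if self.key_mode == "guid":
            return f"{guid}|{name}"
        return f"{conn[0]}>{conn[1]}|{name}"

    def on_write(self, guid, conn, name, offset, data, last=False):
        key = self.cache_key(guid, conn, name)
        if key in self.infected:
            return "blocked-cached"              # one lookup, no reassembly, no scan
        chunks = self.partial.setdefault((guid, name), {})
        chunks[offset] = data
        if not last:
            return "forwarded"
        del self.partial[(guid, name)]
        whole = b"".join(chunks[o] for o in sorted(chunks))
        self.scans += 1
        if scan(whole):
            self.infected.add(key)
            return "blocked-scanned"
        return "forwarded"


def run_scenario(key_mode):
    """Return (verdict per write, number of full scans) for the constructed transfer."""
    gate = FileGate(key_mode)
    guid = uuid.UUID("11111111-2222-3333-4444-555555555555")   # constructed
    name = "share\\report.doc"
    verdicts = [
        # First transfer: one chunk per channel, completed on channel B.
        gate.on_write(guid, CHAN_A, name, 0, CHUNK0),
        gate.on_write(guid, CHAN_B, name, len(CHUNK0), CHUNK1, last=True),
        # Retransmission of the same file, this time entirely on channel A.
        gate.on_write(guid, CHAN_A, name, 0, CHUNK0),
        gate.on_write(guid, CHAN_A, name, len(CHUNK0), CHUNK1, last=True),
    ]
    return verdicts, gate.scans


if __name__ == "__main__":
    for mode in ("guid", "ip"):
        print(mode, run_scenario(mode))
```

With the IP-based key the retransmission misses the cache, so its first chunk is forwarded and the whole file has to be reassembled and scanned a second time.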
Referring to fig. 4, an embodiment of the present invention further provides a data processing system, which is applied to an SMB protocol in a multi-channel scenario to perform data processing in a data transmission process, where the data processing system includes:
a first processing unit 401, configured to extract the unique identity of the terminal where the sender of the current data packet is located if the received current data packet is a negotiation request message based on a preset version of the SMB protocol;
a second processing unit 402, configured to query a preset mapping table, according to the unique identity, for a second target process already scheduled for the terminal where the sender is located and, if one exists, to process all data packets of that terminal with the second target process;
a detection unit 403, configured to recover the complete files transmitted in the same process and to execute a preset virus detection policy on each complete file.
In the embodiment of the invention, if the received current data packet is a negotiation request message based on a preset version of the SMB protocol, the data processing system extracts the unique identity of the terminal where the sender of the current data packet is located and queries a preset mapping table, according to the unique identity, for a second target process already scheduled for that terminal. If one exists, the second target process processes all data packets of the terminal, so that the multiple processes that would otherwise handle one file transfer are mapped to the same process. The system then recovers the complete files transmitted in the same process and executes a preset virus detection policy on each complete file. In this way, virus scanning of SMB file transfers is achieved under a multi-process architecture in a multi-channel scenario.
Optionally, as a possible implementation manner, the data processing system in the embodiment of the present invention may further include:
a third processing unit, configured to, if no second target process is found, call a third target process to process all data packets of the terminal where the sender is located, and to record the mapping relation between the unique identity and the third target process in the preset mapping table.
Optionally, as a possible implementation manner, the data processing system in the embodiment of the present invention may further include:
an extraction unit, configured to extract the quintuple corresponding to the target connection to which the current data packet belongs;
a fourth processing unit, configured to query, according to the quintuple, whether the target connection has a scheduled first target process and, if so, to record the mapping relation between the unique identity and the first target process in the preset mapping table and to schedule the first target process to process all data packets of the terminal where the sender is located.
Optionally, as a possible implementation manner, the data processing system in the embodiment of the present invention may further include:
a fifth processing unit, configured to, if the received current data packet is a read request or a write request message, form a target file identifier according to a target file name in the read request or the write request message and a unique identity identifier of a terminal where the sender is located;
a query unit, configured to query whether the target file identifier is stored in the file identifier cache and, if so, not to execute the corresponding read request or write request, wherein the file identifier cache stores the file identifiers corresponding to infected files.
Optionally, as a possible implementation manner, the data processing system in the embodiment of the present invention may further include:
a sixth processing unit, configured to, if the target file identifier is not stored in the file identifier cache, store the target file corresponding to the current data packet and execute a preset virus detection policy on the target file, and, if the target file is determined to be infected, to store the target file identifier in the file identifier cache.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
The network diagram editor in the embodiment of the present invention is described above from the perspective of the modular functional entity. Referring to fig. 5, the computer apparatus in the embodiment of the present invention is described below from the perspective of hardware processing:
The computer device 1 may include a memory 11, a processor 12 and an input/output bus 13. The processor 12, when executing the computer program, implements the steps in the above-described data processing method embodiment shown in fig. 1, such as steps 101 to 103 shown in fig. 1. Alternatively, the processor, when executing the computer program, implements the functions of each module or unit in the above-described apparatus embodiments.
In some embodiments of the present invention, the processor is specifically configured to implement the following steps:
if the received current data packet is a negotiation request message based on a preset version of SMB protocol, extracting a unique identity of a terminal where a sender of the current data packet is located;
querying a preset mapping table, according to the unique identity, for a second target process already scheduled for the terminal where the sender is located, and if one exists, processing all data packets of that terminal with the second target process;
and recovering the complete files transmitted in the same process, and executing a preset virus detection strategy on each complete file.
Optionally, as a possible implementation manner, the processor may be further configured to implement the following steps:
if no second target process is found, calling a third target process to process all data packets of the terminal where the sender is located, and recording the mapping relation between the unique identity and the third target process in the preset mapping table.
Optionally, as a possible implementation manner, the processor may be further configured to implement the following steps:
extracting a quintuple corresponding to a target connection to which the current data packet belongs;
and querying, according to the quintuple, whether the target connection has a scheduled first target process; if so, recording the mapping relation between the unique identity and the first target process in the preset mapping table, and scheduling the first target process to process all data packets of the terminal where the sender is located.
Optionally, as a possible implementation manner, the processor may be further configured to implement the following steps:
if the received current data packet is a read request or a write request message, a target file identifier is formed according to a target file name in the read request or the write request message and the unique identity identifier of the terminal where the sender is located;
and querying whether the target file identifier is stored in the file identifier cache, and if so, not executing the corresponding read request or write request, wherein the file identifier cache stores the file identifiers corresponding to infected files.
Optionally, as a possible implementation manner, the processor may be further configured to implement the following steps:
if the target file identifier is not stored in the file identifier cache, storing a target file corresponding to the current data packet, and executing a preset virus detection strategy on the target file;
and if the target file is determined to be infected, storing the target file identifier in the file identifier cache.
The memory 11 includes at least one type of readable storage medium, and the readable storage medium includes a flash memory, a hard disk, a multimedia card, a card type memory (e.g., SD or DX memory, etc.), a magnetic memory, a magnetic disk, an optical disk, and the like. The memory 11 may in some embodiments be an internal storage unit of the computer device 1, for example a hard disk of the computer device 1. The memory 11 may also be an external storage device of the computer apparatus 1 in other embodiments, such as a plug-in hard disk provided on the computer apparatus 1, a Smart Media Card (SMC), a Secure Digital (SD) Card, a Flash memory Card (Flash Card), and the like. Further, the memory 11 may also include both an internal storage unit and an external storage device of the computer apparatus 1. The memory 11 may be used not only to store application software installed in the computer device 1 and various types of data, such as codes of the computer program 01, but also to temporarily store data that has been output or is to be output.
The processor 12 may be a Central Processing Unit (CPU), controller, microcontroller, microprocessor or other data Processing chip in some embodiments, and is used for executing program codes stored in the memory 11 or Processing data, such as executing the computer program 01.
The input/output bus 13 may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The bus may be divided into an address bus, a data bus, a control bus, etc.
Further, the computer apparatus may further comprise a wired or wireless network interface 14, and the network interface 14 may optionally comprise a wired interface and/or a wireless interface (such as a WI-FI interface, a bluetooth interface, etc.), which are generally used for establishing a communication connection between the computer apparatus 1 and other electronic devices.
Optionally, the computer device 1 may further include a user interface, the user interface may include a Display (Display), an input unit such as a Keyboard (Keyboard), and optionally, the user interface may further include a standard wired interface and a wireless interface. Alternatively, in some embodiments, the display may be an LED display, a liquid crystal display, a touch-sensitive liquid crystal display, an OLED (Organic Light-Emitting Diode) touch device, or the like. The display, which may also be referred to as a display screen or display unit, is suitable, among other things, for displaying information processed in the computer device 1 and for displaying a visualized user interface.
Fig. 5 shows only the computer device 1 with the components 11-14 and the computer program 01, and it will be understood by a person skilled in the art that the structure shown in fig. 5 does not constitute a limitation of the computer device 1, but may comprise fewer or more components than shown in the figures, or a combination of certain components, or a different arrangement of components.
The present invention also provides a computer-readable storage medium having a computer program stored thereon, wherein when the computer program is executed by a processor, the computer program can implement the following steps:
if the received current data packet is a negotiation request message based on an SMB protocol of a preset version, extracting a unique identity of a terminal where a sender of the current data packet is located;
querying a preset mapping table, according to the unique identity, for a second target process already scheduled for the terminal where the sender is located, and if one exists, processing all data packets of that terminal with the second target process;
and recovering the complete files transmitted in the same process, and executing a preset virus detection strategy on each complete file.
Optionally, as a possible implementation manner, the processor may be further configured to implement the following steps:
if no second target process is found, calling a third target process to process all data packets of the terminal where the sender is located, and recording the mapping relation between the unique identity and the third target process in the preset mapping table.
Optionally, as a possible implementation manner, the processor may be further configured to implement the following steps:
extracting a quintuple corresponding to a target connection to which the current data packet belongs;
and querying, according to the quintuple, whether the target connection has a scheduled first target process; if so, recording the mapping relation between the unique identity and the first target process in the preset mapping table, and scheduling the first target process to process all data packets of the terminal where the sender is located.
Optionally, as a possible implementation manner, the processor may be further configured to implement the following steps:
if the received current data packet is a read request or a write request message, a target file identifier is formed according to a target file name in the read request or the write request message and the unique identity identifier of the terminal where the sender is located;
and querying whether the target file identifier is stored in the file identifier cache, and if so, not executing the corresponding read request or write request, wherein the file identifier cache stores the file identifiers corresponding to infected files.
Optionally, as a possible implementation manner, the processor may be further configured to implement the following steps:
if the target file identification is not stored in the file identification cache, storing a target file corresponding to the current data packet, and executing a preset virus detection strategy on the target file;
and if the target file is determined to be infected, storing the target file identifier in the file identifier cache.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the units is only one logical division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
The above embodiments are only used to illustrate the technical solution of the present invention, and not to limit the same; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (9)

1. A data processing method is used for virus detection in a data transmission process based on an SMB protocol under a multi-process architecture, and comprises the following steps:
if the received current data packet is a negotiation request message based on a SMB protocol of a preset version, extracting a unique identity of a terminal where a sender of the current data packet is located, wherein the preset version is not a first version of the SMB protocol;
extracting a quintuple corresponding to the target connection to which the current data packet belongs, and inquiring whether the target connection has a scheduled first target process according to the quintuple, wherein the first target process is generated according to a negotiation request message based on the SMB protocol of the first version;
if the first target process exists, recording the mapping relation between the unique identity and the first target process to a preset mapping table, and scheduling the first target process to process all data packets of the terminal where the sender is located;
if the first target process does not exist, querying a preset mapping table, according to the unique identity, for a second target process already scheduled for the terminal where the sender is located, and if the scheduled second target process exists, processing all data packets of the terminal where the sender is located with the second target process;
and recovering the complete files transmitted in the same process, and executing a preset virus detection strategy on each complete file.
2. The method of claim 1, further comprising:
if the second target process is not inquired, calling a third target process to process all data packets of the terminal where the sender is located, and recording the mapping relation between the unique identity and the third target process to the preset mapping table.
3. The method of any of claims 1-2, further comprising:
if the received current data packet is a read request or a write request message, a target file identifier is formed according to a target file name in the read request or the write request message and the unique identity identifier of the terminal where the sender is located;
and querying whether the target file identifier is stored in a file identifier cache, and if so, not executing the corresponding read request or write request, wherein the file identifier cache stores the file identifiers corresponding to infected files.
4. The method of claim 3, further comprising:
if the target file identification is not stored in the file identification cache, storing a target file corresponding to the current data packet, and executing a preset virus detection strategy on the target file;
and if the target file is determined to be infected, storing the target file identifier in the file identifier cache.
5. A data processing system is characterized in that the data processing system is applied to an SMB protocol under a multi-channel scene to perform data processing in a data transmission process, and comprises:
the first processing unit is used for extracting the unique identity of the terminal where the sender of the current data packet is located if the received current data packet is a negotiation request message based on a SMB protocol with a preset version, wherein the preset version is not the first version of the SMB protocol;
the extraction unit is used for extracting a quintuple corresponding to a target connection to which the current data packet belongs;
a fourth processing unit, configured to query whether a scheduled first target process exists in the target connection according to the quintuple, record a mapping relationship between the unique identity and the first target process to a preset mapping table if the scheduled first target process exists, and schedule the first target process to process all data packets of the terminal where the sender is located;
the second processing unit is used for querying a preset mapping table, according to the unique identity, for a second target process already scheduled for the terminal where the sender is located if the first target process does not exist; if so, processing all data packets of the terminal where the sender is located with the second target process;
and the detection unit is used for recovering the complete files transmitted in the same process and executing a preset virus detection strategy on each complete file.
6. The system of claim 5, further comprising:
a fifth processing unit, configured to, if the received current data packet is a read request or a write request message, form a target file identifier according to a target file name in the read request or the write request message and a unique identity identifier of a terminal where the sender is located;
and a query unit, configured to query whether the target file identifier is stored in the file identifier cache and, if so, not to execute the corresponding read request or write request, wherein the file identifier cache stores the file identifiers corresponding to infected files.
7. The system of claim 6, further comprising:
a sixth processing unit, configured to, if the target file identifier is not stored in the file identifier cache, store the target file corresponding to the current data packet and execute a preset virus detection policy on the target file, and, if the target file is determined to be infected, to store the target file identifier in the file identifier cache.
8. A computer arrangement, characterized in that the computer arrangement comprises a processor for implementing the steps of the method according to any one of claims 1 to 4 when executing a computer program stored in a memory.
9. A computer-readable storage medium having stored thereon a computer program, characterized in that: the computer program when executed by a processor implementing the steps of the method according to any one of claims 1 to 4.
CN202010213360.5A 2020-03-24 2020-03-24 Data processing method, system and related equipment Active CN111447205B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010213360.5A CN111447205B (en) 2020-03-24 2020-03-24 Data processing method, system and related equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010213360.5A CN111447205B (en) 2020-03-24 2020-03-24 Data processing method, system and related equipment

Publications (2)

Publication Number Publication Date
CN111447205A CN111447205A (en) 2020-07-24
CN111447205B true CN111447205B (en) 2022-11-22

Family

ID=71654247

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010213360.5A Active CN111447205B (en) 2020-03-24 2020-03-24 Data processing method, system and related equipment

Country Status (1)

Country Link
CN (1) CN111447205B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104243604A (en) * 2014-09-28 2014-12-24 北京奇虎科技有限公司 File disabling method and device
CN105045651A (en) * 2015-06-26 2015-11-11 广州华多网络科技有限公司 Service processing system and method
CN106341282A (en) * 2016-11-10 2017-01-18 广东电网有限责任公司电力科学研究院 Malicious code behavior analyzer
CN107196848A (en) * 2017-05-09 2017-09-22 腾讯科技(深圳)有限公司 Information push method and device
CN109309631A (en) * 2018-08-15 2019-02-05 新华三技术有限公司成都分公司 A kind of method and device based on universal network file system write-in data

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1304616B1 (en) * 2001-10-18 2010-03-17 Sun Microsystems, Inc. Method for processing a data file using a plug-in
US9003430B2 (en) * 2011-01-20 2015-04-07 International Business Machines Corporation Dynamic transfer of selected business process instance state
US9386352B1 (en) * 2014-02-11 2016-07-05 Time Warner Cable Enterprises Llc Methods and apparatus for determining a normalized time for use in resuming content playback
CN107295676B (en) * 2016-03-31 2019-07-23 中兴通讯股份有限公司 Data transmission method and device
CN108400845A (en) * 2017-02-06 2018-08-14 中兴通讯股份有限公司 Determine the method, apparatus and system of retransmission process number


Also Published As

Publication number Publication date
CN111447205A (en) 2020-07-24


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant