CN114095412B - Safety equipment testing method and device, electronic equipment and storage medium - Google Patents

Safety equipment testing method and device, electronic equipment and storage medium

Info

Publication number
CN114095412B
CN114095412B
Authority
CN
China
Prior art keywords
file
sample file
safety equipment
sample
network
Prior art date
Legal status
Active
Application number
CN202111375935.4A
Other languages
Chinese (zh)
Other versions
CN114095412A (en)
Inventor
张云禄
Current Assignee
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd
Original Assignee
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd
Priority date
Filing date
Publication date
Application filed by Beijing Topsec Technology Co Ltd, Beijing Topsec Network Security Technology Co Ltd and Beijing Topsec Software Co Ltd
Priority to CN202111375935.4A
Publication of CN114095412A
Application granted
Publication of CN114095412B
Legal status: Active (current)
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/50 Testing arrangements
    • H04L49/00 Packet switching elements
    • H04L49/20 Support for services
    • H04L49/208 Port mirroring
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/145 Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • H04L9/3239 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions involving non-keyed hash functions, e.g. modification detection codes [MDCs], MD5, SHA or RIPEMD

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application provides a security device testing method and apparatus, an electronic device and a storage medium, which address the low accuracy of tests of a security device's file restoration function. The method comprises: obtaining a sample file and extracting first digest information of the sample file; obtaining the network traffic of the sample file and sending it to the security device, so that the security device restores the network traffic into a restored file and extracts and returns second digest information of the restored file; and receiving the second digest information sent by the security device and determining a test result for the security device from the comparison of the first digest information with the second digest information, where the test result indicates whether the file that the security device restored from the network traffic of the sample file is correct.

Description

Safety equipment testing method and device, electronic equipment and storage medium
Technical Field
The application relates to the technical field of computer security and network security, and in particular to a security device testing method, a security device testing apparatus, an electronic device and a storage medium.
Background
A network security device (also simply called a security device) is a set of software and hardware deployed between a dispatch intranet and an extranet, or between a private network and a public network, to form a protective barrier at the interface between them. Common security devices include anti-virus gateway devices and network protection devices.
At present, file restoration tests on security devices are carried out by manually simulating the transmission of virus files, and in a test environment the security device can easily restore and detect these files correctly. In a real production environment, however, there are many file transfer protocols, files are split because of the data-frame size limit, restored files are hard to verify by hand and manual verification is laborious, so the accuracy of file restoration tests on security devices is low.
Disclosure of Invention
An object of the embodiments of the present application is to provide a method, an apparatus, an electronic device and a storage medium for testing a security device, so as to improve the low accuracy of tests of the security device's file restoration function.
The embodiment of the application provides a security device testing method, which comprises the following steps: obtaining a sample file and extracting first digest information of the sample file; obtaining the network traffic of the sample file and sending it to the security device, so that the security device restores the network traffic into a restored file and extracts and returns second digest information of the restored file; and receiving the second digest information sent by the security device and determining a test result for the security device from the comparison of the first digest information with the second digest information, where the test result indicates whether the file that the security device restored from the network traffic of the sample file is correct. In this implementation, the network traffic of the sample file is obtained and sent to the security device, the security device restores the traffic into a file and extracts and returns the second digest information of the restored file, and the test result is then determined by comparing the first digest information of the sample file with the second digest information of the file restored by the security device. This avoids having to analyse the network transmission protocol and the file transfer protocol and to verify the restored file manually, which is difficult and laborious, and effectively improves the accuracy of testing the file restoration function of the security device.
Optionally, in an embodiment of the present application, obtaining the network traffic of the sample file and sending it to the security device includes: obtaining the network traffic of the sample file, which was recorded while the sample file was uploaded to a server or downloaded from the server; and sending the network traffic of the sample file to the security device. In this implementation, the recorded network traffic of the sample file is sent to the security device, which avoids testing the security device by manually and repeatedly sending or downloading the sample file in real time, simplifies the operating steps in the test process and improves the test efficiency of the security device.
Optionally, in an embodiment of the present application, obtaining the network traffic of the sample file and sending it to the security device includes: uploading the sample file to a server through a switch, so that the switch forwards the network traffic of the sample file to the security device by port mirroring. In this implementation, an automation program on the electronic device uploads the sample file to the server through the switch, and the switch forwards the network traffic of the sample file to the security device by port mirroring, which avoids testing the security device by manually and repeatedly sending or downloading the sample file in real time, simplifies the operating steps in the test process and improves the test efficiency of the security device.
Optionally, in an embodiment of the present application, obtaining the network traffic of the sample file and sending it to the security device includes: downloading the sample file from the server through a switch, so that the switch forwards the network traffic of the sample file to the security device by port mirroring. In this implementation, an automation program on the electronic device downloads the sample file from the server through the switch, and the switch forwards the network traffic of the sample file to the security device by port mirroring, which avoids testing the security device by manually and repeatedly sending or downloading the sample file in real time, simplifies the operating steps in the test process and improves the test efficiency of the security device.
Optionally, in an embodiment of the present application, after determining the test result of the security device from the comparison of the first digest information with the second digest information, the method further includes: if the test result indicates that the file restored from the network traffic of the sample file is correct, performing a regression test, a virus test and/or a leakage test on the sample file. In this implementation, the regression test, virus test and/or leakage test on the sample file are performed only after the test result indicates that the file restored from the network traffic of the sample file is correct, which simplifies the operating steps in the test process and improves the test efficiency of the security device.
Optionally, in an embodiment of the present application, determining the test result of the security device from the comparison of the first digest information with the second digest information includes: comparing the first digest information with the second digest information to obtain a comparison result; judging whether the two are identical; if so, determining the test result of the security device as pass, otherwise determining the test result of the security device as fail. In this implementation, the test result of the security device is determined from the comparison of the first and second digest information; because digest information identifies a file uniquely, this simplifies the operating steps in the test process and improves the test efficiency of the security device.
Optionally, in an embodiment of the present application, extracting the first digest information of the sample file includes: computing a digest of the sample file with the SHA1 algorithm, the SHA256 algorithm, the MD5 algorithm or the national cryptographic standard SM3 algorithm to obtain the first digest information of the sample file.
Optionally, in an embodiment of the present application, the security device includes: an anti-virus gateway device, a security audit device, an intrusion detection device and/or a data leakage prevention device.
The embodiment of the application also provides a security device testing apparatus, comprising: a digest information extraction module for obtaining a sample file and extracting first digest information of the sample file; a network traffic sending module for obtaining the network traffic of the sample file and sending it to the security device, so that the security device restores the network traffic into a restored file and extracts and returns second digest information of the restored file; and a test result determining module for receiving the second digest information sent by the security device and determining the test result of the security device from the comparison of the first digest information with the second digest information, the test result indicating whether the file that the security device restored from the network traffic of the sample file is correct.
Optionally, in an embodiment of the present application, the network traffic sending module includes: a network traffic acquisition module for obtaining the network traffic of the sample file, which was recorded while the sample file was uploaded to the server or downloaded from the server; and a network traffic sending module for sending the network traffic of the sample file to the security device.
Optionally, in an embodiment of the present application, the network traffic sending module includes: an upload traffic mirroring module for uploading the sample file to the server through the switch, so that the switch forwards the network traffic of the sample file to the security device by port mirroring.
Optionally, in an embodiment of the present application, the network traffic sending module includes: a download traffic mirroring module for downloading the sample file from the server through the switch, so that the switch forwards the network traffic of the sample file to the security device by port mirroring.
Optionally, in an embodiment of the present application, the test result determining module includes: a comparison result obtaining module for comparing the first digest information with the second digest information to obtain a comparison result; a comparison result judging module for judging whether the two are identical; a test result affirmation module for determining the test result of the security device as pass if they are identical; and a test result negation module for determining the test result of the security device as fail if they are not identical.
Optionally, in an embodiment of the present application, the apparatus further includes: a virus and leakage test module for performing a regression test, a virus test and/or a leakage test on the sample file if the test result indicates that the file restored from the network traffic of the sample file is correct.
Optionally, in an embodiment of the present application, the digest information extraction module includes: a sample file calculation module for computing a digest of the sample file with the SHA1 algorithm, the SHA256 algorithm, the MD5 algorithm or the national cryptographic standard SM3 algorithm to obtain the first digest information of the sample file.
Optionally, in an embodiment of the present application, the security device includes: an anti-virus gateway device, a security audit device, an intrusion detection device and/or a data leakage prevention device.
The embodiment of the application also provides an electronic device comprising a processor and a memory storing machine-readable instructions executable by the processor; when executed by the processor, the instructions perform the method described above.
Embodiments of the present application also provide a computer-readable storage medium storing a computer program which, when executed by a processor, performs the method described above.
Drawings
To illustrate the technical solutions of the embodiments of the present application more clearly, the drawings needed in the embodiments are briefly described below. It should be understood that the following drawings illustrate only some embodiments of the present application and should not be regarded as limiting its scope; other related drawings may be obtained from these drawings without inventive effort by a person having ordinary skill in the art.
Fig. 1 is a schematic flow chart of a security device testing method according to an embodiment of the present application;
Fig. 2 is a network schematic diagram of a first implementation of restoring network traffic according to an embodiment of the present application;
Fig. 3 is a network schematic diagram of a second implementation of restoring network traffic according to an embodiment of the present application;
Fig. 4 is a network schematic diagram of a third implementation of restoring network traffic according to an embodiment of the present application;
Fig. 5 is a schematic structural diagram of a security device testing apparatus according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application are described below clearly and completely with reference to the drawings; the described embodiments are only some, not all, of the embodiments of the present application. The components of the embodiments, as generally described and illustrated in the figures, may be arranged and designed in a wide variety of configurations. The following detailed description of the embodiments shown in the drawings is therefore not intended to limit the scope of the claimed embodiments but merely represents selected embodiments of the present application. All other embodiments obtained by those skilled in the art on the basis of these embodiments without inventive effort fall within the scope of the embodiments of the present application.
Before describing the security device testing method provided in the embodiments of the present application, some concepts involved in the embodiments of the present application are described first:
Hash functions, also known as hashing algorithms or hash algorithms, are a method of creating a small digital fingerprint from any kind of data. A hash function compresses the information or data into a digest, which reduces the amount of data and fixes its format; it mixes the data in a seemingly random way and produces a fingerprint called a hash value (also hash code, hash sum or simply hash). Hash values are typically represented as a short string of letters and numbers. Common hash algorithms include MD5, SHA-256/224, SHA-512/384, WHIRLPOOL, etc.
It should be noted that the security device testing method provided in the embodiments of the present application may be executed by an electronic device, meaning a device terminal or a server able to execute a computer program. Device terminals include, for example, smart phones, personal computers, tablet computers, personal digital assistants and mobile internet devices. Servers include, for example, x86 servers and non-x86 servers, the latter comprising mainframes, minicomputers and UNIX servers.
Application scenarios for the security device testing method are described below; they include, but are not limited to, use in complex network environments, such as environments with many network types along the propagation path, many file transfer protocols, frequent file splitting caused by the data-frame size limit, and many restored file formats. A concrete case of file splitting caused by the data-frame size limit: when a complete file is transmitted over a computer network, the limit on the data-frame format splits it into many data frames, which are transmitted in the data-frame format, transmission mode and/or encoding of different protocols. Running the file restoration test on the various network security devices against the original network traffic therefore tests the file restoration function of the security devices effectively. The security devices here include, but are not limited to: a transverse isolation device, a longitudinal encryption authentication device, a firewall device, an anti-virus gateway device, a security audit device, an intrusion detection device and/or a data leakage prevention device. An intrusion detection device is a device running an intrusion detection system (IDS) or an intrusion protection system (IPS).
Please refer to Fig. 1, a schematic flow chart of the security device testing method according to an embodiment of the present application. The main idea of the method is to obtain the network traffic of the sample file and send it to the security device, so that the security device restores the traffic into a file and extracts and returns the second digest information of the restored file; the test result for the security device is then determined by comparing the first digest information of the sample file with the second digest information of the file restored by the security device. This avoids having to analyse the network transmission protocol and the file transfer protocol and to verify the restored file manually, which is difficult and laborious, and effectively improves the accuracy of testing the file restoration function of the security device. The security device testing method may include:
Step S110: the electronic device obtains the sample file and extracts first digest information of the sample file.
An embodiment of step S110 is, for example: the electronic device obtains the sample file, either by producing it itself (with a video camera, video recorder, colour camera or the like) or by receiving it from another terminal device; the sample file may be text, an image, a video, audio or the like. A hash algorithm such as SHA1, SHA256, MD5 or the national cryptographic standard SM3 is then applied to the sample file to obtain its first digest information. The first digest information of the sample file is therefore a hash value computed by a hash algorithm such as SHA1, SHA256, MD5 or SM3. Taking MD5 as an example, if the content of the sample file is 1, the 16-character MD5 value of the sample file is A0B923820DCC509A.
After step S110, step S120 is performed: the electronic device obtains the network traffic of the sample file and sends it to the security device, so that the security device restores the network traffic into a restored file and extracts and returns second digest information of the restored file.
The security device may include: a transverse isolation device, a longitudinal encryption authentication device, a firewall device, an anti-virus gateway device, a security audit device, an intrusion detection device and/or a data leakage prevention device.
There are various ways of restoring the network traffic in step S120, including but not limited to the following:
In a first implementation of restoring network traffic, please refer to Fig. 2, a network schematic diagram of the first implementation according to an embodiment of the present application. In an offline scenario (i.e. the security device is not connected to a server), pre-recorded network traffic may be sent to the security device. This implementation may specifically include:
step S121: the electronic device obtains the network traffic of the sample file.
The embodiment of step S121 described above is, for example: when the electronic device uploads the sample file to the server, the network flow recording program is used for recording at the same time, so as to obtain the network flow of the sample file, specifically for example: the WinPcap network packet capturing software records to obtain the network traffic in the pcap format. Or when the electronic equipment downloads the sample file from the server to the local, recording by using the network traffic recording program at the same time to obtain the network traffic of the sample file. Thus, the network traffic for the sample file may be recorded during the uploading of the sample file to or downloading from the server.
Step S122: the electronic device sends the network traffic of the sample file to the security device, so that the security device restores the network traffic of the sample file to obtain a restored file, and extracts and returns second abstract information of the restored file.
The embodiment of step S122 described above is, for example: because the electronic equipment records the network flow of the sample file in advance, the electronic equipment can directly send the network flow which is recorded in advance to the safety equipment; the network traffic here may be network traffic of various protocol types, specifically, hypertext transfer protocol (Hyper Text Transfer Protocol, HTTP), file transfer protocol (File Transfer Protocol, FTP), simple mail transfer protocol (Simple Mail Transfer Protocol, SMTP), internet information access protocol (Internet Message Access Protocol, IMAP), and the like. After the security device receives the network traffic of the sample file, the security device may parse and restore the network traffic of the sample file to obtain a restored file, and extract a hash value of the restored file by using a hash algorithm such as SHA1 algorithm, SHA256 algorithm, MD5 algorithm, or national secret SM3 algorithm, to obtain second summary information of the restored file. After the security device obtains the second summary information of the restored file, the security device may directly return the second summary information of the restored file to the electronic device, or may, of course, manually log into the security device to download the second summary information of the restored file. And the electronic equipment receives the second abstract information of the restored file sent by the safety equipment, and the second abstract information of the restored file can be obtained.
For a second implementation of restoring network traffic, please refer to fig. 3, which illustrates a network schematic diagram of the second restoration network traffic provided in the embodiment of the present application; port mirroring network traffic of a downloaded sample file from a server using a switch such that a security device obtains the network traffic from a mirrored port of the switch may include:
step S123: the electronic device uploads the sample file to the server through the switch, so that the switch forwards the network traffic of the sample file to the security device in a port mirroring mode.
The embodiment of step S123 described above is, for example: an automation program on the electronic equipment sends a file uploading request to a server through a switch, wherein the file uploading request comprises the following steps: sample file. When the switch receives the network traffic of the sample file sent by the electronic device (particularly, a three-layer switch can be used, when the file uploading request is not analyzed, the switch is regarded as the network traffic of the sample file), the network traffic of the sample file is forwarded to the security device in a port mirroring mode, that is, the network traffic originally sent to the server is copied to be sent to the security device through a mirroring port of the switch. After the security device receives the network traffic of the sample file sent by the switch through the mirror port, the security device can analyze and restore the network traffic of the sample file to obtain a restored file, and extract a hash value of the restored file by using a hash algorithm such as an SHA1 algorithm, an SHA256 algorithm, an MD5 algorithm or a national secret SM3 algorithm to obtain second summary information of the restored file. After the security device obtains the second summary information of the restored file, the security device may directly return the second summary information of the restored file to the electronic device, or may, of course, manually log into the security device to download the second summary information of the restored file. And the electronic equipment receives the second abstract information of the restored file sent by the safety equipment, and the second abstract information of the restored file can be obtained.
In a third embodiment, please refer to fig. 4, which illustrates a network schematic diagram of a third way of restoring network traffic provided in the embodiment of the present application. Port-mirroring the network traffic of a sample file downloaded from a server using a switch, so that the security device obtains the network traffic from a mirror port of the switch, may include:
Step S124: the sample file is downloaded from the server through the switch, so that the switch forwards the network traffic of the sample file to the security device by port mirroring.
An embodiment of step S124 is, for example: an automation program on the electronic device sends a sample file download request to the server through the switch. The switch forwards the download request to the server, and the server, on receiving it, sends the sample file back to the electronic device through the switch. When the switch receives the sample file sent by the server (in particular, a Layer 3 switch may be used, which can parse the upper-layer protocol to determine whether it carries the sample file), it forwards the network traffic of the sample file to the security device by port mirroring. After the security device receives the network traffic of the sample file, it parses and restores that traffic to obtain a restored file, and computes the hash value of the restored file with a hash algorithm such as SHA1, SHA256, MD5 or SM3 to obtain the second summary information of the restored file. The security device may then return the second summary information of the restored file directly to the electronic device, or a tester may log into the security device manually and download it. Once the electronic device receives the second summary information sent by the security device, it has the second summary information of the restored file.
In a fourth embodiment, in the second and third embodiments above, a Layer 3 switch may be used, in which an automation program performs port mirroring when it detects the network traffic of the sample file and forwards that traffic to the security device. In practice a Layer 2 switch can also be used directly: the whole communication between the electronic device and the server is forwarded to the security device by port mirroring, so the security device obtains the network traffic of the sample file whenever the sample file is transmitted between the electronic device and the server (the security device then sees all of that communication, not only the flow carrying the sample file, and must pick the sample file's flow out of it).
After step S120, step S130 is performed: the electronic device receives the second summary information sent by the security device, and determines the test result of the security device from the comparison of the first summary information with the second summary information.
An embodiment of step S130 may include: the electronic device receives the second summary information sent by the security device, and compares it with the first summary information using a program written in a programming language to obtain a comparison result. Specifically, for example, the electronic device checks whether the two pieces of summary information are identical; if they are identical, the test result of the security device is determined as passed; if they differ, the test result of the security device is determined as failed. The test result characterizes whether the file restored by the security device from the network traffic of the sample file is correct. Programming languages that may be used include C, C++, Java, BASIC, JavaScript, LISP, Shell, Perl, Ruby, Python, PHP, and so on.
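The test flow of steps S123/S124 and S130 above, written out as an added example that is not part of the patent and not Topsec's code: a Python simulation in which the restore step of the security device is stood in for by a minimal HTTP body extractor, the sample file and the mirrored byte streams (one upload request, one download response) are constructed inline, and the comparison of step S130 is done on normalised lowercase hex digests. The function names, the host name files.example.test, the payload and the failure cases are all assumptions of this example, not material from the patent.

```python
"""Simulation of the security-device file-restoration test (steps S120 and S130).

Constructed example: the sample file, the HTTP byte streams and the host name
are made up here and are not taken from the patent or from any Topsec product.
"""
import hashlib
import hmac

# Constructed sample file: a pseudo-binary payload of 1028 bytes (assumed).
SAMPLE_FILE = b"PK\x03\x04" + bytes(range(256)) * 4


def file_digest(data: bytes, algorithm: str = "sha256") -> str:
    """Summary information of a file: lowercase hex digest with the chosen hash.

    The patent allows SHA1, SHA256, MD5 or SM3; hashlib.new("sm3") works only
    when the OpenSSL build behind hashlib provides that algorithm.
    """
    return hashlib.new(algorithm, data).hexdigest()


def build_http_upload(body: bytes, host: str = "files.example.test") -> bytes:
    """Client-to-server HTTP PUT carrying the sample file (step S123, upload).

    This is the reassembled TCP payload the mirror port would hand to the device.
    """
    headers = (
        "PUT /samples/sample.bin HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Content-Type: application/octet-stream\r\n"
        f"Content-Length: {len(body)}\r\n"
        "\r\n"
    )
    return headers.encode("ascii") + body


def build_http_response(body: bytes) -> bytes:
    """Server-to-client HTTP 200 response carrying the sample file (step S124, download)."""
    headers = (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: application/octet-stream\r\n"
        f"Content-Length: {len(body)}\r\n"
        "\r\n"
    )
    return headers.encode("ascii") + body


def restore_file_from_stream(stream: bytes) -> bytes:
    """Stand-in for the device's restore step: extract the HTTP message body.

    Frames the body by Content-Length only (request or response); a real device
    must also reassemble TCP segments and handle chunked transfer encoding,
    multipart uploads, compression and so on. Raises ValueError when the stream
    is incomplete, which the caller counts as a failed restore.
    """
    head, sep, rest = stream.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP header block")
    length = None
    for line in head.split(b"\r\n")[1:]:  # skip the request line / status line
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            length = int(value.strip())
    if length is None:
        raise ValueError("no Content-Length header; cannot frame the body")
    if len(rest) < length:
        raise ValueError(f"truncated body: expected {length} bytes, got {len(rest)}")
    return rest[:length]


def judge(first_summary: str, second_summary: str) -> str:
    """Step S130: compare the two digests and return 'pass' or 'fail'.

    Both values are normalised to lowercase hex first, so a device that returns
    uppercase digests is not wrongly failed.
    """
    a = first_summary.strip().lower()
    b = second_summary.strip().lower()
    return "pass" if hmac.compare_digest(a, b) else "fail"


def run_test(sample: bytes, mirrored_stream: bytes, algorithm: str = "sha256") -> dict:
    """Whole flow: first digest of the sample, restore from the mirrored stream,
    second digest of the restored file, then compare."""
    first = file_digest(sample, algorithm)
    try:
        restored = restore_file_from_stream(mirrored_stream)
    except ValueError as exc:
        return {"result": "fail", "first": first, "second": None, "error": str(exc)}
    second = file_digest(restored, algorithm)
    return {"result": judge(first, second), "first": first, "second": second, "error": None}


if __name__ == "__main__":
    upload = build_http_upload(SAMPLE_FILE)
    print("upload, intact   :", run_test(SAMPLE_FILE, upload)["result"])
    print("download, intact :", run_test(SAMPLE_FILE, build_http_response(SAMPLE_FILE))["result"])
    # Device dropped the tail of the flow: restore is incomplete, test must fail.
    print("upload, truncated:", run_test(SAMPLE_FILE, upload[:-100])["result"])
    # Same length but one byte corrupted during restore: digests differ, test must fail.
    corrupted = bytearray(upload)
    corrupted[-1] ^= 0xFF
    print("upload, corrupted:", run_test(SAMPLE_FILE, bytes(corrupted))["result"])
```

Two points a tester should carry over from this simulation. First, an incomplete restore (a missing trailing TCP segment, a message with no framing) must be reported as a failed test rather than hashed as if it were a file, which is why the restore step raises and run_test maps that to "fail". Second, the patent accepts MD5 and SHA1 as well as SHA256 and SM3; MD5 and SHA1 both have practical collision attacks, so when the sample file may originate from an untrusted source, use SHA256 or SM3 for the comparison.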
Optionally, after determining the test result of the security device from the comparison of the first and second summary information, the method further includes: if the test result indicates that the file restored from the network traffic of the sample file is correct, performing a regression test, a virus test and/or a leakage test on the sample file. Regression testing is a kind of software testing whose main purpose is to verify that the original functions of the software remain intact after a modification. The virus test checks whether the sample file contains a virus; the leakage test checks whether the sample file contains leak-related (sensitive) information, and whether a leak has occurred is determined from that test result. If the test result indicates that the file restored from the network traffic of the sample file is incorrect, the file restoration function of the security device is repaired and the security device is tested again after the repair. Because the regression, virus and/or leakage tests are run on the sample file only after the test result shows that the restored file is correct, the operation steps of the security device in the testing process are effectively simplified, and the testing efficiency of the security device is improved.
In the above implementation, the network traffic of the sample file is obtained and sent to the security device so that the security device restores the network traffic of the sample file and extracts and returns the second summary information of the restored file; the test result of the security device is then determined from the comparison of the first summary information of the sample file with the second summary information of the restored file. This avoids having to parse the network transport protocol and the file transfer protocol and to verify the restored file by hand, which is laborious and error-prone, and thus effectively improves the accuracy of testing the file restoration function of the security device.
Please refer to fig. 5, which illustrates a schematic structural diagram of a security device testing apparatus according to an embodiment of the present application. The embodiment of the present application provides a security device testing apparatus 200, including:
The summary information extraction module 210, configured to obtain a sample file and extract first summary information of the sample file.
The network traffic sending module 220, configured to obtain the network traffic of the sample file and send it to the security device, so that the security device restores the network traffic of the sample file to obtain a restored file, and extracts and returns second summary information of the restored file.
The test result determining module 230, configured to receive the second summary information sent by the security device and determine a test result of the security device from the comparison of the first summary information with the second summary information, where the test result characterizes whether the file restored by the security device from the network traffic of the sample file is correct.
Optionally, in an embodiment of the present application, the network traffic sending module includes:
a network traffic obtaining module, configured to obtain the network traffic of the sample file, where the network traffic of the sample file is recorded while the sample file is uploaded to a server or downloaded from the server; and
a network traffic sending module, configured to send the network traffic of the sample file to the security device.
Optionally, in an embodiment of the present application, the network traffic sending module includes:
an upload traffic mirroring module, configured to upload the sample file to a server through a switch, so that the switch forwards the network traffic of the sample file to the security device by port mirroring.
Optionally, in an embodiment of the present application, the network traffic sending module includes:
a download traffic mirroring module, configured to download the sample file from a server through a switch, so that the switch forwards the network traffic of the sample file to the security device by port mirroring.
Optionally, in an embodiment of the present application, the security device testing apparatus may further include:
a virus and leakage test module, configured to perform a regression test, a virus test and/or a leakage test on the sample file if the test result indicates that the file restored from the network traffic of the sample file is correct.
Optionally, in an embodiment of the present application, the test result determining module includes:
a comparison result obtaining module, configured to compare the first summary information with the second summary information to obtain a comparison result;
a comparison result judging module, configured to judge whether the two pieces of summary information are identical;
a test result affirming module, configured to determine the test result of the security device as passed if they are identical; and
a test result negating module, configured to determine the test result of the security device as failed if they are not identical.
Optionally, in an embodiment of the present application, the summary information extraction module includes:
a sample file calculation module, configured to compute a hash of the sample file with the SHA1 algorithm, the SHA256 algorithm, the MD5 algorithm or the SM3 algorithm (the Chinese national cryptographic standard hash) to obtain the first summary information of the sample file.
Optionally, in an embodiment of the present application, the security device includes: an anti-virus gateway device, a security audit device, an intrusion detection device, and/or a data leakage prevention device.
It should be understood that the apparatus corresponds to the embodiment of the security device testing method described above and is capable of executing the steps of that method embodiment; the specific functions of the apparatus may be referred to in the description above and are not repeated here to avoid redundancy. The apparatus includes at least one software functional module that can be stored in memory in the form of software or firmware, or built into the operating system (OS) of the device.
An electronic device provided in an embodiment of the present application includes: a processor and a memory storing machine-readable instructions executable by the processor, which when executed by the processor perform the method as above.
Embodiments of the present application also provide a computer readable storage medium having stored thereon a computer program which, when executed by a processor, performs a method as above.
The computer readable storage medium may be implemented by any type or combination of volatile or non-volatile memory devices, such as static random access memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, magnetic disk, or optical disk.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other manners. The apparatus embodiments described above are merely illustrative, for example, of the flowcharts and block diagrams in the figures that illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved.
In addition, the functional modules of the embodiments in the embodiments of the present application may be integrated together to form a single part, or each module may exist alone, or two or more modules may be integrated to form a single part.
In this document, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions.
The foregoing description is merely an optional implementation of the embodiments of the present application, but the scope of the embodiments of the present application is not limited thereto, and any person skilled in the art may easily think about changes or substitutions within the technical scope of the embodiments of the present application, and the changes or substitutions should be covered in the scope of the embodiments of the present application.

Claims (9)

1. A method of testing a security device, comprising:
acquiring a sample file and extracting first summary information of the sample file;
acquiring the network traffic of the sample file and sending it to the security device, so that the security device restores the network traffic of the sample file to obtain a restored file, and extracts and returns second summary information of the restored file;
receiving the second summary information sent by the security device, and determining a test result of the security device according to a comparison result of the first summary information and the second summary information, wherein the test result characterizes whether the file restored by the security device from the network traffic of the sample file is correct;
wherein, after determining the test result of the security device according to the comparison result of the first summary information and the second summary information, the method further comprises: if the test result indicates that the file restored from the network traffic of the sample file is correct, performing a regression test, a virus test and/or a leakage test on the sample file; and if the test result indicates that the file restored from the network traffic of the sample file is incorrect, repairing the file restoration function of the security device, and testing the security device again after the repair.
2. The method of claim 1, wherein the acquiring the network traffic of the sample file and sending it to the security device comprises:
acquiring the network traffic of the sample file, wherein the network traffic of the sample file is recorded while the sample file is uploaded to a server or downloaded from the server; and
sending the network traffic of the sample file to the security device.
3. The method of claim 1, wherein the acquiring the network traffic of the sample file and sending it to the security device comprises:
uploading the sample file to a server through a switch, so that the switch forwards the network traffic of the sample file to the security device by port mirroring.
4. The method of claim 1, wherein the acquiring the network traffic of the sample file and sending it to the security device comprises:
downloading the sample file from a server through a switch, so that the switch forwards the network traffic of the sample file to the security device by port mirroring.
5. The method of any of claims 1-4, wherein the extracting the first summary information of the sample file comprises:
computing a hash of the sample file with the SHA1 algorithm, the SHA256 algorithm, the MD5 algorithm or the SM3 algorithm (the Chinese national cryptographic standard hash) to obtain the first summary information of the sample file.
6. The method of any one of claims 1-4, wherein the security device comprises: an anti-virus gateway device, a security audit device, an intrusion detection device, and/or a data leakage prevention device.
7. A security device testing apparatus, comprising:
a summary information extraction module, configured to obtain a sample file and extract first summary information of the sample file;
a network traffic sending module, configured to obtain the network traffic of the sample file and send it to the security device, so that the security device restores the network traffic of the sample file to obtain a restored file, and extracts and returns second summary information of the restored file;
a test result determining module, configured to receive the second summary information sent by the security device and determine a test result of the security device according to a comparison result of the first summary information and the second summary information, wherein the test result characterizes whether the file restored by the security device from the network traffic of the sample file is correct;
wherein, after the test result of the security device is determined according to the comparison result of the first summary information and the second summary information, the apparatus further performs: if the test result indicates that the file restored from the network traffic of the sample file is correct, performing a regression test, a virus test and/or a leakage test on the sample file; and if the test result indicates that the file restored from the network traffic of the sample file is incorrect, repairing the file restoration function of the security device, and testing the security device again after the repair.
8. An electronic device, comprising: a processor and a memory storing machine-readable instructions executable by the processor to perform the method of any one of claims 1 to 6 when executed by the processor.
9. A computer readable storage medium, characterized in that it has stored thereon a computer program which, when executed by a processor, performs the method according to any of claims 1 to 6.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111375935.4A CN114095412B (en) 2021-11-19 2021-11-19 Safety equipment testing method and device, electronic equipment and storage medium

Publications (2)

Publication Number Publication Date
CN114095412A CN114095412A (en) 2022-02-25
CN114095412B true CN114095412B (en) 2023-07-04

Family

ID=80302219

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111375935.4A Active CN114095412B (en) 2021-11-19 2021-11-19 Safety equipment testing method and device, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN114095412B (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2017181817A1 (en) * 2016-04-19 2017-10-26 中兴通讯股份有限公司 Server testing method, device, and system, and storage medium
CN113347184A (en) * 2021-06-01 2021-09-03 国家计算机网络与信息安全管理中心 Method, device, equipment and medium for testing network flow security detection engine

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100481835C (en) * 2004-12-17 2009-04-22 上海证券通信有限责任公司 Data concentrated backup method, reduction method and system thereof
CN107800663B (en) * 2016-08-31 2020-04-28 华为数字技术(苏州)有限公司 Method and device for detecting flow offline file
US20190278669A1 (en) * 2018-03-06 2019-09-12 International Business Machines Corporation Method for restore and backup of application containers in a shared file system
CN110362994B (en) * 2018-03-26 2023-06-20 华为技术有限公司 Malicious file detection method, device and system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant