CN114244610A - File transmission method and device, network security equipment and storage medium - Google Patents


Info

Publication number: CN114244610A
Authority: CN (China)
Prior art keywords: fingerprint information, file, flow message, malicious, message
Legal status: Granted
Application number: CN202111552297.9A
Other languages: Chinese (zh)
Other versions: CN114244610B (en)
Inventors: 吴晓伟, 王镜清, 王海旭, 张攀, 鲍志军
Current Assignee: Hillstone Networks Co Ltd
Original Assignee: Hillstone Networks Co Ltd
Events: application filed by Hillstone Networks Co Ltd; priority to CN202111552297.9A; publication of CN114244610A; application granted; publication of CN114244610B; legal status Active.

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
        • H04L63/00 Network architectures or network communication protocols for network security
            • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
                • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
                • H04L63/1441 Countermeasures against malicious traffic
        • H04L67/00 Network arrangements or protocols for supporting network services or applications
            • H04L67/01 Protocols
                • H04L67/06 Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]
            • H04L67/14 Session management
                • H04L67/146 Markers for unambiguous identification of a particular session, e.g. session cookie or URL-encoding

Abstract

The application provides a file transmission method and apparatus, a network security device and a storage medium. The method comprises: receiving a traffic message sent by a first terminal and carrying a network data block; acquiring fingerprint information from the traffic message, where the fingerprint information identifies the file to which the network data block belongs, the file being divided into a plurality of network data blocks that are transmitted in breakpoint resume (resumable transfer) mode; querying whether locally stored malicious fingerprint information contains the fingerprint information, where malicious fingerprint information is the fingerprint information corresponding to a file already identified as malicious; and, when the malicious fingerprint information contains the fingerprint information, processing the traffic message according to a first preset processing mode. In this way, even if a file is transmitted in breakpoint resume mode, the network data blocks that continue to be transmitted after the interruption can be identified effectively, and the continued transmission of a malicious file can be blocked.

Description

File transmission method and device, network security equipment and storage medium
Technical Field
The present application relates to the field of data transmission technologies, and in particular, to a file transmission method and apparatus, a network security device, and a storage medium.
Background
Existing network security devices such as firewalls and next-generation firewalls provide intrusion detection, virus scanning, content filtering, sandbox protection and similar functions. They can perform security detection on files transmitted over the network and, when a file is found to contain signatures, viruses or specific keywords, stop the file from spreading, thereby protecting the network or preventing data leakage.
To ensure that files are transmitted reliably, current file transmission schemes generally divide a large file into a plurality of network data blocks. A network security device detects each network data block in turn. Because the character strings that constitute a virus may be distributed across different network data blocks, the network security device determines that a file is malicious only after it has detected all of the character strings constituting the virus. Under this scheme the receiving end may already have received some network data blocks that carry virus character strings; at that point the transmission can be interrupted so that not all of the character strings constituting the virus reach the receiving end. However, the inventors found that if breakpoint resume is used during file transmission, then when the receiving end requests the file a second time, the transmitting end sends only the remaining network data blocks and does not resend the blocks that were already transmitted successfully. Because breakpoint resume is equivalent to re-establishing a session, the network security device treats the remaining network data blocks as a new file during detection, so the remaining blocks carrying virus character strings can be delivered to the receiving end, and the receiving end is attacked by the malicious file.
Disclosure of Invention
An object of the embodiments of the present application is to provide a file transmission method and apparatus, a network security device and a storage medium that prevent a receiving end from receiving a malicious file by way of breakpoint resume.
The invention is realized as follows:
In a first aspect, an embodiment of the present application provides a file transmission method applied to a network security device, comprising: receiving a traffic message sent by a first terminal and carrying a network data block; acquiring fingerprint information from the traffic message, where the fingerprint information identifies the file to which the network data block belongs, and the file is split into a plurality of network data blocks that are transmitted in breakpoint resume mode; querying whether locally stored malicious fingerprint information contains the fingerprint information, where the malicious fingerprint information is the fingerprint information corresponding to a file already identified as malicious; and, when the malicious fingerprint information contains the fingerprint information, processing the traffic message according to a first preset processing mode.
In this embodiment, the network security device stores in advance the fingerprint information corresponding to malicious files. After receiving a traffic message from the first terminal carrying a network data block, it can judge from the fingerprint information carried in the traffic message whether the network data block belongs to a malicious file and, if so, process the received traffic message accordingly. In this way, even if the file is transmitted in breakpoint resume mode, the network data blocks that continue to be transmitted after the interruption can be identified effectively, and the continued transmission of the malicious file can be blocked.
With reference to the first aspect, in some possible implementations, processing the traffic message according to the first preset processing mode comprises: processing the traffic message according to the processing mode associated with the malicious fingerprint information that matches the fingerprint information.
In this embodiment, processing the traffic message according to the processing mode associated with the matching malicious fingerprint information shortens the processing flow for the traffic message and improves processing efficiency.
With reference to the first aspect, in some possible implementations, the method further comprises: when the malicious fingerprint information does not contain the fingerprint information, detecting the traffic message; when the detection result indicates that the file is malicious, processing the traffic message according to a second preset processing mode and storing the fingerprint information of the traffic message together with its processing mode; and when the detection result indicates that the file is not malicious, forwarding the traffic message to the second terminal to which it is addressed.
In this embodiment, when the malicious fingerprint information does not contain the fingerprint information of the traffic message, the traffic message is detected; if the file corresponding to the traffic message is found to be malicious, the traffic message is processed and its fingerprint information and processing mode are stored, so that the network security device can subsequently process any traffic message carrying the same fingerprint information quickly.
With reference to the first aspect, in some possible implementations, processing the traffic message according to the second preset processing mode comprises: replacing the virus character strings in the traffic message; and sending the traffic message with the virus character strings replaced to the second terminal.
In this embodiment, if the file corresponding to the traffic message is detected to be malicious, the virus character strings in the traffic message may be replaced so as to remove them from the network data block; the second terminal is then not attacked by the virus after the network data block continues to be transmitted to it.
With reference to the first aspect, in some possible implementations, when the traffic message is a TCP or UDP message carried over IP, acquiring the fingerprint information from the traffic message comprises: acquiring the source IP address, destination IP address and destination port of the traffic message; the source IP address, destination IP address and destination port of the traffic message constitute the fingerprint information.
In this embodiment, when the traffic message is a TCP or UDP message carried over IP, its source IP address, destination IP address and destination port are extracted as fingerprint information, so that the network data block in a TCP or UDP message carried over IP can be identified effectively.
With reference to the first aspect, in some possible implementations, when the traffic message is an HTTP message, acquiring the fingerprint information from the traffic message comprises: acquiring the uniform resource locator, destination terminal address, file name, file encoding mode and file type from the traffic message; the fingerprint information comprises the uniform resource locator, destination terminal address, file name, file encoding mode and file type of the traffic message.
In this embodiment, when the traffic message is an HTTP message, the uniform resource locator, destination terminal address, file name, file encoding mode and file type are extracted from it, so that the network data block in an HTTP traffic message can be identified effectively.
With reference to the first aspect, in some possible implementations, when the traffic message is an FTP message, acquiring the fingerprint information from the traffic message comprises: parsing the traffic message to obtain its transmission path and file name; the transmission path and file name of the traffic message constitute the fingerprint information.
In this embodiment, when the traffic message is an FTP message, its transmission path and file name are extracted as fingerprint information, so that the network data block in an FTP traffic message can be identified effectively.
In a second aspect, an embodiment of the present application provides a file transmission apparatus applied to a network security device, comprising: a receiving module for receiving a traffic message sent by a first terminal and carrying a network data block; an acquisition module for acquiring fingerprint information from the traffic message, where the fingerprint information identifies the file to which the network data block belongs, and the file is split into a plurality of network data blocks that are transmitted in breakpoint resume mode; a query module for querying whether locally stored malicious fingerprint information contains the fingerprint information, where the malicious fingerprint information is the fingerprint information corresponding to a file already identified as malicious; and a processing module for processing the traffic message according to a first preset processing mode when the malicious fingerprint information contains the fingerprint information.
In a third aspect, an embodiment of the present application provides a network security device comprising a processor and a memory connected to each other; the memory stores a program, and the processor is configured to invoke the program stored in the memory to perform the method of the first aspect and/or any of its possible implementations.
In a fourth aspect, an embodiment of the present application provides a computer-readable storage medium storing a computer program which, when executed by a processor, performs the method of the first aspect and/or any of its possible implementations.
Drawings
To illustrate the technical solutions of the embodiments more clearly, the drawings used in the embodiments are briefly described below. It should be understood that these drawings illustrate only some embodiments of the present application and should not be taken as limiting its scope, and that those skilled in the art can derive other related drawings from them without inventive effort.
Fig. 1 is a schematic diagram of file breakpoint resuming provided in the prior art.
Fig. 2 is a block diagram of a network system according to an embodiment of the present disclosure.
Fig. 3 is a block diagram of a network security device according to an embodiment of the present application.
Fig. 4 is a flowchart of a file transmission method according to an embodiment of the present application.
Fig. 5 is a block diagram of a file transfer device according to an embodiment of the present disclosure.
Reference numerals: 10, network system; 100, network security device; 110, processor; 120, memory; 200, first terminal; 300, second terminal; 400, file transmission apparatus; 410, receiving module; 420, acquisition module; 430, query module; 440, processing module.
Detailed Description
The technical solutions in the embodiments of the present application will be described below with reference to the drawings in the embodiments of the present application.
First, the prior-art method of file breakpoint resume is explained. To ensure that files are transmitted reliably, current file transmission schemes generally divide a large file into a plurality of network data blocks. Referring to Fig. 1, Fig. 1 illustrates the transfer of a file (for example, a virus file) from a first terminal to a second terminal. Suppose the virus file is divided into ten network data blocks, numbered 1 to 10 in transmission order: the first block transmitted is network data block 1, the second is network data block 2, and so on up to network data block 10. The three virus strings A, B and C that together constitute the virus are located in network data block 1, network data block 3 and network data block 4 respectively.
Note that for the virus to take effect on the second terminal, the second terminal must obtain the complete file, which contains all of the virus strings constituting the virus. That is, the virus only functions once the second terminal has received the complete file containing all three virus strings A, B and C (the presence of A, B and C can be used to determine that the file is a malicious or virus file); it does not function if the second terminal holds only two of the three strings, or only one. Accordingly, the network security device determines that a file is a virus file only after it has identified all of the character strings constituting the virus. As shown in Fig. 1, the network data blocks are transmitted in sequence over the network and detected by the network security device. Network data block 1 has already arrived at the second terminal, i.e. it was received successfully; network data blocks 2 and 3 are in transit from the network security device to the second terminal; network data block 4 is being detected by the network security device; network data blocks 5 to 8 are in transit from the first terminal to the network security device, i.e. they have not yet reached it; and network data blocks 9 and 10 have not yet been sent by the first terminal.
When the network security device detects network data block 4, all of the virus strings A, B and C have been detected, so it blocks the transmission of every network data block that has not yet reached the second terminal; network data blocks 2 to 10 therefore do not reach the second terminal. However, the inventors found that if breakpoint resume is used during the transfer, then when the second terminal requests the file a second time, the first terminal sends only the remaining network data blocks (in the second transfer in Fig. 1, transmission starts from network data block 2) and does not resend the block already transmitted successfully (network data block 1). Breakpoint resume is equivalent to re-establishing a session, so the network security device may treat the remaining blocks (network data blocks 2 to 10) as a new file during detection. Because it never sees virus string A in this session, it judges the file formed by network data blocks 2 to 10 to be safe and forwards them to the second terminal, including the blocks carrying virus strings B and C. Since the second terminal already received the block carrying virus string A, merging all of the network data blocks yields a malicious file containing all three virus strings A, B and C, and the second terminal is attacked by the virus.
To address this problem, the present application provides the following embodiments.
Referring to fig. 2, an embodiment of the present application provides a network system 10, which includes a network security device 100, a first terminal 200, and a second terminal 300.
The network security device 100 is communicatively connected to the first terminal 200 and the second terminal 300, respectively.
The network security device 100 may provide intrusion detection, virus scanning, content filtering, sandbox protection and similar functions. In this embodiment, it is mainly used to detect traffic messages carrying network data blocks that are sent from the first terminal 200 to the second terminal 300.
The network security device 100 may be, but is not limited to, a router, a gateway device, a firewall.
Referring to fig. 3, structurally, the network security appliance 100 may include a processor 110 and a memory 120.
The processor 110 and the memory 120 are electrically connected, directly or indirectly, so that data can be exchanged between them, for example via one or more communication buses or signal lines. The file transmission apparatus comprises at least one software module, which may be stored in the memory 120 as software or firmware or built into the operating system (OS) of the network security device 100. The processor 110 executes the executable modules stored in the memory 120, such as the software functional modules and computer programs of the file transmission apparatus, to implement the file transmission method. The processor 110 may execute the computer program upon receiving an execution instruction.
The processor 110 may be an integrated circuit chip having signal processing capabilities. The Processor 110 may also be a general-purpose Processor, for example, a Central Processing Unit (CPU), a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a discrete gate or transistor logic device, or a discrete hardware component, which may implement or execute the methods, steps, and logic blocks disclosed in the embodiments of the present Application. Further, a general purpose processor may be a microprocessor or any conventional processor or the like.
The Memory 120 may be, but is not limited to, a Random Access Memory (RAM), a Read Only Memory (ROM), a Programmable Read-Only Memory (PROM), an Erasable Programmable Read-Only Memory (EPROM), and an electrically Erasable Programmable Read-Only Memory (EEPROM). The memory 120 is used for storing a program, and the processor 110 executes the program after receiving the execution instruction.
It should be noted that the structure shown in fig. 3 is merely an illustration, and the network security device 100 provided in the embodiment of the present application may also have fewer or more components than those shown in fig. 3, or have a different configuration than that shown in fig. 3. Further, the components shown in fig. 3 may be implemented by software, hardware, or a combination thereof.
The first terminal 200 may be configured to transmit the traffic message to the second terminal 300. For example, the second terminal 300 requests the first terminal 200 to acquire the target file, the first terminal 200 splits the target file into a plurality of network data blocks, and then sequentially sends a traffic message carrying the network data blocks to the second terminal 300.
In this embodiment, the first terminal 200 may be a terminal or a server, and the terminal may be, but is not limited to, a Personal Computer (PC), a smart phone, a tablet Computer, a Personal Digital Assistant (PDA), a Mobile Internet Device (MID), and the like. The server may be, but is not limited to, a web server, a database server, a cloud server, or a server assembly composed of a plurality of sub-servers, etc. The second terminal 300 may be, but is not limited to, a personal computer, a smart phone, a tablet computer, etc.
Of course, the above-listed hardware devices are only used for facilitating understanding of the embodiments of the present application, and should not be taken as limiting the embodiments.
Referring to Fig. 4, Fig. 4 is a flowchart of a file transmission method according to an embodiment of the present application; the method is applied to the network security device 100 shown in Fig. 3. Note that the file transmission method provided in this embodiment is not limited to the order shown in Fig. 4 or described below. The method comprises steps S101 to S104.
Step S101: receiving a traffic message sent by the first terminal and carrying a network data block.
Step S102: acquiring fingerprint information from the traffic message.
The fingerprint information identifies the file to which the network data block belongs. The file is split into a plurality of network data blocks by the first terminal and is transmitted in breakpoint resume mode.
Step S103: querying whether locally stored malicious fingerprint information contains the fingerprint information.
The malicious fingerprint information is the fingerprint information corresponding to a file already identified as malicious. The network security device can store the fingerprint information corresponding to malicious files in advance; then, when a traffic message carrying a network data block is received, it can determine directly from the fingerprint information of the traffic message whether the file to which the carried network data block belongs is malicious.
Step S104: when the malicious fingerprint information contains the fingerprint information, processing the traffic message according to a first preset processing mode.
When the malicious fingerprint information includes the fingerprint information of the traffic message, the file to which the network data block carried by the traffic message belongs is malicious, and the traffic message can be processed according to the first preset processing mode.
The first preset processing mode is a processing mode defined for malicious files; it is explained below.
In summary, in this embodiment the network security device may store in advance the fingerprint information corresponding to malicious files. After receiving a traffic message from the first terminal carrying a network data block, it can determine from the fingerprint information carried in the traffic message whether the network data block belongs to a malicious file and, if so, process the received traffic message accordingly. In this way, even if the file is transmitted in breakpoint resume mode, the network data blocks that continue to be transmitted after the interruption can be identified effectively, and the continued transmission of the malicious file can be blocked.
The above steps are described below with reference to specific examples.
In this embodiment, the fingerprint information differs according to the protocol of the traffic message.
In one embodiment, the traffic message may be a TCP (Transmission Control Protocol) or UDP (User Datagram Protocol) message carried over IP (Internet Protocol). In that case, step S102 may specifically comprise: acquiring the source IP address, destination IP address and destination port of the traffic message.
The source IP address, destination IP address and destination port of the traffic message constitute the fingerprint information. Correspondingly, the locally stored malicious fingerprint information consists of the source IP address, destination IP address and destination port corresponding to the malicious file.
Thus, in this embodiment, when the traffic message is a TCP or UDP message carried over IP, its source IP address, destination IP address and destination port are extracted as fingerprint information, so that the network data block in a TCP or UDP message carried over IP can be identified effectively.
In another embodiment, the traffic message may be a Hyper Text Transfer Protocol (HTTP) message. In that case, step S102 may specifically comprise: acquiring the uniform resource locator, the destination terminal address (for example, the Media Access Control (MAC) address of the second terminal), the file name, the file encoding mode and the file type from the traffic message.
The fingerprint information comprises the uniform resource locator, destination terminal address, file name, file encoding mode and file type of the traffic message. Correspondingly, the locally stored malicious fingerprint information consists of the uniform resource locator, destination terminal address, file name, file encoding mode and file type corresponding to the malicious file.
Thus, in this embodiment, when the traffic message is an HTTP message, the uniform resource locator, destination terminal address, file name, file encoding mode and file type are extracted from it, so that the network data block in an HTTP traffic message can be identified effectively.
In another embodiment, the traffic message may be a File Transfer Protocol (FTP) Protocol message. When the flow packet is a packet of the FTP protocol, step S102 may specifically include: and analyzing the flow message to obtain a transmission path and a file name of the flow message.
The transmission path and the file name of the traffic message are referred to as fingerprint information. Correspondingly, the malicious fingerprint information stored locally is a transmission path and a file name corresponding to the malicious file.
It should be noted that, in the traffic message of the FTP protocol, since the data flow and the control flow are separated, the fingerprint information extraction of the traffic message is mainly in the control flow. The network security appliance may extract a transmission path by parsing a directory switching command (cd), extract a file name by parsing a file acquisition command (get), and then combine the transmission path and the file name into fingerprint information.
Therefore, in the embodiment of the application, when the traffic message is a message of the FTP protocol, the transmission path and the file name of the traffic message are extracted as fingerprint information, so that the network data block in the traffic message of the FTP protocol can be effectively identified.
In addition, the traffic packet may also be a packet of an SMB (Server Message Block) protocol. The fingerprint information corresponding to the messages of the above protocols may also be determined according to the implementation situation, and the present application is not limited. In addition, when the traffic message is transmitted in different protocols, the network security device needs to identify which protocol the traffic message is, and then extract the fingerprint information of the traffic message according to the configured fingerprint information corresponding to the protocol message.
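The three extraction rules above (the TCP/UDP address triple, the HTTP request fields, and the FTP control-channel commands) as one added Python example. This is not code from the patent or from Hillstone; the TrafficMessage structure, the protocol labels ("tcp", "udp", "http", "ftp-control") and the sample messages in the comments are constructed assumptions. On the wire, the description's cd and get are the CWD and RETR commands of RFC 959, which is what the FTP tracker parses. The design point the example makes explicit is that a fingerprint must leave out the fields that change from block to block (HTTP Content-Range, the FTP REST offset); otherwise the resumed blocks of a file would never match the stored malicious fingerprint.

```python
"""Per-protocol fingerprint extraction (step S102) for resumable transfers.

Added example, not the patent's code. The protocol label on each message is
assumed to come from the device's protocol identification stage.
"""
import posixpath
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Fingerprint = Tuple[str, ...]


@dataclass
class TrafficMessage:
    protocol: str            # "tcp", "udp", "http" or "ftp-control" (assumed labels)
    src_ip: str
    dst_ip: str
    dst_port: int
    dst_mac: str = ""        # address of the second (receiving) terminal
    payload: bytes = b""


def fingerprint_ip_transport(msg: TrafficMessage) -> Fingerprint:
    """TCP/UDP over IP: source IP, destination IP and destination port."""
    return ("l4", msg.src_ip, msg.dst_ip, str(msg.dst_port))


def _parse_http_head(payload: bytes) -> Tuple[str, Dict[str, str]]:
    """Split an HTTP head into its start line and a lower-cased header map."""
    head = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def fingerprint_http(msg: TrafficMessage) -> Optional[Fingerprint]:
    """HTTP: URL, destination terminal address, file name, encoding and type.

    Assumes the file-carrying message is a request (e.g. PUT) whose headers
    describe the body. Content-Range is deliberately left out: it differs
    for every resumed block, while the fingerprint must not.
    """
    start_line, headers = _parse_http_head(msg.payload)
    parts = start_line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None                          # not a request head; nothing to fingerprint
    path = parts[1]
    url = f"http://{headers.get('host', msg.dst_ip)}{path}"
    file_name = posixpath.basename(path.split("?", 1)[0])
    encoding = headers.get("content-encoding", "identity")
    file_type = headers.get("content-type", "application/octet-stream")
    return ("http", url, msg.dst_mac, file_name, encoding, file_type)


class FtpControlTracker:
    """Follows one FTP control connection and builds (path, file) fingerprints.

    The description's `cd` and `get` are the CWD and RETR commands on the
    wire (RFC 959); STOR is handled the same way for uploads. The REST
    command (resume offset) is ignored on purpose.
    """

    def __init__(self) -> None:
        self.cwd = "/"

    def feed(self, line: str) -> Optional[Fingerprint]:
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "CWD":
            self.cwd = posixpath.normpath(posixpath.join(self.cwd, arg))
        elif verb == "CDUP":
            self.cwd = posixpath.normpath(posixpath.join(self.cwd, ".."))
        elif verb in ("RETR", "STOR"):
            directory, file_name = posixpath.split(posixpath.join(self.cwd, arg))
            return ("ftp", directory, file_name)
        return None


def extract_fingerprint(msg: TrafficMessage,
                        ftp: Optional[FtpControlTracker] = None) -> Optional[Fingerprint]:
    """Dispatch on the identified protocol, as the description requires."""
    if msg.protocol in ("tcp", "udp"):
        return fingerprint_ip_transport(msg)
    if msg.protocol == "http":
        return fingerprint_http(msg)
    if msg.protocol == "ftp-control" and ftp is not None:
        result = None
        for line in msg.payload.decode("latin-1").splitlines():
            result = ftp.feed(line) or result
        return result
    return None                              # SMB etc.: configured per deployment
```

One FtpControlTracker is kept per control connection, because the path is built up across several CWD commands before the RETR arrives. Note also how coarse the TCP/UDP triple is: any later transfer between the same source, destination and port matches the cached verdict, which is what makes the fast path work for a resumed file but also means the key is not specific to a file.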
In an embodiment, processing the traffic message based on the first preset processing mode in step S104 specifically includes: replacing the virus character string in the traffic message, and sending the traffic message with the virus character string replaced to the second terminal.
Continuing with fig. 1 as an example, if the network data block carried in the traffic message sent by the first terminal is network data block 4, the network security device replaces the virus character string after recognizing virus character string C in network data block 4. Here, the replacement may substitute any character string other than C for virus character string C; the form of the replacement string is not limited in this application. After replacing virus character string C, the network security device may send the traffic message to the second terminal. Since the network data block no longer contains character string C, the file content is corrupted and the virus is rendered ineffective, so the second terminal is not attacked by the virus when network data block 4 is delivered to it.
Of course, if the traffic message does not contain a virus character string, it may be sent to the second terminal directly. For example, if the network data block carried in the traffic message currently sent by the first terminal is network data block 2, the network security device sends the traffic message directly to the second terminal.
In an embodiment, processing the traffic message based on the first preset processing mode in step S104 specifically includes: blocking the sending of the traffic message.
Continuing with fig. 1 as an example, if the network data block carried in the traffic message currently sent by the first terminal is network data block 4, the network security device may interrupt the transmission of network data block 4 at this point.
Of course, it is also possible to block the transmission of all network data blocks that have not yet reached the second terminal at this point. For example, if the network data block carried in the traffic message currently sent by the first terminal is network data block 4, the network security device interrupts the transmission of network data blocks 2 to 4.
In an embodiment, processing the traffic message based on the first preset processing mode in step S104 specifically includes: processing the traffic message based on the processing mode corresponding to the malicious fingerprint information that is the same as the fingerprint information.
That is, the network security device may locally store, together with each item of malicious fingerprint information, the processing mode corresponding to it, and the traffic message can then be processed directly based on the processing mode corresponding to the malicious fingerprint information that matches the fingerprint information.
Here, the processing mode of the malicious fingerprint information may be either of the two implementations in the foregoing embodiments. For example, if the matching malicious fingerprint information corresponds to the processing mode of replacing the virus character string, the virus character string in the traffic message is replaced, and if the traffic message does not contain a virus character string, it is sent directly to the second terminal. For another example, if the matching malicious fingerprint information corresponds to the processing mode of blocking the sending of the traffic message, the network security device interrupts the transmission of the traffic message.
Therefore, in this embodiment, the traffic message is processed based on the processing mode corresponding to the matching malicious fingerprint information, which shortens the processing flow of the traffic message and improves processing efficiency.
Of course, when the malicious fingerprint information does not contain the fingerprint information, the file transmission method further includes: detecting the traffic message.
When the detection result of the traffic message indicates that the file is a non-malicious file, the traffic message is forwarded to the second terminal corresponding to the traffic message.
That is, the network security device may identify virus character strings in the traffic message; if the file corresponding to the traffic message does not contain all of the virus character strings that constitute the virus, the file is determined to be a non-malicious file, and the traffic message is forwarded directly.
When the detection result of the traffic message indicates that the file is a malicious file, the traffic message is processed based on a second preset processing mode, and the fingerprint information and the processing mode of the traffic message are stored.
Continuing with the example of fig. 1, assume that the file carrying virus character strings A, B and C is file Q, and that the network security device receives a message corresponding to file Q for the first time. While detecting the traffic messages carrying network data blocks 1 to 3, the network security device does not determine file Q to be a malicious file. When the traffic message carrying network data block 4 is detected, file Q is determined to be a malicious file because virus character strings A, B and C have all been detected. At this point, the network security device processes the traffic message based on the second preset processing mode and stores the fingerprint information and the processing mode of the traffic message.
The second preset processing mode may be, but is not limited to, replacing the virus character string or blocking the sending of the traffic message as in the foregoing embodiments.
Taking replacement of the virus character string as the second preset processing mode, the network security device replaces virus character string C in network data block 4. Here, the replacement may substitute any character string other than C for virus character string C; the form of the replacement string is not limited in this application. After replacing virus character string C, the network security device may send the traffic message to the second terminal. Because the network data block no longer contains character string C, the file content is corrupted and the virus is rendered ineffective, so the second terminal cannot be attacked by the virus after network data block 4 is delivered to it. After processing the traffic message, the network security device stores the fingerprint information of file Q and the processing mode of the traffic message.
When the network security device receives a traffic message corresponding to file Q again, for example the traffic message carrying network data block 3, virus character string B in network data block 3 may be replaced directly and the traffic message then sent to the second terminal.
Taking blocking of the sending of the traffic message as the second preset processing mode, the network security device interrupts the transmission of the traffic message carrying network data block 4. After processing the traffic message, the network security device stores the fingerprint information of file Q and the processing mode of the traffic message.
When the network security device receives a traffic message corresponding to file Q again, for example the traffic message carrying network data block 2, the transmission of that traffic message may be interrupted directly; that is, the method effectively prevents the first terminal in fig. 1 from resuming the transmission of file Q to the second terminal from the breakpoint.
It should be noted that, in this embodiment, the interruption preceding a breakpoint resume may be a transmission interruption triggered by the first terminal or the second terminal, an interruption after the network security device detects a malicious file, or a transmission interruption caused by a poor network signal; regardless of how the interruption occurred, the file transmission method can be used to prevent the malicious file from being received by the second terminal through breakpoint resume.
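The cache-miss and cache-hit flow of steps S103 and S104, together with the detect-and-store branch just described, simulated on the fig. 1 scenario as an added Python example. This is not code from the patent; the signature strings, the block contents, the Gateway class and the fingerprint value are constructed. It runs file Q through the device once, lets the transfer stop after block 4, and resumes it from block 2, in both the replace and the block processing modes. To match the description, virus string A sits in block 1, block 2 is clean, B is in block 3 and C in block 4.

```python
"""Fingerprint cache fast path for resumed transfers (steps S103/S104).

Added example, not the patent's code. Models the fig. 1 scenario: file Q is
sent as blocks 1 to 4, the virus signature is the set of strings A, B, C
spread over blocks 1, 3 and 4 (constructed), and the transfer is
interrupted after block 4 and resumed from block 2.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

Fingerprint = Tuple[str, ...]

# Constructed signature: the file is malicious only once all three strings
# have been seen, which is why blocks 1 to 3 alone do not trigger a verdict.
VIRUS_SIGNATURE: Set[bytes] = {b"VIRUS_A", b"VIRUS_B", b"VIRUS_C"}
REPLACEMENT = b"NEUTRALIZED"   # any string other than the virus string will do


@dataclass
class Block:
    fingerprint: Fingerprint   # identifies the file; identical for all its blocks
    index: int
    data: bytes


@dataclass
class Decision:
    action: str                # "forward", "replace" or "block"
    data: Optional[bytes]      # bytes sent to the second terminal; None if blocked
    fast_path: bool            # True when answered from the malicious fingerprint cache


@dataclass
class Gateway:
    default_mode: str = "replace"   # the second preset processing mode
    # malicious fingerprint -> processing mode stored alongside it
    malicious: Dict[Fingerprint, str] = field(default_factory=dict)
    # detection state: which signature strings have been seen per file
    seen: Dict[Fingerprint, Set[bytes]] = field(default_factory=dict)

    def _apply(self, mode: str, data: bytes) -> Optional[bytes]:
        """Apply a processing mode to one block's payload."""
        if mode == "block":
            return None
        for sig in VIRUS_SIGNATURE:          # replace mode; clean blocks pass unchanged
            data = data.replace(sig, REPLACEMENT)
        return data

    def handle(self, blk: Block) -> Decision:
        mode = self.malicious.get(blk.fingerprint)
        if mode is not None:
            # S103 hit: the file is already known malicious, so apply the
            # stored mode directly without detecting the block again.
            return Decision(mode, self._apply(mode, blk.data), True)
        # S103 miss: run detection and accumulate per-file state.
        found = self.seen.setdefault(blk.fingerprint, set())
        found.update(sig for sig in VIRUS_SIGNATURE if sig in blk.data)
        if found == VIRUS_SIGNATURE:
            mode = self.default_mode
            self.malicious[blk.fingerprint] = mode       # store fingerprint + mode
            return Decision(mode, self._apply(mode, blk.data), False)
        return Decision("forward", blk.data, False)


def simulate(mode: str = "replace") -> Tuple[List[Decision], List[Decision]]:
    """Run file Q through the gateway once, then resume it from block 2."""
    gw = Gateway(default_mode=mode)
    q = ("l4", "10.0.0.5", "10.0.0.9", "21")              # constructed fingerprint
    blocks = [
        Block(q, 1, b"hdr VIRUS_A"),
        Block(q, 2, b"plain data"),
        Block(q, 3, b"VIRUS_B here"),
        Block(q, 4, b"end VIRUS_C"),
    ]
    first_pass = [gw.handle(b) for b in blocks]
    resumed = [gw.handle(b) for b in blocks[1:]]          # breakpoint resume from block 2
    return first_pass, resumed


if __name__ == "__main__":
    for m in ("replace", "block"):
        first, again = simulate(m)
        print(m, [d.action for d in first], [d.action for d in again])
```

Two things worth noticing in the run: on the first pass, blocks 1 to 3 reach the second terminal before the verdict exists, so the protection rests on neutralizing or blocking block 4 and on the cached verdict for every resumed block; and both the `malicious` and the `seen` tables grow per fingerprint, so a real device needs an eviction policy for them.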
Referring to fig. 5, based on the same inventive concept, an embodiment of the present application further provides a file transmission apparatus 400, comprising:
a receiving module 410, configured to receive a traffic message which is sent by a first terminal and carries a network data block;
an obtaining module 420, configured to obtain fingerprint information in the traffic message, where the fingerprint information is used to identify the file to which the network data block belongs, the file being split into a plurality of network data blocks and transmitted in breakpoint resume mode;
a query module 430, configured to query whether locally stored malicious fingerprint information contains the fingerprint information, where the malicious fingerprint information is the fingerprint information corresponding to an identified malicious file; and
a processing module 440, configured to process the traffic message based on a first preset processing mode when the malicious fingerprint information contains the fingerprint information.
Optionally, the processing module 440 is further configured to process the traffic message based on the processing mode corresponding to the malicious fingerprint information that is the same as the fingerprint information.
Optionally, the apparatus further comprises a detection module.
The detection module is configured to detect the traffic message when the malicious fingerprint information does not contain the fingerprint information; when the detection result indicates that the file is a malicious file, to process the traffic message based on a second preset processing mode and store the fingerprint information and the processing mode of the traffic message; and when the detection result indicates that the file is a non-malicious file, to forward the traffic message to the second terminal corresponding to it.
Optionally, the detection module is further configured to replace the virus character string in the traffic message and send the traffic message with the virus character string replaced to the second terminal.
Optionally, when the traffic message is a TCP or UDP message carried over IP, the obtaining module 420 is specifically configured to obtain the source IP address, the destination IP address and the destination port of the traffic message, which are the fingerprint information.
Optionally, when the traffic message is an HTTP message, the obtaining module 420 is specifically configured to obtain the uniform resource locator, destination terminal address, file encoding method and file type in the traffic message; the fingerprint information comprises the uniform resource locator, destination terminal address, file name, file encoding method and file type in the traffic message.
Optionally, when the traffic message is an FTP message, the obtaining module 420 is specifically configured to parse the traffic message to obtain its transmission path and file name, which are the fingerprint information.
It should be noted that, as those skilled in the art will clearly understand, for convenience and brevity of description the specific working processes of the systems, apparatuses and units described above may refer to the corresponding processes in the foregoing method embodiments and are not described again here.
Based on the same inventive concept, embodiments of the present application further provide a computer-readable storage medium on which a computer program is stored; when executed, the computer program performs the methods provided in the above embodiments.
The storage medium may be any available medium that can be accessed by a computer, or a data storage device such as a server or data center integrating one or more available media. The available medium may be a magnetic medium (e.g. floppy disk, hard disk, magnetic tape), an optical medium (e.g. DVD) or a semiconductor medium (e.g. solid state disk (SSD)), among others.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. The apparatus embodiments described above are merely illustrative; for example, the division into units is only one logical division, and other divisions are possible in an actual implementation: a plurality of units or components may be combined or integrated into another system, or some features may be omitted or not performed. In addition, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection between devices or units through some communication interfaces, and may be electrical, mechanical or of another form.
In addition, units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
Furthermore, the functional modules in the embodiments of the present application may be integrated together to form an independent part, or each module may exist separately, or two or more modules may be integrated to form an independent part.
In this document, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions.
The above description is only an example of the present application and is not intended to limit the scope of the present application, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application shall be included in the protection scope of the present application.

Claims (10)

1. A file transmission method, applied to a network security device, comprising the following steps:
receiving a traffic message which is sent by a first terminal and carries a network data block;
acquiring fingerprint information in the traffic message, wherein the fingerprint information is used for identifying a file to which the network data block belongs, and the file is split into a plurality of network data blocks and transmitted in a breakpoint continuous transmission mode;
querying whether locally stored malicious fingerprint information contains the fingerprint information, wherein the malicious fingerprint information is fingerprint information corresponding to an identified malicious file; and
when the malicious fingerprint information contains the fingerprint information, processing the traffic message based on a first preset processing mode.
2. The method according to claim 1, wherein processing the traffic message based on the first preset processing mode comprises:
processing the traffic message based on a processing mode corresponding to the malicious fingerprint information that is the same as the fingerprint information.
3. The method according to claim 2, further comprising:
when the malicious fingerprint information does not contain the fingerprint information, detecting the traffic message;
when the detection result of the traffic message indicates that the file is a malicious file, processing the traffic message based on a second preset processing mode, and storing the fingerprint information and the processing mode of the traffic message; and
when the detection result of the traffic message indicates that the file is a non-malicious file, forwarding the traffic message to a second terminal corresponding to the traffic message.
4. The method according to claim 3, wherein processing the traffic message based on the second preset processing mode comprises:
replacing a virus character string in the traffic message; and
sending the traffic message with the virus character string replaced to the second terminal.
5. The method according to claim 1, wherein when the traffic message is a TCP protocol message or a UDP protocol message carried by an IP protocol, acquiring the fingerprint information in the traffic message comprises:
acquiring a source IP address, a destination IP address and a destination port in the traffic message, wherein the source IP address, the destination IP address and the destination port in the traffic message are the fingerprint information.
6. The method according to claim 1, wherein when the traffic message is an HTTP protocol message, acquiring the fingerprint information in the traffic message comprises:
acquiring a uniform resource locator, a destination terminal address, a file encoding method and a file type in the traffic message, wherein the fingerprint information comprises the uniform resource locator, the destination terminal address, a file name, the file encoding method and the file type in the traffic message.
7. The method according to claim 1, wherein when the traffic message is an FTP protocol message, acquiring the fingerprint information in the traffic message comprises:
parsing the traffic message to obtain a transmission path and a file name of the traffic message, wherein the transmission path and the file name of the traffic message are the fingerprint information.
8. A file transmission apparatus, applied to a network security device, comprising:
a receiving module, configured to receive a traffic message which is sent by a first terminal and carries a network data block;
an acquisition module, configured to acquire fingerprint information in the traffic message, wherein the fingerprint information is used for identifying a file to which the network data block belongs, and the file is split into a plurality of network data blocks and transmitted in a breakpoint continuous transmission mode;
a query module, configured to query whether locally stored malicious fingerprint information contains the fingerprint information, wherein the malicious fingerprint information is fingerprint information corresponding to an identified malicious file; and
a processing module, configured to process the traffic message based on a first preset processing mode when the malicious fingerprint information contains the fingerprint information.
9. A network security device, comprising a processor and a memory connected to each other, wherein:
the memory is configured to store a program; and
the processor is configured to execute the program stored in the memory to perform the method according to any one of claims 1 to 7.
10. A computer-readable storage medium on which a computer program is stored, wherein the computer program, when executed by a computer, performs the method according to any one of claims 1 to 7.
CN202111552297.9A 2021-12-17 2021-12-17 File transmission method and device, network security equipment and storage medium Active CN114244610B (en)

Publications (2)

Publication Number Publication Date
CN114244610A true CN114244610A (en) 2022-03-25
CN114244610B CN114244610B (en) 2024-05-03

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant