CN114338112A - System file protection method and device based on network security and electronic equipment

Info

Publication number: CN114338112A
Application number: CN202111567223.2A
Authority: CN (China)
Other versions: CN114338112B (en)
Other languages: Chinese (zh)
Legal status: Granted; active
Inventors: 韩明均, 杨飞
Current assignee: Beijing Antiy Network Technology Co Ltd
Original assignee: Beijing Antiy Network Technology Co Ltd
Prior art keywords: external data, virtual space, local system, file, virtual
Events: application filed by Beijing Antiy Network Technology Co Ltd; priority to CN202111567223.2A; published as CN114338112A; application granted and published as CN114338112B.

Abstract

The embodiment of the invention discloses a system file protection method and device based on network security and electronic equipment, and relates to the technical field of network security. The method is invented for solving the problem that the probability of system files being damaged is high. The system file protection method based on network security comprises the following steps: establishing a first virtual space on a local system; the first virtual space receives external data transmitted to a local system; the first virtual space carries out security verification on the received external data and determines whether the external data can threaten data in a local system; if the first virtual space determines that the external data threatens data in a local system, alarm information is sent to the local system; and the local system deletes the first virtual space and the data in the first virtual space based on the alarm information. The method is suitable for application scenes for preventing system files from being damaged.

Description

System file protection method and device based on network security and electronic equipment
Technical Field
The invention relates to the technical field of network security. In particular, to a method and an apparatus for protecting a system file based on network security, and an electronic device.
Background
The network attack refers to an attack on hardware and software of a system and data in the system by using vulnerabilities and security flaws existing in the system. Computers may be subject to cyber attacks during their everyday use. Because the network attack occurs in the computer system, in the process of defending the system against the network attack, the data of the part subjected to the network attack can be damaged, thereby causing economic loss.
Disclosure of Invention
In view of this, embodiments of the present invention provide a method and an apparatus for protecting a system file based on network security, and an electronic device, which can reduce the probability of system file damage to a certain extent.
In order to achieve the above purpose, the embodiment of the invention adopts the following technical scheme:
in a first aspect, an embodiment of the present invention provides a system file protection method based on network security, including: establishing a first virtual space on a local system; the first virtual space receives external data transmitted to a local system; the first virtual space carries out security verification on the received external data and determines whether the external data can threaten data in a local system; if the first virtual space determines that the external data threatens data in a local system, alarm information is sent to the local system; and the local system deletes the first virtual space and the data in the first virtual space based on the alarm information.
According to a specific implementation manner of the embodiment of the present invention, the first virtual space performing security verification on the received external data and determining whether the external data threatens data inside the local system includes: reading the file name of the external data; reading the head and tail byte sections of predetermined length of the external data and the command characters at its beginning and end; and performing security verification on the external data based on its file name, its head and tail byte sections of predetermined length, and the command characters at its beginning and end.
According to a specific implementation manner of the embodiment of the present invention, after the first virtual space receives external data transmitted to a local system, the method further includes: temporarily storing the external data to a first storage position in the first virtual space; after the first virtual space determines that the external data threatens data internal to a local system, the method further comprises: and putting the external data into a first low-rate channel so as to transmit the external data from the first storage position to a target storage position in the first virtual space through the first low-rate channel.
According to a specific implementation manner of the embodiment of the present invention, before the external data is transmitted from the first storage location to the target storage location in the first virtual space, the method further includes: the local system generates a first virtual file and transmits the first virtual file to the target storage position in the first virtual space, wherein the file name of the first virtual file is the same as that of the external data.
According to a specific implementation manner of the embodiment of the present invention, after the first virtual space receives external data transmitted to a local system, the method further includes: the first virtual space reads the head and tail byte sections of predetermined length of the external data and the command characters at its start and end, and sends them to the local system; the local system generating a first virtual file then comprises: the local system, based on the alarm information, generates the first virtual file from the head and tail byte sections of predetermined length of the external data and the command characters at its start and end, and transmits the first virtual file to the target storage location in the first virtual space.
According to a specific implementation manner of the embodiment of the present invention, the generating, by the local system, a first virtual file according to the first and last word segments of the external data with the predetermined length and the command characters of the start and end based on the alarm information includes: the local system extracts a first byte section with a preset length from a local junk file based on the alarm information; randomly extracting bytes in the first byte section; randomly and continuously copying the randomly extracted bytes to obtain a second byte section; and adding a head byte section and a tail byte section of a preset length of the external data and command characters of a start and a tail into a second byte section to form the first virtual file.
In a second aspect, an embodiment of the present invention provides a system file protection device based on network security, including: the first virtual space establishing module is used for establishing a first virtual space on a local system; the external data receiving module is used for receiving external data transmitted to a local system by the first virtual space; the security verification module is used for performing security verification on the received external data by the first virtual space and determining whether the external data can threaten data in a local system; the alarm module is used for sending alarm information to a local system if the first virtual space determines that the external data can threaten data in the local system; and the first virtual space deleting module is used for deleting the first virtual space and the data in the first virtual space by the local system based on the alarm information.
According to a specific implementation manner of the embodiment of the present invention, the security verification module is specifically configured to read the file name of the external data; read the head and tail byte sections of predetermined length of the external data and the command characters at its beginning and end; and perform security verification on the external data based on its file name, its head and tail byte sections of predetermined length, and the command characters at its beginning and end.
According to a specific implementation manner of the embodiment of the present invention, the apparatus further includes an external data temporary storage module, after the first virtual space receives external data transmitted to a local system, the external data temporary storage module is specifically configured to temporarily store the external data to a first storage location in the first virtual space; the system further comprises a low-rate transmission module, and after the first virtual space determines that the external data can threaten data inside a local system, the low-rate transmission module is specifically configured to put the external data into a first low-rate channel, so as to transmit the external data from the first storage location to a target storage location in the first virtual space through the first low-rate channel.
According to a specific implementation manner of the embodiment of the present invention, the apparatus further includes a first virtual file transfer module, before the external data is transmitted from the first storage location to the target storage location in the first virtual space, the first virtual file transfer module is configured to generate a first virtual file by the local system, and transfer the first virtual file to the target storage location in the first virtual space, where a file name of the first virtual file is the same as a file name of the external data.
According to a specific implementation manner of the embodiment of the present invention, the apparatus further includes a first virtual file generation module. After the first virtual space receives external data transmitted to a local system, the first virtual file generation module is configured to read, in the first virtual space, the head and tail byte sections of predetermined length of the external data and the command characters at its beginning and end, and to send them to the local system; the local system generating a first virtual file then comprises: the local system, based on the alarm information, generates the first virtual file from the head and tail byte sections of predetermined length of the external data and the command characters at its start and end, and transmits the first virtual file to the target storage location in the first virtual space.
According to a specific implementation manner of the embodiment of the present invention, the first virtual file generating module is specifically configured to: the local system extracts a first byte section with a preset length from a local junk file based on the alarm information; randomly extracting bytes in the first byte section; randomly and continuously copying the randomly extracted bytes to obtain a second byte section; and adding a head byte section and a tail byte section of a preset length of the external data and command characters of a start and a tail into a second byte section to form the first virtual file.
In a third aspect, an embodiment of the present invention provides an electronic device, where the electronic device includes: the device comprises a shell, a processor, a memory, a circuit board and a power circuit, wherein the circuit board is arranged in a space enclosed by the shell, and the processor and the memory are arranged on the circuit board; a power supply circuit for supplying power to each circuit or device of the electronic apparatus; the memory is used for storing executable program codes; the processor executes a program corresponding to the executable program code by reading the executable program code stored in the memory, and is used for executing the system file protection method based on network security in any one of the first aspect.
In a fourth aspect, an embodiment of the present invention provides a computer-readable storage medium, where one or more programs are stored, and the one or more programs are executable by one or more processors to implement the method for protecting a system file based on network security according to any one of the foregoing first aspects.
According to the system file protection method, device and electronic equipment based on network security, provided by the embodiment of the invention, the first virtual space is established, and the external data transmitted to the local system is received, so that the local system is prevented from directly receiving the external data; the local system determines that external data can threaten data inside the local system, and deletes the first virtual space and the data in the first virtual space, so that direct contact between the local system and the data threatening inside the local system is avoided.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
FIG. 1 is a flowchart illustrating a system file protection method based on network security according to an embodiment of the present invention;
fig. 2 is a schematic flowchart illustrating a process of performing security verification on external data according to a system file protection method based on network security according to an embodiment of the present invention;
fig. 3 is a schematic flowchart illustrating a process of forming a first virtual file according to a system file protection method based on network security according to an embodiment of the present invention;
FIG. 4 is a block diagram of a system file protection method and apparatus for network security according to an embodiment of the present invention;
fig. 5 is a block diagram of an electronic device according to an embodiment of the invention.
Detailed Description
Embodiments of the present invention will be described in detail below with reference to the accompanying drawings.
It should be understood that the described embodiments are only some embodiments of the invention, and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Example one
The network attack refers to an attack on hardware and software of a local system and data in the system by using bugs and security flaws existing in the local system. The means of attack include password intrusion, e-mail attack, attacking other nodes through one node, network interception, hacking software attack, security hole attack, port scanning attack, and the like. When the system is attacked and succeeded by the external network, the system is not only controlled, but also the data file in the system is stolen, thereby causing economic loss.
At present, defenses against attack include raising security awareness; using firewall software for anti-virus and anti-hacking protection; setting up a proxy server and hiding the IP address behind it; treating anti-virus and anti-hacking protection as a daily routine; updating anti-virus components regularly; and keeping the anti-virus software resident. Since hackers often launch attacks on specific dates, computer users should be alert during such periods, strictly protect important personal data, and make a habit of backing up data.
Referring to fig. 1, an embodiment of the present invention provides a system file protection method based on network security, including:
S101, establishing a first virtual space on a local system.
And connecting the first virtual space with a network while establishing the first virtual space, so as to install the latest virus library file into the first virtual space.
The first virtual space can also be called a first virtual host, which is a special software technology used for dividing a computer host into virtual hosts, each virtual host has an independent domain name and an IP address and has a complete Internet server function, and the key role of the first virtual space is that different server programs opened for a plurality of users run on the same hardware and the same operating system without interference.
S102, the first virtual space receives external data transmitted to a local system.
S103, the first virtual space carries out security verification on the received external data and determines whether the external data can threaten data inside a local system.
S104, if the first virtual space determines that the external data threatens the data in the local system, sending alarm information to the local system.
S105, the local system deletes the first virtual space and the data in the first virtual space based on the alarm information.
The embodiment of the invention provides a system file protection method based on network security, which receives external data transmitted to a local system by establishing a first virtual space, so that the local system is prevented from directly receiving the external data; the local system determines that external data can threaten data inside the local system, and deletes the first virtual space and the data in the first virtual space, so that direct contact between the local system and the data threatening inside the local system is avoided.
Referring to fig. 2, in an embodiment, the security validation of the received external data by the first virtual space, and the determination of whether the external data threatens the data inside the local system include:
S1031, reading the file name of the external data.
S1032, reading the head and tail byte sections of predetermined length of the external data and the command characters at its beginning and end.
S1033, performing security verification on the external data based on its file name, its head and tail byte sections of predetermined length, and the command characters at its beginning and end.
Security verification of the external data means that the file name, the head and tail byte sections of predetermined length and the command characters at the beginning and end of the external data are judged by capturing packets at the data link layer of the TCP/IP (Transmission Control Protocol/Internet Protocol) protocol suite for detection analysis, and by capturing packets at the application layer of the OSI (Open Systems Interconnection) reference model for detection analysis. This improves how well the virus library file judges the external data and strengthens the first virtual space's identification of whether the external data threatens data in the local system. Detection analysis of the packets captured at the OSI application layer is based on the latest virus library file installed in the first virtual space.
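One way to carry out the check of S1031 to S1033 on a received file, written as an added example that is not the patent's or the assignee's code. The patent does not say which file formats are recognised or what the "command characters" are, so the extension-to-signature table (the public magic numbers of PNG, PDF, ZIP and PE files), the reading of the command characters as executable markers (MZ, ELF, "#!"), the 8-byte section length and the sample files are all assumptions of this example.

```python
"""Security verification of received external data from its file name and its
head / tail byte sections (steps S1031-S1033). Added example, not code from
the patent or its assignee. The extension-to-signature table, the executable
markers treated as "command characters", the section length of 8 bytes and
the sample files are constructed assumptions for this illustration."""
import os

HEAD_LEN = TAIL_LEN = 8  # predetermined length of the head / tail sections (assumed)

# Public magic numbers of common container formats keyed by the extension the
# file name claims: (expected head bytes, expected tail bytes or None).
FORMAT_SIGNATURES = {
    ".png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    ".pdf": (b"%PDF-", b"%%EOF"),
    ".zip": (b"PK\x03\x04", None),
    ".exe": (b"MZ", None),
    ".txt": (None, None),
}

# Markers at the start of a file that hand it to a loader or interpreter; the
# example treats these as the "command characters of the beginning".
EXECUTABLE_MARKERS = (b"MZ", b"\x7fELF", b"#!")
EXECUTABLE_EXTENSIONS = {".exe"}


def verify(file_name: str, data: bytes) -> dict:
    """Verdict on one file: the name's extension must agree with the head and
    tail sections, and a non-executable name must not start with a command marker."""
    ext = os.path.splitext(file_name)[1].lower()
    head, tail = data[:HEAD_LEN], data[-TAIL_LEN:]
    findings = []
    if ext not in FORMAT_SIGNATURES:
        findings.append("unknown extension")
    else:
        exp_head, exp_tail = FORMAT_SIGNATURES[ext]
        if exp_head is not None and not head.startswith(exp_head):
            findings.append("head mismatch")
        # trailing newlines after an end marker are common, so strip them first
        if exp_tail is not None and not tail.rstrip().endswith(exp_tail):
            findings.append("tail mismatch")
    if ext not in EXECUTABLE_EXTENSIONS and head.startswith(EXECUTABLE_MARKERS):
        findings.append("command characters in non-executable file")
    return {"file_name": file_name, "threat": bool(findings), "findings": findings}


# Constructed samples standing in for external data received by the virtual space.
SAMPLES = [
    ("image.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16 + b"IEND\xaeB`\x82"),
    ("report.pdf", b"MZ\x90\x00" + b"\x00" * 60),      # PE loader stub under a .pdf name
    ("notes.txt", b"#!/bin/sh\necho constructed\n"),    # script under a .txt name
    ("archive.zip", b"PK\x03\x04" + b"\x00" * 20),
]


def verify_all(samples=SAMPLES) -> dict:
    """Verdicts for every sample, keyed by file name."""
    return {name: verify(name, data) for name, data in samples}


if __name__ == "__main__":
    for name, verdict in verify_all().items():
        print(name, "THREAT" if verdict["threat"] else "ok", verdict["findings"])
```

The check is deliberately conservative: an unknown extension is reported rather than passed, because the point of the first virtual space is that nothing reaches the local system without a positive verdict.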
For detection analysis of packets captured at the data link layer of the TCP/IP protocol suite, the content of the external data received by the virtual space can be judged with Snort. The test applied by Snort is as follows: over the character set $\Sigma$, a text string $T[1 \ldots N]$ of length $N$ and a pattern string $P_i[1 \ldots M]$ of length $M$ are given, where the number of patterns is denoted by $k$ and the pattern set by $P = \{p_1, p_2, \ldots, p_k\}$; if for some $1 \le S \le N$ we have $T[S+1 \ldots S+M] = P[1 \ldots M]$, then the pattern $P$ appears at position $S$ of the virtual space text $T$, i.e. the pattern matches the text, the intrusion behaviour is established, and once the intrusion behaviour is established the external data received by the virtual space is judged to carry a security threat.
Packets captured at the application layer of the OSI model for detection analysis can be inspected with the deep packet inspection technique of the Aho-Corasick algorithm, which performs multi-pattern string matching between the external data and the virus library file. Specifically: a goto table, a fail table and an output table are constructed; $S' = \mathrm{goto}(S, C)$ denotes that state $S$ is converted to state $S'$ under condition $C$, $\mathrm{fail}(S)$ denotes the fail-table value of state $S$, and $\mathrm{output}(S)$ denotes the output-table value of state $S$. When the external data is matched against the virus library and the match succeeds, the external data is a threat. The goto table records the valid state transitions, the fail table records the state to which the automaton rolls back when a transition fails, and the output table determines which matched pattern is output in which state. Given the current state $S$ and condition $C$, the question is how to find the next definite state $S'$. If $\mathrm{goto}(S, C)$ succeeds, $S' = \mathrm{goto}(S, C)$; otherwise let $S' = \mathrm{goto}(\mathrm{fail}(S), C)$; if $S'$ is valid and not 0, $S'$ is the definite state, and the relation $S' = \mathrm{goto}(S, C)$ should then be added to the goto table.
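The two matching steps described above (the positional test quoted for Snort and the goto/fail/output automaton of the Aho-Corasick algorithm), worked through in Python as an added example that is not part of the patent, of Snort or of the assignee's implementation. The pattern library and the payload are constructed stand-ins for the virus library file and the captured external data, and the memoisation of resolved transitions into the goto table follows the last sentence of the paragraph above.

```python
"""Multi-pattern matching of a captured payload against a pattern library:
the position test quoted for Snort, T[S+1..S+M] = P[1..M], beside an
Aho-Corasick automaton built from explicit goto / fail / output tables.

Added example; not code from the patent, from Snort or from the assignee.
The pattern library and the payload are constructed for the demonstration
and are not real signatures."""
from collections import deque

# Constructed pattern library standing in for the virus library file.
PATTERNS = [b"EVIL", b"VILLAIN", b"LAIN", b"INJECT"]

# Constructed payload standing in for the external data captured on the link.
PAYLOAD = b"header...VILLAINJECT...EVIL...tail"


def naive_match(text: bytes, pattern: bytes) -> list:
    """Offsets S (0-based) with text[S:S+M] == pattern, i.e. the
    T[S+1..S+M] = P[1..M] test from the text, one pattern at a time."""
    n, m = len(text), len(pattern)
    return [s for s in range(n - m + 1) if text[s:s + m] == pattern]


class AhoCorasick:
    """Finite state machine over the pattern set.

    goto[S][C] -> S'   valid transition from state S on byte C
    fail[S]    -> state to roll back to when goto(S, C) is undefined
    output[S]  -> patterns that end in state S
    """

    def __init__(self, patterns):
        self.goto = [{}]
        self.fail = [0]
        self.output = [[]]
        for p in patterns:
            self._insert(p)
        self._build_fail()

    def _insert(self, pattern: bytes) -> None:
        state = 0
        for c in pattern:
            if c not in self.goto[state]:
                self.goto.append({})
                self.fail.append(0)
                self.output.append([])
                self.goto[state][c] = len(self.goto) - 1
            state = self.goto[state][c]
        self.output[state].append(pattern)

    def _build_fail(self) -> None:
        # Breadth-first: depth-1 states keep fail = 0 (the root); a deeper state
        # fails to the state its parent's fail state reaches on the same byte.
        queue = deque(self.goto[0].values())
        while queue:
            r = queue.popleft()
            for c, s in self.goto[r].items():
                f = self.fail[r]
                while f and c not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(c, 0)
                self.output[s] = self.output[s] + self.output[self.fail[s]]
                queue.append(s)

    def step(self, state: int, c: int) -> int:
        """S' = goto(S, C); on failure retry from fail(S). A resolved non-zero
        S' is added to the goto table, as the text describes."""
        start = state
        while state and c not in self.goto[state]:
            state = self.fail[state]
        nxt = self.goto[state].get(c, 0)
        if nxt and start != state:
            self.goto[start][c] = nxt
        return nxt

    def search(self, text: bytes) -> list:
        """All (start_offset, pattern) pairs found in text."""
        state, hits = 0, []
        for i, c in enumerate(text):
            state = self.step(state, c)
            for p in self.output[state]:
                hits.append((i - len(p) + 1, p))
        return hits


def scan(payload: bytes = PAYLOAD, patterns=PATTERNS) -> dict:
    """Run both matchers and report whether they agree and whether any
    library pattern appears, which the text treats as a threat."""
    ac_hits = sorted(AhoCorasick(patterns).search(payload))
    naive_hits = sorted((s, p) for p in patterns for s in naive_match(payload, p))
    return {"hits": ac_hits, "agrees": ac_hits == naive_hits, "threat": bool(ac_hits)}


if __name__ == "__main__":
    print(scan())
```

The overlapping patterns in the constructed library are the point of the demonstration: VILLAIN, LAIN and INJECT all occur in one run of bytes, and the automaton reports every one of them in a single pass through the payload, where the naive test needs one pass per pattern.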
Capturing packets at the data link layer of the TCP/IP protocol suite and at the application layer of the OSI model for detection analysis allows the external data to be judged by several checks in combination: the external data is first judged with Snort, and external data that Snort judges not to threaten the data in the local system is then judged with the deep packet inspection technique.
Snort is a powerful network intrusion detection/prevention system (NIDS/NIPS) with multi-platform support, real-time traffic analysis and network IP packet logging. It captures and decodes network packets at the data link layer of the TCP/IP protocol suite, detects and analyses intrusion packets against its rules, and responds.
Deep packet inspection (DPI) is an application-layer traffic inspection and control technique. When an IP (Internet Protocol) packet or a TCP (Transmission Control Protocol) or UDP (User Datagram Protocol) data stream passes through a DPI-based bandwidth management system, the system reads the payload of the IP packets in depth and reassembles the application-layer information of the OSI seven-layer model, thereby obtaining the content of the whole application session, and then shapes the traffic according to the management policy defined by the system.
The Aho-Corasick algorithm (AC algorithm for short) is a classic multi-pattern string matching algorithm; it borrows the idea of the KMP (Knuth-Morris-Pratt) algorithm and can be represented as a finite state machine.
In an embodiment, after the first virtual space receives external data transmitted to a local system, the method further comprises: temporarily storing the external data to a first storage position in the first virtual space; after the first virtual space determines that the external data threatens data internal to a local system, the method further comprises: and putting the external data into a first low-rate channel so as to transmit the external data from the first storage position to a target storage position in the first virtual space through the first low-rate channel.
And if the first virtual space determines that the external data does not threaten the data in the local system, putting the external data into the transmission channel, and transmitting the external data from the first storage position to a target storage position in the first virtual space at a preset speed through the transmission channel. The first virtual space obtains a copy of the external data based on the external data at the target storage location and transmits the copy of the external data into the local system.
The first storage position is arranged to receive external data and verify the external data, and the target storage position is arranged to receive data threatening the inside of the local system, so that the first virtual space can be used for receiving the external data, and whether the external data can threaten the data in the local system is verified, and the direct contact between the data threatening the inside of the local system and the local system is avoided. In addition, external data threatening the internal data of the local system is transmitted through the first low-rate channel, so that the local system can generate a first virtual file and transmit the first virtual file to a target storage position conveniently.
Wherein the transmission rate of the first low rate channel may be 1b per second.
Additionally, the first virtual space may store identification information in a log file that determines whether external data would threaten data internal to the local system.
In an embodiment, before transmitting the external data from the first storage location to the target storage location within the first virtual space, the method further comprises: the local system generates a first virtual file and transmits the first virtual file to the target storage position in the first virtual space, wherein the file name of the first virtual file is the same as that of the external data.
As described above, data threatening the inside of the local system is transmitted to the target storage location in the first virtual space through the first low-rate channel, so the first virtual file reaches the target storage location first and the threatening data is transmitted there afterwards. Since the file name of the first virtual file is the same as that of the external data, the transfer of the threatening data to the target storage location in the first virtual space fails, i.e. the external data that threatens the local system is saved only at the first storage location. Then, by deleting the virtual space and all the data in it, direct contact between the local system and external data that threatens it can be prevented.
When the external data are placed in the first low-rate channel, the first virtual space reads the file name of the external data and sends the file name of the external data to the local system; disconnecting the first virtual space from the network while deleting the first virtual space, and after deleting the first virtual space, reestablishing a second virtual space by the system to receive external data; the log file is sent to the local system before all data of the first virtual space is deleted.
In an embodiment, after the first virtual space receives external data transmitted to a local system, the method further comprises: the first virtual space reads the head and tail byte sections of predetermined length of the external data and the command characters at its start and end, and sends them to the local system; the local system generating a first virtual file then comprises: the local system, based on the alarm information, generates the first virtual file from the head and tail byte sections of predetermined length of the external data and the command characters at its start and end, and transmits the first virtual file to the target storage location in the first virtual space.
A first virtual file generated from the head and tail byte sections of predetermined length and the start and end command characters of the external data is more similar to the external data than a first virtual file that only shares its file name. After detecting that the file names of the first virtual file and the external data are the same, the content of the first virtual file is further compared with the content of the external data, and when the similarity between them is high, the transfer of the external data to the target storage location in the first virtual space fails.
The alarm information is a warning signal sent by the first virtual space to the local system when the external data received by the first virtual space is judged to threaten the data in the local system, so that the system generates a warning reaction after receiving the warning signal, namely, a first virtual file is generated, and the first virtual file is transmitted to a target storage position in the first virtual space.
Referring to fig. 3, in an embodiment, the local system generates a first virtual file according to a predetermined length of a head field, a tail field, and start and end command characters of the external data based on the alarm information, including:
S201, the local system extracts a first byte section with a preset length from a local junk file based on the alarm information.
S202, randomly extracting the bytes in the first byte section.
S203, randomly and continuously copying the randomly extracted bytes to obtain a second byte section.
S204, adding the head and tail byte sections of predetermined length of the external data and the command characters of the beginning and end to the second byte section to form the first virtual file.
Randomly extracting bytes from the first byte section turns them into characters with no meaning. Randomly and repeatedly copying the randomly extracted bytes further increases the difficulty of restoring these meaningless characters to the first byte section, so that the local junk file is not leaked if an attacker obtains the first virtual file through a network attack.
Extracting the first byte section of predetermined length may be intercepting the last four bits of the local junk file.
Example two
Referring to fig. 4, an embodiment of the present invention provides a system file protection device based on network security, including: a first virtual space establishing module 201, configured to establish a first virtual space on a local system; an external data receiving module 202, configured to receive, in the first virtual space, external data transmitted to the local system; a security verification module 203, configured to perform security verification on the received external data in the first virtual space and determine whether the external data threatens data inside the local system; an alarm module 204, configured to send alarm information to the local system if the first virtual space determines that the external data threatens data inside the local system; and a first virtual space deleting module 205, configured to have the local system delete the first virtual space and the data in it based on the alarm information.
The device of this embodiment receives external data transmitted to the local system in a first virtual space, so the local system never receives the external data directly; once the external data is determined to threaten data inside the local system, the first virtual space and the data in it are deleted, so the local system never comes into direct contact with data that threatens it.
In an embodiment, the security verification module 203 is specifically configured to read the file name of the external data; read a head byte segment and a tail byte segment of predetermined length of the external data, together with its start and end command characters; and perform security verification on the external data based on that file name, those head and tail byte segments and those start and end command characters.
Security verification of the external data means that its file name, head and tail byte segments of predetermined length and start and end command characters are examined by capturing the packets at the data link layer of the TCP/IP (Transmission Control Protocol/Internet Protocol) suite for detection and analysis, and by capturing the packets at the application layer of the OSI (Open System Interconnection) reference model for detection and analysis. The application-layer capture and analysis relies on the latest virus library file installed in the first virtual space. Examining the data at both layers improves the effect of the virus library file on the external data and strengthens the ability of the first virtual space to identify whether the external data threatens data inside the local system.
In an embodiment, the device further includes an external data temporary storage module configured, after the first virtual space receives external data transmitted to the local system, to temporarily store the external data at a first storage location in the first virtual space; and a low-rate transmission module configured, after the first virtual space determines that the external data threatens data inside the local system, to put the external data into a first low-rate channel so that it is transmitted from the first storage location to a target storage location in the first virtual space through that channel.
The first storage location is provided to receive and verify external data, and the target storage location is provided to receive data that threatens the inside of the local system. The first virtual space can therefore receive external data and verify whether it threatens data in the local system, while direct contact between threatening data and the local system is avoided. Transmitting the threatening external data through the first low-rate channel also gives the local system time to generate a first virtual file and transmit it to the target storage location.
In an embodiment, the local system further includes a first virtual file transfer module configured, before the external data is transmitted from the first storage location to the target storage location in the first virtual space, to have the local system generate a first virtual file and transfer it to the target storage location in the first virtual space, where the file name of the first virtual file is the same as the file name of the external data.
From the above, the data that threatens the inside of the local system is transmitted to the target storage location in the first virtual space through the first low-rate channel, so the first virtual file reaches the target storage location first and the threatening data arrives afterwards. Because the file name of the first virtual file is the same as that of the external data, the transfer of the threatening data to the target storage location fails, and the threatening external data remains only at the first storage location. Deleting the virtual space together with all the data in it then prevents any direct contact between the local system and the external data that threatens it.
In an embodiment, the device further includes a first virtual file generation module configured, after the first virtual space receives external data transmitted to the local system, to read in the first virtual space a head byte segment and a tail byte segment of predetermined length of the external data and its start and end command characters, and to send them to the local system; the local system generating a first virtual file then comprises: based on the alarm information, the local system generates a first virtual file from the head and tail byte segments of predetermined length and the start and end command characters of the external data, and transmits the first virtual file to the target storage location in the first virtual space.
Compared with a first virtual file that only shares the file name, a first virtual file built from the head and tail byte segments of predetermined length and the start and end command characters of the external data is much more similar to the external data. Once the file names of the first virtual file and the external data are found to match, their contents are compared as well, and when that similarity is high the transfer of the threatening external data to the target storage location in the first virtual space fails.
In an embodiment, the first virtual file generation module is specifically configured so that, based on the alarm information, the local system extracts a first byte segment of predetermined length from a local junk file; randomly extracts bytes from the first byte segment; copies the randomly extracted bytes repeatedly, a random number of times, to obtain a second byte segment; and adds the head and tail byte segments of predetermined length and the start and end command characters of the external data to the second byte segment to form the first virtual file.
Random extraction strips the bytes of the first byte segment of any meaning, and copying the extracted bytes a random number of times makes it harder still to recover the first byte segment from them, so an attacker who captures the first virtual file during a network attack learns nothing about the local junk file.
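The following is an added example, not code from the patent or from Beijing Antiy Network Technology Co Ltd, of the verification that module 203 performs: the file name plus the head and tail byte segments are taken from the packets as captured (the data-link-layer view), the start and end command characters from the reassembled data (the application-layer view), and all of them are checked against a virus library. The head and tail lengths, the definition of the command characters as the first token of the first and last line, the signature format, the signatures themselves and the sample files are all constructed for this example and are not stated in the patent.

```python
"""Security verification of external data from its file name, head/tail byte
segments and start/end command characters against a (constructed) virus library.
Example code; the field lengths, signature format and samples are assumptions."""
from __future__ import annotations

import fnmatch
from dataclasses import dataclass
from typing import Optional

HEAD_LEN = 8  # assumed predetermined length of the head byte segment
TAIL_LEN = 8  # assumed predetermined length of the tail byte segment


@dataclass(frozen=True)
class Fields:
    name: str
    head: bytes
    tail: bytes
    start_cmd: bytes
    end_cmd: bytes


@dataclass(frozen=True)
class Signature:
    """One virus-library entry; a None field matches anything."""
    label: str
    name_glob: str
    head: Optional[bytes] = None       # required prefix of the head segment
    tail: Optional[bytes] = None       # required suffix of the tail segment
    start_cmd: Optional[bytes] = None  # required start command characters
    end_cmd: Optional[bytes] = None    # required end command characters


# Constructed stand-in for the "latest virus library file"; not real signatures.
VIRUS_LIBRARY = [
    Signature("sh-log-wiper", "*.sh", head=b"#!/bin/s", tail=b"/log\n",
              start_cmd=b"#!/bin/sh", end_cmd=b"rm"),
    Signature("pe-image-disguised", "*.jpg", head=b"MZ"),
]


def _take_prefix(packets: list[bytes], n: int) -> bytes:
    out = b""
    for p in packets:
        out += p
        if len(out) >= n:
            break
    return out[:n]


def _take_suffix(packets: list[bytes], n: int) -> bytes:
    out = b""
    for p in reversed(packets):
        out = p + out
        if len(out) >= n:
            break
    return out[-n:]


def link_layer_fields(name: str, packets: list[bytes]) -> tuple[str, bytes, bytes]:
    """Data-link-layer view: file name, head segment from the first captured
    packets and tail segment from the last ones (packets assumed in order)."""
    if not packets:
        raise ValueError("no packets captured")
    return name, _take_prefix(packets, HEAD_LEN), _take_suffix(packets, TAIL_LEN)


def application_layer_fields(data: bytes) -> tuple[bytes, bytes]:
    """Application-layer view over the reassembled data: start command characters
    = first token of the first non-empty line, end command characters = first
    token of the last non-empty line (assumed definition)."""
    lines = [ln for ln in data.splitlines() if ln.strip()]
    if not lines:
        return b"", b""
    return lines[0].split()[0], lines[-1].split()[0]


def extract_fields(name: str, packets: list[bytes]) -> Fields:
    name, head, tail = link_layer_fields(name, packets)
    start_cmd, end_cmd = application_layer_fields(b"".join(packets))
    return Fields(name, head, tail, start_cmd, end_cmd)


def matches(sig: Signature, f: Fields) -> bool:
    if not fnmatch.fnmatch(f.name.lower(), sig.name_glob):
        return False
    if sig.head is not None and not f.head.startswith(sig.head):
        return False
    if sig.tail is not None and not f.tail.endswith(sig.tail):
        return False
    if sig.start_cmd is not None and f.start_cmd != sig.start_cmd:
        return False
    if sig.end_cmd is not None and f.end_cmd != sig.end_cmd:
        return False
    return True


def verify_external_data(name: str, packets: list[bytes],
                         library: list[Signature] = VIRUS_LIBRARY) -> Optional[str]:
    """Label of the first matching signature (a threat, so alarm information
    should be sent), or None when the external data passes verification."""
    f = extract_fields(name, packets)
    for sig in library:
        if matches(sig, f):
            return sig.label
    return None


def packetize(data: bytes, size: int = 16) -> list[bytes]:
    """Constructed packet capture: split the payload into fixed-size packets."""
    return [data[i:i + size] for i in range(0, len(data), size)]
```

A file passes only when no signature matches on every one of its non-empty fields, so the name alone ("build.sh") does not trigger the script signature while the same shebang with a log-wiping last command does; the PE signature shows a head check catching an executable renamed to an image extension.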
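The staging, low-rate transfer and same-name collision described above, as an added example that is not the patent's own code: the first virtual space is modelled as a temporary directory with a first storage location and a target storage location, the low-rate channel as a chunked copy, and the first virtual file as a name-only decoy placed before the transfer starts. The target file is created with `O_EXCL`, so even if the decoy and the transfer raced, at most one of them can create the file and the threatening bytes never land on top of the decoy. What happens to clean data is not specified in the patent; here it is simply read back out (an assumption) before the space is dropped.

```python
"""First storage location -> first low-rate channel -> target storage location,
with a same-named first virtual file placed first so the transfer fails, then
deletion of the whole first virtual space. Example code; the directory model,
chunk size and clean-data hand-over are assumptions, not from the patent."""
from __future__ import annotations

import os
import shutil
import tempfile

LOW_RATE_CHUNK = 4  # bytes per step of the constructed low-rate channel


def _safe_name(name: str) -> str:
    # never let an attacker-chosen file name escape the virtual space
    return os.path.basename(name) or "unnamed"


class FirstVirtualSpace:
    def __init__(self) -> None:
        self.root = tempfile.mkdtemp(prefix="first_virtual_space_")
        self.first_storage = os.path.join(self.root, "first_storage")
        self.target_storage = os.path.join(self.root, "target_storage")
        os.mkdir(self.first_storage)
        os.mkdir(self.target_storage)

    def receive(self, name: str, data: bytes) -> str:
        """Stage external data at the first storage location; the local system
        never touches it directly."""
        path = os.path.join(self.first_storage, _safe_name(name))
        with open(path, "wb") as fh:
            fh.write(data)
        return path

    def read_staged(self, name: str) -> bytes:
        with open(os.path.join(self.first_storage, _safe_name(name)), "rb") as fh:
            return fh.read()

    def low_rate_transfer(self, name: str) -> bool:
        """Copy the staged data to the target location in small chunks. The
        target is created with O_EXCL: if a same-named file already exists the
        transfer fails atomically and no byte of the external data is written."""
        src = os.path.join(self.first_storage, _safe_name(name))
        dst = os.path.join(self.target_storage, _safe_name(name))
        try:
            fd = os.open(dst, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        except FileExistsError:
            return False
        with open(src, "rb") as fin, os.fdopen(fd, "wb") as fout:
            while chunk := fin.read(LOW_RATE_CHUNK):
                fout.write(chunk)
        return True

    def delete(self) -> None:
        shutil.rmtree(self.root)


class LocalSystem:
    def __init__(self) -> None:
        self.alarms: list[str] = []

    def on_alarm(self, space: FirstVirtualSpace, name: str) -> bool:
        """Reaction to the alarm information: place a first virtual file with the
        same name at the target location before the transfer can complete."""
        self.alarms.append(name)
        dst = os.path.join(space.target_storage, _safe_name(name))
        try:
            fd = os.open(dst, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        except FileExistsError:
            return False  # lost the race: the external data got there first
        with os.fdopen(fd, "wb") as fh:
            fh.write(b"")  # name-only decoy
        return True


def protect(name: str, data: bytes, is_threat: bool) -> dict:
    """End-to-end flow for one piece of external data with a given verdict."""
    local = LocalSystem()
    space = FirstVirtualSpace()
    space.receive(name, data)
    outcome = {"name": name, "threat": is_threat, "decoy_placed": False,
               "transfer_failed": False, "target_bytes_before_delete": None,
               "released": None, "space_deleted": False}
    try:
        if not is_threat:
            outcome["released"] = space.read_staged(name)  # assumed hand-over
            return outcome
        outcome["decoy_placed"] = local.on_alarm(space, name)
        outcome["transfer_failed"] = not space.low_rate_transfer(name)
        dst = os.path.join(space.target_storage, _safe_name(name))
        outcome["target_bytes_before_delete"] = os.path.getsize(dst)
        return outcome
    finally:
        space.delete()
        outcome["space_deleted"] = not os.path.exists(space.root)
```

`target_bytes_before_delete` is the check a practitioner wants: with the decoy in place it is 0, showing that the threatening payload never reached the target location, and the space (staged copy included) is gone once `protect` returns.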
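An added example, not the patent's code, of steps S201 to S204 of embodiment one and of the first virtual file generation module of embodiment two, together with the content comparison that makes such a decoy stronger than a same-name-only one. The patent fixes none of the following, so they are assumptions here: the first byte segment is the last four bytes of the junk file; "randomly extracting" is sampling with replacement from that segment; the second segment is the sample copied two to eight times; the start and end command characters are caller-supplied byte strings that are prepended or appended only when the head or tail field does not already carry them; similarity is the fraction of matching positions over the compared head and tail fields. The sample external data and junk file are constructed.

```python
"""First virtual file (decoy) generation after S201-S204, plus the similarity
check between decoy and external data. Example code; lengths, copy range,
command-character handling and the similarity measure are assumptions."""
from __future__ import annotations

import random

FIRST_SEGMENT_LEN = 4          # assumed predetermined length (S201: last 4 bytes)
MIN_COPIES, MAX_COPIES = 2, 8  # assumed range of the random copy count (S203)


def extract_first_byte_segment(junk: bytes, length: int = FIRST_SEGMENT_LEN) -> bytes:
    """S201: take the last `length` bytes of the local junk file."""
    if length <= 0 or len(junk) < length:
        raise ValueError("junk file shorter than the predetermined length")
    return junk[-length:]


def random_extract(segment: bytes, rng: random.Random) -> bytes:
    """S202: sample bytes from the first segment with replacement, so the
    result no longer spells out the original characters."""
    return bytes(rng.choice(segment) for _ in range(len(segment)))


def random_copy(extracted: bytes, rng: random.Random) -> bytes:
    """S203: repeat the extracted bytes a random number of times -> second segment."""
    return extracted * rng.randint(MIN_COPIES, MAX_COPIES)


def read_fields(data: bytes, head_len: int, tail_len: int) -> tuple[bytes, bytes]:
    """Head and tail byte segments of predetermined length."""
    if len(data) < head_len + tail_len:
        raise ValueError("data shorter than head + tail lengths")
    return data[:head_len], data[-tail_len:]


def build_first_virtual_file(external: bytes, junk: bytes, head_len: int, tail_len: int,
                             start_cmd: bytes, end_cmd: bytes, rng: random.Random) -> bytes:
    """S204: wrap the second segment in the external data's head/tail fields and
    make sure the start/end command characters frame the result."""
    head, tail = read_fields(external, head_len, tail_len)
    second = random_copy(random_extract(extract_first_byte_segment(junk), rng), rng)
    decoy = head + second + tail
    if not decoy.startswith(start_cmd):
        decoy = start_cmd + decoy
    if not decoy.endswith(end_cmd):
        decoy = decoy + end_cmd
    return decoy


def similarity(decoy: bytes, external: bytes, head_len: int, tail_len: int) -> float:
    """Fraction of matching bytes over the compared head and tail fields (0..1)."""
    d_head, d_tail = read_fields(decoy, head_len, tail_len)
    e_head, e_tail = read_fields(external, head_len, tail_len)
    pairs = list(zip(d_head + d_tail, e_head + e_tail))
    return sum(a == b for a, b in pairs) / len(pairs)


def content_check_passes(decoy: bytes, external: bytes, head_len: int, tail_len: int,
                         threshold: float = 0.9) -> bool:
    """After the file names match, the contents are compared; the decoy holds
    (and the external data's transfer fails) only above the threshold."""
    return similarity(decoy, external, head_len, tail_len) >= threshold
```

The middle of the decoy consists only of bytes drawn from four junk bytes, repeated, so an attacker who captures it recovers neither the junk file nor the original payload, while the head and tail fields match the external data byte for byte; a name-only decoy of the same length scores 0 on the content comparison.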
Example three
Referring to fig. 5, an embodiment of the present invention provides an electronic device, including: the device comprises a shell 301, a processor 302, a memory 303, a circuit board 304 and a power circuit 305, wherein the circuit board 304 is arranged inside a space enclosed by the shell 301, and the processor 302 and the memory 303 are arranged on the circuit board 304; a power supply circuit 305 for supplying power to each circuit or device of the electronic apparatus; memory 303 is used to store executable program code; the processor 302 executes a program corresponding to the executable program code by reading the executable program code stored in the memory 303, so as to execute the system file protection method based on network security according to any one of the foregoing embodiments.
Example four
The embodiment of the invention provides a computer-readable storage medium, which stores one or more programs, and the one or more programs can be executed by one or more processors to implement the system file protection method based on network security according to any one of the foregoing embodiments.
The invention provides a system file protection method, a system file protection device and an electronic device based on network security. When external data is determined to threaten data in the local system, the first virtual space transmits the external data to the target storage location through the first low-rate channel and at the same time transmits the file name, the head and tail byte segments and the start and end command characters of the external data to the local system. Finally the first virtual space is deleted, eliminating the external data, and a second virtual space is established, so that the probability of system files being damaged is reduced to a certain extent.
Establishing the first virtual space to receive and judge external data avoids direct contact between external data and the local system during a network attack and improves the security of system files. At the same time, the local system generates a file whose name is the same as that of the data that threatens the inside of the local system; the external data is rejected by that identical file name, cannot be stored in the virtual space, and is eliminated when the first virtual space is deleted.
It should be noted that, in this document, the emphasis points of the solutions described in the embodiments are different, but there is a certain correlation between the embodiments, and in understanding the solution of the present invention, the embodiments may be referred to each other; moreover, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
The above description is only for the specific embodiment of the present invention, but the scope of the present invention is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the present invention are included in the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (14)

1. A system file protection method based on network security is characterized by comprising the following steps:
establishing a first virtual space on a local system;
the first virtual space receives external data transmitted to a local system;
the first virtual space carries out security verification on the received external data and determines whether the external data can threaten data in a local system;
if the first virtual space determines that the external data threatens data in a local system, alarm information is sent to the local system;
and the local system deletes the first virtual space and the data in the first virtual space based on the alarm information.
2. The method according to claim 1, wherein the first virtual space performing security verification on the received external data and determining whether the external data threatens data inside the local system comprises:
reading the file name of the external data;
reading a head byte segment and a tail byte segment of predetermined length of the external data, and its start and end command characters;
and performing security verification on the external data based on the file name of the external data, the head and tail byte segments of predetermined length of the external data and the start and end command characters.
3. The system file protection method according to claim 1, wherein after the first virtual space receives external data transmitted to a local system, the method further comprises:
temporarily storing the external data to a first storage position in the first virtual space;
after the first virtual space determines that the external data threatens data internal to a local system, the method further comprises:
and putting the external data into a first low-rate channel so as to transmit the external data from the first storage position to a target storage position in the first virtual space through the first low-rate channel.
4. The system file protection method of claim 3, wherein prior to transferring the external data from the first storage location to the target storage location within the first virtual space, the method further comprises:
the local system generates a first virtual file and transmits the first virtual file to the target storage position in the first virtual space, wherein the file name of the first virtual file is the same as that of the external data.
5. The system file protection method according to claim 4, wherein after the first virtual space receives external data transmitted to a local system, the method further comprises:
the first virtual space reads a head byte segment and a tail byte segment of predetermined length of the external data, and its start and end command characters; and sends the read head and tail byte segments of predetermined length of the external data and the start and end command characters to the local system;
wherein the local system generating a first virtual file comprises:
the local system generating, based on the alarm information, a first virtual file according to the head and tail byte segments of predetermined length and the start and end command characters of the external data, and transmitting the first virtual file to the target storage location in the first virtual space.
6. The system file protection method according to claim 5, wherein the local system generating, based on the alarm information, a first virtual file according to the head and tail byte segments of predetermined length and the start and end command characters of the external data comprises:
the local system extracting a first byte segment of predetermined length from a local junk file based on the alarm information;
randomly extracting bytes from the first byte segment;
copying the randomly extracted bytes repeatedly, a random number of times, to obtain a second byte segment;
and adding the head and tail byte segments of predetermined length and the start and end command characters of the external data to the second byte segment to form the first virtual file.
7. A system file protection device based on network security is characterized by comprising:
the first virtual space establishing module is used for establishing a first virtual space on a local system;
the external data receiving module is used for receiving external data transmitted to a local system by the first virtual space;
the security verification module is used for performing security verification on the received external data by the first virtual space and determining whether the external data can threaten data in a local system;
the alarm module is used for sending alarm information to a local system if the first virtual space determines that the external data can threaten data in the local system;
and the first virtual space deleting module is used for deleting the first virtual space and the data in the first virtual space by the local system based on the alarm information.
8. The system file protection device according to claim 7, wherein the security verification module is specifically configured to:
read the file name of the external data;
read a head byte segment and a tail byte segment of predetermined length of the external data, and its start and end command characters;
and perform security verification on the external data based on the file name of the external data, the head and tail byte segments of predetermined length of the external data and the start and end command characters.
9. The system file protection device according to claim 7, further comprising an external data temporary storage module which, after the first virtual space receives the external data transmitted to the local system, is specifically configured to
temporarily store the external data at a first storage location in the first virtual space;
the device further comprising a low-rate transmission module which, after the first virtual space determines that the external data threatens data inside the local system, is specifically configured to
put the external data into a first low-rate channel so as to transmit the external data from the first storage location to a target storage location in the first virtual space through the first low-rate channel.
10. The system file protection device according to claim 9, further comprising a first virtual file transfer module which, before the external data is transmitted from the first storage location to the target storage location in the first virtual space, is configured so that
the local system generates a first virtual file and transmits the first virtual file to the target storage location in the first virtual space, wherein the file name of the first virtual file is the same as that of the external data.
11. The system file protection device according to claim 10, further comprising a first virtual file generation module which, after the first virtual space receives external data transmitted to the local system, is configured so that
the first virtual space reads a head byte segment and a tail byte segment of predetermined length of the external data, and its start and end command characters, and sends the read head and tail byte segments of predetermined length of the external data and the start and end command characters to the local system;
wherein the local system generating a first virtual file comprises:
the local system generating, based on the alarm information, a first virtual file according to the head and tail byte segments of predetermined length and the start and end command characters of the external data, and transmitting the first virtual file to the target storage location in the first virtual space.
12. The system file protection device according to claim 11, wherein the first virtual file generation module is specifically configured so that:
the local system extracts a first byte segment of predetermined length from a local junk file based on the alarm information;
bytes are randomly extracted from the first byte segment;
the randomly extracted bytes are copied repeatedly, a random number of times, to obtain a second byte segment;
and the head and tail byte segments of predetermined length and the start and end command characters of the external data are added to the second byte segment to form the first virtual file.
13. An electronic device, characterized in that the electronic device comprises: the device comprises a shell, a processor, a memory, a circuit board and a power circuit, wherein the circuit board is arranged in a space enclosed by the shell, and the processor and the memory are arranged on the circuit board; a power supply circuit for supplying power to each circuit or device of the electronic apparatus; the memory is used for storing executable program codes; the processor executes a program corresponding to the executable program code by reading the executable program code stored in the memory, for executing the system file protection method based on network security according to any one of the preceding claims 1 to 6.
14. A computer-readable storage medium, characterized in that the computer-readable storage medium stores one or more programs which are executable by one or more processors to implement the network security based system file protection method of any of the preceding claims 1-6.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111567223.2A CN114338112B (en) 2021-12-20 2021-12-20 System file protection method and device based on network security, electronic equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111567223.2A CN114338112B (en) 2021-12-20 2021-12-20 System file protection method and device based on network security, electronic equipment and storage medium

Publications (2)

Publication Number Publication Date
CN114338112A true CN114338112A (en) 2022-04-12
CN114338112B CN114338112B (en) 2024-03-19

Family

ID=81055485

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111567223.2A Active CN114338112B (en) 2021-12-20 2021-12-20 System file protection method and device based on network security, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN114338112B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20120111973A (en) * 2011-03-30 2012-10-11 주식회사 윈스테크넷 Security audit service system and method among virtual machines in the virtualization environment
US9542554B1 (en) * 2014-12-18 2017-01-10 Palo Alto Networks, Inc. Deduplicating malware
CN106845214A (en) * 2016-12-29 2017-06-13 北京瑞星信息技术股份有限公司 Based on safety protecting method and system under virtualized environment
CN107608752A (en) * 2016-07-12 2018-01-19 中国科学院信息工程研究所 The threat information response examined oneself based on virtual machine and method of disposal and system
CN112748987A (en) * 2021-01-19 2021-05-04 北京智仁智信安全技术有限公司 Behavior security processing method and device based on virtual host

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20120111973A (en) * 2011-03-30 2012-10-11 주식회사 윈스테크넷 Security audit service system and method among virtual machines in the virtualization environment
US9542554B1 (en) * 2014-12-18 2017-01-10 Palo Alto Networks, Inc. Deduplicating malware
CN107608752A (en) * 2016-07-12 2018-01-19 中国科学院信息工程研究所 The threat information response examined oneself based on virtual machine and method of disposal and system
CN106845214A (en) * 2016-12-29 2017-06-13 北京瑞星信息技术股份有限公司 Based on safety protecting method and system under virtualized environment
CN112748987A (en) * 2021-01-19 2021-05-04 北京智仁智信安全技术有限公司 Behavior security processing method and device based on virtual host

Also Published As

Publication number Publication date
CN114338112B (en) 2024-03-19

Similar Documents

Publication Publication Date Title
Alshamrani et al. A survey on advanced persistent threats: Techniques, solutions, challenges, and research opportunities
US7752662B2 (en) Method and apparatus for high-speed detection and blocking of zero day worm attacks
Osanaiye Short Paper: IP spoofing detection for preventing DDoS attack in Cloud Computing
RU2634181C1 (en) System and method for detecting harmful computer systems
US20110030059A1 (en) Method for testing the security posture of a system
Kaur et al. Efficient hybrid technique for detecting zero-day polymorphic worms
Vidalis et al. Assessing identity theft in the Internet of Things
Ireland Intrusion detection with genetic algorithms and fuzzy logic
Fu et al. Detecting software keyloggers with dendritic cell algorithm
CN112532631A (en) Equipment safety risk assessment method, device, equipment and medium
Just et al. Learning unknown attacks—A start
CN107911219A (en) A kind of anti-CC methods of API based on key signature
Mishra et al. Intelligent phishing detection system using similarity matching algorithms
Huang et al. An authentication scheme to defend against UDP DrDoS attacks in 5G networks
BalaGanesh et al. Smart devices threats, vulnerabilities and malware detection approaches: a survey
CN113746781A (en) Network security detection method, device, equipment and readable storage medium
CN113726825B (en) Network attack event countercheck method, device and system
KR20110131627A (en) Apparatus for detecting malicious code using structure and characteristic of file, and terminal thereof
CN109474567B (en) DDOS attack tracing method and device, storage medium and electronic equipment
CN113645181A (en) Distributed protocol attack detection method and system based on isolated forest
CN104796386B (en) Botnet detection method, device and system
CN109729084B (en) Network security event detection method based on block chain technology
CN111901286B (en) APT attack detection method based on flow log
EP3252645B1 (en) System and method of detecting malicious computer systems
CN114338112A (en) System file protection method and device based on network security and electronic equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant