CN114338112B - System file protection method and device based on network security, electronic equipment and storage medium - Google Patents

Info

Publication number
CN114338112B
CN114338112B (application CN202111567223.2A)
Authority
CN
China
Prior art keywords
external data
virtual space
local system
file
virtual
Legal status
Active
Application number
CN202111567223.2A
Other languages
Chinese (zh)
Other versions
CN114338112A (en)
Inventor
韩明均
杨飞
Current Assignee
Beijing Antiy Network Technology Co Ltd
Original Assignee
Beijing Antiy Network Technology Co Ltd
Application filed by Beijing Antiy Network Technology Co Ltd
Priority to CN202111567223.2A
Publication of CN114338112A
Application granted
Publication of CN114338112B
Legal status: Active

Abstract

The embodiment of the invention discloses a system file protection method and device based on network security and electronic equipment, and relates to the technical field of network security. The invention aims to solve the problem that the probability of damaging the system file is high. The system file protection method based on network security comprises the following steps: establishing a first virtual space on a local system; the first virtual space receives external data transmitted to a local system; the first virtual space performs security verification on the received external data and determines whether the external data threatens the data in the local system; if the first virtual space determines that the external data threatens the data in the local system, sending alarm information to the local system; and deleting the first virtual space and the data in the first virtual space by the local system based on the alarm information. The method is suitable for application scenes for preventing the system files from being damaged.

Description

System file protection method and device based on network security, electronic equipment and storage medium
Technical Field
The invention relates to the technical field of network security, and in particular to a system file protection method and device based on network security, and to electronic equipment.
Background
Network attacks refer to attacks on hardware, software of a system and data in the system by utilizing loopholes and security defects existing in the system. Computers may encounter network attacks during everyday use. Because network attacks occur in computer systems, the data of the portion subject to the network attack may be damaged during the defense of the system against the network attack, resulting in economic loss.
Disclosure of Invention
Therefore, the embodiment of the invention provides a system file protection method and device based on network security and electronic equipment, which can reduce the probability of damaging the system file to a certain extent.
In order to achieve the above purpose, the embodiment of the present invention adopts the following technical scheme:
In a first aspect, an embodiment of the present invention provides a method for protecting a system file based on network security, including: establishing a first virtual space on a local system; the first virtual space receives external data transmitted to a local system; the first virtual space performs security verification on the received external data and determines whether the external data threatens the data in the local system; if the first virtual space determines that the external data threatens the data in the local system, sending alarm information to the local system; and deleting the first virtual space and the data in the first virtual space by the local system based on the alarm information.
According to a specific implementation manner of the embodiment of the present invention, the security verification of the received external data by the first virtual space, and determining whether the external data threatens the data inside the local system, includes: reading the file name of the external data; reading beginning and ending byte segments of predetermined length, and beginning and ending command characters of the external data; the external data is security verified based on a file name of the external data, a beginning and ending byte section of a predetermined length of the external data, and command characters of beginning and ending.
According to a specific implementation manner of the embodiment of the present invention, after the first virtual space receives the external data transmitted to the local system, the method further includes: temporarily storing the external data to a first storage position in the first virtual space; after the first virtual space determines that the external data threatens data internal to the local system, the method further comprises: and placing the external data into a first low-rate channel so as to transmit the external data from the first storage position to a target storage position in the first virtual space through the first low-rate channel.
According to a specific implementation of an embodiment of the present invention, before the external data is transferred from the first storage location to the target storage location in the first virtual space, the method further includes: the local system generates a first virtual file and transmits the first virtual file to the target storage location in the first virtual space, wherein the file name of the first virtual file is the same as the file name of the external data.
According to a specific implementation manner of the embodiment of the present invention, after the first virtual space receives the external data transmitted to the local system, the method further includes: the first virtual space reads the beginning and ending byte segments of the predetermined length of the external data and the beginning and ending command characters, and transmits them to the local system; wherein the local system generating a first virtual file includes: the local system generates, based on the alarm information, a first virtual file according to the beginning and ending byte segments of the predetermined length of the external data and the beginning and ending command characters, and transmits the first virtual file to the target storage position in the first virtual space.
According to a specific implementation manner of the embodiment of the present invention, the local system generating, based on the alarm information, a first virtual file according to the beginning and ending byte segments of the predetermined length of the external data and the beginning and ending command characters includes: the local system extracts a first byte section of a preset length from a local junk file based on the alarm information; randomly extracts bytes from the first byte section; randomly and continuously copies the randomly extracted bytes to obtain a second byte section; and adds the beginning and ending byte segments of the preset length of the external data and the beginning and ending command characters to the second byte section to form the first virtual file.
In a second aspect, an embodiment of the present invention provides a system file protection device based on network security, including: the first virtual space establishing module is used for establishing a first virtual space on the local system; the external data receiving module is used for receiving external data transmitted to the local system by the first virtual space; the security verification module is used for performing security verification on the received external data in the first virtual space and determining whether the external data threatens the data in the local system or not; the alarm module is used for sending alarm information to the local system if the first virtual space determines that the external data threatens the data in the local system; the first virtual space deleting module is used for deleting the first virtual space and the data in the first virtual space based on the alarm information by the local system.
According to a specific implementation manner of the embodiment of the present invention, the security verification module is specifically configured to read a file name of the external data; reading beginning and ending byte segments of predetermined length, and beginning and ending command characters of the external data; the external data is security verified based on a file name of the external data, a beginning and ending byte section of a predetermined length of the external data, and command characters of beginning and ending.
According to a specific implementation manner of the embodiment of the present invention, the system further includes an external data temporary storage module, where after the first virtual space receives external data transmitted to the local system, the external data temporary storage module is specifically configured to temporarily store the external data in a first storage location in the first virtual space; the system further comprises a low-rate transmission module, wherein the low-rate transmission module is specifically used for placing the external data into a first low-rate channel after the first virtual space determines that the external data threatens the data in the local system, so that the external data is transmitted from the first storage position to a target storage position in the first virtual space through the first low-rate channel.
According to a specific implementation manner of the embodiment of the present invention, the device further includes a first virtual file transfer module, where before the external data is transferred from the first storage location to the target storage location in the first virtual space, the first virtual file transfer module is configured to have the local system generate a first virtual file and transfer the first virtual file to the target storage location in the first virtual space, where the file name of the first virtual file is the same as the file name of the external data.
According to a specific implementation manner of the embodiment of the present invention, the device further includes a first virtual file generation module; after the first virtual space receives the external data transmitted to the local system, the first virtual file generation module is configured to have the first virtual space read the beginning and ending byte segments of the predetermined length of the external data and the beginning and ending command characters, and transmit them to the local system; wherein the local system generating a first virtual file includes: the local system generates, based on the alarm information, a first virtual file according to the beginning and ending byte segments of the predetermined length of the external data and the beginning and ending command characters, and transmits the first virtual file to the target storage position in the first virtual space.
According to a specific implementation manner of the embodiment of the present invention, the first virtual file generation module is specifically configured to: have the local system extract a first byte section of a preset length from a local junk file based on the alarm information; randomly extract bytes from the first byte section; randomly and continuously copy the randomly extracted bytes to obtain a second byte section; and add the beginning and ending byte segments of the preset length of the external data and the beginning and ending command characters to the second byte section to form the first virtual file.
In a third aspect, an embodiment of the present invention provides an electronic device, including: the device comprises a shell, a processor, a memory, a circuit board and a power circuit, wherein the circuit board is arranged in a space surrounded by the shell, and the processor and the memory are arranged on the circuit board; a power supply circuit for supplying power to each circuit or device of the electronic apparatus; the memory is used for storing executable program codes; the processor executes a program corresponding to the executable program code by reading the executable program code stored in the memory, for performing the network security based system file protection method according to any one of the preceding first aspects.
In a fourth aspect, an embodiment of the present invention provides a computer readable storage medium storing one or more programs executable by one or more processors to implement the network security based system file protection method according to any one of the first aspects.
According to the system file protection method and device based on network security and the electronic equipment, the first virtual space is established to receive the external data transmitted to the local system, so that the local system is prevented from directly receiving the external data; the local system determines that external data threatens the data in the local system, deletes the first virtual space and the data in the first virtual space, and avoids direct contact between the local system and the data threatening the data in the local system.
Drawings
In order to more clearly illustrate the embodiments of the invention or the technical solutions in the prior art, the drawings that are required in the embodiments or the description of the prior art will be briefly described, it being obvious that the drawings in the following description are only some embodiments of the invention, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a flowchart of a system file protection method based on network security according to an embodiment of the present invention;
FIG. 2 is a flow chart of security verification for external data based on a system file protection method of network security according to an embodiment of the present invention;
FIG. 3 is a flowchart illustrating a method for protecting system files based on network security according to an embodiment of the present invention;
FIG. 4 is a schematic block diagram illustrating an apparatus for protecting a system file with network security according to an embodiment of the present invention;
fig. 5 is a schematic block diagram of an electronic device according to an embodiment of the invention.
Detailed Description
Embodiments of the present invention will be described in detail below with reference to the accompanying drawings.
It should be understood that the described embodiments are merely some, but not all, embodiments of the invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
Example 1
Network attacks are attacks on the hardware, software and data of a local system that exploit vulnerabilities and security flaws in that system. Attack means include password intrusion, e-mail attacks, attacking other nodes through one node, network interception, hacking, security-hole attacks, port scanning attacks, and so on. When an attack from an external network on the system succeeds, the system can be taken over and its data files stolen, causing economic loss.
Current defensive measures include raising security awareness, using firewall, antivirus and anti-hacking software, setting up proxy servers, hiding one's own IP address, running antivirus and anti-hacking protection as a daily routine, updating antivirus components regularly, keeping the antivirus software resident, and the like. Since hackers often launch attacks on specific dates, computer users should be particularly alert during such periods, protect important personal data closely, and develop the habit of backing up data.
Referring to fig. 1, a system file protection method based on network security according to an embodiment of the present invention includes:
S101, a first virtual space is established on a local system.
The first virtual space is connected to the network while it is being established, so that the latest virus library file can be installed into it.
The first virtual space can also be called a first virtual host: a computer host is partitioned into virtual hosts by dedicated software, each virtual host has its own domain name and IP address and full Internet server functionality, and the key property of the first virtual space is that server programs opened for different users do not interfere with one another even though they run on the same hardware and the same operating system.
S102, the first virtual space receives external data transmitted to a local system.
S103, the first virtual space performs security verification on the received external data, and determines whether the external data threatens the data in the local system.
S104, if the first virtual space determines that the external data threatens the data in the local system, alarm information is sent to the local system.
S105, the local system deletes the first virtual space and the data in the first virtual space based on the alarm information.
The embodiment of the invention provides a system file protection method based on network security, which is used for receiving external data transmitted to a local system by establishing a first virtual space, so that the local system is prevented from directly receiving the external data; the local system determines that external data threatens the data in the local system, deletes the first virtual space and the data in the first virtual space, and avoids direct contact between the local system and the data threatening the data in the local system.
Referring to fig. 2, in one embodiment, the first virtual space performing security verification on the received external data to determine whether the external data threatens the data inside the local system includes:
S1031, reading the file name of the external data.
S1032, reading the beginning and ending byte segments of the predetermined length of the external data, and the beginning and ending command characters.
S1033, based on the file name of the external data, the beginning and ending byte segments of the preset length of the external data and command characters of the beginning and the ending, carrying out security verification on the external data.
Security verification of the external data refers to capturing packets at the data link layer of the TCP/IP (Transmission Control Protocol/Internet Protocol) protocol suite for detection and analysis, capturing packets at the application layer of the OSI model (Open System Interconnection Reference Model) for detection and analysis, and performing a multi-correlation judgment on the file name, the head byte section, the tail byte section and the beginning and ending command characters of the preset length of the external data. This improves the effect of judging the external data against the virus library file, and so improves the strength with which the first virtual space recognises external data that threatens the data in the local system. The application-layer detection and analysis of captured packets is based on the latest virus library file installed in the first virtual space.
Packets are captured at the data link layer of the TCP/IP protocol suite for detection and analysis, so the content of the external data received by the virtual space can be judged with Snort. The matching rule applied by Snort is as follows: over the alphabet Σ, given a text string T[1…N] of length N and pattern strings P_i[1…M] of length M, where the number of patterns is k and the pattern set is P = {p_1, p_2, …, p_k}, if there is an S with 1 ≤ S ≤ N such that T[S+1…S+M] = P[1…M], the pattern matches, i.e. intrusion behaviour is detected, and the external data received by the virtual space is judged to carry a security threat.
The captured packets can also be inspected with deep packet inspection based on the Aho-Corasick algorithm, which performs multi-pattern string matching between the external data and the virus library file. Specifically, the goto table, the fail table and the output table are constructed first; then, on condition C, state S moves to state S' by S' = goto(S, C), fail(S) denotes the fail-table value of state S, and output(S) denotes the output-table value of state S. When the external data is matched against the virus library and a match succeeds, the external data carries a threat. The goto table records the valid state transitions, the fail table records the state to fall back to when a transition fails, and the output table records which pattern is fully matched in which state. Let the current state be S and the condition be C; the question is how to find the next state S'. If goto(S, C) succeeds, S' = goto(S, C); otherwise, let S' = goto(fail(S), C); if S' is valid and not 0, S' is the next state, and at that point the relation S' = goto(S, C) should be added to the goto table.
Carrying out detection and analysis on packets captured at the data link layer of the TCP/IP protocol suite and on packets captured at the OSI application layer, and performing the multi-correlation judgment on the external data, means that the external data can first be judged with Snort, and the external data that Snort does not judge to threaten the data in the local system can then be judged with deep packet inspection.
Snort is a powerful network intrusion detection/prevention system (NIDS/NIPS) characterised by multi-platform support, real-time traffic analysis and network IP packet logging. Snort captures and decodes network packets at the data link layer of the TCP/IP protocol suite, detects and analyses the captured packets, and detects and responds according to rules.
Deep packet inspection, DPI (Deep Packet Inspection), is an application-layer traffic inspection and control technique: when IP (Internet Protocol) packets, TCP (Transmission Control Protocol) or UDP (User Datagram Protocol) streams pass through a DPI-based bandwidth management system, the system reassembles the application-layer information of the OSI seven-layer model by reading the IP packet payload in depth, obtains the content of the whole application session, and then shapes the traffic according to the management policy defined for the system.
The Aho-Corasick algorithm is abbreviated as an AC algorithm, is a classical multi-mode string matching algorithm, and can be represented by a finite state machine by referring to the idea of KMP (Knuth Morris Pratt) algorithm.
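The Snort-style single-pattern test and the Aho-Corasick goto/fail/output construction described above, as an added example that is not part of the patent or of any Antiy product: a Python implementation of the automaton, plus a multi-correlation check over the file name, the head and tail byte segments, and the first and last command token of a sample file. The signature set, the sample files, the 64-byte segment length and the reading of "command characters" as the first and last whitespace-delimited tokens are all constructed assumptions for this example, not values from the patent.

```python
from collections import deque

# Constructed, illustrative "virus library" entries (not from the patent or any
# real signature database): byte pattern -> label.
CONTENT_SIGNATURES = {
    b"MZ": "pe-header",
    b"This program cannot be run in DOS mode": "pe-dos-stub",
    b"powershell -enc": "encoded-ps-command",
    b"\x7fELF": "elf-header",
}
NAME_SIGNATURES = {b".exe": "executable-name", b".scr": "screensaver-name"}

# Constructed sample inputs: one file that trips several signatures, one that does not.
SAMPLE_MALICIOUS = (b"MZ\x90\x00" + b"\x00" * 20
                    + b"This program cannot be run in DOS mode" + b"\x00" * 20
                    + b"powershell -enc SQBFAFgA")
SAMPLE_BENIGN = b"quarterly report: revenue up 3%, see attached spreadsheet for details"


class AhoCorasick:
    """Multi-pattern matcher built from the goto, fail and output tables."""

    def __init__(self, patterns):
        self.patterns = list(patterns)
        self.goto = [{}]      # goto[state][byte] -> next state (valid transitions)
        self.fail = [0]       # fail[state]       -> state to fall back to on a miss
        self.output = [[]]    # output[state]     -> indices of patterns ending here
        for idx, pat in enumerate(self.patterns):
            state = 0
            for c in pat:
                if c not in self.goto[state]:
                    self.goto[state][c] = len(self.goto)
                    self.goto.append({})
                    self.fail.append(0)
                    self.output.append([])
                state = self.goto[state][c]
            self.output[state].append(idx)
        # Breadth-first pass: fail(s) is the longest proper suffix of s's path
        # that is itself a path from the root; outputs of fail(s) also hold at s.
        queue = deque(self.goto[0].values())
        while queue:
            r = queue.popleft()
            for c, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and c not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(c, 0)
                self.output[s] = self.output[s] + self.output[self.fail[s]]

    def next_state(self, state, c):
        # S' = goto(S, C) when that transition exists; otherwise follow fail(S)
        # until a state with a valid transition on C (or the root) is reached.
        while state and c not in self.goto[state]:
            state = self.fail[state]
        return self.goto[state].get(c, 0)

    def search(self, text):
        """Return (offset, pattern) for every pattern occurrence in text."""
        hits, state = [], 0
        for pos, c in enumerate(text):
            state = self.next_state(state, c)
            for idx in self.output[state]:
                pat = self.patterns[idx]
                hits.append((pos - len(pat) + 1, pat))
        return hits


def naive_match(T, P):
    """The single-pattern rule quoted for Snort: the first shift S (0-based here)
    with T[S+1..S+M] == P[1..M] in the text's 1-based notation, else None."""
    N, M = len(T), len(P)
    for S in range(N - M + 1):
        if T[S:S + M] == P:
            return S
    return None


def verify_external_data(file_name, data, segment_len=64):
    """Multi-correlation judgment over file name, head/tail segments and the
    beginning/ending command token. Returns (is_threat, findings)."""
    content, names = AhoCorasick(CONTENT_SIGNATURES), AhoCorasick(NAME_SIGNATURES)
    head, tail = data[:segment_len], data[-segment_len:]
    tokens = data.split() or [b""]       # assumption: command chars = first/last token
    checks = (("name", file_name.encode(), names, NAME_SIGNATURES),
              ("head", head, content, CONTENT_SIGNATURES),
              ("tail", tail, content, CONTENT_SIGNATURES),
              ("cmd-start", tokens[0], content, CONTENT_SIGNATURES),
              ("cmd-end", tokens[-1], content, CONTENT_SIGNATURES))
    findings = [(label, off, sigs[pat])
                for label, blob, matcher, sigs in checks
                for off, pat in matcher.search(blob)]
    return bool(findings), findings


if __name__ == "__main__":
    for name, blob in (("invoice.exe", SAMPLE_MALICIOUS), ("report.txt", SAMPLE_BENIGN)):
        print(name, verify_external_data(name, blob))
```

The `search` method walks the automaton once over the input, so a whole signature set is matched in a single pass regardless of how many patterns it holds; `next_state` is exactly the "goto, else fall back through fail" rule spelled out in the text.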
In an embodiment, after the first virtual space receives the external data transmitted to the local system, the method further comprises: temporarily storing the external data to a first storage position in the first virtual space; after the first virtual space determines that the external data threatens data internal to the local system, the method further comprises: and placing the external data into a first low-rate channel so as to transmit the external data from the first storage position to a target storage position in the first virtual space through the first low-rate channel.
If the first virtual space determines that the external data does not threaten the data in the local system, the external data is put into a transmission channel, and the external data is transmitted from the first storage position to a target storage position in the first virtual space through the transmission channel at a preset rate. The first virtual space obtains a copy of the external data based on the external data at the target storage location and transfers the copy of the external data to the local system.
By setting the first storage position to receive external data and verifying the external data, setting the target storage position to receive data which threatens the interior of the local system, the first virtual space can be utilized to receive the external data and verify whether the external data threatens the interior of the local system or not, so that the data which threatens the interior of the local system is prevented from being in direct contact with the local system. In addition, external data which threatens the internal data of the local system is transmitted through the first low-rate channel, so that the local system can conveniently generate a first virtual file and transmit the first virtual file to a target storage position.
Wherein the transmission rate of the first low rate channel may be 1b per second.
Further, the first virtual space may store identification information in the log file that determines whether external data would threaten data internal to the local system.
In an embodiment, before transferring the external data from the first storage location to the target storage location within the first virtual space, the method further comprises: the local system generates a first virtual file and transmits the first virtual file to the target storage location in the first virtual space, wherein the file name of the first virtual file is the same as the file name of the external data.
In this method, the data that threatens the interior of the local system is transmitted to the target storage location in the first virtual space through the first low-rate channel, so that the first virtual file reaches the target storage location first and the threatening data is transmitted to the target storage location only afterwards. Because the file name of the first virtual file is the same as that of the external data, the transfer of the threatening external data to the target storage location in the first virtual space fails, i.e. the threatening external data is stored only at the first storage location. Deleting the virtual space together with all the data in it then prevents the external data that threatens the interior of the local system from ever coming into direct contact with the local system.
When the external data is placed in the first low-rate channel, the first virtual space reads the file name of the external data and sends it to the local system; the first virtual space is disconnected from the network while it is being deleted, and after the first virtual space is deleted the system establishes a second virtual space to receive external data; the log file is sent to the local system before all data of the first virtual space is deleted.
In an embodiment, after the first virtual space receives the external data transmitted to the local system, the method further comprises: the first virtual space reads the beginning and ending byte segments of the predetermined length of the external data and the beginning and ending command characters, and transmits them to the local system; wherein the local system generating a first virtual file comprises: the local system generates, based on the alarm information, a first virtual file according to the beginning and ending byte segments of the predetermined length of the external data and the beginning and ending command characters, and transmits the first virtual file to the target storage position in the first virtual space.
A first virtual file generated from the beginning and ending byte segments of the predetermined length and the beginning and ending command characters of the external data resembles the external data more closely than a first virtual file that merely shares its file name. After it is detected that the file names of the first virtual file and the external data are the same, the contents of the two are compared further, and when their similarity is high the transfer of the threatening data to the target storage location in the first virtual space fails.
When external data received by the first virtual space is judged to threaten the data in the local system, the first virtual space sends an alarm signal to the local system, so that the system generates an alarm reaction after receiving the alarm signal, namely, the first virtual file is generated, and the first virtual file is transmitted to a target storage position in the first virtual space.
Referring to fig. 3, in one embodiment, the local system generates a first virtual file based on the alert information from a beginning and ending byte section of a predetermined length of the external data, and command characters of beginning and ending, including:
s201, the local system extracts a first byte section with a preset length from a local junk file based on the alarm information.
S202, randomly extracting bytes in the first byte section.
And S203, randomly extracting bytes, and carrying out random continuous copying to obtain a second byte section.
S204, adding the first byte section, the tail byte section and command characters of the beginning and the tail of the preset length of the external data into a second byte section to form the first virtual file.
Randomly extracting bytes from the first byte section turns them into characters without meaning. Randomly and continuously copying the randomly extracted bytes further increases the difficulty of restoring those meaningless characters to the first byte section, so that even if an attacker obtains the first virtual file through a network attack, the local junk file is not leaked.
When extracting the first byte section of the preset length, the last four bits of the local junk file may be intercepted.
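Steps S201 to S204 carried through in Python, as an added example that is not code from the patent or from Antiy. The preset length of 4, the repeat bound, the order of the parts inside the virtual file, the format of the command characters and the sample inputs are all assumptions.

```python
import random
import secrets
from dataclasses import dataclass
from typing import Optional

# Assumed parameters (the patent fixes neither value); not Antiy's code.
PRESET_LENGTH = 4   # length of a "byte section"; the text mentions the last four of the junk file
MAX_REPEAT = 8      # upper bound for the random continuous copying in S203


@dataclass(frozen=True)
class ExternalDataSummary:
    """What the first virtual space forwards to the local system instead of the payload."""
    file_name: str
    head: bytes        # beginning byte section of the preset length
    tail: bytes        # ending byte section of the preset length
    begin_cmd: bytes   # beginning command character(s); format assumed
    end_cmd: bytes     # ending command character(s); format assumed


def summarize_external_data(file_name: str, data: bytes, begin_cmd: bytes, end_cmd: bytes,
                            preset_length: int = PRESET_LENGTH) -> ExternalDataSummary:
    """Read only the head/tail byte sections; the payload itself stays in the virtual space."""
    if len(data) < 2 * preset_length:
        raise ValueError("external data shorter than two byte sections")
    return ExternalDataSummary(file_name, data[:preset_length], data[-preset_length:],
                               begin_cmd, end_cmd)


def extract_first_byte_section(junk: bytes, preset_length: int = PRESET_LENGTH) -> bytes:
    """S201: take the last `preset_length` bytes of the local junk file."""
    if preset_length <= 0 or len(junk) < preset_length:
        raise ValueError("junk file too short for the preset length")
    return junk[-preset_length:]


def randomly_extract_bytes(section: bytes, rng: random.Random) -> bytes:
    """S202: pick a random, non-empty subset of the section's bytes in random order."""
    count = rng.randint(1, len(section))
    return bytes(rng.sample(list(section), count))


def randomly_copy(extracted: bytes, rng: random.Random, max_repeat: int = MAX_REPEAT) -> bytes:
    """S203: repeat each extracted byte a random number of times, back to back."""
    out = bytearray()
    for value in extracted:
        out.extend(bytes([value]) * rng.randint(1, max_repeat))
    return bytes(out)


def build_first_virtual_file(summary: ExternalDataSummary, junk: bytes,
                             seed: Optional[int] = None,
                             preset_length: int = PRESET_LENGTH) -> bytes:
    """S204: wrap the scrambled second byte section in the external data's fingerprint.

    Layout is an assumption (the patent lists the parts but not their order):
        head | begin_cmd | second byte section | end_cmd | tail
    A seed is only for reproducible tests; production use leaves it None (OS randomness).
    """
    rng: random.Random = random.Random(seed) if seed is not None else secrets.SystemRandom()
    first = extract_first_byte_section(junk, preset_length)
    second = randomly_copy(randomly_extract_bytes(first, rng), rng)
    return summary.head + summary.begin_cmd + second + summary.end_cmd + summary.tail


def matches_external_data(virtual_file: bytes, summary: ExternalDataSummary) -> bool:
    """Content check the text describes: decoy and external data share head, tail and commands."""
    return (virtual_file.startswith(summary.head + summary.begin_cmd)
            and virtual_file.endswith(summary.end_cmd + summary.tail))


if __name__ == "__main__":
    # Constructed sample inputs; any resemblance to a real file format is incidental.
    external = b"%PDF-1.7\n<<BEGIN stream END>>\n%%EOF"
    junk = b"leftover-log-0123456789"
    summary = summarize_external_data("report.pdf", external, b"BEGIN", b"END")
    decoy = build_first_virtual_file(summary, junk)
    print(decoy, matches_external_data(decoy, summary))
```

The middle of the decoy consists only of bytes drawn from the junk file's last section, repeated and reordered, so recovering that section from a captured decoy is not straightforward.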
Example 2
Referring to fig. 4, an embodiment of the present invention provides a system file protection device based on network security, including: a first virtual space establishing module 201, configured to establish a first virtual space on a local system; an external data receiving module 202, configured to receive, through the first virtual space, external data transmitted to the local system; a security verification module 203, configured to perform security verification on the received external data in the first virtual space and determine whether the external data threatens the data in the local system; an alarm module 204, configured to send alarm information to the local system if the first virtual space determines that the external data threatens the data in the local system; and a first virtual space deleting module 205, configured to have the local system delete the first virtual space and the data in it based on the alarm information.
The embodiment of the invention provides a system file protection device based on network security. A first virtual space is established to receive the external data transmitted to the local system, so that the local system does not receive the external data directly; when the external data is determined to threaten the data in the local system, the local system deletes the first virtual space and the data in it, so that the local system never comes into direct contact with the threatening data. Because the security defense process takes place inside the first virtual space, any data damage that occurs during that process is confined to the first virtual space as well, which reduces the probability of system files being damaged to a certain extent.
In an embodiment, the security verification module 203 is specifically configured to: read the file name of the external data; read the beginning and ending byte sections of the predetermined length and the beginning and ending command characters of the external data; and perform security verification on the external data based on its file name, its beginning and ending byte sections of the predetermined length, and its beginning and ending command characters.
Security verification of the external data means capturing packets at the data link layer of the TCP/IP (Transmission Control Protocol/Internet Protocol) protocol suite and at the application layer of the OSI model (Open System Interconnection Reference Model) for detection and analysis, and performing a multi-correlation judgment on the file name, the beginning byte section and ending byte section of the preset length, and the beginning and ending command characters of the external data. This improves the effectiveness of the virus library file in judging the external data and strengthens the first virtual space's ability to recognize external data that threatens the data in the local system. The detection and analysis of the packets captured at the application layer of the OSI model is based on the latest virus library file installed in the first virtual space.
In an embodiment, the device further includes an external data temporary storage module, which is specifically configured to temporarily store the external data at a first storage location in the first virtual space after the first virtual space receives the external data transmitted to the local system; and a low-rate transmission module, which is specifically configured to place the external data into a first low-rate channel after the first virtual space determines that the external data threatens the data in the local system, so that the external data is transmitted from the first storage location to a target storage location in the first virtual space through the first low-rate channel.
The first storage location is set to receive the external data while it is verified, and the target storage location is set to receive data that threatens the local system; in this way the first virtual space receives the external data and verifies whether it threatens the local system, so that threatening data never comes into direct contact with the local system. In addition, external data that threatens the data in the local system is transmitted through the first low-rate channel, so that the local system can conveniently generate the first virtual file and transmit it to the target storage location.
In an embodiment, the device further includes a first virtual file transfer module, configured so that, before the external data is transferred from the first storage location to the target storage location in the first virtual space, the local system generates a first virtual file and transfers it to the target storage location in the first virtual space, where the file name of the first virtual file is the same as the file name of the external data.
In this method, the data that threatens the local system is transmitted to the target storage location in the first virtual space through the first low-rate channel, so the first virtual file reaches the target storage location first and the threatening data is transmitted there only afterwards. Because the file name of the first virtual file is the same as the file name of the external data, the transfer of the threatening external data to the target storage location in the first virtual space fails, i.e. the threatening external data is stored only at the first storage location. By then deleting the virtual space and all data in it, external data that would threaten the local system is prevented from ever directly contacting the local system.
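The staging, low-rate transfer, same-name collision and tear-down described above, as an added illustration that is not the patent's or Antiy's code. The virus library contents, the chunked copy standing in for the low-rate channel, the use of O_EXCL to make the same-name transfer fail, and the sample inputs are assumptions.

```python
import os
import shutil
import tempfile
from pathlib import Path
from typing import Dict, FrozenSet, List, Tuple

Fingerprint = Tuple[str, bytes, bytes]   # (file name, head section, tail section)

# Constructed stand-in for the "latest virus library file" installed in the first
# virtual space; the single entry is invented for this example.
VIRUS_LIBRARY: FrozenSet[Fingerprint] = frozenset({
    ("invoice.exe", b"MZ\x90\x00", b"PAD!"),
})


class FirstVirtualSpace:
    """Isolated area with a first (staging) and a target storage location."""

    def __init__(self, root: Path, preset_length: int = 4, chunk_size: int = 64):
        self.root = root
        self.first_storage = root / "first_storage"
        self.target_storage = root / "target_storage"
        self.first_storage.mkdir(parents=True)
        self.target_storage.mkdir()
        self.preset_length = preset_length
        self.chunk_size = chunk_size   # small chunks stand in for the low-rate channel

    def receive(self, file_name: str, data: bytes) -> Path:
        """Temporarily store incoming external data at the first storage location."""
        staged = self.first_storage / Path(file_name).name   # drop any directory part
        staged.write_bytes(data)
        return staged

    def fingerprint(self, file_name: str, data: bytes) -> Fingerprint:
        n = self.preset_length
        return (Path(file_name).name, data[:n], data[-n:])

    def verify(self, file_name: str, data: bytes, library: FrozenSet[Fingerprint]) -> bool:
        """Multi-correlation judgment, simplified: name, head and tail must all match."""
        return self.fingerprint(file_name, data) in library

    def transfer_to_target(self, file_name: str) -> bool:
        """Move staged data to the target location; O_EXCL makes a same-named file block it."""
        src = self.first_storage / file_name
        dst = self.target_storage / file_name
        try:
            fd = os.open(dst, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        except FileExistsError:
            return False            # the first virtual file already holds the name
        with os.fdopen(fd, "wb") as out, src.open("rb") as inp:
            for chunk in iter(lambda: inp.read(self.chunk_size), b""):
                out.write(chunk)
        return True

    def destroy(self) -> None:
        """Delete the first virtual space and everything stored in it."""
        shutil.rmtree(self.root)


class LocalSystem:
    def __init__(self) -> None:
        self.alarms: List[str] = []

    def on_alarm(self, space: FirstVirtualSpace, fp: Fingerprint) -> None:
        """Alarm reaction: put a same-named first virtual file at the target location first."""
        name, head, tail = fp
        self.alarms.append(name)
        # Decoy content is a placeholder here; the generation module builds the real one.
        (space.target_storage / name).write_bytes(head + b"<decoy>" + tail)


def protect(file_name: str, data: bytes, library: FrozenSet[Fingerprint],
            workdir: str) -> Dict[str, object]:
    """Run the flow of claim 1 for one piece of external data and report the outcome."""
    local = LocalSystem()
    space = FirstVirtualSpace(Path(tempfile.mkdtemp(prefix="vspace-", dir=workdir)))
    staged = space.receive(file_name, data)
    fp = space.fingerprint(staged.name, data)
    if not space.verify(staged.name, data, library):
        return {"threat": False, "staged_at": str(staged), "transferred": False,
                "space_deleted": False}
    local.on_alarm(space, fp)                        # decoy lands before the slow transfer
    transferred = space.transfer_to_target(staged.name)
    space.destroy()                                  # external data goes away with the space
    return {"threat": True, "transferred": transferred,
            "space_deleted": not space.root.exists(), "alarms": local.alarms}


def run_demo() -> Tuple[Dict[str, object], Dict[str, object]]:
    """Constructed inputs: one matching the library, one not."""
    with tempfile.TemporaryDirectory() as workdir:
        flagged = protect("invoice.exe", b"MZ\x90\x00" + b"\x00" * 16 + b"PAD!",
                          VIRUS_LIBRARY, workdir)
        benign = protect("notes.txt", b"just some plain text here", VIRUS_LIBRARY, workdir)
    return flagged, benign
```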
In one embodiment, the device further includes a first virtual file generation module, configured so that, after the first virtual space receives the external data transmitted to the local system, the first virtual space reads the beginning and ending byte sections of the preset length of the external data and the beginning and ending command characters of the external data, and transmits them to the local system; the local system generating the first virtual file then includes: the local system generates the first virtual file, based on the alarm information, from the beginning and ending byte sections of the predetermined length of the external data and the beginning and ending command characters, and transmits the first virtual file to the target storage location in the first virtual space.
The first virtual file generated from the beginning and ending byte sections of the predetermined length and the beginning and ending command characters of the external data is more similar to the external data than a first virtual file that shares only its file name. After detecting that the file names of the first virtual file and the external data are the same, the content of the first virtual file and the content of the external data are further compared, and when the similarity between them is high, the transfer of the external data that threatens the data in the local system to the target storage location in the first virtual space fails.
In an embodiment, the first virtual file generation module is specifically configured to: have the local system extract a first byte section of a preset length from a local junk file based on the alarm information; randomly extract bytes from the first byte section; randomly and continuously copy the randomly extracted bytes to obtain a second byte section; and add the beginning byte section and the ending byte section of the preset length of the external data, and the beginning and ending command characters, to the second byte section to form the first virtual file.
Randomly extracting bytes from the first byte section turns them into characters without meaning. Randomly and continuously copying the randomly extracted bytes further increases the difficulty of restoring those meaningless characters to the first byte section, so that even if an attacker obtains the first virtual file through a network attack, the local junk file is not leaked.
Example 3
Referring to fig. 5, an embodiment of the present invention provides an electronic device including a housing 301, a processor 302, a memory 303, a circuit board 304 and a power supply circuit 305, where the circuit board 304 is arranged in the space enclosed by the housing 301, and the processor 302 and the memory 303 are arranged on the circuit board 304; the power supply circuit 305 supplies power to the circuits or devices of the electronic device; the memory 303 stores executable program code; and the processor 302 runs the program corresponding to the executable program code by reading it from the memory 303, in order to execute the network security based system file protection method of any one of the foregoing embodiments.
Example 4
An embodiment of the present invention provides a computer readable storage medium storing one or more programs executable by one or more processors to implement the network security based system file protection method according to any one of the preceding embodiments.
The invention provides a system file protection method and device based on network security, and an electronic device. When the external data is determined to threaten the data in the local system, the first virtual space transfers the external data to the target storage location through the first low-rate channel and at the same time transfers the file name, the beginning and ending byte sections and the beginning and ending command characters of the external data to the local system; the local system generates the first virtual file from these and transfers it to the target storage location in the first virtual space, so that the first virtual space fails to transfer the external data to the target storage location. Finally the first virtual space is deleted, eliminating the external data, and a second virtual space is established, which reduces the probability of system files being damaged to a certain extent.
Establishing the first virtual space to receive and judge the external data keeps the external data from directly contacting the local system during a network attack and improves the security of the system files. At the same time, a file with the same file name as the data that threatens the local system is generated in the local system; that file repels the external data through the identical file name, so the external data cannot be stored in the virtual space and is eliminated together with the first virtual space when it is deleted.
It should be noted that, in this document, the emphasis of the solutions described in the embodiments differs, but there is a certain interrelation between the embodiments, and when understanding the solution of the present invention, the embodiments may refer to each other; additionally, relational terms such as first and second may be used solely to distinguish one entity or action from another without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one…" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
The foregoing is merely illustrative of the present invention, and the present invention is not limited thereto, and any changes or substitutions easily contemplated by those skilled in the art within the scope of the present invention should be included in the present invention. Therefore, the protection scope of the invention is subject to the protection scope of the claims.

Claims (10)

1. A system file protection method based on network security, comprising:
establishing a first virtual space on a local system;
the first virtual space receives external data transmitted to a local system;
the first virtual space performs security verification on the received external data and determines whether the external data threatens the data in the local system;
if the first virtual space determines that the external data threatens the data in the local system, sending alarm information to the local system;
the local system deletes the first virtual space and the data in the first virtual space based on the alarm information;
after the first virtual space receives the external data transmitted to the local system, the method further comprises:
temporarily storing the external data to a first storage position in the first virtual space;
after the first virtual space determines that the external data threatens data internal to the local system, the method further comprises:
placing the external data into a first low-rate channel to transmit the external data from the first storage location to a target storage location in the first virtual space through the first low-rate channel;
before transferring the external data from the first storage location to the target storage location within the first virtual space, the method further comprises:
the local system generates a first virtual file and transmits the first virtual file to the target storage location in the first virtual space, wherein the file name of the first virtual file is the same as the file name of the external data.
2. The system file protection method according to claim 1, wherein the first virtual space performing security verification on the received external data and determining whether the external data threatens the data inside the local system comprises:
reading the file name of the external data;
reading the beginning and ending byte sections of the predetermined length and the beginning and ending command characters of the external data;
and performing security verification on the external data based on the file name of the external data, the beginning and ending byte sections of the predetermined length of the external data, and the beginning and ending command characters.
3. The system file protection method of claim 1, wherein after the first virtual space receives external data transmitted to a local system, the method further comprises:
the first virtual space reads the beginning and ending byte segments of the predetermined length of the external data, and the beginning and ending command characters; and transmitting the read beginning and ending byte segments of the predetermined length of the external data, and the beginning and ending command characters to the local system;
wherein the local system generates a first virtual file comprising:
the local system generates the first virtual file, based on the alarm information, from the beginning and ending byte sections of the predetermined length of the external data and the beginning and ending command characters, and transmits the first virtual file to a target storage position in the first virtual space.
4. A system file protection method according to claim 3, wherein the local system generates a first virtual file based on the alarm information from a beginning and ending byte section of a predetermined length of the external data, and command characters of beginning and ending, comprising:
the local system extracts a first byte section with a preset length from a local junk file based on the alarm information;
randomly extracting bytes in the first byte section;
randomly and continuously copying the randomly extracted bytes to obtain a second byte section;
and adding the beginning byte section and the ending byte section of the preset length of the external data, and the beginning and ending command characters, to the second byte section to form the first virtual file.
5. A network security based system file protection device, comprising:
the first virtual space establishing module is used for establishing a first virtual space on the local system;
the external data receiving module is used for receiving external data transmitted to the local system by the first virtual space;
the security verification module is used for performing security verification on the received external data in the first virtual space and determining whether the external data threatens the data in the local system or not;
the alarm module is used for sending alarm information to the local system if the first virtual space determines that the external data threatens the data in the local system;
the first virtual space deleting module is used for deleting the first virtual space and the data in the first virtual space based on the alarm information by the local system;
the device further comprises an external data temporary storage module, which is specifically configured to, after the first virtual space receives the external data transmitted to the local system, temporarily store the external data at a first storage position in the first virtual space;
the device further comprises a low-rate transmission module, which is specifically configured to, after the first virtual space determines that the external data threatens the data inside the local system, place the external data into a first low-rate channel so as to transmit the external data from the first storage location to a target storage location in the first virtual space through the first low-rate channel;
and a first virtual file transfer module, configured so that, before the external data is transferred from the first storage location to the target storage location in the first virtual space, the local system generates a first virtual file and transmits the first virtual file to the target storage location in the first virtual space, wherein the file name of the first virtual file is the same as the file name of the external data.
6. The system file protection device of claim 5, wherein the security verification module is specifically configured to:
read the file name of the external data;
read the beginning and ending byte sections of the predetermined length and the beginning and ending command characters of the external data;
and perform security verification on the external data based on the file name of the external data, the beginning and ending byte sections of the predetermined length of the external data, and the beginning and ending command characters.
7. The system file protection device of claim 1, further comprising a first virtual file generation module, configured so that, after the first virtual space receives the external data transmitted to the local system, the first virtual space reads the beginning and ending byte sections of the predetermined length of the external data and the beginning and ending command characters, and transmits the read beginning and ending byte sections and the beginning and ending command characters to the local system;
wherein the local system generating the first virtual file comprises:
the local system generates the first virtual file, based on the alarm information, from the beginning and ending byte sections of the predetermined length of the external data and the beginning and ending command characters, and transmits the first virtual file to a target storage position in the first virtual space.
8. The system file protection device of claim 7, wherein the first virtual file generation module is specifically configured to:
the local system extracts a first byte section with a preset length from a local junk file based on the alarm information;
randomly extracting bytes in the first byte section;
randomly and continuously copying the randomly extracted bytes to obtain a second byte section;
and adding the beginning byte section and the ending byte section of the preset length of the external data, and the beginning and ending command characters, to the second byte section to form the first virtual file.
9. An electronic device, the electronic device comprising: the device comprises a shell, a processor, a memory, a circuit board and a power circuit, wherein the circuit board is arranged in a space surrounded by the shell, and the processor and the memory are arranged on the circuit board; a power supply circuit for supplying power to each circuit or device of the electronic apparatus; the memory is used for storing executable program codes; the processor executes a program corresponding to the executable program code by reading the executable program code stored in the memory for performing the network security based system file protection method of any of the preceding claims 1-4.
10. A computer readable storage medium storing one or more programs executable by one or more processors to implement the network security based system file protection method of any of the preceding claims 1-4.
CN202111567223.2A 2021-12-20 2021-12-20 System file protection method and device based on network security, electronic equipment and storage medium Active CN114338112B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111567223.2A CN114338112B (en) 2021-12-20 2021-12-20 System file protection method and device based on network security, electronic equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111567223.2A CN114338112B (en) 2021-12-20 2021-12-20 System file protection method and device based on network security, electronic equipment and storage medium

Publications (2)

Publication Number Publication Date
CN114338112A CN114338112A (en) 2022-04-12
CN114338112B true CN114338112B (en) 2024-03-19

Family

ID=81055485

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111567223.2A Active CN114338112B (en) 2021-12-20 2021-12-20 System file protection method and device based on network security, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN114338112B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20120111973A (en) * 2011-03-30 2012-10-11 주식회사 윈스테크넷 Security audit service system and method among virtual machines in the virtualization environment
US9542554B1 (en) * 2014-12-18 2017-01-10 Palo Alto Networks, Inc. Deduplicating malware
CN106845214A (en) * 2016-12-29 2017-06-13 北京瑞星信息技术股份有限公司 Based on safety protecting method and system under virtualized environment
CN107608752A (en) * 2016-07-12 2018-01-19 中国科学院信息工程研究所 The threat information response examined oneself based on virtual machine and method of disposal and system
CN112748987A (en) * 2021-01-19 2021-05-04 北京智仁智信安全技术有限公司 Behavior security processing method and device based on virtual host

Also Published As

Publication number Publication date
CN114338112A (en) 2022-04-12

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant