CN115622911A - Performance test method of network security detection equipment - Google Patents

Publication number
CN115622911A
Authority
CN
China
Prior art keywords
file
test
detection
value
log
Legal status
Pending
Application number
CN202211247644.1A
Other languages
Chinese (zh)
Inventor
李永辉
Current Assignee
Wuhan Sipuling Technology Co Ltd
Original Assignee
Wuhan Sipuling Technology Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/08 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L67/1095 Replication or mirroring of data, e.g. scheduling or transport for data synchronisation between network nodes

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Environmental & Geological Engineering (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application provides a performance test method for network security detection equipment, wherein the network security detection equipment is deployed in bypass mode in a test environment, and the performance test method comprises the following steps: generating a test file; transmitting the test file from the first terminal equipment to the second terminal equipment by using the network equipment to generate mirror image flow; detecting the mirror image flow by using the network security detection equipment to generate a detection log; acquiring the transmitted file received by the second terminal equipment; if the transmitted file is consistent with the test file and the detection log comprises log information corresponding to the test file, acquiring a virus retention file from the detection log; and if the virus retention file is consistent with the virus sample file, outputting the test result as success. The performance test method uses the mirror image flow of the network equipment as test data, does not need to capture messages for replay, and confirms the test result jointly from the transmitted file, the test file, the detection log, the virus retention file and the like, thereby improving the test accuracy.

Description

Performance test method of network security detection equipment
Technical Field
The application relates to the field of computer network security, in particular to a performance test method of network security detection equipment.
Background
Network security detection equipment deployed in bypass mode, such as a total flow forensics system (TFS), is an important component of network security protection, and virus detection is one of its essential service modules. As a bypass-deployed device, the TFS only receives traffic and does not forward it, so it cannot be connected in series between a client and a server for testing.
At present, testing the virus detection performance of the TFS relies mainly on message replay. First, a tester simulates a client that sends a test file including a virus sample file to a server, or downloads the test file from the server, and collects the complete data messages generated during the transmission. The complete data messages are then input into the TFS for virus detection, and the test result is obtained from the detection log. However, if the message capture is incomplete, the TFS may produce false alarms or missed detections, and the test result is inaccurate. The accuracy of the test result obtained by this test method is therefore low.
Disclosure of Invention
To solve the problem that, in the existing performance testing method of the network security detection device, incomplete message capture may cause TFS false alarms or missed detections and therefore an inaccurate test result, the present application provides a performance testing method of the network security detection device, a terminal device, and a computer readable storage medium through the following aspects.
A first aspect of the present application provides a performance testing method for a network security detection device, where the network security detection device is deployed in bypass mode in a testing environment, the testing environment includes a first terminal device, a network device, and a second terminal device, and the performance testing method includes:
generating a test file, wherein the test file comprises a virus sample file;
transmitting the test file from the first terminal equipment to the second terminal equipment by using the network equipment, generating mirror image flow and sending the mirror image flow to the network security detection equipment;
detecting the mirror image flow of the network equipment by using network security detection equipment to generate a detection log;
acquiring a transmitted file, wherein the transmitted file is a file received by the second terminal equipment;
judging whether the MD5 value of the transmitted file is equal to the MD5 value of the test file;
if the MD5 value of the transmitted file is equal to the MD5 value of the test file, judging whether the detection log comprises log information corresponding to the test file;
if the detection log comprises log information corresponding to the test file, acquiring a virus retention file from the detection log;
judging whether the MD5 value of the virus retention file is equal to the MD5 value of the virus sample file;
and if the MD5 value of the virus retention file is equal to the MD5 value of the virus sample file, outputting the test result as success.
In some embodiments, the performance testing method further comprises:
if the MD5 value of the transmitted file is not equal to the MD5 value of the test file, adding one to the invalid times, wherein the initial value of the invalid times is zero;
judging whether the invalid times are smaller than a preset threshold value or not;
and if the invalid times are less than the preset threshold value, continuing to execute the step of generating the test file.
In some embodiments, the performance testing method further comprises:
and if the invalid times are greater than or equal to the preset threshold value, outputting the test result as failure.
In some embodiments, the test files include a white list test file and a black list test file, wherein the white list test file and the black list test file both include a virus sample file, the file type of the black list test file is a preset type, and the file type of the white list test file is different from the preset type;
the network security detection device is configured to detect a preset type of file;
wherein judging whether the detection log comprises log information corresponding to the test file and, if the detection log comprises log information corresponding to the test file, acquiring the virus retention file from the detection log, comprises:
judging whether the detection log comprises log information corresponding to the blacklist test file or not;
if the detection log comprises log information corresponding to the blacklist test file, judging whether the detection log comprises log information corresponding to the white list test file;
and if the detection log does not comprise log information corresponding to the white list test file, acquiring the virus retention file from the detection log.
In some embodiments, the performance testing method further comprises:
and if the log information corresponding to the blacklist test file is not included in the detection log, outputting the test result as failure.
In some embodiments, the performance testing method further comprises:
and if the detection log comprises log information corresponding to the white list test file, outputting the test result as failure.
In some embodiments, the performance testing method further comprises:
and if the MD5 value of the virus retention file is not equal to the MD5 value of the virus sample file, outputting the test result as failure.
In some embodiments, the first terminal device is a client, and the second terminal device is a server; or the first terminal device is a server, and the second terminal device is a client.
A second aspect of the present application provides a terminal apparatus, including: at least one processor and a memory; the memory is configured to store program instructions; the processor is configured to call and execute the program instructions stored in the memory, so as to enable the terminal device to execute the performance testing method of the network security detection apparatus according to the first aspect of the present application.
A third aspect of the present application provides a computer-readable storage medium, which stores instructions that, when executed on a computer, cause the computer to execute a performance testing method of a network security detection apparatus according to the first aspect of the present application.
The application provides a performance test method for network security detection equipment, wherein the network security detection equipment is deployed in bypass mode in a test environment, the test environment comprises a first terminal device, network equipment and a second terminal device, and the performance test method comprises the following steps: generating a test file; transmitting the test file from the first terminal equipment to the second terminal equipment by using the network equipment, generating mirror image flow and sending the mirror image flow to the network security detection equipment; detecting the mirror image flow of the network equipment by using the network security detection equipment to generate a detection log; acquiring the transmitted file received by the second terminal equipment; if the MD5 value of the transmitted file is equal to the MD5 value of the test file, judging whether the detection log comprises log information corresponding to the test file; if so, acquiring a virus retention file from the detection log and comparing the MD5 value of the virus retention file with the MD5 value of the virus sample file; and if the MD5 value of the virus retention file is equal to the MD5 value of the virus sample file, outputting the test result as success. The performance testing method uses the mirror image flow of the network equipment as test data, does not need to capture messages for replay, and confirms the test result jointly from the transmitted file, the test file, the detection log, the virus retention file and the like, so as to improve the test accuracy.
Drawings
FIG. 1 illustrates a testing environment to which embodiments of the present application are applicable;
FIG. 2 is a schematic interface diagram illustrating functional switches of a network security detection device to which an embodiment of the present application is applied;
FIG. 3 is a schematic workflow diagram illustrating a performance testing method of a network security detection device according to an embodiment of the present application;
FIG. 4 illustrates a testing environment to which the embodiments of the present application are applicable.
Detailed Description
To solve the problem that, in the existing performance testing method of the network security detection device, incomplete capture of the replay messages may cause the network security detection device to raise false alarms and make the test result inaccurate, the present application provides a performance testing method of the network security detection device through the following embodiments.
The performance testing method provided by the embodiment of the application is used for testing the virus detection performance of the network security detection equipment, and the network security detection equipment is deployed in bypass mode in a testing environment, wherein the testing environment comprises first terminal equipment, network equipment and second terminal equipment. In the present application, a total flow forensics system (TFS) is taken as an example of a network security detection device, and an embodiment of the provided test method is described. Referring to FIG. 1, a schematic structural diagram of a test environment to which an embodiment of the present application is applicable is exemplarily given. As shown in FIG. 1, the network device may be an SW (switch). In this embodiment, port mirroring is configured on the SW, and a mirror copy of the packets transmitted between the client and the server is sent to the TFS under test, so as to test the virus detection performance of the TFS.
In some embodiments, the first terminal device may be a PC (client); correspondingly, the second terminal device may be a server, and the corresponding message transmission process may be file upload. In some embodiments, the first terminal device may be a server; correspondingly, the second terminal device may be a client, and the corresponding message transmission process may be file download. In some embodiments, the test environment further comprises a management PC that controls the TFS under test, the client and the server via SSH (Secure Shell) connections. By way of example only and not limitation, the first terminal device and the second terminal device may each be at least one of a server, a personal computer, a smart phone, and a tablet computer; the embodiment of the present application does not particularly limit what kind of device the first terminal device and the second terminal device are, as long as a complete message transmission process can be implemented between them.
When the test environment is configured, HTTP, FTP, mailbox and Samba services are deployed on the server and provided externally, and it is ensured that the client can normally use each service provided by the server. The virus sample files to be tested (a plurality of samples, some containing viruses and some not) are stored in a pre-designated directory, namely the upload_virus directory, on both the server and the client. The TFS virus detection strategy master switch, the service (protocol or application) enabling function, the service action (uploading and downloading) and the file type are added to a parameter pool as configuration parameters. Referring to FIG. 2, a schematic diagram of each functional switch on the TFS is exemplarily given.
Referring to fig. 3, the performance testing method provided herein includes steps 101-109.
Step 101, generating a test file, wherein the test file comprises a virus sample file. In some embodiments, parameter configurations of the parameter pool are combined to obtain a group of test case sets, each test case is sequentially executed, and the virus sample files are compressed according to file types in the test cases to generate corresponding test files. Correspondingly, the network security detection equipment is configured according to the configuration parameters in the test case.
Step 102, transmitting the test file from the first terminal device to the second terminal device by using the network device, generating mirror image flow and sending the mirror image flow to the network security detection device. The test PC client is controlled to upload or download the test sample file according to the service (HTTP, FTP, mailbox (SMTP, IMAP, POP3), SMB) and the service action in the test case.
Step 103, detecting the mirror image flow of the network equipment by using the network security detection equipment to generate a detection log. In the embodiment of the application, the security detection device detects the mirror image flow of the network device directly, without messages being captured for replay.
Step 104, acquiring a transmitted file, wherein the transmitted file is the file received by the second terminal device.
Step 105, judging whether the MD5 value of the transmitted file is equal to the MD5 value of the test file. In the embodiment of the application, whether the file received by the second terminal device is complete is judged by comparing the MD5 value of the transmitted file with the MD5 value of the test file, so as to determine whether the transmission process is normal.
Step 106, if the MD5 value of the transmitted file is equal to the MD5 value of the test file, determining whether the detection log includes log information corresponding to the test file. In this embodiment of the present application, only when the MD5 value of the transmitted file is equal to the MD5 value of the test file, that is, the transmission process is normal, is it determined whether the detection log generated by the network security detection device includes log information corresponding to the test file.
In an implementation manner, whether the log information corresponding to the test file is included in the detection log may be determined by comparing whether the file name and the file MD5 value recorded in the detection log are consistent with the test file.
Step 107, if the detection log comprises log information corresponding to the test file, acquiring a virus retention file from the detection log. In the existing testing method, generally only the detection log of the network security detection device is used as the basis for judging the test result; however, the log is usually only one way of visually showing the result, and taking the log alone as the final judgment is relatively one-sided. In the embodiment of the application, the detection log is used as a judgment basis, and the virus retention file in the detection log is further downloaded for analysis. Illustratively, the detection log query and the downloading of the virus retention file may be performed by calling a full-traffic aggregation device log API interface.
In some embodiments, it may occur that the detection log includes log information corresponding to the test file, but the detection log cannot acquire the corresponding virus retention file, and at this time, the test is considered to have failed, and the test result is output as a failure.
Step 108, judging whether the MD5 value of the virus retention file is equal to the MD5 value of the virus sample file.
And step 109, if the MD5 value of the virus retention file is equal to the MD5 value of the virus sample file, outputting a test result as success.
In some embodiments, the performance testing method comprises: if the MD5 value of the virus retention file is not equal to the MD5 value of the virus sample file, perform step 110: and outputting the test result as failure.
In this embodiment of the application, if the MD5 value of the file after transmission is not equal to the MD5 value of the test file, it is determined that there is an abnormality in the transmission process, and the corresponding test result is not trusted. In some embodiments, for a test file with an exception in the transmission process, the file is transmitted again, and a corresponding test is performed. In these embodiments, the performance testing method further includes steps 111-113.
Step 111, if the MD5 value of the transmitted file is not equal to the MD5 value of the test file, adding one to the invalid times, where the initial value of the invalid times is zero.
Step 112, judging whether the invalid times are smaller than a preset threshold value.
If the invalid times are smaller than the preset threshold value, execution continues from step 101 to generate a test file. In some embodiments, the test case corresponding to the test file may be placed back in the set of test cases to be tested and executed again.
In some embodiments, the performance testing method further comprises: if the invalid times are greater than or equal to the preset threshold, step 110 is executed, the test result is output as a failure, and the execution of the current performance test method is terminated. This may indicate that the setting of the test environment or the setting of the network device has a defect, and a corresponding adjustment is required.
In some embodiments, after step 109 or step 110, that is, after the test result is output, the next test case may be executed continuously, and the test file is generated and the network security detection device is configured accordingly. And when all the test cases in the test case set are executed, generating a test report according to the test record, and automatically sending the test report to a tester through an email.
As can be seen from fig. 2, the network security detection device can detect different file types. Thus, in some embodiments, a black list test file and a white list test file may be set for a file type in a test case, where the white list test file and the black list test file both include a virus sample file, the file type of the black list test file is a preset type, and the file type of the white list test file is different from the preset type; correspondingly, the network security detection device is configured to detect the preset type of file.
For example, in the current test case, if the preset type is ".exe", the generated blacklist test file is a ".exe" type file containing a virus sample file, and the generated whitelist test file is a non-".exe" type file containing a virus sample file, which may be a ".7z" type file or a ".com" type file; the network security detection device is configured to detect virus sample files of the ".exe" type.
In these embodiments, steps 106-107 further include:
Step 201, determining whether the detection log includes log information corresponding to the blacklist test file.
Step 202, if the detection log includes log information corresponding to the blacklist test file, determining whether the detection log includes log information corresponding to the whitelist test file.
Step 203, if the detection log does not include log information corresponding to the white list test file, acquiring a virus retention file from the detection log.
In some embodiments, steps 106-107 further include: step 204, if the detection log does not include the log information corresponding to the blacklist test file, outputting a test result as failure.
In some embodiments, steps 106-107 further comprise: step 205, if the detection log includes log information corresponding to the white list test file, outputting a test result as failure.
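The verdict logic of steps 101-113 and 201-205, as an added Python example that is not code from the patent. `SentFile`, `LogEntry`, `run_case`, the `transfer` and `fetch_log` callables, the default threshold of 3 and the sample bytes are all assumptions, and the TFS log API is replaced by an in-memory list.

```python
import hashlib
from dataclasses import dataclass
from typing import Callable, List, Optional


def md5_hex(data: bytes) -> str:
    # The page uses MD5 as an integrity check. It catches truncation and
    # corruption, but it is not collision resistant against a deliberate forger.
    return hashlib.md5(data).hexdigest()


@dataclass(frozen=True)
class SentFile:                 # a test file sent across the mirrored link
    name: str
    content: bytes


@dataclass(frozen=True)
class LogEntry:                 # assumed shape of one detection-log record
    file_name: str
    file_md5: str
    retained: Optional[bytes]   # virus retention file, None if none was kept


def find_entry(log: List[LogEntry], tf: SentFile) -> Optional[LogEntry]:
    """Step 106: match on both file name and MD5 value of the test file."""
    digest = md5_hex(tf.content)
    return next((e for e in log
                 if e.file_name == tf.name and e.file_md5 == digest), None)


def run_case(sample: bytes, black: SentFile, white: SentFile,
             transfer: Callable[[SentFile], bytes],
             fetch_log: Callable[[], List[LogEntry]],
             max_invalid: int = 3) -> str:
    invalid = 0                                    # step 111: starts at zero
    while True:
        # Steps 102-104: send both files, collect what the receiver stored.
        received = [(tf, transfer(tf)) for tf in (black, white)]
        # Step 105: the transfer only counts if every MD5 value matches.
        if all(md5_hex(got) == md5_hex(tf.content) for tf, got in received):
            break
        invalid += 1                               # step 111
        if invalid >= max_invalid:                 # step 112, then step 110
            return "failure: transfer invalid"
        # The page goes back to step 101 and regenerates the test file;
        # this sketch resends the same bytes.

    log = fetch_log()                              # output of step 103
    hit = find_entry(log, black)                   # step 201
    if hit is None:                                # step 204
        return "failure: blacklist file not logged"
    if find_entry(log, white) is not None:         # steps 202 and 205
        return "failure: whitelist file logged"
    if hit.retained is None:                       # logged, nothing retained
        return "failure: no retention file"
    if md5_hex(hit.retained) != md5_hex(sample):   # steps 108 and 110
        return "failure: retention file mismatch"
    return "success"                               # step 109


# Constructed sample data: inert bytes standing in for a virus sample file.
SAMPLE = b"constructed inert stand-in for a virus sample"
BLACK = SentFile("case1.exe", b"EXE:" + SAMPLE)    # preset type
WHITE = SentFile("case1.7z", b"7Z:" + SAMPLE)      # any other type


def good_log() -> List[LogEntry]:
    # What a correctly working device would log for this case.
    return [LogEntry(BLACK.name, md5_hex(BLACK.content), SAMPLE)]


if __name__ == "__main__":
    print(run_case(SAMPLE, BLACK, WHITE, lambda tf: tf.content, good_log))
```

A detection that appears in the log but retains a truncated file still fails here, which is the case a log-only check would miss.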
The embodiment of the application provides a performance test method of network security detection equipment, wherein the network security detection equipment is deployed in a test environment in a bypass mode, the test environment comprises first terminal equipment, network equipment and second terminal equipment, and the performance test method comprises the following steps: generating a test file; transmitting the test file from the first terminal equipment to the second terminal equipment by using the network equipment, generating mirror image flow and sending the mirror image flow to the network security detection equipment; detecting the mirror image flow of the network equipment by using the network security detection equipment to generate a detection log; acquiring the transmitted file received by the second terminal equipment; if the MD5 value of the transmitted file is equal to the MD5 value of the test file, judging whether the detection log comprises log information corresponding to the test file; if so, acquiring a virus retention file from the detection log and comparing the MD5 value of the virus retention file with the MD5 value of the virus sample file; and if the MD5 value of the virus retention file is equal to the MD5 value of the virus sample file, outputting the test result as success. According to the performance testing method, the mirror image flow of the network equipment is used as test data, messages do not need to be captured for replay, and the test result is confirmed jointly from the transmitted file, the test file, the detection log, the virus retention file and the like, so that the test accuracy is improved.
Further, the performance testing method provided by the above embodiment combines with the characteristics of the TFS device, and whether the retention of the virus sample file is successful or not and whether the virus retention file is correct or not are taken as the judgment basis for the success of the test, so that a result closed loop is formed for the whole test, and the success or failure of the test result is considered from the perspective of the user, thereby improving the overall test quality.
The performance testing method provided by the embodiment can be combined with the test case set, with the management PC executing each test case in turn, so that manual operation is no longer needed, the overall testing efficiency is improved, and the daily version testing of the network security detection equipment is better safeguarded; the number of test samples, the complexity of the test suite combinations and the like are effectively increased. Furthermore, the performance test method has strong expandability; after the functions of the network security detection device are expanded, for example, after more transmission protocols or file types are supported, verification of the new functions can be achieved simply by adding the corresponding tool sets to the first terminal device and the second terminal device as appropriate.
Referring to fig. 4, in some embodiments, the performance testing method may simultaneously test a plurality of network security detection devices deployed in a test environment by a bypass, where the test environment further includes a shunting device; and the shunting equipment shunts the mirror image traffic generated by the network equipment (SW) to each network security detection equipment. And each network safety detection device carries out safety detection according to the received mirror image flow and generates a corresponding detection log respectively.
An embodiment of the present application further provides a terminal device, including: at least one processor and a memory; the memory is configured to store program instructions; the processor is configured to call and execute the program instructions stored in the memory, so as to enable the terminal device to execute the performance testing method of the network security detection apparatus provided in the foregoing embodiment.
In a specific implementation manner, an embodiment of the present application further provides a computer-readable storage medium, where instructions are stored in the computer-readable storage medium, and when the instructions are executed on a computer, the computer is enabled to execute the performance testing method of the network security detection device, which is provided in the foregoing embodiment. The storage medium of the computer readable medium may be a magnetic disk, an optical disk, a read-only memory (ROM) or a Random Access Memory (RAM).
The steps of the performance testing method described in the embodiments of the present application may be directly embedded in hardware, in a software unit executed by a processor, or in a combination of the two. The software units may be stored in RAM memory, flash memory, ROM memory, EPROM memory, EEPROM memory, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art. For example, a storage medium may be coupled to the processor such that the processor can read information from, and write information to, the storage medium. In the alternative, the storage medium may be integral to the processor. The processor and the storage medium may reside in an ASIC, which may be disposed in a UE. In the alternative, the processor and the storage medium may reside in different components in the UE.
It should be understood that, in the various embodiments of the present application, the sequence numbers of the processes do not mean the execution sequence, and the execution sequence of the processes should be determined by the functions and the inherent logic thereof, and should not constitute any limitation to the implementation process of the embodiments of the present application.
In the above embodiments, the implementation may be wholly or partially realized by software, hardware, firmware, or any combination thereof. When implemented in software, the implementation may be realized in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer instructions are loaded and executed on a computer, the processes or functions described in accordance with the embodiments of the application are produced in whole or in part. The computer may be a general purpose computer, a special purpose computer, a network of computers, or other programmable device. The computer instructions may be stored in a computer readable storage medium or transmitted from one computer readable storage medium to another computer readable storage medium; for example, the computer instructions may be transmitted from one website, computer, server, or data center to another website, computer, server, or data center via wired (e.g., coaxial cable, fiber optic, digital subscriber line (DSL)) or wireless (e.g., infrared, wireless, microwave, etc.) means. The computer-readable storage medium can be any available medium that can be accessed by a computer, or a data storage device, such as a server or a data center, that incorporates one or more of the available media. The usable medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., solid state disk (SSD)), among others.
The same and similar parts among the various embodiments of the present specification may be referred to one another, and each embodiment is described with emphasis on differences from the other embodiments. In particular, for system embodiments, since they are substantially similar to method embodiments, the description is relatively simple, and reference may be made to the description of the method embodiments for relevant points.
Those skilled in the art will readily appreciate that the techniques of the embodiments of the present invention may be implemented by software plus a required general purpose hardware platform. Based on such understanding, the technical solutions in the embodiments of the present invention, in essence or in the part contributing over the prior art, may be embodied in the form of a software product, which may be stored in a storage medium, such as a ROM/RAM, a magnetic disk, an optical disk, or the like, and which includes several instructions for enabling a computer device (which may be a personal computer, a server, or a network device) to execute the performance testing method in the embodiments or some portions thereof.

Claims (10)

1. A performance test method of a network security detection device, characterized in that the network security detection device is deployed in bypass mode in a test environment, the test environment comprises a first terminal device, a network device and a second terminal device, and the performance test method comprises the following steps:
generating a test file, wherein the test file comprises a virus sample file;
transmitting the test file from the first terminal device to the second terminal device by using the network device, generating mirrored traffic and sending the mirrored traffic to the network security detection device;
detecting the mirrored traffic of the network device by using the network security detection device to generate a detection log;
acquiring a transmitted file, wherein the transmitted file is a file received by the second terminal device;
judging whether the MD5 value of the transmitted file is equal to the MD5 value of the test file;
if the MD5 value of the transmitted file is equal to the MD5 value of the test file, judging whether the detection log comprises log information corresponding to the test file;
if the detection log comprises log information corresponding to the test file, acquiring a virus retention file from the detection log;
judging whether the MD5 value of the virus retention file is equal to the MD5 value of the virus sample file;
and if the MD5 value of the virus retention file is equal to the MD5 value of the virus sample file, outputting a test result as success.
2. The performance testing method of claim 1, further comprising:
if the MD5 value of the transmitted file is not equal to the MD5 value of the test file, incrementing an invalid count by one, wherein the initial value of the invalid count is zero;
judging whether the invalid count is smaller than a preset threshold value;
and if the invalid count is smaller than the preset threshold value, continuing to execute the step of generating the test file.
3. The performance testing method of claim 2, further comprising:
and if the invalid count is greater than or equal to the preset threshold value, outputting a test result as failure.
4. The performance testing method of claim 1, wherein the test files comprise a white list test file and a black list test file, wherein the white list test file and the black list test file both comprise a virus sample file, the file type of the black list test file is a preset type, and the file type of the white list test file is different from the preset type;
the network security detection device is configured to detect the preset type of file;
the step of judging whether the detection log comprises log information corresponding to the test file and, if so, acquiring a virus retention file from the detection log comprises:
judging whether the detection log comprises log information corresponding to the blacklist test file or not;
if the detection log comprises log information corresponding to the blacklist test file, judging whether the detection log comprises the log information corresponding to the whitelist test file;
and if the detection log does not comprise log information corresponding to the white list test file, acquiring a virus retention file from the detection log.
5. The performance testing method of claim 4, further comprising:
and if the detection log does not comprise the log information corresponding to the blacklist test file, outputting a test result as failure.
6. The performance testing method of claim 4, further comprising:
and if the detection log comprises log information corresponding to the white list test file, outputting a test result as failure.
7. The performance testing method of claim 1, further comprising:
and if the MD5 value of the virus retention file is not equal to the MD5 value of the virus sample file, outputting a test result as failure.
8. The performance testing method according to claim 1, wherein the first terminal device is a client, and the second terminal device is a server;
or,
the first terminal device is a server, and the second terminal device is a client.
9. A terminal device, comprising: at least one processor and a memory;
the memory is used for storing program instructions;
the processor is used for calling and executing the program instructions stored in the memory so as to enable the terminal device to execute the performance testing method of the network security detection equipment according to any one of claims 1-8.
10. A computer-readable storage medium, characterized in that,
the computer-readable storage medium has stored therein instructions that, when executed on a computer, cause the computer to execute the performance testing method of the network security detection apparatus according to any one of claims 1 to 8.
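
The decision flow of claims 1 to 7, sketched in Python as an added example that is not part of the patent text. The file names, the detection-log shape and the "inconclusive" result returned when the constructed rounds run out are assumptions; the sample bytes are a constructed, harmless stand-in for the virus sample file.

```python
import hashlib

# Constructed, harmless stand-in for the virus sample file.
SAMPLE = b"constructed stand-in for the virus sample file"

def md5(data: bytes) -> str:
    # MD5 serves only as the equality fingerprint the claims name.
    return hashlib.md5(data).hexdigest()

def make_round(corrupt=False, logged=("t.exe",), retained=SAMPLE):
    """One constructed observation: files sent, files received, detection log."""
    sent = {"t.exe": b"MZ" + SAMPLE, "t.txt": b"text:" + SAMPLE}
    received = {n: (d[:-1] if corrupt else d) for n, d in sent.items()}
    log = [{"file": n, "retained": retained} for n in logged]  # assumed log shape
    return {"black": "t.exe", "white": "t.txt", "sent": sent,
            "received": received, "log": log}

def judge(obs, sample):
    """Judge a round whose transfer was intact (claims 1 and 4 to 7)."""
    logged = {e["file"]: e for e in obs["log"]}
    if obs["black"] not in logged:                       # claim 5
        return "failure", "blacklist file not detected"
    if obs["white"] in logged:                           # claim 6
        return "failure", "whitelist file detected"
    if md5(logged[obs["black"]]["retained"]) != md5(sample):  # claim 7
        return "failure", "retained file differs from sample"
    return "success", "detected and retained intact"

def run_test(rounds, sample, threshold=3):
    """Consume rounds until one transfers intact or the invalid count reaches threshold."""
    invalid = 0                                          # claim 2: initial value zero
    for obs in rounds:
        intact = all(n in obs["received"] and md5(obs["received"][n]) == md5(d)
                     for n, d in obs["sent"].items())
        if intact:
            return judge(obs, sample)
        invalid += 1                                     # claim 2
        if invalid >= threshold:                         # claim 3
            return "failure", "transfer invalid %d times" % invalid
    return "inconclusive", "constructed rounds exhausted"  # assumption, not in the claims

if __name__ == "__main__":
    print(run_test([make_round(corrupt=True), make_round()], SAMPLE))
```

A corrupted transfer only increments the invalid count and triggers a new round, so a lossy test network is never reported as a detection miss; the device is judged only on rounds where the received files match what was sent.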
CN202211247644.1A 2022-10-12 2022-10-12 Performance test method of network security detection equipment Pending CN115622911A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211247644.1A CN115622911A (en) 2022-10-12 2022-10-12 Performance test method of network security detection equipment

Publications (1)

Publication Number Publication Date
CN115622911A true CN115622911A (en) 2023-01-17

Family

ID=84863195

Country Status (1)

Country Link
CN (1) CN115622911A (en)

Similar Documents

Publication Publication Date Title
US8844038B2 (en) Malware detection
KR20080026172A (en) Apparatus and methods for detection and management of unauthorized executable instructions on a wireless device
WO2015062541A1 (en) Cloud checking and killing method, device and system for combating anti-antivirus test
CN114222320A (en) Method, device, apparatus, storage medium, and program for testing communication device
CN113810408A (en) Network attack organization detection method, device, equipment and readable storage medium
CN117216772B (en) Fuzzy test case optimization method, device, equipment and readable medium
CN111224782B (en) Data verification method based on digital signature, intelligent device and storage medium
CN112769635B (en) Service identification method and device for multi-granularity feature analysis
CN112329024B (en) Vulnerability detection method and device
CN117499151A (en) Method and device for constructing network target range
CN115622911A (en) Performance test method of network security detection equipment
US11985149B1 (en) System and method for automated system for triage of cybersecurity threats
CN107959595B (en) Method, device and system for anomaly detection
CN112115060A (en) Audio test method and system based on terminal
CN111079140B (en) Method, device and system for preventing cheating
US8438637B1 (en) System, method, and computer program product for performing an analysis on a plurality of portions of potentially unwanted data each requested from a different device
CN115174245B (en) Test method and system based on DoIP protocol detection
CN113395235B (en) IoT system remote testing method, system and equipment
CN111259400B (en) Vulnerability detection method, device and system
CN114095412B (en) Safety equipment testing method and device, electronic equipment and storage medium
CN112948276A (en) Fuzzy test method and device and electronic equipment
US20060277270A1 (en) Record and playback of server conversations from a device
CN114285652B (en) Industrial protocol detection method and device, computer equipment and storage medium
CN115442226B (en) Log acquisition method, related device and storage medium
CN111475783A (en) Data detection method, system and equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination