CN116015889A - Data stream forwarding method, device, network equipment and storage medium - Google Patents


Info

Publication number: CN116015889A
Authority: CN (China)
Prior art keywords: data stream, data, message, forwarding, file
Legal status: Pending
Application number: CN202211691216.8A
Other languages: Chinese (zh)
Inventor: 刘胜超
Current Assignee: Maipu Communication Technology Co Ltd
Original Assignee: Maipu Communication Technology Co Ltd
Application filed by Maipu Communication Technology Co Ltd

Abstract

The embodiment of the invention provides a data flow forwarding method, a device, network equipment and a storage medium, which belong to the field of data security. When a forwarding module of the network equipment receives a data flow to be sent, the data flow is analyzed; if the data flow is found to carry file data, the file data is sent to a filtering module for virus detection, and the filtering module stores the obtained detection result in the session of the data flow. When a message of the data flow is identified as a key message, the forwarding module forwards or discards it according to the detection result of the data flow stored in the session. This realizes a parallel processing mechanism in which the forwarding module forwards the messages of the data flow while the filtering module performs virus detection on them, so that the forwarding performance of the network equipment is not influenced by the virus detection speed, and neither the real-time blocking of viruses nor the forwarding performance is reduced.

Description

Data stream forwarding method, device, network equipment and storage medium
Technical Field
The present invention relates to the field of data security, and in particular, to a data stream forwarding method, device, network equipment, and storage medium.
Background
The virus firewall performs real-time virus scanning on the files in a data transmission and responds to the data according to the policy corresponding to the scanning result, so as to prevent the transmission of the virus. Typically, antivirus filtering is required for each message. However, the types and the number of viruses are huge, so scanning consumes a great deal of performance, and the forwarding performance of the network equipment is seriously reduced when real-time filtering is performed.
Aiming at the problem of forwarding performance degradation of network equipment caused by virus scanning, the following methods are currently available: reducing the size of the virus library, and keeping only active viruses in the device's virus library by means of online upgrades of the library. However, neither of these two methods achieves both real-time blocking and undiminished forwarding performance.
Disclosure of Invention
Accordingly, the present invention is directed to a data stream forwarding method, apparatus, network device and storage medium, which can improve the problem that the forwarding performance of current network devices is reduced by virus scanning, so that viruses are blocked in real time without reducing the forwarding performance of the network device.
In order to achieve the above object, the technical scheme adopted by the embodiment of the invention is as follows:
in a first aspect, an embodiment of the present invention provides a data stream forwarding method, where the method includes:
when a data stream to be sent is received, the data stream is analyzed;
if the data stream is analyzed to have file data, virus detection is carried out on the file data, and the obtained detection result is stored in a session of the data stream;
and inquiring the detection result stored in the session of the data flow when the message of the data flow is identified as the key message, and forwarding or discarding the key message according to the inquired detection result.
Further, the step of parsing the data stream includes:
and carrying out protocol analysis on the data stream, and identifying whether the data stream transmits file data.
Further, the specific method for identifying the message in the data stream as the key message comprises the following steps:
carrying out protocol analysis on the received message of the data stream by adopting a deep packet detection technology to obtain characteristic information of the message of the data stream;
and judging whether the message of the data flow is a key message according to the characteristic information.
Further, the characteristic information comprises the size of a file to be transmitted, which is carried by the data stream before the file is transmitted;
the step of judging whether the message of the data stream is a key message according to the characteristic information comprises the following steps:
judging whether the data size of the file in the received data stream plus the data size of the file in the current message of the data stream is larger than or equal to the acquired file size, if so, the message of the data stream is a key message, and if not, the message of the data stream is not a key message.
Further, the characteristic information includes a specific field value of a message in the data stream;
the step of judging whether the data stream is a key message according to the characteristic information comprises the following steps:
judging whether the specific field value indicates the last protocol message, if so, the message of the data stream is not a key message, and if not, the message of the data stream is a key message.
Further, the step of performing virus detection on the file data and storing the obtained detection result in the session of the data stream includes:
decompressing the file data, and decoding the decompressed data to obtain file content data;
detecting the file content data by adopting a preset virus detection rule to obtain a detection result; wherein the detection result is one of: safe data, virus data, or in detection (detection still in progress);
and storing the identification corresponding to the detection result in the session of the data stream.
Further, the step of forwarding or discarding the key message according to the queried detection result includes:
if the detection result inquired from the session is virus data or in detection, discarding the key message;
and if the detection result inquired from the session is the safety data, forwarding the key message to the next-hop equipment.
In a second aspect, an embodiment of the present invention provides a data stream forwarding device, which is applied to a network device, where the data stream forwarding device includes a forwarding module and a filtering module;
the forwarding module is used for analyzing the data stream when receiving the data stream to be sent, and sending the file data to the filtering module if the file data exists in the data stream;
the filtering module is used for detecting viruses of the file data and storing the obtained detection result in the session of the data stream;
and the forwarding module is further configured to query the detection result stored in the session of the data flow when the packet of the data flow is identified as a key packet, and forward or discard the key packet according to the queried detection result.
In a third aspect, an embodiment of the present invention provides a network device, including a processor and a memory, where the memory stores machine executable instructions executable by the processor, the processor being capable of executing the machine executable instructions to implement the data stream forwarding method according to the first aspect.
In a fourth aspect, an embodiment of the present invention provides a storage medium having stored thereon a computer program which, when executed by a processor, implements a data stream forwarding method according to the first aspect.
According to the data flow forwarding method, the data flow forwarding device, the network equipment and the storage medium, when the network equipment receives any data flow to be sent, the data flow is analyzed; if the data flow is found to carry file data, virus detection is carried out on the file data and the obtained detection result is stored in a session of the data flow; when a message of the data flow is identified as a key message, the message is forwarded or discarded according to the detection result queried from the session. A parallel processing mechanism for forwarding the data flow and carrying out virus detection on it is thereby realized, the forwarding performance of the network equipment is not influenced by the virus detection speed, and neither the real-time blocking of viruses nor the forwarding performance is reduced.
In order to make the above objects, features and advantages of the present invention more comprehensible, preferred embodiments accompanied with figures are described in detail below.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings that are needed in the embodiments will be briefly described below, it being understood that the following drawings only illustrate some embodiments of the present invention and therefore should not be considered as limiting the scope, and other related drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 shows a block schematic diagram of a data flow forwarding system according to an embodiment of the present invention.
Fig. 2 shows one of flow diagrams of a data stream forwarding method according to an embodiment of the present invention.
Fig. 3 shows a schematic structural diagram of forwarding a router data stream according to an embodiment of the present invention.
Fig. 4 shows a second flowchart of a data stream forwarding method according to an embodiment of the present invention.
Fig. 5 shows a schematic flow chart of a partial sub-step of step S13 in fig. 2 or fig. 4.
Fig. 6 is a schematic block diagram of a data flow forwarding device according to an embodiment of the present invention.
Fig. 7 is a block schematic diagram of a network device according to an embodiment of the present invention.
Reference numerals: 100-a data stream forwarding system; 110-a network device; 120-a data stream forwarding device; 130-a forwarding module; 140-a filtering module.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. The components of the embodiments of the present invention generally described and illustrated in the figures herein may be arranged and designed in a wide variety of different configurations.
Thus, the following detailed description of the embodiments of the invention, as presented in the figures, is not intended to limit the scope of the invention, as claimed, but is merely representative of selected embodiments of the invention. All other embodiments, which can be made by a person skilled in the art without making any inventive effort, are intended to be within the scope of the present invention.
It is noted that relational terms such as "first" and "second", and the like, are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
For the problem of forwarding performance degradation of network devices due to virus scanning, the following improvement methods have been proposed at present: the virus library size is reduced, the virus library in the network equipment only contains active viruses by implementing online upgrade of the virus library, and the scanning process can be accelerated by reducing the virus library. However, the virus blocking effect in this way is poor, resulting in an effect that cannot be achieved with both the virus blocking and forwarding performance.
Based on the above consideration, the embodiment of the invention provides a data stream forwarding method, which can improve the problem that the forwarding performance of current network equipment is reduced by virus scanning, so that real-time blocking of viruses and undiminished forwarding performance, which previously could not both be achieved, are achieved at the same time. The data stream forwarding method will be described below.
The data stream forwarding method provided by the embodiment of the invention can be applied to the data stream forwarding system 100 shown in fig. 1, wherein the data stream forwarding system 100 comprises a plurality of network devices 110, and each network device 110 can be in communication connection with one or more network devices 110 through a network.
Wherein the network device 110 includes, but is not limited to: gateways, routers, switches, firewalls, and the like.
Each network device 110 may include a forwarding module and a filtering module, and under the synergistic effect of the forwarding module and the filtering module, the data stream forwarding method provided in the embodiment of the present invention may be implemented.
In a possible implementation manner, the embodiment of the present invention provides a data stream forwarding method, and referring to fig. 2, the method may include the following steps. In this embodiment, the data stream forwarding method is applied to one network device 110 in fig. 1 for illustration. For ease of distinction, in the following steps, the other network devices 110 are referred to as electronic devices.
S11, when the data stream to be sent is received, the data stream is analyzed.
It should be noted that, the data stream may be parsed to obtain file data, and there may be no file data. In one possible implementation, a deep packet inspection technique is used to perform protocol analysis on the data stream, so as to identify whether the data stream carries file data.
And S13, if the file data exists in the data stream, virus detection is carried out on the file data, and the obtained detection result is stored in the session of the data stream.
It should be noted that, a session of a data stream is created when a network device receives the data stream, and one data stream may have its unique corresponding session.
S15, when the message of the data flow is identified as the key message, inquiring the detection result stored in the session of the data flow, and forwarding or discarding the key message according to the inquired detection result.
Taking as an example that this method is applied to router B (which may include a forwarding module and a filtering module) in fig. 3, router A is an upstream device of router B, and router C and router D are downstream devices of router A. When router B receives the downlink data stream sent by router A, router B creates a session for the data stream; meanwhile, the forwarding module of router B analyzes the data stream, and if it recognizes that file data exists, it sends all the file data to the filtering module, the filtering module performs virus detection on the file data, and the detection result is stored in the session of the data stream.
When the forwarding module of the router B recognizes that the data stream has file data, but the message of the data stream is not recognized as a critical message, the forwarding module may directly forward the data stream to the router C or the router D (the router C or the router D may be a destination device of the data stream or may be merely an intermediate device).
When the forwarding module recognizes that file data exists in the data stream and a message of the data stream is recognized as a key message, the forwarding module queries a detection result of the data stream from a session of the data stream and forwards or discards the key message according to the detection result.
Compared with the traditional data stream virus detection and forwarding method, the data stream forwarding method provided by the embodiment of the invention realizes a parallel processing mechanism in which the messages of the data stream are forwarded while virus detection is carried out on them, so that the forwarding performance is not influenced by the virus detection speed, and neither the real-time blocking of viruses nor the forwarding performance is reduced.
Further, referring to fig. 4, the data stream forwarding method provided by the embodiment of the present invention may further include the following S12 and S14, and step S15 is performed after step S14.
S12, adopting a deep packet inspection technology to carry out protocol analysis on the received message of the data stream, and obtaining the characteristic information of the message of the data stream.
S14, judging whether the data stream is a key message according to the characteristic information.
By adopting the deep packet inspection technology, the message of the data stream is subjected to protocol analysis, and the characteristic information of the data stream can be extracted, so that whether the data stream is a key message can be determined according to the characteristic information.
In one possible implementation, the characteristic information may include a specific field value of a message in the data stream. At this time, step S14 may be further implemented as: judging whether the specific field value indicates the last protocol message, if so, the message of the data stream is not a key message, and if not, the message of the data stream is a key message.
For example, when the messages of the data stream use protocols such as HTTP or FTP, the above manner can be adopted to determine whether the messages of the data stream are key messages, because these protocols have fields or identifiers that represent the forwarding stage information of the messages.
When the protocol adopted by the data flow does not have a field or an identifier for representing the forwarding stage information of the message, the IP load limit of the last message is considered, so that the total load of the message is limited. Thus, in one possible implementation, the total number of bytes and the maximum payload value of the file data carried by the data stream are introduced. At this time, the characteristic information in step S12 may include the total number of bytes of the file data carried by the data stream.
The step S14 may be further implemented as: the data stream carries the size of the file to be transmitted before transmitting the file; judging whether the data size of the file in the received data stream plus the data size of the file in the current message of the data stream is larger than or equal to the acquired file size, if so, the message of the data stream is a key message, and if not, the message of the data stream is not a key message. The size of the file obtained here refers to the size of the file to be transmitted carried by the data stream before the file is transmitted.
In other embodiments, the destination address of the data flow may be resolved, so that the number of times of forwarding that the destination device corresponding to the destination address from the current network device needs to undergo may be determined according to the address and the destination address of the current network device and the forwarding table stored on the current network device, and further, whether the data flow is a protocol packet may be determined according to the number of times of forwarding.
Through the steps S12, S14 and further embodiments thereof, it can be quickly determined whether the data stream is a critical message.
If the message of the data stream is identified not to be the key message, the network device can directly forward the message in the data stream to the next-hop device, and then complete a confirmation mechanism of the message with the next-hop device when the detection result in the session of the data stream is the safety data, otherwise, do not perform the confirmation mechanism of the message with the next-hop device. And the next-hop equipment discards the received message when receiving the message but not receiving corresponding response information of the acknowledgement mechanism. Therefore, the data security in the forwarding process can also be improved.
In the data stream forwarding method provided in this embodiment, when a received packet of a data stream is not a key packet, the data stream is immediately forwarded, and when the received packet of the data stream is a key packet, forwarding or discarding is performed according to a detection result stored in a session of the data stream. Because most of data flows in the forwarding flow are non-critical messages, only a few critical messages need to be forwarded after the detection result of virus detection is obtained, and therefore the forwarding flow is not affected by the virus detection process basically, a parallel mechanism is realized, and forwarding performance can be improved greatly.
In step S11, the manner of analyzing the data stream may be flexibly set, for example, fitting analysis may be performed using a neural network, analysis may be performed according to a set rule, and identification may be performed by using a deep packet inspection technique, which is not particularly limited in this embodiment.
Further, in step S13, the manner of detecting the virus of the file data may be flexibly selected, for example, a hash algorithm may be used for detection, machine learning may be used for detection, and detection may be performed according to a preset rule, which is not particularly limited in this embodiment.
In a possible embodiment, referring to fig. 5, the above step S13 may be further implemented as the following steps.
S131, decompressing the file data, and decoding the decompressed data to obtain the file content data.
S132, detecting file content data by adopting a preset virus detection rule to obtain a detection result.
It should be noted that the detection result is one of safe data, virus data, or in detection; that is, the detection result states whether the file data is safe data, whether it is virus data, or whether detection is still in progress. Virus detection rules include, but are not limited to: keyword matching, file name matching and hash calculation.
And S133, storing the identification corresponding to the detection result in the session of the data stream.
The corresponding relation can be expressed as a two-tuple, a five-tuple or a key-value pair.
For example, the network device may store in advance the feature information, such as file names, keywords and feature fields, of all identified network viruses, so that after the file content data of the file data is parsed, the file content data is matched against the feature information of each network virus; if the file content data matches the feature information of a network virus, it may be determined that the file data is virus data, and the virus type may also be determined.
After the detection result is obtained, the data stream belonging to the key message to be controlled can be forwarded or discarded according to the processing strategy corresponding to the detection result.
The setting of the processing policy may be flexibly set, for example, discarding the virus data, forwarding the security data, or deleting the virus data and then forwarding the security data.
In one possible implementation, the processing strategy may be: discarding the virus data and forwarding the security data, that is, the manner of forwarding or discarding the key message in step S15 may be further implemented as follows: if the detection result inquired from the session is virus data or in detection, discarding the key message; and if the detection result inquired from the session is the safety data, forwarding the key message to the next hop device.
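The decision loop of steps S11 to S15, with the byte-count key-message rule of S14, a keyword-matching filter standing in for S131 to S133, and the "discard on virus or in detection, forward on safe" policy just described, as a constructed Python simulation; this is an added example, not code from the patent or from Maipu, and all class, function and field names, the sample file contents and the `CONSTRUCTED-BAD-MARKER` signature are assumptions. The `filter_keeps_up` knob is also an assumption used only to show both outcomes for the key packet: the filter finishing in time versus still being in detection.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional


class Verdict(Enum):
    PENDING = "in detection"   # filter has not finished scanning the file yet
    SAFE = "security data"
    VIRUS = "virus data"


@dataclass
class Packet:
    flow_id: str                         # stands in for the flow's 5-tuple
    payload: bytes = b""
    is_file_data: bool = False           # result of protocol parsing (S11)
    declared_size: Optional[int] = None  # file size announced before the body


@dataclass
class Session:
    """One session per flow; the filter publishes its verdict here (S133)."""
    declared_size: Optional[int] = None
    received_file_bytes: int = 0                               # file bytes seen
    pending_chunks: List[bytes] = field(default_factory=list)  # handed to filter
    scanned: bytes = b""                                       # what filter saw
    verdict: Verdict = Verdict.PENDING


# Constructed signature for the keyword-matching rule (S132); an assumption.
VIRUS_SIGNATURES = [b"CONSTRUCTED-BAD-MARKER"]


class FilteringModule:
    """Scans file data independently of forwarding; only writes the session."""

    def drain(self, s: Session) -> Verdict:
        # S131 would decompress/decode each chunk; the constructed sample is raw.
        while s.pending_chunks:
            s.scanned += s.pending_chunks.pop(0)
        if any(sig in s.scanned for sig in VIRUS_SIGNATURES):
            s.verdict = Verdict.VIRUS
        elif s.declared_size is not None and len(s.scanned) >= s.declared_size:
            s.verdict = Verdict.SAFE     # whole announced file scanned, no hit
        else:
            s.verdict = Verdict.PENDING  # file not fully scanned yet
        return s.verdict


class ForwardingModule:
    def __init__(self, filt: FilteringModule, filter_keeps_up: bool) -> None:
        self.filter = filt
        # Simulation knob (assumption): True = the parallel scan finishes before
        # the key packet is decided; False = the filter lags behind forwarding.
        self.filter_keeps_up = filter_keeps_up
        self.sessions: Dict[str, Session] = {}
        self.log: List[str] = []

    def session_for(self, pkt: Packet) -> Session:
        s = self.sessions.setdefault(pkt.flow_id, Session())  # created on first packet
        if pkt.declared_size is not None:
            s.declared_size = pkt.declared_size
        return s

    def is_key_packet(self, s: Session, pkt: Packet) -> bool:
        # S14 byte-count rule: file bytes already received plus this packet's
        # file bytes reaching the announced size marks the packet that
        # completes the file.
        if not pkt.is_file_data or s.declared_size is None:
            return False
        return s.received_file_bytes + len(pkt.payload) >= s.declared_size

    def handle(self, pkt: Packet) -> str:
        s = self.session_for(pkt)
        key = self.is_key_packet(s, pkt)
        if pkt.is_file_data:
            s.pending_chunks.append(pkt.payload)   # S13: hand file data to filter
            s.received_file_bytes += len(pkt.payload)
            if self.filter_keeps_up:
                self.filter.drain(s)               # parallel scan completes in time
        if not key:
            action = "forward"                     # non-key packets never wait
        elif s.verdict is Verdict.SAFE:
            action = "forward"                     # S15: safe -> forward key packet
        else:
            action = "drop"                        # S15: virus or still in detection
        kind = "key" if key else "non-key"
        self.log.append(f"{pkt.flow_id} {kind} -> {action} ({s.verdict.value})")
        return action


def run_transfer(content: bytes, chunk: int, filter_keeps_up: bool) -> List[str]:
    """Announce the size, then send `content` in `chunk`-byte packets on one
    flow. Returns the forwarding decision for every packet, control packet first."""
    fwd = ForwardingModule(FilteringModule(), filter_keeps_up)
    actions = [fwd.handle(Packet("flow-A", b"", False, len(content)))]
    for i in range(0, len(content), chunk):
        actions.append(fwd.handle(Packet("flow-A", content[i:i + chunk], True)))
    return actions


if __name__ == "__main__":
    # Constructed sample transfers: a clean file with a fast and a slow filter,
    # and a file carrying the constructed signature.
    print(run_transfer(b"hello world, nothing to see here", 10, True))
    print(run_transfer(b"hello world, nothing to see here", 10, False))
    print(run_transfer(b"prefix CONSTRUCTED-BAD-MARKER suffix", 8, True))
```

Note that the packets preceding the key packet are forwarded in every case, including the infected one; blocking the key packet leaves the receiver with an incomplete file, which is the real-time blocking the method relies on.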
Further, the detection result may further include a virus type, and the network device may store a searching and killing policy corresponding to the virus type, and when determining that the detection result is virus data, may call the searching and killing policy corresponding to the virus type, search and kill the data stream, delete the virus data, and forward the data stream to the next device.
It should be appreciated that the above-described manner of searching and killing a data stream can only be employed if both safe data and virus data are present in the data stream.
It should be noted that, according to actual requirements, the filtering module can adopt more flexible filtering means, and support an oversized virus library and richer functions, without needing to consider the impact on forwarding performance.
In the data flow forwarding method provided by the embodiment of the invention, the forwarding module can block viruses in real time through the identification and blocking of the key messages, and the forwarding module and the filtering module are processed in parallel to realize decoupling, so that the performance of the forwarding module is not influenced by the filtering speed of the filtering module. In addition, the filtering module can perform virus filtering more finely and comprehensively, and the forwarding performance of the forwarding module is not affected.
In addition, the application range of the data flow forwarding method provided by the embodiment of the invention is wider, and the method can be deployed in network equipment (virtual equipment and entity equipment) such as a firewall, a gateway and a router.
Based on the same inventive concept as the above-mentioned data stream forwarding method, in a possible implementation manner, the embodiment of the present invention further provides a data stream forwarding device 120, which may be applied to any network device 110 in fig. 1. Referring to fig. 6, the network device 110 may include a forwarding module 130 and a filtering module 140.
And the forwarding module 130 is configured to parse the data stream when receiving the data stream to be sent, and send the file data to the filtering module if the parsed data stream has the file data.
And the filtering module 140 is used for detecting viruses of the file data and storing the detection result in the session of the data stream.
And the forwarding module 130 is further configured to query a detection result stored in the session of the data flow when the packet of the data flow is identified as the key packet, and forward or discard the key packet according to the queried detection result.
Further, the forwarding module 130 may be further configured to: carrying out protocol analysis on the received message of the data stream by adopting a deep packet detection technology to acquire the characteristic information of the message of the data stream; and judging whether the message of the data stream is a key message according to the characteristic information.
Further, the forwarding module 130 may include a first identification unit and a second identification unit.
The first identifying unit is configured to determine whether the data size of the file already received in the data stream plus the data size of the file in the current packet of the data stream is greater than or equal to the acquired size of the file; if yes, the packet of the data stream is a key packet, and if no, the packet of the data stream is not a key packet.
The data stream carries the size of the file to be transmitted before the file is transferred.
And the second identification unit is used for judging whether the specific field value indicates the last protocol message, if so, the data stream is not a key message, and if not, the data stream is a key message.
In the above data stream forwarding device 120, a parallel processing mechanism of forwarding the data stream by the forwarding module 130 and performing virus detection on the data stream by the filtering module 140 is implemented by the cooperation of the forwarding module 130 and the filtering module 140, so that the forwarding performance of the network device 110 is not affected by the virus detection speed, and thus, the real-time blocking and forwarding performance of the virus can be simultaneously considered.
For specific limitation of the data stream forwarding device 120, reference may be made to limitation of the above data stream forwarding method, and details are not repeated herein, and each module in the above data stream forwarding device 120 may be implemented in whole or in part by software, hardware, and a combination thereof. The above modules may be embedded in hardware or independent of a processor in the electronic device, or may be stored in software in a memory of the electronic device, so that the processor may call and execute operations corresponding to the above modules.
In one embodiment, a network device 110 is provided, the internal structure of which may be as shown in FIG. 7. The network device 110 includes a processor, memory, communication interface, display screen and input means connected by a system bus. The processor of the network device 110 is configured to provide computing and control capabilities. The memory of the network device 110 includes a non-volatile storage medium and internal memory. The non-volatile storage medium stores an operating system and a computer program. The internal memory provides an environment for the operation of the operating system and the computer program in the non-volatile storage medium. The communication interface of the network device 110 is used for performing wired or wireless communication with an external terminal, where the wireless communication may be implemented through Wi-Fi, an operator network, Near Field Communication (NFC), or other technologies. The computer program, when executed by the processor, implements the data stream forwarding method provided in the above embodiment.
The architecture shown in fig. 7 is merely a block diagram of a portion of the architecture associated with the inventive arrangements and is not limiting of the network device 110 to which the inventive arrangements are applied, and a particular network device 110 may include more or fewer components than shown in fig. 7, or may combine certain components, or have a different arrangement of components.
In one embodiment, the data stream forwarding device 120 provided by the present invention may be implemented as a computer program, which may run on the network device 110 as shown in fig. 7. The memory of the network device 110 may store various program modules constituting the data stream forwarding device 120, such as the forwarding module 130 and the filtering module 140 in fig. 6, where a computer program constituted by the various program modules causes a processor to execute the steps in the data stream forwarding method described in the present specification.
For example, the network device 110 shown in fig. 7 may perform step S11 through the forwarding module 130 in fig. 6. The network device 110 may perform step S13 through the filtering module 140. The network device 110 may perform step S15 through the forwarding module 130. The network device 110 may also perform steps S12 and S14 through the forwarding module 130.
In one embodiment, a network device 110 is provided that includes a memory storing machine-executable instructions and a processor that, when executing the instructions, performs the following steps: when a data stream to be sent is received, the data stream is analyzed; if the data stream is analyzed to have file data, virus detection is carried out on the file data, and the obtained detection result is stored in a session of the data stream; and when the message of the data stream is identified as the key message, inquiring the detection result stored in the session of the data stream, and forwarding or discarding the key message according to the inquired detection result.
In one embodiment, a storage medium having a computer program stored thereon is provided, which when executed by a processor, performs the steps of: when a data stream to be sent is received, the data stream is analyzed; if the data stream is analyzed to have file data, virus detection is carried out on the file data, and the obtained detection result is stored in a session of the data stream; and when the message of the data stream is identified as the key message, inquiring the detection result stored in the session of the data stream, and forwarding or discarding the key message according to the inquired detection result.
In the several embodiments provided in this application, it should be understood that the disclosed apparatus and method may be implemented in other manners as well. The apparatus embodiments described above are merely illustrative. For example, the flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or by combinations of special purpose hardware and computer instructions.
In addition, functional modules in the embodiments of the present invention may be integrated together to form a single part, or each module may exist alone, or two or more modules may be integrated to form a single part.
The functions, if implemented in the form of software functional modules and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied essentially, or in the part contributing to the prior art, or in part, in the form of a software product stored in a storage medium, comprising several instructions for causing a computer device (which may be a personal computer, a server, or a network device 110, etc.) to perform all or part of the steps of the method according to the embodiments of the present invention. The aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, an optical disk, or other media capable of storing program code.
The above description is only of the preferred embodiments of the present invention and is not intended to limit the present invention, but various modifications and variations can be made to the present invention by those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (10)

1. A data stream forwarding method, applied to a network device, the method comprising:
when a data stream to be sent is received, the data stream is analyzed;
if the data stream is analyzed to have file data, virus detection is carried out on the file data, and the obtained detection result is stored in a session of the data stream;
and inquiring the detection result stored in the session of the data flow when the message of the data flow is identified as the key message, and forwarding or discarding the key message according to the inquired detection result.
2. The data stream forwarding method of claim 1 wherein the step of parsing the data stream comprises:
and carrying out protocol analysis on the data stream, and identifying whether the data stream transmits file data.
3. The data stream forwarding method according to claim 1, wherein the specific method for identifying the message in the data stream as a critical message comprises:
carrying out protocol analysis on the received message of the data stream by adopting a deep packet detection technology to obtain characteristic information of the message of the data stream;
and judging whether the message of the data flow is a key message according to the characteristic information.
4. A data stream forwarding method according to claim 3 wherein the characteristic information comprises a size of a file to be transmitted carried by the data stream before the file is transmitted;
the step of judging whether the message of the data stream is a key message according to the characteristic information comprises the following steps:
judging whether the data size of the file in the received data stream plus the data size of the file in the current message of the data stream is larger than or equal to the acquired file size, if so, the message of the data stream is a key message, and if not, the message of the data stream is not a key message.
5. A data stream forwarding method according to claim 3 wherein the characteristic information comprises a specific field value of a message in the data stream;
the step of judging whether the message of the data stream is a key message according to the characteristic information comprises the following steps:
judging whether the specific field value indicates the last protocol message, if so, the message of the data stream is not a key message, and if not, the message of the data stream is a key message.
6. The data stream forwarding method according to any one of claims 1 to 5, wherein the step of performing virus detection on the file data and storing the obtained detection result in a session of the data stream comprises:
decompressing the file data, and decoding the decompressed data to obtain file content data;
detecting the file content data by adopting a preset virus detection rule to obtain a detection result; wherein the detection result is one of: safe data, virus data, or detection in progress;
and storing the identification corresponding to the detection result in the session of the data stream.
7. The method for forwarding a data stream according to any one of claims 1 to 5, wherein the step of forwarding or discarding the critical message according to the queried detection result includes:
if the detection result inquired from the session is virus data or detection in progress, discarding the key message;
and if the detection result inquired from the session is safe data, forwarding the key message to the next-hop device.
8. A data stream forwarding device, applied to a network device, comprising a forwarding module and a filtering module;
the forwarding module is used for analyzing the data stream when receiving the data stream to be sent, and sending the file data to the filtering module if the file data exists in the data stream;
the filtering module is used for detecting viruses of the file data and storing the obtained detection result in the session of the data stream;
and the forwarding module is further configured to query the detection result stored in the session of the data stream when the message of the data stream is identified as a key message, and to forward or discard the key message according to the queried detection result.
9. A network device comprising a processor and a memory, the memory storing machine executable instructions executable by the processor to implement the data stream forwarding method of any of claims 1 to 7.
10. A storage medium having stored thereon a computer program which, when executed by a processor, implements the data stream forwarding method according to any of claims 1 to 7.
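The following Python model is an added illustration of the forwarding/filtering split in claims 1, 4, 6 and 7 (and the method restated in the device and storage-medium embodiments above); it is not code from the patent or from Maipu. It assumes a constructed signature list standing in for the "preset virus detection rule", a simple chunking driver in place of real protocol parsing, and that a discarded key message is retransmitted by the sender and judged again once the filtering module has stored its verdict.

```python
from dataclasses import dataclass, field
from enum import Enum

class Verdict(Enum):
    DETECTING = "detecting"   # filtering module has not finished yet
    SAFE = "safe"
    VIRUS = "virus"

@dataclass
class Session:
    """Per-flow state shared by the forwarding and filtering modules."""
    file_size: int                      # file size announced before the body (claim 4)
    received: int = 0                   # file bytes already seen by the forwarding module
    verdict: Verdict = Verdict.DETECTING
    pending: bytearray = field(default_factory=bytearray)  # file data handed to the filter

# Constructed stand-in for the patent's "preset virus detection rule" (assumption).
SIGNATURES = (b"BAD-SIGNATURE",)

def filter_module_scan(session: Session) -> Verdict:
    """Filtering module: scan queued file data and store the verdict in the session."""
    data = bytes(session.pending)
    session.verdict = Verdict.VIRUS if any(s in data for s in SIGNATURES) else Verdict.SAFE
    return session.verdict

def is_key_message(session: Session, payload: bytes) -> bool:
    """Claim 4: the message that completes the announced file size is the key message."""
    return session.received + len(payload) >= session.file_size

def forwarding_module(session: Session, payload: bytes) -> str:
    """Forwarding module: 'forward' or 'discard' one message, never blocking on the filter."""
    if session.verdict is Verdict.DETECTING:
        session.pending += payload      # feed the filter only while detection is running
    key = is_key_message(session, payload)
    session.received += len(payload)    # retransmissions are counted again (no reassembly)
    if not key:
        return "forward"                # non-key messages pass through unblocked
    # Claim 7: only SAFE releases the key message; VIRUS and a still-running
    # detection both discard it, so a complete unscanned file never reaches the receiver.
    return "forward" if session.verdict is Verdict.SAFE else "discard"

def simulate(file_bytes: bytes, mtu: int) -> list:
    """Constructed driver: key message arrives before the scan ends, then is retransmitted."""
    session = Session(file_size=len(file_bytes))
    msgs = [file_bytes[i:i + mtu] for i in range(0, len(file_bytes), mtu)]
    decisions = [forwarding_module(session, m) for m in msgs]   # last one is discarded
    filter_module_scan(session)                                  # filter catches up
    decisions.append(forwarding_module(session, msgs[-1]))       # retransmitted key message
    return decisions
```

The first pass of the key message is always discarded while the verdict is still "detecting", which is the fail-closed behaviour claim 7 specifies; the retransmitted copy is then released or dropped on the stored verdict.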
CN202211691216.8A 2022-12-27 2022-12-27 Data stream forwarding method, device, network equipment and storage medium Pending CN116015889A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211691216.8A CN116015889A (en) 2022-12-27 2022-12-27 Data stream forwarding method, device, network equipment and storage medium

Publications (1)

Publication Number Publication Date
CN116015889A true CN116015889A (en) 2023-04-25

Family

ID=86031229

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211691216.8A Pending CN116015889A (en) 2022-12-27 2022-12-27 Data stream forwarding method, device, network equipment and storage medium

Country Status (1)

Country Link
CN (1) CN116015889A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116781422A (en) * 2023-08-18 2023-09-19 长扬科技(北京)股份有限公司 Network virus filtering method, device, equipment and medium based on DPDK
CN116781422B (en) * 2023-08-18 2023-10-27 长扬科技(北京)股份有限公司 Network virus filtering method, device, equipment and medium based on DPDK

Legal Events

Date Code Title Description
PB01 Publication