CN116506422A - File identification method, device, equipment and medium based on breakpoint continuous transmission - Google Patents


Info

Publication number: CN116506422A
Authority: CN (China)
Prior art keywords: file, identified, server, message, header
Legal status: Pending
Application number: CN202310423562.6A
Other languages: Chinese (zh)
Inventor: 任丹丹
Current Assignee: New H3C Security Technologies Co Ltd
Original Assignee: New H3C Security Technologies Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/06 Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/145 Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application provides a file identification method, device, equipment and medium based on breakpoint continuous transmission, which are applied to network security equipment. When implementing the method, the network security equipment obtains a service message of a file to be identified, which is sent by a client; if the file to be identified is confirmed, according to the service message, to be a file of breakpoint continuous transmission, it constructs a file header request message; sends the file header request message to a server; receives a response result sent by the server; and, if the response result comprises the requested file header, carries out identification processing on the file to be identified according to the file header so as to identify whether viruses exist in the file to be identified. In this way, accurate virus identification of a file that is transmitted by breakpoint continuous transmission is realized, and excessive consumption of resources is avoided.

Description

File identification method, device, equipment and medium based on breakpoint continuous transmission
Technical Field
The present disclosure relates to the field of data processing technologies, and in particular, to a method, an apparatus, a device, and a medium for identifying a file based on breakpoint continuous transmission.
Background
A user sometimes needs several hours to upload or download a file. If the line is interrupted, an HTTP/FTP server or download software without breakpoint resume can only retransmit from the beginning, wasting time and resources. The breakpoint resume function solves this problem. Breakpoint resume restarts the download or upload from the place where the file transfer was last interrupted. To implement it, the client must record the current download or upload progress and, when resuming, notify the server of the content segment that needs to be downloaded or uploaded this time.
Breakpoint resume makes identifying the partial file more difficult, because the upload or download may start from the middle of the file rather than from the file header. Current file identification methods include feature-string-based identification, full-text hash identification and the like, but all of them need the file header of the file when performing virus identification, so they cannot effectively identify whether a file transferred by breakpoint resume contains a virus.
In current virus identification for breakpoint resume, the data transmitted before blocking and the data transmitted by the resume belong to two separate data streams, and because the session information from before the blocking has been deleted, the corresponding file information cannot be obtained when the subsequent data is processed. However, when a file is downloaded by breakpoint resume, the file name is unchanged and the corresponding URL is the same. The blocking action information obtained when the file was processed can therefore be recorded in a linked list, keyed by the file name or URL; the traffic of a subsequent breakpoint resume is then matched against the information recorded in the linked list using that key and, if it matches, is blocked directly. With this method, however, a lot of information may be recorded when the file is relatively large, which consumes resources, and the recorded information also requires an aging mechanism; if the breakpoint resume is initiated after the information recorded by the device has aged out, the virus may escape.
Therefore, how to accurately identify viruses in files transferred by breakpoint resume while avoiding excessive consumption of resources is one of the technical problems worth considering.
Disclosure of Invention
In view of this, the present application provides a method, apparatus, device and medium for identifying files based on breakpoint resume, which are used to accurately identify viruses for files with breakpoint resume, so as to avoid excessive consumption of resources.
Specifically, the application is realized by the following technical scheme:
according to a first aspect of the present application, a method for identifying a file based on breakpoint continuous transmission is provided, and the method is applied to a network security device, and includes:
acquiring a service message of a file to be identified, which is sent by a client;
if the file to be identified is confirmed to be the file of breakpoint continuous transmission according to the service message, constructing a file header request message;
sending the file header request message to a server;
receiving a response result sent by the server;
and if the response result comprises the requested file header, carrying out identification processing on the file to be identified according to the file header so as to identify whether viruses exist in the file to be identified.
According to a second aspect of the present application, there is provided a file identification device based on breakpoint continuous transmission, which is disposed in a network security device, and the device includes:
the acquisition module is used for acquiring a service message of a file to be identified, which is sent by the client;
the construction module is used for constructing a file header request message if the file to be identified is confirmed to be a file with breakpoint continuous transmission according to the service message;
the sending module is used for sending the file header request message to a server;
the receiving module is used for receiving a response result sent by the server;
and the identification module is used for carrying out identification processing on the file to be identified according to the file header if the response result comprises the requested file header so as to identify whether viruses exist in the file to be identified.
According to a third aspect of the present application there is provided a network security device comprising a processor and a machine-readable storage medium storing a computer program executable by the processor, the processor being caused by the computer program to perform the method provided by the first aspect of the embodiments of the present application.
According to a fourth aspect of the present application there is provided a machine-readable storage medium storing a computer program which, when invoked and executed by a processor, causes the processor to perform the method provided by the first aspect of the embodiments of the present application.
The beneficial effects of the embodiment of the application are that:
With the file identification method, device, equipment and medium based on breakpoint continuous transmission, a service message of a file to be identified, sent by a client, is acquired; if the file to be identified is confirmed, according to the service message, to be a file of breakpoint continuous transmission, a file header request message is constructed; the file header request message is sent to a server; a response result sent by the server is received; and if the response result includes the requested file header, the file to be identified is identified according to the file header so as to identify whether viruses exist in it. Because virus identification only needs the acquired file header, the network security equipment can determine whether a file to be identified that is transferred by breakpoint continuous transmission is a virus file, processing resources of the network security equipment are saved, and the situation in which a file transferred by breakpoint continuous transmission evades detection is avoided.
Drawings
Fig. 1 is a schematic flow chart of a file identification method based on breakpoint continuous transmission according to an embodiment of the present application;
Fig. 2 is an application scenario schematic diagram of a file identification method based on breakpoint continuous transmission provided in an embodiment of the present application;
Fig. 3 is a schematic structural diagram of a file identification device based on breakpoint continuous transmission according to an embodiment of the present application;
Fig. 4 is a schematic hardware structure diagram of a network security device implementing a file identification method based on breakpoint continuous transmission according to an embodiment of the present application.
Detailed Description
Reference will now be made in detail to exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, the same numbers in different drawings refer to the same or similar elements, unless otherwise indicated. The implementations described in the following exemplary examples are not representative of all implementations consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with aspects as described herein.
The terminology used in the present application is for the purpose of describing particular embodiments only and is not intended to be limiting of the present application. As used in this application, the singular forms "a", "an" and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will also be understood that the term "and/or" as used herein refers to and encompasses any or all possible combinations of one or more of the corresponding listed items.
It should be understood that although the terms first, second, third, etc. may be used herein to describe various information, the information should not be limited by these terms. These terms are only used to distinguish one type of information from another. For example, a first message may also be referred to as a second message, and similarly, a second message may also be referred to as a first message, without departing from the scope of the present application. The word "if" as used herein may be interpreted as "upon …" or "when …" or "responsive to a determination", depending on the context.
The file identification method based on breakpoint continuous transmission provided by the application is described in detail below.
Referring to fig. 1, fig. 1 is a flowchart of a file identification method based on breakpoint continuous transmission, which is provided in the present application, and the method may be applied to a network security device, where the network security device may be, but is not limited to, a security device such as a firewall that needs to perform virus identification. The network security appliance, when implementing the method, may include the following steps:
S101, acquiring a service message of a file to be identified, which is sent by a client.
In this step, the service requested by the service message may depend on the source of the file to be identified. For example, the service message may be an upload request message of an upload service for uploading a file to the server, or a file request message of a download service for downloading a file from the server, or the like. To ensure the safety of the equipment in the network, the network security device can capture the service messages on which the security protection function needs to be executed. When the network security device sits between the client and the server, messages sent by the client to the server, and messages returned by the server to the client, pass through the network security device; therefore, when the client sends the service message of the file to be identified to the server, the network security device can receive it. In another embodiment, the network security device is not an intermediate device between the client and the server but an externally connected device, and it may capture a service message sent by the client to the server.
S102, if the file to be identified is confirmed to be a file of breakpoint continuous transmission according to the service message, constructing a file header request message.
In this step, because the present application identifies whether a file transferred by breakpoint resume contains a virus, after the service message is received it is determined, based on the service message, whether the file to be identified is a file transferred by breakpoint resume. When it is confirmed that the file to be identified is such a file, the service message is not forwarded for the time being, and the method provided in the subsequent steps of this embodiment is executed to identify whether the file to be identified contains a virus.
Specifically, every service message of a file to be identified that is transferred by breakpoint resume carries the same identifier, which characterizes the same file to be identified. For example, each service message carries identification information representing the file to be identified. After the network security device receives the service message, it can parse the identification information (for example, a file name or a unique identifier randomly allocated to the file to be identified) from the service message and then check whether it is consistent with the identification information of other service messages identified before. When it is consistent, the device confirms that the file to be identified corresponding to the service message received this time is a file based on breakpoint resume, that is, the file to be identified is not a complete file, but a part of the file which was not uploaded before.
On this basis, to identify whether the currently acquired file to be identified, which is based on breakpoint resume, contains a virus, the network security device may construct a file header request message to request the file header of the file to be identified. For example, the file header request message may carry the identification information, to indicate that it requests the file header of the file with that identification information, that is, the file header belonging to the same file.
It should be noted that the file header is generally within the first 2000 bytes of the file, so the file header request message constructed as described above may have the following format:
GET /test.zip HTTP/1.0
User-Agent: NetFox
RANGE: bytes=0-2000
…………
S103, sending the file header request message to a server.
In this step, after constructing the file header request message, the network security device may send it to the server to request the file header, stored in the server, of the file to which the file to be identified belongs. After receiving the file header request message, the server can obtain the identification information carried in it, then find, among the service messages held by the server, the one that contains both the identification information and the file header, and parse the file header from that service message. In general, the file header is carried in the first several service messages of the file, so the service messages containing the identification information can be identified first, then the service messages with the earliest sequence numbers are searched, and the file header is parsed from the corresponding service message.
S104, receiving a response result sent by the server.
In this step, after the server parses the file header, it can carry the file header in a response result and feed it back to the network security device. When the server does not find the corresponding file header, it may not respond to the network security device, or the response result may carry indication information that the requested file header was not found.
S105, if the response result comprises the requested file header, identifying the file to be identified according to the file header so as to identify whether viruses exist in the file to be identified.
In this step, after receiving the response result, the network security device may determine whether the response result carries the requested file header. When it does, the network security device may perform virus identification processing on the file to be identified according to the file header, to identify whether the file to be identified contains a virus. When a virus is identified in the file to be identified, the network security device can discard the file to be identified to ensure the security of the equipment in the network; when no virus is identified, the service message may be forwarded to the server so that the server processes it accordingly, for example by feeding back the requested file data to the client.
Optionally, hash calculation can be performed on the file header to obtain a hash value corresponding to the file header; comparing the hash value with a virus hash feature library, and when the virus hash feature library contains the hash value of the file header, indicating that the file to be identified has viruses; and when the virus hash characteristic library does not contain the hash value of the file header, indicating that the file to be identified is not a virus file. It should be noted that, each hash value in the virus hash feature library is obtained by performing hash calculation based on the file header of the confirmed file with the corresponding virus. The virus hash feature library can be dynamically updated, and when a new virus is found, a hash value corresponding to the new virus can be calculated and updated into the virus hash feature library, so that the quick identification of the virus is ensured.
By implementing the file identification method based on breakpoint continuous transmission, a service message of a file to be identified, sent by a client, is acquired; if the file to be identified is confirmed, according to the service message, to be a file of breakpoint continuous transmission, a file header request message is constructed; the file header request message is sent to a server; a response result sent by the server is received; and if the response result includes the requested file header, the file to be identified is identified according to the file header so as to identify whether viruses exist in it. Therefore, the network security equipment can determine whether a file to be identified that is transferred by breakpoint continuous transmission is a virus file, and the situation in which a file transferred by breakpoint continuous transmission evades detection is avoided.
Optionally, the file to be identified may be, but is not limited to, a PE file under a Windows operating system. The PE file may be an executable file, and the file header of the PE file includes an image file header and an optional image header. On this basis, when the file to be identified that is transferred by breakpoint resume is identified based on the file header, hash calculation can be performed on the image file header and the optional image header in the file header to obtain a target hash value. The target hash value is then matched against the hash values in the virus hash library, and when the target hash value is found in the virus hash library, the file to be identified is confirmed to be a virus file. Each hash value in the virus hash feature library is obtained by performing hash calculation on the image file header and the optional image header in the file header of a file confirmed to carry the corresponding virus. The virus hash feature library is dynamically updated; for example, when a virus is newly added, the hash value corresponding to the virus can be calculated by the above method and then added to the virus hash feature library. In addition, the virus hash feature library may include a correspondence between viruses and hash values, so that when a hash value consistent with the target hash value is identified, the corresponding virus can be output based on the correspondence.
Alternatively, based on the above embodiment, the first agent and the second agent may be provided in the network security device in the present embodiment. On the basis, the first agent may execute step S101, and the second agent executes steps S102 to S105, that is, the first agent simulates the function of the server, to obtain the service message of the file to be identified sent by the client. In addition, the first agent can perform identification processing on the service message to identify whether the file to be identified is a file with breakpoint resume, and when the file with breakpoint resume is identified, an indication message is sent to the second agent to indicate the second agent to construct a file header request message. In this way, after the second agent receives the indication message, the function of the client can be simulated, a file header request message can be constructed and sent to the server, a response result fed back by the server is received, and after the response result is confirmed to include the requested file header, virus identification processing is performed on the file to be identified based on the file header, so that whether the file to be identified is a virus file or not is identified. Therefore, the identification of the breakpoint continuous file is realized by using the proxy, so that the accurate identification of the breakpoint continuous file can be realized, and the normal implementation of other services of the network security equipment can be ensured.
Optionally, based on the foregoing embodiment, the present embodiment further provides the following file identification method: if the file to be identified is identified to have viruses based on the file header, discarding the service message; sending a reset message or first prompt message to the client to prompt that the file to be identified is a virus file; and after the reset message or the first prompt message is sent, disconnecting the client.
Specifically, when a virus is identified in the file to be identified based on the file header, the network security device may discard the service message to ensure the security of the devices in the network. Meanwhile, so that the client learns of this, a reset message or first prompt information can be sent to the client to indicate that the file to be identified is a malicious file and that a security risk currently exists. In addition, after the first prompt information or the reset message is sent, the connection with the client is disconnected, so that the security risk is blocked.
It should be noted that, the first prompt message may be carried in a response message, and sent to the client through a form of the response message.
It should be noted that the virus hash feature library may further include an execution action of a virus, and when the hash value of a certain virus in the virus hash feature library is matched, the execution action of the virus may be confirmed; and when the execution action is discarding, discarding the service message.
Specifically, when the second agent identifies that the file to be identified is a virus file, the second agent may inform the first agent of the result, so that the first agent sends a reset message or first prompt information to the client, and disconnects the firewall device from the client.
Optionally, based on any one of the foregoing embodiments, the file identifying method provided in this embodiment may further include the following procedure: if the file to be identified is not identified to have virus based on the file header, the service message is forwarded to the server.
Specifically, when the network security device finds that the hash value calculated based on the file header is not included in the virus hash feature library, this indicates that no virus has been identified in the file to be identified. The network security device then forwards the service message to the server, so that the client can carry out normal service processing, such as continuing to upload the part of the file that was not uploaded last time, or downloading the part of the file that has not yet been downloaded from the server.
It should be noted that, when the second agent recognizes that the file to be recognized is not a virus file, the second agent may forward the service packet that is not forwarded before to the server.
Optionally, based on any one of the foregoing embodiments, the file identifying method provided in this embodiment may further include the following procedure: if the response result does not comprise the requested file header or the response result fed back by the server is not received, feeding back second prompt information of abnormal request to the client.
Specifically, when the network security device does not parse the requested file header from the response result, that is, the server feeds back abnormal information, this indicates to the network security device that the service message sent by the client may be abnormal. After parsing the abnormal information, to ensure the security of the devices in the network, the network security device may send the second prompt information, indicating an abnormal request, to the client so that the client performs a corresponding operation, such as attempting to send again. In addition, the server may give no feedback for other reasons. For this case, a time may be set after the network security device sends the file header request message; if the set time arrives and no response result has been received from the server, the request is considered abnormal, and the second prompt information is fed back to the client to instruct it to perform a corresponding operation, such as attempting to send again.
It should be noted that, if the second agent does not receive the response result, or the response result does not include the file header, the second agent may generate the second prompt information, and then forward the second prompt information to the first agent, so that the first agent forwards the second prompt information to the client; alternatively, the second agent may inform the first agent of the result to feed back a second hint information by the first agent to the client to indicate that an anomaly currently exists.
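An added example (not code from the patent or from any product) of the S102 to S105 path for a PE file: build the file header request, take the body of the reply, hash the image file header plus optional header, and look the digest up in a hash library that also stores the execution action. SHA-256, the dictionary layout, the verdict names and the "unparsed" outcome are assumptions, since the description names no hash function and does not say what happens when the 2001-byte prefix is too short to hold the PE headers; the sample bytes are constructed.

```python
import hashlib
import struct
from typing import Optional, Tuple

PROBE_LEN = 2001  # "bytes=0-2000" is inclusive at both ends


def build_header_request(path: str) -> bytes:
    """File header request in the shape the description shows for S102."""
    # The path is copied from client traffic: refuse anything that could
    # smuggle extra header lines into the device's own request.
    if not path.startswith("/") or any(
            ord(c) <= 0x20 or ord(c) >= 0x7F for c in path):
        raise ValueError("unsafe request path")
    return (f"GET {path} HTTP/1.0\r\n"
            "User-Agent: NetFox\r\n"
            "Range: bytes=0-2000\r\n\r\n").encode("ascii")


def body_from_response(raw: Optional[bytes]) -> Optional[bytes]:
    """Body of a 206 reply whose Content-Range starts at byte 0, else None."""
    if not raw or b"\r\n\r\n" not in raw:
        return None                       # timeout or truncated reply
    head, body = raw.split(b"\r\n\r\n", 1)
    lines = head.decode("latin-1").split("\r\n")
    status = lines[0].split(" ", 2)
    if len(status) < 2 or status[1] != "206":
        return None
    fields = dict((k.strip().lower(), v.strip())
                  for k, v in (l.split(":", 1) for l in lines[1:] if ":" in l))
    if not fields.get("content-range", "").startswith("bytes 0-"):
        return None                       # not the start of the file
    return body[:PROBE_LEN] or None


def extract_pe_headers(prefix: bytes) -> Optional[bytes]:
    """IMAGE_FILE_HEADER + optional header bytes, or None if not present."""
    if len(prefix) < 0x40 or prefix[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", prefix, 0x3C)
    file_hdr = e_lfanew + 4               # skip the "PE\0\0" signature
    if prefix[e_lfanew:file_hdr] != b"PE\x00\x00":
        return None                       # also hit when e_lfanew is past the prefix
    if len(prefix) < file_hdr + 20:
        return None
    (opt_size,) = struct.unpack_from("<H", prefix, file_hdr + 16)
    end = file_hdr + 20 + opt_size
    if opt_size == 0 or end > len(prefix):
        return None                       # optional header cut off by the probe
    return prefix[file_hdr:end]


def header_digest(prefix: bytes) -> Optional[str]:
    headers = extract_pe_headers(prefix)
    return hashlib.sha256(headers).hexdigest() if headers else None


def verdict(raw_response: Optional[bytes],
            library: dict) -> Tuple[str, Optional[str]]:
    """Map the server's reply to an outcome named in the description."""
    body = body_from_response(raw_response)
    if body is None:
        return ("prompt_abnormal", None)  # second prompt information
    digest = header_digest(body)
    if digest is None:
        return ("unparsed", None)         # assumption: left to the caller
    entry = library.get(digest)
    if entry is None:
        return ("forward", None)          # no match: forward the held message
    return (entry["action"], entry["virus"])


def make_sample_pe(e_lfanew: int = 0x80, opt_size: int = 0xE0,
                   machine: int = 0x14C) -> bytes:
    """Constructed, non-functional PE prefix used only as demo input."""
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    file_hdr = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B) + bytes(opt_size - 2)
    return bytes(dos) + b"PE\x00\x00" + file_hdr + opt + bytes(64)


def make_206(body: bytes, total: int) -> bytes:
    """Constructed server reply carrying `body` as bytes 0..len(body)-1."""
    return (f"HTTP/1.1 206 Partial Content\r\n"
            f"Content-Range: bytes 0-{len(body) - 1}/{total}\r\n"
            f"Content-Length: {len(body)}\r\n\r\n").encode("ascii") + body


if __name__ == "__main__":
    sample = make_sample_pe()
    library = {header_digest(sample): {"virus": "Constructed.Sample.A",
                                       "action": "discard"}}
    print(build_header_request("/test.zip").decode("ascii"))
    print(verdict(make_206(sample[:PROBE_LEN], len(sample)), library))
    print(verdict(None, library))
```

A file whose DOS stub pushes the PE headers past byte 2000 yields "unparsed" here, which is the case a deployment has to decide on explicitly rather than treat as clean.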
Optionally, based on any one of the foregoing embodiments, the file identifying method provided in this embodiment may further include the following procedure: and determining that the server side comprises the file header of the file to be identified.
Specifically, for the file downloading service, the complete file is stored in the server, and correspondingly, the file header is also stored in the server, so that the network security device can directly obtain the requested file header from the server. For the file uploading service, there may be file uploading abnormality to cause that the file header is not completely uploaded to the server, at this time, the server does not store the complete file header, so after the breakpoint continuous transmission begins, the service message received by the network security device at this time should be the first few service messages of the affiliated file. Therefore, to ensure the security of networking, the network security device may send a prompt message to the client to prompt the client to re-execute the uploading of the file. Based on this principle, after the network security device receives the service packet, if it is identified that the service packet is not the first several service packets of the corresponding file, it indicates that the header of the corresponding file has been uploaded to the server, so that it can be confirmed that the server includes the header of the file to be identified, and then step S102 is executed on this basis.
In order to better understand the present embodiment, an application scenario shown in fig. 2 is taken as an example, where in fig. 2, a firewall device is a network security device, tcpProxyServerSide set in the firewall device is a first agent, and TcpProxyClientSide is a second agent. After synchronous syn message and ack confirmation message are confirmed between Client and Server, the Client downloads file from Server for illustration, then interruption occurs in the process of downloading file from Server, because both Server and Client support breakpoint resume function, client can continue to request service of downloading file from last interruption position to Server, i.e. send service message of request data of file, in order to guarantee safety of Server, network security device can start first proxy to obtain service message, then identify the service message to confirm whether file corresponding to service message is breakpoint resume file; when the first agent identifies the file which is transmitted continuously at the breakpoint, the service message is not sent to the server temporarily, but a second agent is triggered, for example, the second agent is started, so that the second agent constructs a file header request message related to the file; and sending the file header request message to the server to acquire the file header of the file from the server.
On the basis, if the server side searches the file header of the file, the response result is fed back to the server side. The second agent in the firewall device receives the response result, if the requested file header is analyzed from the response result, the second agent performs hash calculation processing on the file header, and confirms whether the file is a virus file according to the method provided by the above. When the result is confirmed to be the virus file, the first agent is informed to send a reset message to the client to disconnect the connection between the client and the reset message, or the first agent can construct prompt information and send the prompt information to the client, namely the first prompt information, and then disconnect the connection between the client and the reset message.
When the second agent confirms that the file is not a virus file, the second agent can forward the service message which is not sent before to the server. Thus, after receiving the service message, the server may feed back the file transmission data requested by the client, that is, the real response data in fig. 2, to the second agent. The file transfer data is fed back to the client by the second agent via the first agent.
In this way, virus identification is performed on files transferred with breakpoint resume, and viruses are prevented from being let through. The network is protected from attack in scenarios with higher security requirements.
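The decision flow of the fig. 2 scenario, sketched as an added example that is not code from the patent or from any vendor. It assumes the transfer is HTTP and that breakpoint resume appears as a `Range` header; `HEADER_LEN`, SHA-256, the set of known-bad header hashes, and all function names are assumptions made for illustration.

```python
import hashlib
import re
from enum import Enum

HEADER_LEN = 64  # assumption: leading bytes treated as the "file header"
RANGE_RE = re.compile(r"^bytes=(\d+)-(\d*)$")

class Action(Enum):
    FORWARD = "forward the held service message to the server"
    RESET = "discard the message, send reset or first prompt, disconnect"
    PROMPT_ABNORMAL = "send second prompt information to the client"

def is_resumed_transfer(headers):
    """True when a Range is present and does not begin at byte 0.
    Suffix or multi-part ranges also skip the header, so they count too."""
    rng = headers.get("Range", "").strip()
    if not rng:
        return False
    m = RANGE_RE.match(rng)
    return not (m and int(m.group(1)) == 0)

def build_header_request(path, host):
    """Second agent: ask the server for only the first HEADER_LEN bytes."""
    return {"method": "GET", "path": path,
            "headers": {"Host": host, "Range": f"bytes=0-{HEADER_LEN - 1}"}}

def inspect(request, fetch, bad_header_hashes):
    """First agent entry point; `fetch` sends a request to the server and
    returns (status, body), or None when no response result arrives."""
    headers = request["headers"]
    if not is_resumed_transfer(headers):
        # Assumption: ordinary transfers go to the normal scanning path.
        return Action.FORWARD
    # The service message is held here while the header is checked.
    probe = build_header_request(request["path"], headers.get("Host", ""))
    response = fetch(probe)
    if response is None:
        return Action.PROMPT_ABNORMAL          # no response result
    status, body = response
    if status not in (200, 206) or not body:
        return Action.PROMPT_ABNORMAL          # result carries no file header
    digest = hashlib.sha256(body[:HEADER_LEN]).hexdigest()
    return Action.RESET if digest in bad_header_hashes else Action.FORWARD

# Constructed sample data: two files on a stand-in server, one flagged.
FILES = {"/good.bin": b"GOODHDR" + b"\x00" * 200,
         "/bad.bin": b"EVILHDR" + b"\x01" * 200}
BAD_HASHES = {hashlib.sha256(FILES["/bad.bin"][:HEADER_LEN]).hexdigest()}

def fake_server(req):
    """Stand-in server that honours a single bytes=start-end range."""
    data = FILES.get(req["path"])
    if data is None:
        return (404, b"")
    m = RANGE_RE.match(req["headers"]["Range"])
    start = int(m.group(1))
    end = int(m.group(2)) if m.group(2) else len(data) - 1
    return (206, data[start:end + 1])

def resume_request(path, offset):
    """Constructed client message resuming a download at `offset`."""
    return {"method": "GET", "path": path,
            "headers": {"Host": "files.example", "Range": f"bytes={offset}-"}}

if __name__ == "__main__":
    for p in ("/good.bin", "/bad.bin", "/missing.bin"):
        print(p, inspect(resume_request(p, 100), fake_server, BAD_HASHES).name)
```

The three outcomes correspond to forwarding the held service message, sending the reset or first prompt information, and sending the second prompt information.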
Based on the same inventive concept, the application also provides a file identification device based on breakpoint continuous transmission, which corresponds to the file identification method based on breakpoint continuous transmission. For the implementation of the device, refer to the description of the method; it is not repeated here.
Referring to fig. 3, fig. 3 is a schematic diagram of a file identification device based on breakpoint continuous transmission according to an exemplary embodiment of the present application, which is disposed in a network security device, and the device includes:
the acquiring module 301 is configured to acquire a service packet of a file to be identified sent by a client;
a constructing module 302, configured to construct a file header request message if the file to be identified is confirmed to be a file with breakpoint resume according to the service message;
a first sending module 303, configured to send the header request packet to a server;
a receiving module 304, configured to receive a response result sent by the server;
and the identifying module 305 is configured to identify whether a virus exists in the file to be identified according to the file header if the response result includes the requested file header.
Optionally, based on the foregoing embodiment, the file identifying apparatus based on breakpoint continuous transmission provided in this embodiment further includes:
a discarding module (not shown in the figure) configured to discard the service packet if the identifying module 305 identifies that the file to be identified has a virus based on the file header;
a second sending module (not shown in the figure) configured to send a reset message or a first prompting message to the client to indicate that the file to be identified is a virus file;
a disconnection module (not shown in the figure) is configured to disconnect from the client after sending a reset message or sending the first prompt message.
Optionally, based on the foregoing embodiment, in this embodiment, the first sending module 303 is further configured to forward the service packet to the server if the identifying module does not identify that the file to be identified has a virus based on the file header.
Optionally, based on the foregoing embodiment, the file identifying apparatus based on breakpoint continuous transmission provided in this embodiment further includes:
a third sending module (not shown in the figure) configured to, if the response result does not include the requested file header, or if the response result fed back by the server is not received, feed back a second prompt message indicating an abnormal request to the client.
Optionally, based on the foregoing embodiment, the file identifying apparatus based on breakpoint continuous transmission provided in this embodiment further includes:
a determining module (not shown in the figure) is configured to determine that the server includes a header of the file to be identified.
The file identification device based on breakpoint resume of any of the above embodiments performs virus identification on files transferred with breakpoint resume and prevents viruses from being let through. The network is protected from attack in scenarios with higher security requirements.
Based on the same inventive concept, the embodiments of the present application provide a network security device, as shown in fig. 4, which may include a processor 401 and a machine-readable storage medium 402, where the machine-readable storage medium 402 stores a computer program capable of being executed by the processor 401, and the processor 401 is caused by the computer program to perform the file identification method based on breakpoint resume provided in any embodiment of the present application. The network security device further comprises a communication interface 403 and a communication bus 404, wherein the processor 401, the communication interface 403, and the machine readable storage medium 402 communicate with each other via the communication bus 404.
The communication bus mentioned for the above network security device may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The communication bus may be classified as an address bus, a data bus, a control bus, or the like. For ease of illustration, the bus is represented in the figure by a single bold line, but this does not mean that there is only one bus or one type of bus.
The communication interface is used for communication between the network security device and other devices.
The machine-readable storage medium 402 may be a memory, which may include Random Access Memory (RAM), DDR SDRAM (Double Data Rate Synchronous Dynamic Random Access Memory), or Non-Volatile Memory (NVM), such as at least one disk memory. Optionally, the memory may also be at least one memory device located remotely from the aforementioned processor.
The processor may be a general-purpose processor, including a Central Processing Unit (CPU), a Network Processor (NP), etc.; it may also be a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field-Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
The network security device and machine-readable storage medium embodiments are described relatively briefly because the method content involved is substantially similar to the method embodiments described above; for the relevant details, refer to the description of the method embodiments.
It is noted that relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
For the implementation of the functions and roles of each unit/module in the above device, see the implementation of the corresponding steps in the above method; the details are not repeated here.
For the device embodiments, reference is made to the description of the method embodiments for the relevant points, since they essentially correspond to the method embodiments. The above described apparatus embodiments are merely illustrative, wherein the units/modules illustrated as separate components may or may not be physically separate, and the components shown as units/modules may or may not be physical units/modules, i.e. may be located in one place, or may be distributed over a plurality of network units/modules. Some or all of the units/modules may be selected according to actual needs to achieve the purposes of the present application. Those of ordinary skill in the art will understand and implement the present invention without undue burden.
The foregoing description of the preferred embodiments of the present invention is not intended to limit the invention to the precise form disclosed, and any modifications, equivalents, improvements and alternatives falling within the spirit and principles of the present invention are intended to be included within the scope of the present invention.

Claims (12)

1. A file identification method based on breakpoint continuous transmission, characterized in that the method is applied to a network security device and comprises the following steps:
acquiring a service message of a file to be identified, which is sent by a client;
if the file to be identified is confirmed to be the file of breakpoint continuous transmission according to the service message, constructing a file header request message;
sending the file header request message to a server;
receiving a response result sent by the server;
and if the response result comprises the requested file header, carrying out identification processing on the file to be identified according to the file header so as to identify whether viruses exist in the file to be identified.
2. The method as recited in claim 1, further comprising:
if it is identified, based on the file header, that the file to be identified has a virus, discarding the service message; sending a reset message or first prompt message to the client to indicate that the file to be identified is a virus file;
and after the reset message or the first prompt message is sent, the connection with the client is disconnected.
3. The method as recited in claim 1, further comprising:
and if the file to be identified is not identified to have viruses based on the file header, forwarding the service message to the server.
4. The method as recited in claim 1, further comprising:
and if the response result does not comprise the requested file header or the response result fed back by the server is not received, feeding back second prompt information indicating an abnormal request to the client.
5. The method of claim 1, further comprising, prior to constructing the header request message:
and determining that the server side comprises the file header of the file to be identified.
6. The method of claim 1, wherein the network security device is provided with a first agent and a second agent;
wherein acquiring the service message of the file to be identified, which is sent by the client, comprises:
the first agent acquiring the service message of the file to be identified, which is sent by the client;
constructing the file header request message if the file to be identified is confirmed to be a file with breakpoint resume according to the service message comprises:
if the first agent confirms, according to the service message, that the file to be identified is a file with breakpoint continuous transmission, triggering the second agent to construct the file header request message;
sending the file header request message to the server, receiving the response result sent by the server, and, if the response result comprises the requested file header, performing identification processing on the file to be identified according to the file header to identify whether viruses exist in the file to be identified comprises:
the second agent sending the file header request message to the server, receiving the response result sent by the server, and, if the response result comprises the requested file header, performing identification processing on the file to be identified according to the file header so as to identify whether viruses exist in the file to be identified.
7. A file identification device based on breakpoint resume, characterized in that the device is arranged in a network security device, and comprises:
the acquisition module is used for acquiring a service message of a file to be identified, which is sent by the client;
the construction module is used for constructing a file header request message if the file to be identified is confirmed to be a file with breakpoint continuous transmission according to the service message;
the first sending module is used for sending the file header request message to the server;
the receiving module is used for receiving a response result sent by the server;
and the identification module is used for carrying out identification processing on the file to be identified according to the file header if the response result comprises the requested file header so as to identify whether viruses exist in the file to be identified.
8. The apparatus as recited in claim 7, further comprising:
the discarding module is used for discarding the service message if the identifying module identifies that the file to be identified has viruses based on the file header;
the second sending module is used for sending a reset message or first prompt information to the client so as to indicate that the file to be identified is a virus file;
and the disconnection module is used for disconnecting the connection with the client after sending the reset message or the first prompt message.
9. The apparatus of claim 7, wherein,
the first sending module is further configured to send the service packet to the server if the identifying module does not identify that the file to be identified has a virus based on the file header.
10. The apparatus of claim 7, further comprising:
and the third sending module is used for feeding back second prompt information indicating an abnormal request to the client if the response result does not comprise the requested file header or the response result fed back by the server is not received.
11. A network security appliance comprising a processor and a machine-readable storage medium storing a computer program executable by the processor, the processor being caused by the computer program to perform the method of any one of claims 1-6.
12. A machine-readable storage medium storing a computer program which, when invoked and executed by a processor, causes the processor to perform the method of any one of claims 1-6.
CN202310423562.6A 2023-04-14 2023-04-14 File identification method, device, equipment and medium based on breakpoint continuous transmission Pending CN116506422A (en)

Publications (1)

Publication Number Publication Date
CN116506422A true CN116506422A (en) 2023-07-28

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination