TW594472B - Computer virus scanning method for network data packet - Google Patents

Computer virus scanning method for network data packet

Info

Publication number
TW594472B
Authority
TW
Taiwan
Prior art keywords
virus
data packets
patent application
client
scope
Prior art date
Application number
TW91125318A
Other languages
Chinese (zh)
Inventor
Rung-Ren Shiue
Original Assignee
Ggreat Internat Corp
Application filed by Ggreat Internat Corp
Priority to TW91125318A
Application granted
Publication of TW594472B

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The computer virus scanning method for network data packets of the invention makes an anti-virus program resident in the layered architecture of the customer premise network equipment. The invention can therefore scan the data packets entering and leaving the customer premise network equipment for viruses. If no virus is found, the data packet is transmitted normally; if a virus is found, the infected portion is modified and normal transmission of the packet continues, or the packet is discarded to stop the service. As a result, network data containing a virus is kept entirely out of the customer premise computer system.

Description

The computer virus scanning method for network data packets of the present invention is applied to client-side network equipment and can scan the data packets output and input by that equipment for viruses.

Anti-virus scanning software currently on the market scans in file form: when a computer user receives or sends messages over the Internet, it confronts computer viruses that have already taken file form, which is largely a passive mode of defence. Even when anti-virus software is installed on the user's computer, a virus entering the computer may still get its chance because the user did not start the anti-virus software properly or the software was not updated to the latest version in time.

In view of this, the inventor, drawing on many years of experience in related research, arrived at the present invention. The present invention provides a computer virus scanning method for network data packets in which a virus-scanning program is made resident in the network equipment on the client side, so that the scanning program can scan the data packets output and input by the client-side network equipment. The method of the present invention thus differs from the current scanning mode, which detects and removes a computer virus only after it has entered the client's computer system: the virus can be removed before it has taken file form.

Accordingly, the object of the present invention is to provide a computer virus scanning method for network data packets which, by detecting and removing computer viruses in the data packets, prevents computer viruses from entering the client computer system in file form.

To achieve the above object, the present invention is realised as follows: a computer virus scanning method for network data packets, applied to client-side network equipment, comprising at least the following steps in order:

(a) a virus-scanning program is made resident in the hierarchical architecture of the client-side network equipment, the hierarchical architecture being any one of the following:
  the network access layer of the TCP/IP protocol;
  the internet layer of the TCP/IP protocol;
  the host-to-host transport layer of the TCP/IP protocol;
  the application layer of the TCP/IP protocol;
  the data link layer of the OSI standard;
  the network layer of the OSI standard;
  the transport layer of the OSI standard;
  the session layer of the OSI standard;
  the presentation layer of the OSI standard; or
  the application layer of the OSI standard;
(b) a virus-scanning procedure is performed on the data packets output and input by the client-side network equipment:
  if no virus is carried, the data packet is transmitted normally;
  if a virus is carried, it is handled by any one of the following methods:
  I. modifying the virus:
    (i) modifying the virus portion of the data packet; and
    (ii) continuing to transmit the modified data packet;
  II. discarding the data packet, so that the service is interrupted;
whereby computers within the same network domain do not receive data packets carrying a virus, and packets sent out of that domain do not carry a computer virus either.

So that the examiners may better understand the structural features and effects of the present invention, it is described in detail below by way of specific embodiments with reference to the accompanying drawings.

Hierarchical architecture of data packets and communication protocols

A personal computer can share resources with other computers through hardware components such as hosts, gateways and network transmission lines, and software components such as the TCP/IP protocol. The TCP/IP protocol applies to many types of network architecture, for example Ethernet, token ring and X.25 networks, making network communication compatible worldwide so that domains of different network architecture can exchange information. Besides convenient network messaging, this also gives computer viruses a faster and wider channel of propagation.

Figure 1 is a diagram of the Internet architecture, in which different network architectures interoperate as the Internet through the TCP/IP protocol. The internal network 10 connects different hosts by a token ring network 16, while the local area network 20 connects different hosts by an Ethernet 26, and the internal network 10 and local area network 20 connect to the X.25 network through gateway 14 and gateway 24 respectively. Suppose a file is to be transferred from the first client 12 on the token ring network 16 to the second client 22 on the Ethernet 26; it must pass in turn through the token ring network 16, the X.25 network 30 and the Ethernet 26, and the client-side network equipment involved consists mainly of the hosts (12, 22) and the gateways (14, 24). Because communication between domains goes through both software and hardware architecture, and so that the computer systems of different clients can link to one another, the industry has established standards for software and hardware manufacturers to follow, for example the OSI standard and the TCP/IP protocol. Table 1 shows the hierarchical architectures of the OSI standard and the TCP/IP protocol and how they correspond.

Table 1
OSI standard            TCP/IP protocol
Application Layer       Application Layer
Presentation Layer      Application Layer
Session Layer           Application Layer
Transport Layer         Host-to-host Transport Layer
Network Layer           Internet Layer
Data Link Layer         Network Access Layer
Physical Layer          Network Access Layer

The communication mechanism between domains is now explained with Figure 2, the hierarchical architecture of the TCP/IP protocol. As the figure shows, when domains link and communicate using the TCP/IP protocol, a datagram passed at a host (12, 22) must pass through the application layer 41, the host-to-host transport layer 42, the internet layer 43 and the network access layer 44, while a datagram passed at a gateway (14, 24) must pass through the internet layer 43 and the network access layer 44; data transmitted over the Internet therefore passes at least through the internet layer 43 and the network access layer 44 of the TCP/IP protocol. Datagrams arise because each network architecture defines a maximum transmission unit (MTU), so the data packet to be sent is cut into datagrams at the gateway within the domain, and as it crosses different network architectures the datagrams must be adjusted to their different MTUs.

Referring to Figure 3, under the TCP/IP protocol, when a client sends data it must pass in order through the application layer 41, the host-to-host transport layer 42, the internet layer 43 and the network access layer 44, while the client at the other end receiving the data passes in reverse order through the network access layer 44, the internet layer 43, the host-to-host transport layer 42 and the application layer 41. Referring further to Figure 4, during transmission of Internet data each layer passed adds a header A in front of the data B, and so on; conversely, during reception each layer passed on the way up removes one header A.

From the foregoing, Internet transmission takes the form of cutting a file into several datagrams, which under the TCP/IP protocol must pass through the internet layer, the network access layer, the host-to-host transport layer and the application layer; likewise, under the OSI standard they must pass through the data link layer, the network layer, the transport layer, the session layer, the presentation layer, the application layer and the physical layer.

The present invention therefore makes the virus-scanning program resident in the hierarchical architecture of the client-side network equipment (note: except the physical layer of the OSI standard, since that layer represents only the hardware components), so that a computer virus can be detected and removed while it is still in datagram form, preventing it from invading the client's computer system in file form.

Virus scanning of network data packets

Taking the TCP/IP protocol as an example, the virus-scanning program is made resident in the network access layer of the client's computer equipment. When that layer obtains a datagram, it analyses the information recorded in the header and scans the data portion; once scanning is complete the datagram can be released. Because a virus file is itself cut into several pieces as it passes over the network, scanning for the virus means scanning several datagrams before it is definitely known whether the same service (HTTP, FTP, SMTP, POP3, ...) carries a virus file.

Once a service is found to carry a virus file, a removal action is taken against it immediately, for example overwriting the virus portion by filling it with "0". The packet, clean after removal, is then passed into the domain or out of it. In this way the transmission direction of the original TCP/IP protocol is neither changed nor affected, and the virus file is removed from each datagram, as shown in Figures 5, 6 and 7.

Referring to Figure 5, after all packets are fed in 100, the service packets to be scanned are filtered out 110 and the system judges whether the packet is the first packet of its service 120. If not, the packet is sent, according to its service number, to the scanning procedure it belongs to 130, and the step of whether the service has ended 140 decides whether to wait for the next packet 150 or to end the scanning schedule 160. In step 120, if the packet is the first of its service, a new scanning schedule is created 170, in which, depending on whether the service type is SMTP/POP3 180, processing enters the steps for SMTP and POP3 service packets 200 or the steps for packets of services other than SMTP and POP3 300.

Continuing in Figure 6, for SMTP and POP3 service packets the system checks, according to the scanning schedule, whether the service carries a virus 210; if not, the mail encoding format is decoded 220, the decoded content is scanned, and it is judged whether the service carries a virus file 230. If no virus file is carried, the packet is transmitted normally 240; if a virus is carried, the virus part of the packet content is modified 250, for example by overwriting the virus part with "0", after which the clean packet is transmitted 260 and the scanning schedule records that the service carries a virus file 270. After the record is completed, the system waits for the next packet to enter 280. In the step of judging whether the service carries a virus 210, if an earlier packet of the service has already been judged to carry a virus, the system goes directly to step 250 and modifies the virus part of the packet content.

Continuing in Figure 7, for packets of services other than SMTP and POP3 the system checks, according to the scanning schedule, whether the service carries a virus 310; if not, the packet content is scanned and it is judged whether the service carries a virus file 320. If no virus file is carried, the packet is transmitted normally 330; if a virus is carried, the virus part of the packet content is modified 340, for example by overwriting the virus part with "0", after which the clean packet is transmitted 350 and the scanning schedule records that the service carries a virus file 360. After the record is completed, the system waits for the next packet to enter 370. In the step of judging whether the service carries a virus 310, if an earlier packet of the service has already been judged to carry a virus, the system goes directly to step 340 and modifies the virus part of the packet content.

The processing flow of the method of the present invention may further include a step of producing a record table of the results of the scanning procedure, the contents of which comprise: schedule number, service number, service attribute and whether infected, as shown in Table 2.
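The description above says that a scanner resident at the network access layer must first analyse the information recorded in the headers and then scan the data portion, with each layer having added its own header A in front of the data B (Figure 4). The following is an added example, not code from the patent or from Ggreat Internat Corp, of how such a scanner peels those headers from an Ethernet/IPv4/TCP frame to reach the payload and to identify the service by its well-known port. The frame is constructed inline for the demonstration, the port-to-service mapping is an assumption of the example, and checksums are not computed or verified.

```python
"""Added example (not from the patent): peeling per-layer headers so a scanner at
the network access layer reaches the data portion and learns which service it
belongs to. The frame below is constructed by hand for this example."""
import struct

# Assumption of the example: the service is identified by the server-side port,
# using the four service names that appear in the patent's record table.
SERVICE_PORTS = {80: "http", 21: "ftp", 25: "smtp", 110: "pop3"}


def parse_frame(frame: bytes) -> dict:
    """Strip the Ethernet, IPv4 and TCP headers in turn (the headers A of Figure 4)
    and return the addresses, ports, sequence number, service name and payload (data B)."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    if len(ip) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, _ident, _frag, _ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if (ver_ihl >> 4) != 4 or ihl < 20 or total_len < ihl or len(ip) < total_len:
        raise ValueError("bad IPv4 header or length")
    if proto != 6:
        raise ValueError("not TCP")
    tcp = ip[ihl:total_len]              # honour total_len so Ethernet padding is ignored
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, _ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    doff = (off_flags >> 12) * 4          # TCP data offset, in 32-bit words
    if doff < 20 or doff > len(tcp):
        raise ValueError("bad TCP data offset")
    return {
        "src": ".".join(map(str, src)),
        "dst": ".".join(map(str, dst)),
        "sport": sport,
        "dport": dport,
        "seq": seq,
        "service": SERVICE_PORTS.get(dport, SERVICE_PORTS.get(sport, "other")),
        "payload": tcp[doff:],
    }


def build_frame(src_port: int, dst_port: int, seq: int, payload: bytes) -> bytes:
    """Construct an Ethernet/IPv4/TCP frame for the demonstration (checksums left at 0)."""
    tcp_hdr = struct.pack("!HHIIHHHH", src_port, dst_port, seq, 0, 5 << 12, 0xFFFF, 0, 0)
    total_len = 20 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0, 64, 6, 0,
                         bytes([10, 0, 0, 12]), bytes([10, 0, 0, 22]))
    eth_hdr = bytes(6) + bytes(6) + struct.pack("!H", 0x0800)
    return eth_hdr + ip_hdr + tcp_hdr + payload


if __name__ == "__main__":
    frame = build_frame(40000, 80, 1, b"GET / HTTP/1.0\r\n\r\n") + b"\x00" * 6
    print(parse_frame(frame))
```

The parser trusts only the lengths it has verified: it uses the IPv4 total length rather than the frame length, so trailing Ethernet padding never reaches the scanning logic, and it rejects frames whose header fields point past the data it holds.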

Table 2
Schedule number   Service number   Service attribute        Infected
UU                UU               http, ftp, smtp, pop3    yes / no

In the foregoing embodiment, the network access layer of the TCP/IP protocol was used to explain where the virus-scanning program of the present invention resides. In practical application it may be any of the internet layer, the host-to-host transport layer or the application layer of the TCP/IP protocol; if applied within the OSI standard, the virus-scanning program resides in any of the data link layer, the network layer, the transport layer, the session layer, the presentation layer or the application layer.

In addition, when the system of the present invention finds that a scanned data packet contains a virus, it may also discard that data packet directly, interrupting the transmission service of that packet, as shown in Figures 8 and 9, which are the processing flows for SMTP/POP3 and non-SMTP/POP3 data packets respectively. They differ from the foregoing embodiment in that when the system detects that a service packet contains a virus, the packet is discarded directly (250', 340') and the procedure ends (260', 350').
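The per-service scanning schedule of Figures 5 to 7 (first-packet detection, mail decoding for SMTP/POP3, overwriting the virus portion with "0", recording the result as in Table 2) and the discard variant of Figures 8 and 9 are simulated below in an added example that is not code from the patent or from Ggreat Internat Corp. The packets, the `Packet` and `Schedule` classes, the `scan` and `mail_packet` helpers and the byte string used as a signature are all constructed for the example; the signature stands in for a real one and is not malware. The example also goes beyond the text in one respect, marked in the code: it keeps the tail of the previous packet so that a signature cut in two by the MTU is still recognised.

```python
"""Added example (not from the patent): a simulation of the per-service scanning
schedule of Figures 5 to 9. All packets and the signature are constructed here;
the signature is a made-up byte string, not real malware."""
import base64
import binascii
from dataclasses import dataclass

SIGNATURE = b"EICAR-LIKE-TEST-PATTERN"   # constructed stand-in for a virus signature
MAIL_SERVICES = {"smtp", "pop3"}


@dataclass
class Packet:
    service_id: int      # the patent's "service number"
    service: str         # http, ftp, smtp, pop3, ...
    data: bytes          # data portion, headers already stripped
    last: bool = False   # step 140: this packet ends the service


@dataclass
class Schedule:          # one scanning schedule per service (step 170)
    schedule_no: int
    service_id: int
    service: str
    infected: bool = False
    tail: bytes = b""    # end of the previous packet, so a signature cut by the MTU is still seen


def _decode(pkt):
    """Step 220: undo the mail encoding. Assumption of the example: each SMTP/POP3
    packet carries a complete base64 block; anything that does not decode is scanned raw."""
    if pkt.service in MAIL_SERVICES:
        try:
            return base64.b64decode(pkt.data, validate=True), True
        except binascii.Error:
            pass
    return pkt.data, False


def _find_virus(sched, content):
    """Steps 230/320: locate the signature in this packet joined with the previous
    packet's tail. Returns (start, end) within `content`, or None."""
    tail_len = len(sched.tail)
    joined = sched.tail + content
    idx = joined.find(SIGNATURE)
    sched.tail = joined[-(len(SIGNATURE) - 1):]
    if idx < 0:
        return None
    return max(idx - tail_len, 0), idx + len(SIGNATURE) - tail_len


class PacketScanner:
    """Routes each packet to its service's schedule and applies the chosen policy:
    'modify' overwrites the virus bytes with "0" (Figures 6/7), 'drop' discards the
    packet and ends the service (Figures 8/9)."""

    def __init__(self, policy="modify"):
        if policy not in ("modify", "drop"):
            raise ValueError("policy must be 'modify' or 'drop'")
        self.policy = policy
        self.schedules = {}
        self.next_schedule_no = 1
        self.records = []        # Table 2 rows: (schedule no, service no, service, infected)

    def process(self, pkt):
        """Return the bytes to forward, or None when the packet is dropped."""
        sched = self.schedules.get(pkt.service_id)
        if sched is None:                                  # steps 120 -> 170
            sched = Schedule(self.next_schedule_no, pkt.service_id, pkt.service)
            self.next_schedule_no += 1
            self.schedules[pkt.service_id] = sched
        content, was_b64 = _decode(pkt)
        if sched.infected:                                 # steps 210/310 -> 250/340 directly
            hit = (0, len(content))  # assumption: the rest of an infected service is overwritten whole
        else:
            hit = _find_virus(sched, content)
        finished = pkt.last
        if hit is None:                                    # steps 240/330
            out = pkt.data
        elif self.policy == "drop":                        # steps 250'/340' then 260'/350'
            sched.infected, out, finished = True, None, True
        else:                                              # steps 250/340, 260, 270
            sched.infected = True
            start, end = hit
            cleaned = content[:start] + b"0" * (end - start) + content[end:]
            out = base64.b64encode(cleaned) if was_b64 else cleaned
        if finished:                                       # steps 140 -> 160
            self.records.append((sched.schedule_no, sched.service_id, sched.service, sched.infected))
            del self.schedules[pkt.service_id]
        return out


def scan(packets, policy="modify"):
    """Feed a packet sequence through one scanner; return (forwarded outputs, Table 2 rows)."""
    scanner = PacketScanner(policy)
    return [scanner.process(p) for p in packets], scanner.records


def mail_packet(service_id, service, body, last=False):
    """Construct an SMTP/POP3 packet whose data is a base64-encoded body (for the demo)."""
    return Packet(service_id, service, base64.b64encode(body), last)


if __name__ == "__main__":
    demo = [Packet(1, "http", b"body-part-one EICAR-LIKE-"),
            Packet(1, "http", b"TEST-PATTERN and more"),
            Packet(1, "http", b"trailer", last=True)]
    print(scan(demo, "modify"))
```

The straddling case shows the limit of per-datagram cleaning: when the signature is cut by the MTU, the first half has already been forwarded by the time the second packet completes it, so only the second packet and everything after it can be overwritten. That is exactly why the schedule records infection per service and keeps acting on every later packet of that service, and why the drop variant ends the service outright.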

Where the virus-scanning program resides is decided with the client-side network equipment in mind. Taking the TCP/IP protocol as an example, if the scanning program is to reside in a network gateway, then because the gateway contains only the network access layer and the internet layer, it can reside only in one of those two layers.

As described above, the computer virus scanning method for network data packets of the present invention makes a virus-scanning program resident in the hierarchical architecture of the client-side network equipment, that architecture being any of the network access layer, the internet layer, the host-to-host transport layer or the application layer of the TCP/IP protocol, or any of the data link layer, the network layer, the transport layer, the session layer, the presentation layer or the application layer of the OSI standard. The present invention can thus perform a virus-scanning procedure on the data packets output and input by the client-side network equipment: if there is no virus, the data packet is transmitted normally; if there is a virus, the virus portion is modified and the virus-free packet is transmitted onward. Internet data containing a virus is thereby kept entirely out of the client's computer system, which is creative and progressive and satisfies the statutory requirements for an invention patent, for which application is made according to law.

Although the present invention has been disclosed above by a preferred embodiment, this is not intended to limit the scope of its implementation. Anyone skilled in the art may make minor changes and refinements without departing from the spirit and scope of the present invention, and all equivalent changes and modifications made in accordance with the present invention shall be covered by the patent scope of the present invention, whose definition is governed by the claims.

Brief description of the drawings

Figure 1 is a schematic diagram of the Internet architecture.
Figure 2 is the hierarchical architecture of the TCP/IP protocol.
Figure 3 is the first schematic diagram of data transmission under the TCP/IP protocol.
Figure 4 is the second schematic diagram of data transmission under the TCP/IP protocol.
Figure 5 is the first flow diagram of the present invention.
Figure 6 is the second flow diagram of the present invention.
Figure 7 is the third flow diagram of the present invention.
Figure 8 is the first flow diagram of another embodiment of the present invention.
Figure 9 is the second flow diagram of another embodiment of the present invention.

Reference numerals:
10 internal network
12 first client (host)
14 gateway
16 token ring network
20 local area network
22 second client (host)
24 gateway
26 Ethernet
30 X.25 network
41 application layer
42 transport layer
43 internet layer
44 network access layer
100 feed in all packets
110 filter out the service packets to be scanned
120 is this the first packet of the service?
130 send this packet to the scanning procedure it belongs to
140 has the service ended?
150 wait for the next packet
160 end the scanning schedule
170 create a new scanning schedule
180 is the service type SMTP/POP3?
200 steps for SMTP and POP3 service packets
210 does the service carry a virus?
220 decode the mail encoding format
230 judge whether the service carries a virus file
240 transmit the packet normally
250 modify the virus part of the packet content
260 transmit the clean packet
270 record that the service carries a virus file
280 wait for the next packet to enter
250' discard the packet
260' end the procedure
300 steps for packets of services other than SMTP and POP3
310 does the service carry a virus?
320 judge whether the service carries a virus file
330 transmit the packet normally
340 modify the virus part of the packet content
350 transmit the clean packet
360 record that the service carries a virus file
370 wait for the next packet to enter
340' discard the packet
350' end the procedure

Claims (1)

1. A computer virus scanning method for network data packets, applied to client-side network equipment, comprising at least the following steps in order:
(a) making a virus-scanning program resident in the hierarchical architecture of the client-side network equipment;
(b) performing a virus-scanning procedure on the data packets output and input by the client-side network equipment, wherein
  if no virus is carried, the data packet is transmitted normally;
  if a virus is carried, (i) the virus portion of the data packet is modified; and (ii) the modified data packet continues to be transmitted,
whereby computers within the same network domain do not receive data packets carrying a virus, and packets sent out of that domain do not carry a computer virus either.
2. The computer virus scanning method for network data packets of claim 1, wherein the hierarchical architecture of the client-side network equipment is the network access layer of the TCP/IP protocol.
3. The computer virus scanning method for network data packets of claim 1, wherein the hierarchical architecture of the client-side network equipment is the internet layer of the TCP/IP protocol.
4. The computer virus scanning method for network data packets of claim 1, wherein the hierarchical architecture of the client-side network equipment is the host-to-host transport layer of the TCP/IP protocol.
5. The computer virus scanning method for network data packets of claim 1, wherein the hierarchical architecture of the client-side network equipment is the application layer of the TCP/IP protocol.
6. The computer virus scanning method for network data packets of claim 1, wherein the hierarchical architecture of the client-side network equipment is the data link layer of the OSI standard.
7. The computer virus scanning method for network data packets of claim 1, wherein the hierarchical architecture of the client-side network equipment is the network layer of the OSI standard.
8. The computer virus scanning method for network data packets of claim 1, wherein the hierarchical architecture of the client-side network equipment is the transport layer of the OSI standard.
9. The computer virus scanning method for network data packets of claim 1, wherein the hierarchical architecture of the client-side network equipment is the session layer of the OSI standard.
10. The computer virus scanning method for network data packets of claim 1, wherein the hierarchical architecture of the client-side network equipment is the presentation layer of the OSI standard.
11. The computer virus scanning method for network data packets of claim 1, wherein the hierarchical architecture of the client-side network equipment is the application layer of the OSI standard.
12. The computer virus scanning method for network data packets of claim 1, wherein the client-side network equipment is a host.
13. The computer virus scanning method for network data packets of claim 1, wherein the client-side network equipment is a network gateway.
14. The computer virus scanning method for network data packets of claim 1, wherein, when the virus-scanning procedure is performed on the output and input data packets and a virus is carried, the virus portion of the data packet is modified by filling it with digits.
15. The computer virus scanning method for network data packets of claim 1, wherein, when the virus-scanning procedure is performed on the output and input data packets and a virus is carried, the virus portion of the data packet is modified by filling it with symbols.
16. The computer virus scanning method for network data packets of claim 1, further comprising a step of producing a record table of the results of the scanning procedure.
17. The computer virus scanning method for network data packets of claim 16, wherein the contents of the record table of the results of the scanning procedure comprise: schedule number, service number, service attribute and whether infected.
18. A computer virus scanning method for network data packets, applied to client-side network equipment, comprising at least the following steps in order:
(a) making a virus-scanning program resident in the hierarchical architecture of the client-side network equipment;
(b) performing a virus-scanning procedure on the data packets output and input by the client-side network equipment, wherein
  if no virus is carried, the data packet is transmitted normally;
  if a virus is carried, the data packet is returned,
whereby computers within the same network domain do not receive data packets carrying a virus, and packets sent out of that domain do not carry a computer virus either.
19. The computer virus scanning method for network data packets of claim 18, wherein the hierarchical architecture of the client-side network equipment is the network access layer of the TCP/IP protocol.
20. The computer virus scanning method for network data packets of claim 18, wherein the hierarchical architecture of the client-side network equipment is the internet layer of the TCP/IP protocol.
21. The computer virus scanning method for network data packets of claim 18, wherein the hierarchical architecture of the client-side network equipment is the host-to-host transport layer of the TCP/IP protocol.
22. The computer virus scanning method for network data packets of claim 18, wherein the hierarchical architecture of the client-side network equipment is the application layer of the TCP/IP protocol.
23. The computer virus scanning method for network data packets of claim 18, wherein the hierarchical architecture of the client-side network equipment is the data link layer of the OSI standard.
24. The computer virus scanning method for network data packets of claim 18, wherein the hierarchical architecture of the client-side network equipment is the network layer of the OSI standard.
25. The computer virus scanning method for network data packets of claim 18, wherein the hierarchical architecture of the client-side network equipment is the transport layer of the OSI standard.
26. The computer virus scanning method for network data packets of claim 18,
2 6 · Electricity of network data packets as described in item 18 of the scope of patent application 第19頁 594472 六、申請專利範圍 腦病毒掃描方法,其中,用戶端網路設備之階層架 構係為OSI標準之交談層。 2 7 ·如申請專利範圍第1 8項所述之網路資料封包之電 腦病毒掃描方法,其中,用戶端網路設備之階層架 構係為0 SI標準之表現層。 2 8 ·如申請專利範圍第1 8項所述之網路資料封包之電 腦病毒掃描方法,其中,用戶端網路設備之階層架 構係為0 SI標準之應用層。 2 9 ·如申請專利範圍第1 8項所述之網路資料封包之電 腦病毒掃描方法,其中,用戶端網路設備係為電腦 主機。 3 0 ·如申請專利範圍第1 8項所述之網路資料封包之電 腦病毒掃描方法,其中,用戶端網路設備係為網路 閘道。 3 1 ·如申請專利範圍第1 8項所述之網路資料封包之電 腦病毒掃描方法,其中,更包含製作掃毒程序結果 之記錄表步驟。 3 2 ·如申請專利範圍第3 1項所述之網路資料封包之電 腦病毒掃描方法,其中,製作掃毒程序結果之記錄 表内容包含:排程編號、服務編號、服務屬性與中 毒與否。Page 19 594472 6. Scope of patent application Brain virus scanning method, in which the hierarchical structure of client-side network equipment is the conversation layer of the OSI standard. 27 • The method for scanning computer viruses for network data packets as described in item 18 of the scope of patent application, wherein the hierarchical structure of the client-side network equipment is the presentation layer of the 0 SI standard. 2 8 · The computer virus scanning method for network data packets as described in item 18 of the scope of patent application, wherein the hierarchical structure of the client-side network equipment is the application layer of the 0 SI standard. 2 9 · The computer virus scanning method for network data packets as described in item 18 of the scope of patent application, wherein the client-side network equipment is a computer host. 30 • The method for scanning a computer virus in a network data packet as described in item 18 of the scope of patent application, wherein the client network device is a network gateway. 3 1 · The computer virus scanning method for network data packets as described in item 18 of the scope of patent application, further comprising the step of preparing a record table of the results of the virus scanning program. 
3 2 · The computer virus scanning method for network data packets as described in item 31 of the scope of the patent application, wherein the contents of the record table for the results of the virus scanning program include: schedule number, service number, service attribute, and whether it is poisoned .
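The claims describe the mechanism but not how a packet is actually scanned, rewritten or logged. What follows is an added example written for this page, not code from the patent or its assignee: a per-packet signature scanner for IPv4/TCP traffic at a client gateway that does what claims 14, 15 and 18 describe (overwrite the matched bytes with a fill digit or symbol, or discard the packet) and emits the record-table rows of claims 17 and 32. Everything the claims leave open is an assumption here: the signature set (the standard, harmless EICAR test string), the packet framing, that "service number" means the server-side TCP port, and the "inbound"/"outbound" service attribute. Two checks a practitioner would want that the claims do not mention are built in: a rewritten segment needs its TCP checksum recomputed or the receiving host silently drops it, and a signature split across two segments is invisible to a per-packet scan, so `scan_stream` shows the reassembly needed to catch it.

```python
"""Added example, not the patent's code: a per-packet signature scanner of the
kind claims 1-32 describe, for IPv4/TCP packets passing a client gateway.
Assumptions not from the page: the signature set, the packet framing, and that
the "service number" of the record table is the server-side TCP port."""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Harmless industry-standard anti-virus test pattern, used as the only signature.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
SIGNATURES = {"EICAR-Test-File": EICAR}


@dataclass
class ScanRecord:
    """One row of the record table of claims 17 and 32."""
    schedule_no: int
    service_no: int            # assumption: server-side TCP port
    service_attr: str          # "inbound" or "outbound"
    infected: bool
    signature: Optional[str] = None


def rfc1071_checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071); yields 0 over data carrying a correct checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src: bytes, dst: bytes, segment: bytes) -> int:
    """TCP checksum over pseudo-header + segment, with the checksum field zeroed."""
    seg = bytearray(segment)
    seg[16:18] = b"\x00\x00"
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(seg))
    return rfc1071_checksum(pseudo + bytes(seg))


def build_packet(src: str, dst: str, sport: int, dport: int,
                 payload: bytes, seq: int = 0) -> bytes:
    """Constructed IPv4/TCP packet (20-byte headers, PSH|ACK) for the demo."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18,
                      65535, 0, 0) + payload
    tcp = tcp[:16] + struct.pack("!H", tcp_checksum(src_b, dst_b, tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000,
                     64, 6, 0, src_b, dst_b)
    return ip[:10] + struct.pack("!H", rfc1071_checksum(ip)) + ip[12:] + tcp


def parse_packet(pkt: bytes) -> Tuple[int, int, int, int]:
    """Return (ihl, sport, dport, payload_offset). Both checksums are verified
    first: a packet the receiver would discard anyway must not be rewritten."""
    if pkt[0] >> 4 != 4 or pkt[9] != 6:
        raise ValueError("not IPv4/TCP")
    ihl = (pkt[0] & 0x0F) * 4
    if rfc1071_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IP checksum")
    stored = struct.unpack("!H", pkt[ihl + 16:ihl + 18])[0]
    if tcp_checksum(pkt[12:16], pkt[16:20], pkt[ihl:]) != stored:
        raise ValueError("bad TCP checksum")
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return ihl, sport, dport, ihl + (pkt[ihl + 12] >> 4) * 4


def scan_packet(pkt: bytes, schedule_no: int, direction: str,
                action: str = "modify", fill: bytes = b"0"
                ) -> Tuple[Optional[bytes], ScanRecord]:
    """Scan one packet's payload; return (packet to forward or None, record).
    action="modify" overwrites the matched bytes with `fill` (claim 14: a digit,
    claim 15: a symbol) and repairs the TCP checksum; "discard" drops the packet."""
    if len(fill) != 1:
        raise ValueError("fill must be one byte so the segment length is unchanged")
    ihl, sport, dport, payload_off = parse_packet(pkt)
    service_no = dport if direction == "outbound" else sport
    payload = pkt[payload_off:]
    for name, sig in SIGNATURES.items():
        idx = payload.find(sig)
        if idx == -1:
            continue
        rec = ScanRecord(schedule_no, service_no, direction, True, name)
        if action == "discard":
            return None, rec
        patched = payload[:idx] + fill * len(sig) + payload[idx + len(sig):]
        seg = bytearray(pkt[ihl:payload_off] + patched)
        # Length is unchanged, so the IP header stays valid; only TCP's checksum changes.
        seg[16:18] = struct.pack("!H", tcp_checksum(pkt[12:16], pkt[16:20], bytes(seg)))
        return pkt[:ihl] + bytes(seg), rec
    return pkt, ScanRecord(schedule_no, service_no, direction, False)


def scan_stream(segments: List[bytes]) -> Optional[str]:
    """The check a per-packet scanner cannot do: a signature split across
    segment boundaries is only visible after reassembly (segments in order)."""
    data = b"".join(pkt[parse_packet(pkt)[3]:] for pkt in segments)
    return next((name for name, sig in SIGNATURES.items() if sig in data), None)
```

Running `scan_packet(build_packet("192.0.2.10", "10.0.0.5", 80, 40000, b"HTTP/1.0 200 OK\r\n\r\n" + EICAR), 1, "inbound", fill=b"#")` returns the same-length packet with the EICAR bytes replaced by `#` and a valid TCP checksum, plus an infected record for service 80; splitting EICAR over two segments makes both pass `scan_packet` while `scan_stream` still reports the match. Rewriting a byte range in place is only possible because the replacement keeps the length; anything that changes the length would also require adjusting sequence numbers for the rest of the connection, which is why gateways that do this in practice proxy the stream rather than patch packets.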
TW91125318A 2002-10-25 2002-10-25 Computer virus scanning method for network data packet TW594472B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW91125318A TW594472B (en) 2002-10-25 2002-10-25 Computer virus scanning method for network data packet

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
TW91125318A TW594472B (en) 2002-10-25 2002-10-25 Computer virus scanning method for network data packet

Publications (1)

Publication Number Publication Date
TW594472B true TW594472B (en) 2004-06-21

Family

ID=34075607

Family Applications (1)

Application Number Title Priority Date Filing Date
TW91125318A TW594472B (en) 2002-10-25 2002-10-25 Computer virus scanning method for network data packet

Country Status (1)

Country Link
TW (1) TW594472B (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7761915B2 (en) 2005-12-28 2010-07-20 Zyxel Communications Corp. Terminal and related computer-implemented method for detecting malicious data for computer network
TWI510950B (en) * 2007-05-24 2015-12-01 Microsoft Technology Licensing Llc Method,system,and computer readable medium for anti-virus scanning of partially available content
CN101938482A (en) * 2010-09-06 2011-01-05 建汉科技股份有限公司 Asynchronous network device scanning method and device thereof
CN101938482B (en) * 2010-09-06 2013-05-22 建汉科技股份有限公司 Asynchronous network device scanning method and device thereof

Similar Documents

Publication Publication Date Title
EP1734718A2 (en) Computer-implemented method with real-time response mechanism for detecting viruses in data transfer on a stream basis
US7134142B2 (en) System and method for providing exploit protection for networks
US7873065B1 (en) Selectively enabling network packet concatenation based on metrics
CA2553102C (en) Preventing network data injection attacks
CA2548476C (en) Preventing network data injection attacks using duplicate-ack and reassembly gap approaches
TW200832180A (en) Method and apparatus for reduced redundant security screening
EP1122932B1 (en) Protection of computer networks against malicious content
CN110166480B (en) Data packet analysis method and device
TW200849926A (en) Method and apparatus for detecting port scans with fake source address
WO2012006885A1 (en) Anti-virus implementation method for proxy gateway, pre-classifier and proxy gateway
GB2394382A (en) Monitoring the propagation of viruses through an Information Technology network
Gilad et al. Fragmentation considered vulnerable: blindly intercepting and discarding fragments
US20230275924A1 (en) Network security protection method and protection device
Eddy, RFC 9293: Transmission Control Protocol (TCP)
JP2007179523A (en) Terminal device for detecting malicious data and relevant method
TW594472B (en) Computer virus scanning method for network data packet
JP4542053B2 (en) Packet relay apparatus, packet relay method, and packet relay program
FR2844124A1 (en) NETWORK INTERFACE CARD MINIMIZING THE NUMBER OF INTERRUPTIONS AND METHOD OF GENERATING INTERRUPTIONS
JP4027213B2 (en) Intrusion detection device and method
KR101104599B1 (en) Apparatus and method for defending TCP SYN flooding attacks
US20070083922A1 (en) Network session re-construction
JP2004343580A (en) Gateway
US20060005043A1 (en) Method of scanning computer virus within internet packet
Hussain et al. Dynamic MTU: Technique to reduce packet drops in IPv6 network resulted due to smaller path mtu size
Kiesel et al. Modeling and performance evaluation of transport protocols for firewall control

Legal Events

Date Code Title Description
MM4A Annulment or lapse of patent due to non-payment of fees