CN114244610B - File transmission method and device, network security equipment and storage medium - Google Patents
- Publication number: CN114244610B (CN202111552297.9A)
- Authority: CN (China)
- Prior art keywords: fingerprint information, file, message, flow message, malicious
- Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  - H04L63/00—Network architectures or network communication protocols for network security
    - H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
      - H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
      - H04L63/1441—Countermeasures against malicious traffic
  - H04L67/00—Network arrangements or protocols for supporting network services or applications
    - H04L67/01—Protocols
      - H04L67/06—Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]
    - H04L67/14—Session management
      - H04L67/146—Markers for unambiguous identification of a particular session, e.g. session cookie or URL-encoding
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The application provides a file transmission method, a file transmission device, network security equipment and a storage medium. The method comprises the following steps: receiving a flow message carrying a network data block sent by a first terminal; acquiring fingerprint information in a flow message; the fingerprint information is used for identifying a file to which the network data block belongs, the file is split into a plurality of network data blocks, and the network data blocks are transmitted in a breakpoint continuous transmission mode; inquiring whether the locally stored malicious fingerprint information contains fingerprint information or not; the malicious fingerprint information is fingerprint information corresponding to the identified malicious file; when the malicious fingerprint information contains fingerprint information, processing the flow message based on a first preset processing mode. By the method, even if the file is transmitted in a breakpoint continuous transmission mode, network data blocks which are continuously transmitted after the interruption can be effectively identified, and further continuous transmission of malicious files is blocked.
    Description
Technical Field
      The present application relates to the field of data transmission technologies, and in particular, to a file transmission method and apparatus, a network security device, and a storage medium.
    Background
      Existing network security devices such as firewalls and next-generation firewalls provide functions such as intrusion detection, virus scanning, content filtering and sandbox protection. Such devices can perform security detection on files transmitted over the network and, when a file is found to contain features, viruses or specific keywords, prevent the file from spreading, so as to protect network security or prevent data leakage.
      In order to ensure efficient file transmission, current file transmission methods generally split a larger file into a plurality of network data blocks for transmission. The network security equipment detects each network data block in sequence. Since the strings constituting the virus may be distributed across different network data blocks, the network security device determines that the file is a malicious file only after detecting all the strings constituting the virus. With this transmission mode, the receiving end may already have received some network data blocks that carry virus character strings; at that moment the transmission can be interrupted to prevent all the character strings forming the virus from reaching the receiving end. However, the inventor found in the study that if the breakpoint continuous transmission mode (that is, resuming an interrupted transfer) is adopted in the file transmission process, then when the receiving end requests the file transmission a second time, the sending end transmits only the remaining network data blocks, and the network data blocks that were already transmitted successfully are not transmitted again. Because the breakpoint continuous transmission mode is equivalent to reestablishing a session, the network security equipment treats the remaining network data blocks as a new file during detection, so the remaining network data blocks carrying virus character strings can be transmitted to the receiving end, and the receiving end is attacked by the malicious file.
    Disclosure of Invention
      The embodiment of the application aims to provide a file transmission method, a file transmission device, network security equipment and a storage medium, which are used for blocking malicious files from being received by a receiving end in a breakpoint continuous transmission mode.
      The invention is realized in the following way:
       In a first aspect, an embodiment of the present application provides a file transmission method, which is applied to a network security device, including: receiving a flow message carrying a network data block sent by a first terminal; acquiring fingerprint information in the flow message; the fingerprint information is used for identifying a file to which the network data block belongs, and the file is split into a plurality of network data blocks and transmitted in a breakpoint continuous transmission mode; inquiring whether locally stored malicious fingerprint information contains the fingerprint information or not; the malicious fingerprint information is fingerprint information corresponding to the identified malicious file; when the malicious fingerprint information contains the fingerprint information, processing the flow message based on a first preset processing mode. 
      In the embodiment of the application, the network security equipment pre-stores the fingerprint information corresponding to the malicious file, and further after receiving the traffic message carrying the network data block sent by the first terminal, the network security equipment can judge whether the network data block belongs to the malicious file or not through the fingerprint information carried by the traffic message, and if so, the network security equipment correspondingly processes the received traffic message. By the method, even if the file is transmitted in a breakpoint continuous transmission mode, network data blocks which are continuously transmitted after the interruption can be effectively identified, and further continuous transmission of malicious files is blocked.
      With reference to the foregoing technical solution provided in the first aspect, in some possible implementation manners, the processing the flow packet based on the first preset processing manner includes: and processing the flow message based on a processing mode corresponding to the malicious fingerprint information which is the same as the fingerprint information.
      In the embodiment of the application, the flow message is processed based on the processing mode corresponding to the malicious fingerprint information which is the same as the fingerprint information, so that the flow message processing flow can be quickened, and the processing efficiency is improved.
      With reference to the foregoing technical solution provided in the first aspect, in some possible implementation manners, the method further includes: detecting the flow message when the malicious fingerprint information does not contain the fingerprint information; when the detection result of the flow message represents that the file is a malicious file, processing the flow message based on a second preset processing mode, and storing the fingerprint information and the processing mode of the flow message; and when the detection result of the flow message indicates that the file is a non-malicious file, forwarding the flow message to a second terminal corresponding to the flow message.
      In the embodiment of the application, when the malicious fingerprint information does not contain the fingerprint information of the flow message, the flow message is detected, if the file corresponding to the flow message is detected to be the malicious file, the flow message is processed, and the fingerprint information and the processing mode of the flow message are stored, so that the subsequent network security equipment can rapidly process when receiving the flow message with the same fingerprint information.
      With reference to the foregoing technical solution provided in the first aspect, in some possible implementation manners, the processing the flow packet based on the second preset processing manner includes: replacing the virus character string in the flow message; and sending the traffic message after the virus character string replacement to the second terminal.
      In the embodiment of the application, if the file corresponding to the flow message is detected to be a malicious file, the virus character string in the flow message can be replaced to remove the virus character string in the network data block, so that the second terminal is not attacked by viruses after the network data block is continuously transmitted to the second terminal.
      With reference to the foregoing technical solution provided in the first aspect, in some possible implementation manners, when the flow packet is a TCP packet or a UDP packet carried by an IP protocol, the acquiring fingerprint information in the flow packet includes: acquiring a source IP address, a destination IP address and a destination port in the flow message; and the source IP address, the destination IP address and the destination port in the flow message are the fingerprint information.
      In the embodiment of the application, when the flow message is a TCP protocol message or a UDP protocol message carried by an IP protocol, a source IP address, a destination IP address and a destination port in the flow message are extracted as fingerprint information so as to effectively identify a network data block of the TCP protocol message or the UDP protocol message carried by the IP protocol.
      With reference to the foregoing technical solution provided in the first aspect, in some possible implementation manners, when the flow packet is an HTTP protocol packet, the acquiring fingerprint information in the flow packet includes: acquiring a uniform resource locator, a destination terminal address, a file coding mode and a file type in the flow message; the fingerprint information comprises a uniform resource locator, a destination terminal address, a file name, a file coding mode and a file type in the flow message.
      In the embodiment of the application, when the flow message is a message of the HTTP protocol, the uniform resource locator, the destination terminal address, the file name, the file coding mode and the file type in the flow message are extracted so as to effectively identify the network data block in the flow message of the HTTP protocol.
      With reference to the foregoing technical solution provided in the first aspect, in some possible implementation manners, when the flow packet is a packet of an FTP protocol, the acquiring fingerprint information in the flow packet includes: analyzing the flow message to obtain a transmission path and a file name of the flow message; and the transmission path of the flow message and the file name are the fingerprint information.
      In the embodiment of the application, when the flow message is a message of the FTP protocol, the transmission path and the file name of the flow message are extracted as fingerprint information so as to effectively identify the network data block in the flow message of the FTP protocol.
      In a second aspect, an embodiment of the present application provides a file transmission apparatus, applied to a network security device, including: the receiving module is used for receiving the flow message carrying the network data block sent by the first terminal; the acquisition module acquires fingerprint information in the flow message; the fingerprint information is used for identifying a file to which the network data block belongs, and the file is split into a plurality of network data blocks and transmitted in a breakpoint continuous transmission mode; the query module is used for querying whether locally stored malicious fingerprint information contains the fingerprint information; the malicious fingerprint information is fingerprint information corresponding to the identified malicious file; and the processing module is used for processing the flow message based on a first preset processing mode when the malicious fingerprint information contains the fingerprint information.
      In a third aspect, an embodiment of the present application provides a network security device, including: the device comprises a processor and a memory, wherein the processor is connected with the memory; the memory is used for storing programs; the processor is configured to invoke a program stored in the memory to perform a method as provided by the embodiments of the first aspect described above and/or in combination with some possible implementations of the embodiments of the first aspect described above.
      In a fourth aspect, embodiments of the present application provide a computer readable storage medium having stored thereon a computer program which, when executed by a processor, performs a method as provided by the embodiments of the first aspect described above and/or in connection with some possible implementations of the embodiments of the first aspect described above.
    Drawings
      In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are needed in the embodiments of the present application will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present application and should not be considered as limiting the scope, and other related drawings can be obtained according to these drawings without inventive effort for a person skilled in the art.
      Fig. 1 is a schematic diagram of file breakpoint resume provided in the prior art.
      Fig. 2 is a block diagram of a network system according to an embodiment of the present application.
      Fig. 3 is a block diagram of a network security device according to an embodiment of the present application.
      Fig. 4 is a flowchart of a file transfer method according to an embodiment of the present application.
      Fig. 5 is a block diagram of a file transfer device according to an embodiment of the present application.
      Reference numerals: 10-network system; 100-network security device; 110-processor; 120-memory; 200-first terminal; 300-second terminal; 400-file transfer device; 410-receiving module; 420-acquisition module; 430-query module; 440-processing module.
    Detailed Description
      The technical solutions in the embodiments of the present application will be described below with reference to the accompanying drawings in the embodiments of the present application.
      First, a description is given of a file breakpoint continuous transmission method provided in the prior art. In order to ensure efficient file transmission, current file transmission methods generally split a larger file into a plurality of network data blocks for transmission. Referring to fig. 1, fig. 1 describes a process of transferring a file (for example, a virus file) from a first terminal to a second terminal. It is assumed that the virus file is divided into ten network data blocks for transmission, and the ten network data blocks are denoted by sequence numbers 1 to 10, for example, the first network data block for transmission is network data block 1, the second network data block for transmission is network data block 2, and so on, and the tenth network data block for transmission is network data block 10. Three virus strings A, B, C constituting viruses in the virus file are distributed in the network data block 1, the network data block 3, and the network data block 4, respectively.
      It should be noted that if the virus is to function in the second terminal, the complete file needs to be obtained in the second terminal, and the file includes all the virus strings that constitute the virus. That is, the virus can only function after the second terminal has received the complete file, and the complete file contains the three virus strings A, B and C (the virus strings A, B and C may be used to indicate that the file is a malicious file or a virus file); the virus cannot function if the second terminal holds only any two of the three virus strings, or only one virus string. Therefore, when the network security device detects, the corresponding file is determined to be a virus file only after all the character strings composing the virus are identified. As shown in fig. 1, the network data blocks are sequentially transmitted through the network and then detected by the network security device. The network data block 1 has arrived at the second terminal, i.e. the network data block 1 was successfully received by the second terminal; the network data block 2 and the network data block 3 are in transit from the network security equipment to the second terminal; the network data block 4 is being detected by the network security device; the network data blocks 5-8 are in transit from the first terminal to the network security device, i.e. the network data blocks 5-8 have not yet arrived at the network security device; and the network data block 9 and the network data block 10 have not yet been sent from the first terminal.
      When the network security device detects the network data block 4, the virus strings A, B and C have all been detected, so the network security device blocks transmission of all network data blocks that have not yet arrived at the second terminal, and the network data blocks 2-10 do not arrive at the second terminal. However, the inventors found that if breakpoint continuous transmission is adopted in the file transmission process, then when the second terminal requests the file transmission a second time, the first terminal transmits the remaining network data blocks (for example, in the second transmission process in fig. 1, the network data block 2 is transmitted), and the successfully transmitted network data block (network data block 1) is not transmitted again. The breakpoint continuous transmission mode is equivalent to reestablishing a session, so the network security device treats the remaining network data blocks (network data block 2 to network data block 10) as a new file when detecting. The network security device then determines that the file made up of network data block 2 to network data block 10 is safe and transmits it to the second terminal, so the network data blocks carrying the virus character strings B and C are also transmitted to the second terminal.
      In view of the above problems, the present application provides the following embodiments to solve the above problems.
      Referring to fig. 2, an embodiment of the present application provides a network system 10, which includes a network security device 100, a first terminal 200, and a second terminal 300.
      The network security device 100 is communicatively connected to the first terminal 200 and the second terminal 300, respectively.
      The network security device 100 may provide functions such as intrusion detection, virus scanning, content filtering and sandbox protection. In the embodiment of the present application, the network security device 100 is mainly used for detecting a traffic message carrying a network data block sent by the first terminal 200 to the second terminal 300.
      The network security device 100 may specifically be, but is not limited to, a router, a gateway device or a firewall.
      Referring to fig. 3, in architecture, network security device 100 may include a processor 110 and a memory 120.
      The processor 110 is electrically connected to the memory 120, either directly or indirectly, to enable data transmission or interaction; for example, the elements may be electrically connected to each other via one or more communication buses or signal lines. The file transfer device comprises at least one software module, which may be stored in the memory 120 in the form of software or firmware, or built into the operating system (OS) of the network security device 100. The processor 110 is configured to execute executable modules stored in the memory 120, such as the software functional modules and computer programs included in the file transfer device, to implement the file transfer method. The processor 110 may execute the computer program after receiving the execution instructions.
      The processor 110 may be an integrated circuit chip with signal processing capability. The processor 110 may also be a general-purpose processor, for example a central processing unit (CPU), a digital signal processor (DSP), an application-specific integrated circuit (ASIC), discrete gate or transistor logic, or discrete hardware components, and may implement or perform the methods, steps, and logic blocks disclosed in embodiments of the present application. Further, the general-purpose processor may be a microprocessor or any conventional processor or the like.
      The memory 120 may be, but is not limited to, random access memory (RAM), read-only memory (ROM), programmable read-only memory (PROM), erasable programmable read-only memory (EPROM), or electrically erasable programmable read-only memory (EEPROM). The memory 120 is used for storing a program, and the processor 110 executes the program after receiving an execution instruction.
      It should be noted that the structure shown in fig. 3 is only illustrative, and the network security device 100 provided in the embodiment of the present application may further have fewer or more components than those shown in fig. 3, or may have a different configuration from that shown in fig. 3. In addition, the components shown in fig. 3 may be implemented by software, hardware, or a combination thereof.
      The first terminal 200 may be configured to transmit a traffic message to the second terminal 300. For example, when the second terminal 300 requests to obtain the target file from the first terminal 200, the first terminal 200 splits the target file into a plurality of network data blocks, and then sequentially sends a traffic message carrying the network data blocks to the second terminal 300.
      In the embodiment of the present application, the first terminal 200 may be a terminal or a server. The terminal may be, but is not limited to, a personal computer (PC), a smart phone, a tablet computer, a personal digital assistant (PDA), a mobile internet device (MID), and the like. The server may be, but is not limited to, a web server, a database server, a cloud server, or a server cluster made up of multiple sub-servers, etc. The second terminal 300 may be, but is not limited to, a personal computer, a smart phone, a tablet computer, etc.
      Of course, the above-listed hardware devices are only used to facilitate understanding of the embodiments of the present application, and should not be construed as limiting the present embodiments.
      Referring to fig. 4, fig. 4 is a flowchart of a file transfer method according to an embodiment of the present application, where the method is applied to the network security device 100 shown in fig. 3. It should be noted that, the file transmission method provided in the embodiment of the present application is not limited by the order shown in fig. 4 and the following steps, and the method includes: step S101 to step S104.
      Step S101: receiving a flow message carrying the network data block sent by the first terminal.
      Step S102: fingerprint information in the flow message is acquired.
      The fingerprint information is used for identifying the file to which the network data block belongs. The file is split into a plurality of network data blocks by the first terminal, and the file is transmitted in a breakpoint continuous transmission mode.
      Step S103: querying whether the locally stored malicious fingerprint information contains the fingerprint information.
      The malicious fingerprint information is fingerprint information corresponding to the identified malicious file. The network security device can store fingerprint information corresponding to the malicious file in advance, so that when a flow message carrying a network data block is received, whether the file to which that network data block belongs is a malicious file can be determined directly from the fingerprint information of the flow message.
      Step S104: when the malicious fingerprint information contains fingerprint information, processing the flow message based on a first preset processing mode.
      When the malicious fingerprint information contains the fingerprint information of the flow message, the file to which the network data block carried by the flow message belongs is indicated to belong to a malicious file, and the flow message can be processed according to a first preset processing mode.
      The first preset processing mode is a processing mode formulated for the malicious file. The first preset processing mode is described later.
      In summary, in the embodiment of the present application, the network security device may store fingerprint information corresponding to a malicious file in advance, and further after receiving a traffic message carrying a network data block sent by a first terminal, it may determine whether the network data block belongs to the malicious file through the fingerprint information carried by the traffic message, and if yes, perform corresponding processing on the received traffic message. By the method, even if the file is transmitted in a breakpoint continuous transmission mode, network data blocks which are continuously transmitted after the interruption can be effectively identified, and further continuous transmission of malicious files is blocked.
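The following added example (not code from the patent) simulates the Fig. 1 scenario twice: once with a device that keeps detection state per session only, and once with the fingerprint lookup of steps S101 to S104. It assumes inline inspection, so blocks 1-3 reach the receiver before block 4 triggers the verdict; the class and function names, the placeholder virus strings and the fingerprint tuple are all constructed for illustration.

```python
from dataclasses import dataclass, field
from itertools import count

# Constructed stand-ins for virus strings A, B, C of the Fig. 1 scenario.
VIRUS_STRINGS = (b"<<A>>", b"<<B>>", b"<<C>>")
# Constructed HTTP-style fingerprint: URL, destination terminal address,
# file name, file coding mode, file type.
FINGERPRINT = ("http://files.example/tool.bin", "02:00:00:00:00:01",
               "tool.bin", "identity", "application/octet-stream")
_session_ids = count(1)  # every (re)connection gets a fresh session id


def make_blocks():
    """Ten constructed network data blocks; A, B, C sit in blocks 1, 3 and 4."""
    blocks = {i: b"data-%02d;" % i for i in range(1, 11)}
    for idx, virus_string in zip((1, 3, 4), VIRUS_STRINGS):
        blocks[idx] += virus_string
    return blocks


@dataclass
class Inspector:
    """Toy network security device (hypothetical model, not a real product API)."""
    use_fingerprints: bool
    malicious: dict = field(default_factory=dict)  # fingerprint -> processing mode
    found: dict = field(default_factory=dict)      # session id -> strings seen

    def handle(self, session_id, fingerprint, block):
        """Return the verdict ('forward' or 'block') for one traffic message."""
        # S103/S104: a known malicious fingerprint short-circuits detection.
        if self.use_fingerprints and fingerprint in self.malicious:
            return self.malicious[fingerprint]
        # Otherwise run detection; its state lives only inside this session.
        hits = self.found.setdefault(session_id, set())
        hits.update(s for s in VIRUS_STRINGS if s in block)
        if len(hits) == len(VIRUS_STRINGS):
            if self.use_fingerprints:
                # Store the fingerprint together with its processing mode.
                self.malicious[fingerprint] = "block"
            return "block"
        return "forward"


def transfer_with_resume(inspector, fingerprint, blocks):
    """Send blocks in order; after an interruption, resume in a new session
    from the first block the receiver is missing. Returns what was received."""
    received = {}
    while len(received) < len(blocks):
        session_id = next(_session_ids)
        before = len(received)
        for idx in range(before + 1, len(blocks) + 1):
            if inspector.handle(session_id, fingerprint, blocks[idx]) == "block":
                break
            received[idx] = blocks[idx]
        if len(received) == before:  # resume made no progress: give up
            break
    return received


def strings_at_receiver(received):
    """Virus strings present in the data the receiver has reassembled."""
    data = b"".join(received[i] for i in sorted(received))
    return [s for s in VIRUS_STRINGS if s in data]


if __name__ == "__main__":
    for mode in (False, True):
        got = transfer_with_resume(Inspector(mode), FINGERPRINT, make_blocks())
        print("fingerprints" if mode else "per-session ", sorted(got),
              strings_at_receiver(got))
```

With per-session state the resumed session sees only string C and the receiver ends up with the whole file; with the fingerprint store the first resumed block is already matched and nothing further is forwarded.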
      The above steps are described below in connection with specific examples.
      In the embodiment of the application, fingerprint information corresponding to the flow messages of different protocols is different.
      In an embodiment, the traffic message may be a TCP (Transmission Control Protocol) message or a UDP (User Datagram Protocol) message carried by IP (Internet Protocol). When the traffic message is a TCP protocol message or a UDP protocol message carried by the IP protocol, the step S102 may specifically include: acquiring a source IP address, a destination IP address and a destination port in the flow message.
      The source IP address, the destination IP address and the destination port in the flow message are fingerprint information. Correspondingly, the locally stored malicious fingerprint information is a source IP address, a destination IP address and a destination port corresponding to the malicious file.
      Therefore, in the embodiment of the application, when the traffic message is a TCP protocol message or a UDP protocol message carried by an IP protocol, a source IP address, a destination IP address and a destination port in the traffic message are extracted as fingerprint information, so as to effectively identify a network data block in the TCP protocol message or the UDP protocol message carried by the IP protocol.
      In another embodiment, the traffic message may be an HTTP (Hypertext Transfer Protocol) message. When the traffic message is an HTTP protocol message, the step S102 may specifically include: acquiring a uniform resource locator, a destination terminal address (such as a Media Access Control (MAC) address of the second terminal), a file name, a file coding mode and a file type in the flow message.
      The fingerprint information comprises a uniform resource locator, a destination terminal address, a file name, a file coding mode and a file type in the flow message. Correspondingly, the locally stored malicious fingerprint information is a uniform resource locator, a destination terminal address, a file name, a file coding mode and a file type corresponding to the malicious file.
      It can be seen that, in the embodiment of the present application, when the traffic message is a message of HTTP protocol, the uniform resource locator, the destination terminal address, the file name, the file coding mode and the file type in the traffic message are extracted, so as to effectively identify the network data block in the traffic message of HTTP protocol.
      In another embodiment, the traffic message may be an FTP (File Transfer Protocol) message. When the traffic message is a message of the FTP protocol, step S102 may specifically include: parsing the flow message to obtain the transmission path and the file name of the flow message.
      The transmission path of the flow message and the file name are fingerprint information. Correspondingly, the locally stored malicious fingerprint information is a transmission path and a file name corresponding to the malicious file.
      It should be noted that, in the traffic message of the FTP protocol, since the data stream and the control stream are separated, fingerprint information extraction of the traffic message is mainly in the control stream. The network security device may extract a transmission path by parsing a directory switching command (cd), extract a file name by parsing a file acquisition command (get), and then combine the transmission path and the file name into fingerprint information.
      Therefore, in the embodiment of the application, when the flow message is a message of the FTP protocol, the transmission path and the file name of the flow message are extracted as fingerprint information, so as to effectively identify the network data block in the flow message of the FTP protocol.
      In addition, the traffic message may also be a message of the SMB (Server Message Block) protocol. The fingerprint information corresponding to the messages of each protocol can also be determined according to the actual implementation, and the application is not limited in this respect. In addition, when traffic messages are transmitted over different protocols, the network security device needs to identify which protocol a traffic message belongs to, and then extract the fingerprint information of the traffic message according to the fingerprint information configured for that protocol.
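An added Python example (not code from the patent) of the per-protocol extraction described above. The HTTP header mapping (Content-Encoding for the file coding mode, Content-Type for the file type, Content-Disposition or the URL path for the file name), the wire commands CWD/CDUP/RETR standing in for the client's cd and get, and every address and name in the sample traffic are assumptions constructed for illustration.

```python
import posixpath


def l4_fingerprint(src_ip, dst_ip, dst_port):
    """TCP/UDP over IP: source IP, destination IP and destination port."""
    return ("l4", src_ip, dst_ip, int(dst_port))


def parse_head(raw):
    """Split a raw HTTP head into (start_line, {lower-cased header: value})."""
    lines = raw.strip().split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def http_fingerprint(request_head, response_head, dst_mac):
    """HTTP: URL, destination terminal address, file name, coding mode, file type.

    Range and Content-Range are deliberately not part of the key, so a resumed
    (206 Partial Content) download maps to the same fingerprint as the first one.
    """
    start_line, req = parse_head(request_head)
    _, rsp = parse_head(response_head)
    _method, target, _version = start_line.split(" ", 2)
    url = "http://" + req.get("host", "") + target
    # Assumed mapping: prefer Content-Disposition, else the last URL path segment.
    name = posixpath.basename(target.split("?", 1)[0])
    disposition = rsp.get("content-disposition", "")
    if "filename=" in disposition:
        name = disposition.split("filename=", 1)[1].split(";")[0].strip().strip('"')
    coding = rsp.get("content-encoding", "identity")
    file_type = rsp.get("content-type", "").split(";")[0].strip()
    return ("http", url, dst_mac.lower(), name, coding, file_type)


def ftp_fingerprints(control_lines):
    """FTP: follow the control stream and emit (path, file name) per download.

    On the wire the client's cd/get appear as CWD (or CDUP) and RETR. A REST
    offset sent before RETR on resume is ignored, so the key stays the same.
    """
    cwd = "/"
    found = []
    for line in control_lines:
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "CWD":
            cwd = posixpath.normpath(posixpath.join(cwd, arg))
        elif verb == "CDUP":
            cwd = posixpath.dirname(cwd) or "/"
        elif verb == "RETR":
            full = posixpath.normpath(posixpath.join(cwd, arg))
            found.append(("ftp", posixpath.dirname(full), posixpath.basename(full)))
    return found


# Constructed sample traffic: first download and its resumed continuation.
MAC = "02:00:00:00:00:02"
REQ_FIRST = "GET /dl/q.bin HTTP/1.1\r\nHost: files.example\r\n\r\n"
RSP_FIRST = ("HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
             "Content-Length: 4096\r\n\r\n")
REQ_RESUME = ("GET /dl/q.bin HTTP/1.1\r\nHost: files.example\r\n"
              "Range: bytes=2048-\r\n\r\n")
RSP_RESUME = ("HTTP/1.1 206 Partial Content\r\n"
              "Content-Type: application/octet-stream\r\n"
              "Content-Range: bytes 2048-4095/4096\r\nContent-Length: 2048\r\n\r\n")
FTP_FIRST = ["USER anonymous", "PASS guest", "CWD /pub", "CWD tools",
             "TYPE I", "RETR q.bin"]
FTP_RESUME = ["USER anonymous", "PASS guest", "CWD /pub/tools",
              "TYPE I", "REST 2048", "RETR q.bin"]

if __name__ == "__main__":
    print(l4_fingerprint("192.0.2.10", "198.51.100.20", 8080))
    print(http_fingerprint(REQ_FIRST, RSP_FIRST, MAC))
    print(http_fingerprint(REQ_RESUME, RSP_RESUME, MAC))
    print(ftp_fingerprints(FTP_FIRST), ftp_fingerprints(FTP_RESUME))
```

The TCP/UDP fingerprint is shared by every file exchanged between the same two hosts on that destination port, so it identifies a file far less precisely than the HTTP or FTP fingerprints do.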
      In an embodiment, the processing the traffic message in step S104 based on the first preset processing manner specifically includes: replacing the virus character string in the flow message; and sending the traffic message with the virus character string replaced to a second terminal.
      Continuing with FIG. 1 as an example, if the network data block carried by the traffic message currently sent by the first terminal is network data block 4, the network security device replaces the virus character string C after identifying it in network data block 4. The replacement may substitute any character string other than C for the virus character string C; the form of the replacement string is not limited by the present application. After the network security device replaces the virus character string C, the traffic message may be sent to the second terminal. Since the network data block no longer contains the character string C, the file content is destroyed and the virus fails, so the second terminal is not attacked by the virus after network data block 4 is sent to it.
      Of course, if the traffic message does not include a virus character string, the traffic message may be sent directly to the second terminal. For example, if the network data block carried by the traffic message currently sent by the first terminal is network data block 2, the network security device sends the traffic message directly to the second terminal.
      In an embodiment, the processing the traffic message in step S104 based on the first preset processing manner specifically includes: blocking the sending of the traffic message.
      Continuing with FIG. 1 as an example, if the network data block carried by the traffic message currently sent by the first terminal is network data block 4, the network security device interrupts the transmission of network data block 4 at this time.
      Of course, the transmission of all network data blocks which have not yet arrived at the second terminal may also be blocked at this time. If the network data block carried by the traffic message sent by the first terminal is network data block 4, the network security device interrupts the transmission of network data blocks 2-4 at this time.
      In an embodiment, the processing of the traffic message in step S104 based on the first preset processing manner specifically includes: processing the flow message based on the processing mode corresponding to the malicious fingerprint information which is the same as the fingerprint information.
      That is, the network security device may locally store the processing mode corresponding to each piece of malicious fingerprint information. The flow message can then be processed directly based on the processing mode corresponding to the malicious fingerprint information which is the same as the fingerprint information.
      The processing mode stored for the malicious fingerprint information may be either of the two implementations in the foregoing embodiments. For example, if the processing mode corresponding to the malicious fingerprint information identical to the fingerprint information is replacement of the virus character string, the virus character string in the traffic message is replaced, and if the traffic message does not include the virus character string, the traffic message is sent directly to the second terminal. For another example, if the processing mode corresponding to the malicious fingerprint information identical to the fingerprint information is blocking the sending of the traffic message, the network security device interrupts the transmission of the traffic message.
      Therefore, in the embodiment of the application, the flow message is processed based on the processing mode corresponding to the malicious fingerprint information which is the same as the fingerprint information, so that the flow message processing flow can be quickened, and the processing efficiency is improved.
      Of course, when the malicious fingerprint information does not include the fingerprint information, the file transmission method further includes: detecting the flow message.
      When the detection result of the flow message indicates that the file is a non-malicious file, the flow message is forwarded to a second terminal corresponding to the flow message.
      That is, the network security device identifies the virus character strings in the traffic message, and if the file corresponding to the traffic message does not include all the virus character strings that constitute the virus, the file corresponding to the traffic message is determined to be a non-malicious file, and at this time, the traffic message is directly forwarded.
      When the detection result of the flow message indicates that the file is a malicious file, the flow message is processed based on a second preset processing mode, and the fingerprint information and the processing mode of the flow message are stored.
      Continuing with FIG. 1 as an example, assume that the file carrying the virus strings A, B and C is Q, and that the network security equipment receives a message corresponding to the file Q for the first time. When the network security equipment detects the flow messages carrying network data blocks 1-3, the file Q is not determined to be a malicious file. When the traffic message carrying network data block 4 is detected, the file Q is determined to be a malicious file because the virus strings A, B and C have all been detected. At this time, the network security device processes the traffic message based on the second preset processing mode, and stores the fingerprint information and the processing mode of the traffic message.
      The second preset processing manner herein may be, but is not limited to, replacing the virus string and blocking the sending of the traffic message in the foregoing embodiment.
      Taking replacement of the virus character string as the second preset processing mode, the network security device replaces the virus character string C in network data block 4. The replacement may substitute any character string other than C for the virus character string C; the form of the replacement string is not limited by the present application. After the network security device replaces the virus character string C, the traffic message may be sent to the second terminal. Since the network data block no longer contains the character string C, the file content is destroyed and the virus fails, so the second terminal will not be attacked by the virus after network data block 4 is sent to it. After this processing, the network security equipment stores the fingerprint information of the file Q and the processing mode of the flow message.
      When the network security device receives the flow message corresponding to the file Q again, for example, when the network security device receives the flow message carrying the network data block 3 again, the virus character string B in the network data block 3 may be directly replaced, and then the flow message is sent to the second terminal.
      Taking blocking the sending of the flow message as the second preset processing mode, the network security device interrupts the transmission of the flow message carrying network data block 4. After this processing, the network security equipment stores the fingerprint information of the file Q and the processing mode of the flow message.
      When the network security device receives a flow message corresponding to the file Q again, for example, when it again receives the flow message carrying network data block 2, the transmission of the flow message carrying network data block 2 can be directly interrupted. That is, the method can effectively prevent the first terminal in FIG. 1 from resuming transmission of the file Q to the second terminal from the breakpoint.
      It should be noted that the interruption in breakpoint continuous transmission in the embodiment of the present application may be a transmission interruption triggered by the first terminal or the second terminal, an interruption made by the network security device after detecting the malicious file, or a transmission interruption caused by poor network signal; whichever way the transfer was interrupted, the method can block the malicious file from being received by the second terminal by breakpoint continuous transmission.
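The lookup, detect and store flow for file Q, as an added Python example (not code from the patent). The byte strings standing in for virus strings A, B and C, the block contents, the placement of A in block 1, and the same-length filler used for replacement are assumptions of this example; the fingerprint is treated as an opaque key.

```python
REPLACE, BLOCK = "replace", "block"

# Constructed stand-ins for the virus character strings A, B and C.
VIRUS_STRINGS = (b"VIRUS-A", b"VIRUS-B", b"VIRUS-C")

# Constructed network data blocks of file Q: B sits in block 3 and C in
# block 4 as in the text, block 2 is clean, A in block 1 is an assumption.
BLOCKS = {
    1: b"header VIRUS-A ....",
    2: b"plain payload bytes",
    3: b".. VIRUS-B ........",
    4: b"...... VIRUS-C end.",
}
FP_Q = ("ftp", "/pub/tools", "q.bin")          # constructed fingerprint of Q
FP_OTHER = ("ftp", "/pub/docs", "readme.txt")  # constructed benign file


class Gateway:
    """Minimal model of the network security device's per-message decision."""

    def __init__(self, second_mode=REPLACE):
        self.second_mode = second_mode  # second preset processing mode
        self.malicious = {}             # fingerprint -> stored processing mode
        self.seen = {}                  # fingerprint -> virus strings found so far

    def _apply(self, mode, payload):
        if mode == BLOCK:
            return ("blocked", None)
        cleaned = payload
        for s in VIRUS_STRINGS:
            # Example choice: same-length filler, so offsets and declared
            # lengths of the transfer stay valid after the replacement.
            cleaned = cleaned.replace(s, b"x" * len(s))
        return ("replaced" if cleaned != payload else "forwarded", cleaned)

    def handle(self, fingerprint, payload):
        """Return (status, payload sent to the second terminal or None)."""
        # Known malicious fingerprint: reuse the stored mode, no re-detection.
        mode = self.malicious.get(fingerprint)
        if mode is not None:
            return self._apply(mode, payload)
        # Unknown fingerprint: detect, accumulating hits across blocks.
        found = self.seen.setdefault(fingerprint, set())
        found.update(s for s in VIRUS_STRINGS if s in payload)
        if len(found) == len(VIRUS_STRINGS):
            # All strings that make up the virus were seen: the file is
            # malicious, so store its fingerprint with the processing mode.
            self.malicious[fingerprint] = self.second_mode
            del self.seen[fingerprint]
            return self._apply(self.second_mode, payload)
        return ("forwarded", payload)


def send(gateway, fingerprint, block_ids):
    """Push the given blocks through the gateway and return their statuses."""
    return [gateway.handle(fingerprint, BLOCKS[i])[0] for i in block_ids]


if __name__ == "__main__":
    for mode in (REPLACE, BLOCK):
        gw = Gateway(mode)
        print(mode, "first transfer :", send(gw, FP_Q, [1, 2, 3, 4]))
        print(mode, "resumed at 2   :", send(gw, FP_Q, [2, 3, 4]))
        print(mode, "other file     :", send(gw, FP_OTHER, [2]))
```

The model shows why the store matters: on the resumed transfer the device sees only blocks 2-4, which never contain all three strings, so without the stored fingerprint detection alone would forward them.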
      Referring to fig. 5, based on the same inventive concept, an embodiment of the present application further provides a file transmission apparatus 400, including:
      A receiving module 410, configured to receive a flow message carrying a network data block sent by the first terminal.
      An obtaining module 420, configured to obtain fingerprint information in the flow packet; the fingerprint information is used for identifying a file to which the network data block belongs, and the file is split into a plurality of network data blocks and transmitted in a breakpoint continuous transmission mode.
      A query module 430, configured to query whether locally stored malicious fingerprint information includes the fingerprint information; the malicious fingerprint information is fingerprint information corresponding to the identified malicious file.
      A processing module 440, configured to process the traffic message based on a first preset processing manner when the malicious fingerprint information includes the fingerprint information.
      Optionally, the processing module 440 is further configured to process the traffic message based on a processing manner corresponding to the malicious fingerprint information that is the same as the fingerprint information.
      Optionally, the apparatus further comprises a detection module.
      The detection module is used for detecting the flow message when the malicious fingerprint information does not contain the fingerprint information; when the detection result of the flow message represents that the file is a malicious file, processing the flow message based on a second preset processing mode, and storing the fingerprint information and the processing mode of the flow message; and when the detection result of the flow message indicates that the file is a non-malicious file, forwarding the flow message to a second terminal corresponding to the flow message.
      Optionally, the detection module is further specifically configured to replace a virus string in the traffic message; and sending the traffic message after the virus character string replacement to the second terminal.
      Optionally, when the traffic message is a TCP protocol message or a UDP protocol message carried by an IP protocol, the obtaining module 420 is specifically configured to obtain a source IP address, a destination IP address, and a destination port in the traffic message; and the source IP address, the destination IP address and the destination port in the flow message are the fingerprint information.
      Optionally, when the flow message is a message of HTTP protocol, the obtaining module 420 is specifically configured to obtain a uniform resource locator, a destination terminal address, a file coding mode, and a file type in the flow message; the fingerprint information comprises a uniform resource locator, a destination terminal address, a file name, a file coding mode and a file type in the flow message.
      Optionally, when the flow message is a message of an FTP protocol, the obtaining module 420 is specifically configured to parse the flow message to obtain a transmission path and a file name of the flow message; and the transmission path of the flow message and the file name are the fingerprint information.
      It should be noted that, since it will be clearly understood by those skilled in the art, for convenience and brevity of description, the specific working processes of the systems, apparatuses and units described above may refer to the corresponding processes in the foregoing method embodiments, which are not repeated herein.
      Based on the same inventive concept, the embodiments of the present application also provide a computer-readable storage medium having stored thereon a computer program which, when executed, performs the method provided in the above embodiments.
      The storage medium may be any available medium that can be accessed by a computer, or a data storage device such as a server or data center that integrates one or more available media. The usable medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., solid state disk (SSD)), etc.
      In the embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other manners. The above-described apparatus embodiments are merely illustrative, for example, the division of the units is merely a logical function division, and there may be other manners of division in actual implementation, and for example, multiple units or components may be combined or integrated into another system, or some features may be omitted, or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be through some communication interface, device or unit indirect coupling or communication connection, which may be in electrical, mechanical or other form.
      Further, the units described as separate units may or may not be physically separate, and units displayed as units may or may not be physical units, may be located in one place, or may be distributed over a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
      Furthermore, functional modules in various embodiments of the present application may be integrated together to form a single portion, or each module may exist alone, or two or more modules may be integrated to form a single portion.
      In this document, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions.
      The above description is only an example of the present application and is not intended to limit the scope of the present application, and various modifications and variations will be apparent to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the protection scope of the present application.
    Claims (8)
1. A file transfer method, applied to a network security device, comprising:
       receiving a flow message carrying a network data block sent by a first terminal; 
       acquiring fingerprint information in the flow message; the fingerprint information is used for identifying a file to which the network data block belongs, and the file is split into a plurality of network data blocks and transmitted in a breakpoint continuous transmission mode;
       inquiring whether locally stored malicious fingerprint information contains the fingerprint information or not; the malicious fingerprint information is fingerprint information corresponding to the identified malicious file;
       when the malicious fingerprint information contains the fingerprint information, processing the flow message based on a first preset processing mode;
       detecting the flow message when the malicious fingerprint information does not contain the fingerprint information;
       when the detection result of the flow message indicates that the file is a malicious file, replacing a virus character string in a network data block of the flow message; the flow message after the virus character string replacement is sent to a second terminal, and the fingerprint information and the processing mode of the flow message are stored;
       and when the detection result of the flow message indicates that the file is a non-malicious file, forwarding the flow message to the second terminal corresponding to the flow message. 
    2. The method of claim 1, wherein the processing the traffic message based on the first preset processing manner comprises:
       processing the flow message based on a processing mode corresponding to the malicious fingerprint information which is the same as the fingerprint information.
    3. The method of claim 1, wherein when the traffic message is a TCP protocol message or a UDP protocol message carried by an IP protocol, the obtaining fingerprint information in the traffic message includes:
       acquiring a source IP address, a destination IP address and a destination port in the flow message; and the source IP address, the destination IP address and the destination port in the flow message are the fingerprint information. 
    4. The method according to claim 1, wherein when the traffic message is a message of HTTP protocol, the obtaining fingerprint information in the traffic message includes:
       acquiring a uniform resource locator, a destination terminal address, a file coding mode and a file type in the flow message; the fingerprint information comprises a uniform resource locator, a destination terminal address, a file name, a file coding mode and a file type in the flow message. 
    5. The method of claim 1, wherein when the flow message is a message of an FTP protocol, the obtaining fingerprint information in the flow message comprises:
       analyzing the flow message to obtain a transmission path and a file name of the flow message; and the transmission path of the flow message and the file name are the fingerprint information.
    6. A file transfer apparatus for use with a network security device, comprising:
       the receiving module is used for receiving the flow message carrying the network data block sent by the first terminal;
       the acquisition module acquires fingerprint information in the flow message; the fingerprint information is used for identifying a file to which the network data block belongs, and the file is split into a plurality of network data blocks and transmitted in a breakpoint continuous transmission mode;
       the query module is used for querying whether locally stored malicious fingerprint information contains the fingerprint information; the malicious fingerprint information is fingerprint information corresponding to the identified malicious file;
       the processing module is used for processing the flow message based on a first preset processing mode when the malicious fingerprint information contains the fingerprint information;
       the device also comprises a detection module, wherein the detection module is used for detecting the flow message when the malicious fingerprint information does not contain the fingerprint information; when the detection result of the flow message indicates that the file is a malicious file, replacing a virus character string in a network data block of the flow message; the flow message after the virus character string replacement is sent to a second terminal, and the fingerprint information and the processing mode of the flow message are stored;
       the detection module is further specifically configured to forward the traffic message to the second terminal corresponding to the traffic message when the detection result of the traffic message indicates that the file is a non-malicious file.
    7. A network security appliance, comprising: the device comprises a processor and a memory, wherein the processor is connected with the memory;
       the memory is used for storing programs;
       the processor is configured to execute a program stored in the memory, and to perform the method according to any one of claims 1-5.
    8. A computer-readable storage medium, characterized in that a computer program is stored thereon, which, when being run by a computer, performs the method according to any of claims 1-5.
    Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title | 
|---|---|---|---|
| CN202111552297.9A CN114244610B (en) | 2021-12-17 | 2021-12-17 | File transmission method and device, network security equipment and storage medium | 
Publications (2)
| Publication Number | Publication Date | 
|---|---|
| CN114244610A CN114244610A (en) | 2022-03-25 | 
| CN114244610B (en) | 2024-05-03 |
Family
ID=80758027
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date | 
|---|---|---|---|
| CN202111552297.9A Active CN114244610B (en) | 2021-12-17 | 2021-12-17 | File transmission method and device, network security equipment and storage medium | 
Country Status (1)
| Country | Link | 
|---|---|
| CN (1) | CN114244610B (en) | 
Families Citing this family (2)
| Publication number | Priority date | Publication date | Assignee | Title | 
|---|---|---|---|---|
| CN120513608A (en) * | 2022-12-01 | 2025-08-19 | 黄建邦 | Data transmission method, system, first end, intermediate network device and control device | 
| CN117729029A (en) * | 2023-12-20 | 2024-03-19 | 北京江民新科技术有限公司 | A network file protection method, system, equipment and storage medium | 
Citations (7)
| Publication number | Priority date | Publication date | Assignee | Title | 
|---|---|---|---|---|
| CN101626319A (en) * | 2009-08-03 | 2010-01-13 | 成都市华为赛门铁克科技有限公司 | Method, device and system for detecting gateway virus | 
| CN101800754A (en) * | 2010-03-25 | 2010-08-11 | 中国科学院计算技术研究所 | Method for distributing patch | 
| CN103425927A (en) * | 2012-05-16 | 2013-12-04 | 腾讯科技(深圳)有限公司 | Device and method for removing viruses of computer documents | 
| US9202050B1 (en) * | 2012-12-14 | 2015-12-01 | Symantec Corporation | Systems and methods for detecting malicious files | 
| CN111953668A (en) * | 2020-07-30 | 2020-11-17 | 中国工商银行股份有限公司 | Network security information processing method and device | 
| CN112272212A (en) * | 2020-09-30 | 2021-01-26 | 新华三信息安全技术有限公司 | File transmission method and device | 
| CN112417437A (en) * | 2020-10-28 | 2021-02-26 | 北京八分量信息科技有限公司 | Trusted cloud platform based program white list generation method | 
Family Cites Families (2)
| Publication number | Priority date | Publication date | Assignee | Title | 
|---|---|---|---|---|
| CA2901619C (en) * | 2015-08-26 | 2016-11-22 | Ultralight Technologies Inc. | Monitoring alignment of computer file states across a group of users | 
| CN110362994B (en) * | 2018-03-26 | 2023-06-20 | 华为技术有限公司 | Malicious file detection method, device and system | 
Also Published As
| Publication number | Publication date | 
|---|---|
| CN114244610A (en) | 2022-03-25 | 
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| JP7299415B2 (en) | Security vulnerability protection methods and devices | |
| US10929538B2 (en) | Network security protection method and apparatus | |
| US8874723B2 (en) | Source detection device for detecting a source of sending a virus and/or a DNS attack linked to an application, method thereof, and program thereof | |
| US8635697B2 (en) | Method and system for operating system identification in a network based security monitoring solution | |
| KR102155262B1 (en) | Elastic honeynet system and method for managing the same | |
| EP3297248B1 (en) | System and method for generating rules for attack detection feedback system | |
| US20050278779A1 (en) | System and method for identifying the source of a denial-of-service attack | |
| JP4195480B2 (en) | An apparatus and method for managing and controlling the communication of a computer terminal connected to a network. | |
| WO2022083417A1 (en) | Method and device for data pack processing, electronic device, computer-readable storage medium, and computer program product | |
| US20060230456A1 (en) | Methods and apparatus to maintain telecommunication system integrity | |
| CN108270722B (en) | Attack behavior detection method and device | |
| CN114244610B (en) | File transmission method and device, network security equipment and storage medium | |
| CN106778229B (en) | VPN-based malicious application downloading interception method and system | |
| CN104796386B (en) | Botnet detection method, device and system | |
| CN115174243A (en) | Malicious IP address blocking processing method, device, equipment and storage medium | |
| JP2007006054A (en) | Packet relay apparatus and packet relay system | |
| WO2006043310A1 (en) | False access program monitoring method, false access program detecting program, and false access program countermeasure program | |
| CN110022319B (en) | Security isolation method, device, computer equipment and storage device for attack data | |
| CN102316074A (en) | HTTP (hyper text transfer protocol) multithreading restoration method based on libnids | |
| WO2005109797A1 (en) | Network attack combating method, network attack combating device and network attack combating program | |
| JP2019152912A (en) | Unauthorized communication handling system and method | |
| CN101277302A (en) | Device and method for centralized security protection of distributed network equipment | |
| CN118139052A (en) | Enhanced network security protection method and device, storage medium, and electronic device | |
| CN116723020A (en) | Network service simulation method and device, electronic equipment and storage medium | |
| JP6476853B2 (en) | Network monitoring system and method | |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |
| | GR01 | Patent grant | |