
CN117857066A - Virus transmission interception method and device based on session, electronic equipment and medium - Google Patents


Info

Publication number
CN117857066A
Authority
CN
China
Prior art keywords
message
virus
session
target
receiving
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202211211838.6A
Other languages
Chinese (zh)
Inventor
金标
王超
汪洋
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Zhejiang Uniview Technologies Co Ltd
Original Assignee
Zhejiang Uniview Technologies Co Ltd
Application filed by Zhejiang Uniview Technologies Co Ltd
Priority to CN202211211838.6A
Publication of CN117857066A


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/145 Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/06 Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a session-based virus transmission interception method, device, electronic equipment and medium. The method comprises the following steps: receiving, based on a session, a current fragment message of a target file sent by a sending end; forwarding the current fragment message to a receiving end, and identifying the current fragment message to obtain an identification result; if the identification result is a virus message, intercepting the remaining fragment messages received from the sending end, determining a target virus message, generating a reception response message, and sending the reception response message to the sending end so that the sending end continues to send the remaining fragment messages until their transmission is finished. This technical scheme solves the problem that virus characteristics cannot be identified when a transfer is resumed from a breakpoint, occupies few resources, identifies efficiently and has a low false-interception rate, and makes file transmission more reliable and secure.

Description

Virus transmission interception method and device based on session, electronic equipment and medium
Technical Field
The present invention relates to the field of virus interception technologies, and in particular, to a session-based virus transmission interception method, apparatus, electronic device, and medium.
Background
With the development of information technology, IP (Internet Protocol) networks have penetrated every aspect of our lives. While they bring convenience to communication and daily life, network security problems are becoming increasingly severe. As the video monitoring field has moved to IP, network security has also become a topic that video monitoring operators cannot ignore, and in recent years security problems have occurred frequently in video monitoring networks. The video monitoring IP terminal, the IPC (Internet Protocol Camera), is an important component of the video monitoring network; because IPCs are deployed in a distributed layout, come in different types and are numerous, an attacker can easily use the monitoring terminal network to transmit virus files to a monitoring data center, so that the client is invaded and compromised.
In order to identify virus files, the current mainstream technology identifies virus characteristics in messages through security devices such as firewalls: the device parses the message content, compares it with its virus library, and flags messages that match the characteristics in the library. After a virus is identified, the file path or file name is recorded; when a file is transmitted the next time, the path or file name is compared, and the transfer is intercepted if it matches.
Breakpoint resume means that when a file transfer is interrupted, the client sends a specific message and retransmits only the remaining part of the content; the server recognizes the retransmitted part from the instruction identifier and splices the content together, which allows files to be transferred even under severe packet loss. After a breakpoint resume, the five-tuple of the transmission changes, and the security device cannot compare the content of the second transmission with the cached content of the first, so a virus message sent by breakpoint resume cannot be identified and intercepted.
Disclosure of Invention
The invention provides a session-based virus transmission interception method, device, electronic equipment and medium, which solve the problem that virus characteristics cannot be identified when a transfer is resumed from a breakpoint, occupy few resources, identify efficiently and have a low false-interception rate, and make file transmission more reliable and secure.
According to an aspect of the present invention, there is provided a session-based virus transmission interception method, the method being performed by a security device, the method comprising:
receiving a current fragment message of a target file sent by a sending terminal based on a session;
forwarding the current fragment message to a receiving end, and identifying the current fragment message to obtain an identification result;
if the identification result is a virus message, intercepting the received residual fragmented message sent by the sending end, determining a target virus message, generating a receiving response message, and sending the receiving response message to the sending end so that the sending end continues to send the residual fragmented message until the transmission of the residual fragmented message is finished.
According to another aspect of the present invention, there is provided a session-based virus transmission interception apparatus, the apparatus being configured to a security device, the apparatus comprising:
the current fragment message receiving module is used for receiving the current fragment message of the target file sent by the sending end based on the session;
the identification result obtaining module is used for forwarding the current fragment message to a receiving end, and identifying the current fragment message to obtain an identification result;
and the virus message interception module is used for intercepting the received residual fragmented messages sent by the sending end if the identification result is a virus message, determining a target virus message, generating a receiving response message, and sending the receiving response message to the sending end so that the sending end can continuously send the residual fragmented messages until the transmission of the residual fragmented messages is finished.
According to another aspect of the present invention, there is provided an electronic apparatus including:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein,
the memory stores a computer program executable by the at least one processor to enable the at least one processor to perform the session-based virus transmission interception method according to any one of the embodiments of the present invention.
According to another aspect of the present invention, there is provided a computer readable storage medium storing computer instructions for causing a processor to implement the session-based virus transmission interception method according to any one of the embodiments of the present invention when executed.
According to the technical scheme, the current fragment message of the target file sent by the sending end is received based on the session, and the current fragment message is then identified to obtain an identification result. If the identification result is a virus message, the remaining fragment messages received from the sending end are intercepted, a target virus message is determined, and a reception response message is generated and sent to the sending end so that the sending end continues to send the remaining fragment messages until their transmission is finished. This technical scheme solves the problem that virus characteristics cannot be identified when a transfer is resumed from a breakpoint, occupies few resources, identifies efficiently and has a low false-interception rate, and ensures the reliability and security of the target file in transmission.
It should be understood that the description in this section is not intended to identify key or critical features of the embodiments of the invention or to delineate the scope of the invention. Other features of the present invention will become apparent from the description that follows.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings required for the description of the embodiments will be briefly described below, and it is apparent that the drawings in the following description are only some embodiments of the present invention, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a flow chart of a session-based virus interception method according to a first embodiment of the present invention;
Fig. 2 is a schematic diagram of a session-based virus transmission interception method according to an embodiment of the present application;
Fig. 3 is a schematic diagram of a session-based virus transmission interception method according to an embodiment of the present application;
Fig. 4 is a schematic structural diagram of a session-based virus interception apparatus according to a third embodiment of the present invention;
Fig. 5 is a schematic structural diagram of an electronic device implementing a session-based virus interception method according to an embodiment of the present invention.
Detailed Description
In order that those skilled in the art will better understand the present invention, a technical solution in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in which it is apparent that the described embodiments are only some embodiments of the present invention, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the present invention without making any inventive effort, shall fall within the scope of the present invention.
It should be noted that the terms "first," "second," and the like in the description and the claims of the present invention and the above figures are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments of the invention described herein may be implemented in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
Example 1
Fig. 1 is a flowchart of a session-based virus interception method according to an embodiment of the present invention, where the method may be applicable to intercepting a virus transmission in a breakpoint continuous situation, and the method may be performed by a session-based virus transmission interception device, which may be implemented in hardware and/or software, and the session-based virus transmission interception device may be configured in a security device. As shown in fig. 1, the method includes:
S110, receiving a current fragment message of the target file sent by the sending end based on the session.
Wherein, the transmitting end and the receiving end may refer to respective devices for file transmission. For example, the transmitting end and the receiving end may be clients, servers, and the like.
In this embodiment, the security device may refer to equipment deployed to keep dangerous and harmful data within a safe range and to reduce, prevent and eliminate hazards. For example, the security device may be a firewall, a vulnerability scanning device, a security isolation gateway, or the like.
In this scheme, the principle of virus transmission in breakpoint resume mode is as follows:
Step one: the sending end and the receiving end establish a transmission connection.
Step two: the sending end splits the file to be transmitted into fragment messages and sends them to the security device.
Step three: the security device forwards each fragment message to the receiving end and then identifies it. For example, a virus file is divided into 20 fragment messages because of the transmission unit limit. The security device copies and forwards fragment message 1; when it receives fragment message 2, it copies and forwards it as well and, according to the message marks, splices fragment message 1 and fragment message 2.
Step four: suppose that when fragment message 10 is received, after forwarding it the security device finds that the result of splicing the first 10 fragment messages matches the characteristics in the virus library; all messages for that five-tuple are then intercepted. The five-tuple consists of the source IP address, source port, destination IP address, destination port and transport layer protocol.
Step five: if the sending end does not receive the receiving end's acknowledgement response within the transmission period, it establishes a connection with the receiving end again, that is, a breakpoint resume occurs, and the port information of the two transmissions is now completely different. The sending end tells the receiving end through a flag bit that the remaining fragment messages are resumed-transfer messages. Because the security device has no copy of the first 10 fragment messages, it cannot recognize the file as a virus, so the messages are passed directly to the receiving end, message splicing completes, the virus transmission is completed, and the host is infected.
In this process, breakpoint resume is triggered because the sending end perceives that transmission of the target file has failed; the security device can therefore construct an acknowledgement response to address the problem.
The target file may refer to various network transmission files. For example, the target file may be a video surveillance network security scheme, a Trojan horse virus file, or the like.
In this embodiment, the target file may be fragmented according to the limitation of the maximum transmission unit, so as to obtain a plurality of fragment messages. For example, the target file may be divided into 20 fragmented messages.
When forwarding the message, the security device establishes a session according to the first packet, and if the subsequent remaining message accords with the five-tuple characteristic of the first packet, the security device directly matches the session for forwarding so as to reduce the service pressure of the security device.
In this embodiment, the sending end segments the target file to obtain the segmented message. The fragmented messages are then sent to the secure device based on the session.
In this technical solution, optionally, the current fragment message of the target file sent by the sending end is received based on the session, including:
and under the condition that the sending end and the receiving end are successfully connected, receiving the current fragment message of the target file sent by the sending end based on the session.
Specifically, the sending end and the receiving end verify information such as user name and password, negotiate a transmission mode and confirm the file to be transmitted. The transmission mode covers various transmission protocols; for example, it may be HTTP (Hyper Text Transfer Protocol), TCP (Transmission Control Protocol), or the like. After the negotiation is completed, the sending end informs the receiving end of the name of the target file to be transmitted through a transfer request message.
By establishing the connection with the sending end in advance, the current fragment message can be transmitted based on the session, so that the file transmission can be realized conveniently, and the accuracy of the file transmission is improved.
S120, forwarding the current fragment message to a receiving end, and identifying the current fragment message to obtain an identification result.
The identification result comprises a virus message and other messages.
In the scheme, after receiving the current fragmentation message sent by the sending end, the security device firstly sends the current fragmentation message to the receiving end to complete the transmission of the fragmentation message. And then identifying the current fragment message, and judging whether the transmitted target file contains a virus message or not.
In this technical solution, optionally, identifying the current fragment message to obtain an identification result includes:
splicing the current fragment message with the pre-stored historical fragment messages to obtain a target fragment message;
and comparing the target fragment message with a virus message stored in a database in advance to obtain an identification result.
In the scheme, the security device splices the current fragment message and the historical fragment messages according to the message marks to obtain the target fragment message. For example, if the current fragment message is fragment message 10 and the historical fragment messages are fragment messages 1-9, fragment message 10 and fragment messages 1-9 are spliced to obtain the target fragment message.
Specifically, virus characteristic identification can be performed on the target fragment message to obtain the parsed message content, which is then compared with the virus messages stored in the database in advance. If the contents do not match, the target fragment message is determined to be another (non-virus) message; the security device then continues to receive the remaining fragment messages sent by the sending end and forwards them to the receiving end so that the target file is transmitted. If the contents match, the target fragment message is determined to be a virus message, and the remaining fragment messages sent by the sending end are intercepted.
In this technical solution, optionally, after forwarding the current fragment packet to the receiving end, the method further includes:
and storing the current fragment message to construct the historical fragment messages.
In the scheme, the current fragment message can be stored and spliced with the already stored historical fragment messages to construct the new historical fragment messages.
By forwarding the current fragmented message first and then identifying and storing, the delay of receiving flow of a receiving end can be reduced, and the file transmission efficiency is improved.
S130, if the identification result is a virus message, intercepting the received residual fragmented message sent by the sending end, determining a target virus message, generating a receiving response message, and sending the receiving response message to the sending end so that the sending end continues to send the residual fragmented message until the transmission of the residual fragmented message is finished.
The reception response message may refer to an acknowledgement response for a received fragment message. It may include an indication that the current fragment message was received successfully and the number of bytes of the target file transferred so far. For example, the reception response message indicates that 5 bytes were received successfully, which tells the sending end to continue transmission from byte 6.
In this embodiment, when the security device identifies the current fragment message as a virus message, it intercepts the remaining fragment messages received from the sending end, constructs a reception response message and sends it to the sending end. The sending end therefore does not perceive that transmission of the target file has failed and continues to transmit the remaining fragment messages, which avoids a breakpoint resume. The receiving end never receives the complete virus file, so it cannot be infected.
In this technical solution, optionally, generating the receiving response message includes:
and generating a receiving response message according to the port information and the address information of the receiving end.
In this embodiment, the security device is mainly configured to forward the fragment packet sent by the sending end to the receiving end, so as to implement transmission of the target file. The receiving end can send a confirmation response after receiving the fragment message. Therefore, the security device can construct a new reception response message according to the port information and the address information of the receiving end.
Because the reception response message is constructed by the security device, the sending end does not perceive that transmission of the target file has failed, which avoids a breakpoint resume.
According to the technical scheme, the current fragment message of the target file sent by the sending end is received based on the session, and the current fragment message is then identified to obtain an identification result. If the identification result is a virus message, the remaining fragment messages received from the sending end are intercepted and a target virus message is determined. A reception response message is then generated and sent to the sending end, so that the sending end continues to send the remaining fragment messages until their transmission is finished. This technical scheme solves the problem that virus characteristics cannot be identified when a transfer is resumed from a breakpoint, identifies efficiently and has a low false-interception rate, and ensures the reliability and security of files in transmission.
Example two
Fig. 2 is a schematic diagram of a session-based virus transmission interception process according to a second embodiment of the present invention. This embodiment refines the virus transmission interception process of the above embodiment. As shown in fig. 2, the method includes:
S210, receiving a current fragment message of the target file sent by the sending end based on the session.
S220, forwarding the current fragment message to a receiving end, and identifying the current fragment message to obtain an identification result.
S230, if the identification result is a virus message, generating a receiving response message, and sending the receiving response message to the sending end.
S240, marking the session to obtain a target session.
In this embodiment, the target session may be constructed by adding an identifier to the session. Wherein the identifier may be any form of identifier.
In the scheme, under the condition that the safety equipment identifies that the current fragmented message is a virus message, the safety equipment marks a session for file transmission between a sending end and a receiving end, and marks the session as a target session so as to be convenient for intercepting the fragmented message transmitted based on the target session.
S250, the received residual fragment messages sent by the sending end based on the target session are intercepted, and the target virus message is determined.
In the scheme, the fragmented message transmitted based on the target session is a virus message, if the fragmented message transmitted by the transmitting end based on the target session is received, the fragmented message is intercepted, and a receiving response message is transmitted to the transmitting end, so that the transmitting end continues to transmit the rest fragmented messages based on the target session until the transmission of the rest fragmented messages is finished.
In this technical solution, optionally, after intercepting the received remaining fragmented packets sent by the sending end based on the target session, and determining a target virus packet, the method further includes:
and deleting the target virus message and the target session under the condition that the transmission of the residual fragment message is finished.
After the transmission of the remaining fragment messages is finished, the target virus message and the target session are deleted automatically. This avoids problems such as session accumulation, or caching file paths and names and managing their retention period, avoids the pressure these could put on device performance, and reduces resource occupation.
Optionally, if the identification result is a virus message, the corresponding buffer is released after the session is marked, and the target session is deleted after the file transmission is finished, which reduces the pressure on device performance and reduces resource occupation.
Fig. 3 is a schematic diagram of a session-based virus transmission interception method according to an embodiment of the present application, including the following procedures:
Process 1: during the file transmission negotiation between sending end A and receiving end B, the security device performs no processing and forwards the messages directly.
Process 2: during file transmission, after the security device identifies virus characteristics, it intercepts the fragment message, records the five-tuple information of the fragment message, such as the source and destination IP, and marks the transmission session with an identifier (the source IP is the IP address of device A, and the source port is the data transmission port of device A).
Process 3: after intercepting the virus message sent by device A, the security device impersonates device B in the transmission response and sends a reception response message; on receiving it, device A detects nothing abnormal in the file transmission and continues to transmit the file.
Process 4: the security device intercepts the subsequent fragment messages that hit the session, constructs reception response messages and sends them to device A.
Process 5: after the file transmission is completed, the security device clears the corresponding target session at the same time. Device B has not received the complete virus file and therefore cannot be infected, and device A perceives no abnormal transmission during the whole process.
According to the technical scheme, the current fragment message of the target file sent by the sending end is received based on the session, and the current fragment message is then identified to obtain an identification result. If the identification result is a virus message, a reception response message is generated and sent to the sending end, and the session is marked to obtain a target session. The remaining fragment messages that the sending end sends based on the target session are then intercepted, and the target virus message is determined. This technical scheme solves the problem that virus characteristics cannot be identified when a transfer is resumed from a breakpoint, occupies few resources, identifies efficiently and has a low false-interception rate, and makes file transmission more reliable and secure.
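The contrast between the five-tuple block described in the background and the session marking of S230 to S250 can be simulated in a few lines. The Python below is an added example, not code from the patent; the signature bytes, addresses, ports, the `last` end-of-transfer flag and all class and function names are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Constructed stand-in for the virus library; the patent does not specify its format.
SIGNATURES = [b"EVIL-PAYLOAD-MARKER"]
# Constructed sample file: the signature spans several 8-byte fragments.
PAYLOAD = b"FILEHDR:" + SIGNATURES[0] + b"|tail-bytes-that-complete-the-file"


@dataclass
class Session:
    history: bytearray = field(default_factory=bytearray)  # spliced historical fragments
    tainted: bool = False                                   # "target session" mark (S240)


class SecurityDevice:
    def __init__(self, forge_ack):
        self.forge_ack = forge_ack  # False: prior-art drop only; True: forged response (S230)
        self.sessions = {}          # five-tuple -> Session

    def handle(self, five_tuple, offset, data, receiver, last):
        """Process one fragment. Returns the next byte offset acknowledged to the
        sender, or None when the sender gets no response at all."""
        s = self.sessions.setdefault(five_tuple, Session())
        if s.tainted:
            # S250: sink the fragment; with forge_ack, answer in the receiver's name.
            if last:
                del self.sessions[five_tuple]   # clear the target session at the end
            return offset + len(data) if self.forge_ack else None
        receiver.extend(data)                   # S120: forward first ...
        s.history.extend(data)                  # ... then splice and identify
        if any(sig in s.history for sig in SIGNATURES):
            s.tainted = True
            s.history.clear()                   # release the buffer once marked
        if last:
            del self.sessions[five_tuple]
        return offset + len(data)               # receiver's genuine ACK passes through


def send_file(device, payload, receiver, frag=8, max_connections=3):
    """Sender with breakpoint resume: a missing ACK makes it reconnect from a new
    source port and continue from the last acknowledged byte.
    Returns the number of connections used."""
    offset = 0
    for conn in range(max_connections):
        # Constructed addresses; only the source port changes between attempts.
        five_tuple = ("192.0.2.10", 40000 + conn, "192.0.2.20", 21, "tcp")
        while offset < len(payload):
            chunk = payload[offset:offset + frag]
            ack = device.handle(five_tuple, offset, chunk, receiver,
                                last=offset + len(chunk) >= len(payload))
            if ack is None:
                break                           # timeout: resume on a new connection
            offset = ack
        else:
            return conn + 1
    return max_connections


def run(forge_ack):
    """Return (connections used, bytes the receiver holds, sessions left on the device)."""
    device, receiver = SecurityDevice(forge_ack), bytearray()
    connections = send_file(device, PAYLOAD, receiver)
    return connections, bytes(receiver), len(device.sessions)


if __name__ == "__main__":
    for mode in (False, True):
        conns, got, left = run(mode)
        print(f"forge_ack={mode}: connections={conns} "
              f"receiver_has_full_file={got == PAYLOAD} sessions_left={left}")
```

With `forge_ack=False` the sender times out, resumes from a new source port, and the receiver ends up with the whole file while the marked session lingers on the device; with `forge_ack=True` the transfer finishes on one connection and the receiver holds only the first 32 bytes. Because fragments are forwarded before they are identified, that prefix includes the fragment that completed the match.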
Example III
Fig. 4 is a schematic structural diagram of a session-based virus transmission interception device according to a third embodiment of the present invention. As shown in Fig. 4, the apparatus is configured in a security device, and the apparatus includes:
a current fragment message receiving module 410, configured to receive, based on the session, the current fragment message of the target file sent by the sending end;
an identification result obtaining module 420, configured to forward the current fragment message to a receiving end and identify the current fragment message to obtain an identification result;
a virus message interception module 430, configured to, if the identification result is a virus message, intercept the received remaining fragment messages sent by the sending end, determine a target virus message, generate a receiving response message, and send the receiving response message to the sending end, so that the sending end continues to send the remaining fragment messages until their transmission is completed.
In this technical solution, optionally, the apparatus further includes:
a target session obtaining module, configured to mark the session to obtain a target session;
correspondingly, the virus message interception module 430 is specifically configured to:
intercept the received remaining fragment messages sent by the sending end based on the target session, and determine a target virus message.
In this technical solution, optionally, the apparatus further includes:
an information deleting module, configured to delete the target virus message and the target session when the transmission of the remaining fragment messages is finished.
In this embodiment, optionally, the virus message interception module 430 is further configured to:
generate a receiving response message according to the port information and the address information of the receiving end.
In this embodiment, optionally, the identification result obtaining module 420 is specifically configured to:
splice the current fragment message with a prestored historical fragment message to obtain a target fragment message;
compare the target fragment message with virus messages stored in a database in advance to obtain an identification result.
In this embodiment, optionally, the current fragment message receiving module 410 is specifically configured to:
receive, when the sending end and the receiving end are successfully connected, the current fragment message of the target file sent by the sending end based on the session.
In this technical solution, optionally, the apparatus further includes:
a historical fragment message construction module, configured to store the current fragment message and construct the historical fragment message.
The session-based virus transmission interception device provided by the embodiment of the invention can execute the session-based virus transmission interception method provided by any embodiment of the invention, and has the corresponding functional modules and beneficial effects of the execution method.
Example IV
Fig. 5 shows a schematic diagram of the structure of an electronic device 10 that may be used to implement an embodiment of the invention. Electronic devices are intended to represent various forms of digital computers, such as laptops, desktops, workstations, personal digital assistants, servers, blade servers, mainframes, and other appropriate computers. Electronic equipment may also represent various forms of mobile devices, such as personal digital processing, cellular telephones, smartphones, wearable devices (e.g., helmets, glasses, watches, etc.), and other similar computing devices. The components shown herein, their connections and relationships, and their functions, are meant to be exemplary only, and are not meant to limit implementations of the inventions described and/or claimed herein.
As shown in fig. 5, the electronic device 10 includes at least one processor 11, and a memory, such as a Read Only Memory (ROM) 12, a Random Access Memory (RAM) 13, etc., communicatively connected to the at least one processor 11, in which the memory stores a computer program executable by the at least one processor, and the processor 11 may perform various appropriate actions and processes according to the computer program stored in the Read Only Memory (ROM) 12 or the computer program loaded from the storage unit 18 into the Random Access Memory (RAM) 13. In the RAM 13, various programs and data required for the operation of the electronic device 10 may also be stored. The processor 11, the ROM 12 and the RAM 13 are connected to each other via a bus 14. An input/output (I/O) interface 15 is also connected to bus 14.
Various components in the electronic device 10 are connected to the I/O interface 15, including: an input unit 16 such as a keyboard, a mouse, etc.; an output unit 17 such as various types of displays, speakers, and the like; a storage unit 18 such as a magnetic disk, an optical disk, or the like; and a communication unit 19 such as a network card, modem, wireless communication transceiver, etc. The communication unit 19 allows the electronic device 10 to exchange information/data with other devices via a computer network, such as the internet, and/or various telecommunication networks.
The processor 11 may be a variety of general and/or special purpose processing components having processing and computing capabilities. Some examples of processor 11 include, but are not limited to, a Central Processing Unit (CPU), a Graphics Processing Unit (GPU), various specialized Artificial Intelligence (AI) computing chips, various processors running machine learning model algorithms, Digital Signal Processors (DSPs), and any suitable processor, controller, microcontroller, etc. The processor 11 performs the various methods and processes described above, such as the session-based virus transmission interception method.
In some embodiments, the session-based virus transmission interception method may be implemented as a computer program, which is tangibly embodied on a computer-readable storage medium, such as the storage unit 18. In some embodiments, part or all of the computer program may be loaded and/or installed onto the electronic device 10 via the ROM 12 and/or the communication unit 19. When the computer program is loaded into the RAM 13 and executed by the processor 11, one or more steps of the session-based virus transmission interception method described above may be performed. Alternatively, in other embodiments, the processor 11 may be configured to perform the session-based virus transmission interception method in any other suitable way (e.g., by means of firmware).
Various implementations of the systems and techniques described above may be implemented in digital electronic circuitry, integrated circuit systems, Field Programmable Gate Arrays (FPGAs), Application Specific Integrated Circuits (ASICs), Application Specific Standard Products (ASSPs), Systems On Chip (SOCs), Complex Programmable Logic Devices (CPLDs), computer hardware, firmware, software, and/or combinations thereof. These various embodiments may include implementation in one or more computer programs that may be executed and/or interpreted on a programmable system including at least one programmable processor, which may be a special purpose or general-purpose programmable processor, that may receive data and instructions from, and transmit data and instructions to, a storage system, at least one input device, and at least one output device.
A computer program for carrying out methods of the present invention may be written in any combination of one or more programming languages. These computer programs may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus, such that the computer programs, when executed by the processor, cause the functions/acts specified in the flowchart and/or block diagram block or blocks to be implemented. The computer program may execute entirely on the machine, partly on the machine, as a stand-alone software package, partly on the machine and partly on a remote machine or entirely on the remote machine or server.
In the context of the present invention, a computer-readable storage medium may be a tangible medium that can contain or store a computer program for use by or in connection with an instruction execution system, apparatus, or device. The computer-readable storage medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. Alternatively, the computer-readable storage medium may be a machine-readable signal medium. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
To provide for interaction with a user, the systems and techniques described here can be implemented on an electronic device having: a display device (e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor) for displaying information to a user; and a keyboard and a pointing device (e.g., a mouse or a trackball) through which a user can provide input to the electronic device. Other kinds of devices may also be used to provide for interaction with a user; for example, feedback provided to the user may be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback); and input from the user may be received in any form, including acoustic input, speech input, or tactile input.
The systems and techniques described here can be implemented in a computing system that includes a background component (e.g., as a data server), or that includes a middleware component (e.g., an application server), or that includes a front-end component (e.g., a user computer having a graphical user interface or a web browser through which a user can interact with an implementation of the systems and techniques described here), or any combination of such background, middleware, or front-end components. The components of the system can be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include: Local Area Networks (LANs), Wide Area Networks (WANs), blockchain networks, and the internet.
The computing system may include clients and servers. The client and server are typically remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other. The server can be a cloud server, also called a cloud computing server or a cloud host, and is a host product in a cloud computing service system, so that the defects of high management difficulty and weak service expansibility in the traditional physical hosts and VPS service are overcome.
It should be understood that steps may be reordered, added, or deleted using the various forms of flow shown above. For example, the steps described in the present invention may be performed in parallel, sequentially, or in a different order, so long as the desired results of the technical solution of the present invention are achieved, which is not limited herein.
The above embodiments do not limit the scope of the present invention. It will be apparent to those skilled in the art that various modifications, combinations, sub-combinations and alternatives are possible, depending on design requirements and other factors. Any modifications, equivalent substitutions and improvements made within the spirit and principles of the present invention should be included in the scope of the present invention.

Claims (10)

1. A session-based virus transmission interception method, the method being performed by a security device, the method comprising:
receiving, based on a session, a current fragment message of a target file sent by a sending end;
forwarding the current fragment message to a receiving end, and identifying the current fragment message to obtain an identification result;
if the identification result is a virus message, intercepting the received remaining fragment messages sent by the sending end, determining a target virus message, generating a receiving response message, and sending the receiving response message to the sending end so that the sending end continues to send the remaining fragment messages until the transmission of the remaining fragment messages is finished.
2. The method according to claim 1, wherein before intercepting the received remaining fragment messages sent by the sending end to determine a target virus message, the method further comprises:
marking the session to obtain a target session;
correspondingly, intercepting the received remaining fragment messages sent by the sending end to determine a target virus message comprises:
intercepting the received remaining fragment messages sent by the sending end based on the target session to determine a target virus message.
3. The method according to claim 2, wherein after the received remaining fragment messages sent by the sending end based on the target session are intercepted and the target virus message is determined, the method further comprises:
deleting the target virus message and the target session when the transmission of the remaining fragment messages is finished.
4. The method of claim 1, wherein generating a receiving response message comprises:
generating a receiving response message according to the port information and the address information of the receiving end.
5. The method of claim 1, wherein identifying the current fragment message to obtain an identification result comprises:
splicing the current fragment message with a prestored historical fragment message to obtain a target fragment message;
comparing the target fragment message with virus messages stored in a database in advance to obtain an identification result.
6. The method of claim 1, wherein receiving the current fragment message of the target file sent by the sending end based on the session comprises:
receiving, when the sending end and the receiving end are successfully connected, the current fragment message of the target file sent by the sending end based on the session.
7. The method of claim 1, wherein after forwarding the current fragment message to a receiving end, the method further comprises:
storing the current fragment message to construct a historical fragment message.
8. A session-based virus transmission interception apparatus, wherein the apparatus is configured in a security device, the apparatus comprising:
a current fragment message receiving module, configured to receive the current fragment message of the target file sent by the sending end based on the session;
an identification result obtaining module, configured to forward the current fragment message to a receiving end and identify the current fragment message to obtain an identification result;
a virus message interception module, configured to, if the identification result is a virus message, intercept the received remaining fragment messages sent by the sending end, determine a target virus message, generate a receiving response message, and send the receiving response message to the sending end so that the sending end continues to send the remaining fragment messages until the transmission of the remaining fragment messages is finished.
9. An electronic device, the electronic device comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein,
the memory stores a computer program executable by the at least one processor to enable the at least one processor to perform the session-based virus transmission interception method of any one of claims 1-7.
10. A computer readable medium, characterized in that it stores computer instructions for causing a processor to implement the session-based virus transmission interception method according to any one of claims 1-7 when executed.
CN202211211838.6A 2022-09-30 2022-09-30 Virus transmission interception method and device based on session, electronic equipment and medium Pending CN117857066A (en)


Publications (1)

Publication Number Publication Date
CN117857066A (en) 2024-04-09



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination