CN102316074A - HTTP (hyper text transfer protocol) multithreading restoration method based on libnids - Google Patents
- Publication number: CN102316074A
- Authority: CN (China)
- Legal status: Pending (as listed by Google Patents; not a legal conclusion)
Abstract
The invention designs a libnids-based multi-thread restoration method for the http protocol. The system runs on the Linux operating system; the computer running it must function normally and run stably, and the computer on which the software of the invention is installed must be in a local area network. The invention first sets the host network card to promiscuous mode and then monitors all packets passing through this network segment, determining whether each is an http packet. If it is, the packet is named by its URL, and the source IP, source port and destination IP are recorded and stored in a data structure as a quadruple. It then determines whether the packet belongs to a multi-threaded download and, if so, records the two variables content_range and content_length, from which the packet's position in the original file is calculated. The packet's content is then written to the corresponding position. The invention brings the following beneficial effects: (1) completeness: it captures most of the packets in the local area network and can restore files including multi-threaded downloads; (2) continuity: the system runs stably in a stable environment; (3) high efficiency: multi-thread buffer technology handles different application-layer protocols separately, improving processing efficiency and ensuring that most of the data is still captured when network traffic is heavy.
Description
Technical field
The present invention relates to malicious code.
Background
Network-based attacks are now increasingly common and varied, and these network-based intrusions are hard for the attacked host to discover. A network-based intrusion monitoring system differs from a host-based intrusion detection system in that a host-based system can directly obtain the host's own information, such as system logs, whereas a network intrusion detection system can only obtain the packets of network communication and cannot directly obtain the content of that communication; it can only recover the content by restoring the protocols carried in the packets, and for most network intrusions detection is possible only on the basis of this restored content. Because TCP/IP networks are used on such a large scale, most current intrusion detection systems target TCP/IP networks, and for TCP/IP networks the restoration of TCP/IP protocols has become one of the key technologies of network intrusion detection systems.
Some related patents exist; they are introduced below.
Patent 200610125451.3, a method for HTTP data restoration. It is characterized in that the request data sent by the client to the server and the response data returned by the server to the client are intercepted, then filtered, parsed and cached to form complete data in html format; if the data underwent transfer encoding during transmission, the assembled data is transfer-decoded, and if the data was compressed before transmission, the assembled data is decompressed. This yields data that a browser can display directly, completing the restoration of the HTTP protocol data. By intercepting and processing the HTTP packets of these requests and responses, the HTTP packet data can be restored and the user's online behaviour reproduced. However, with the development of the Internet, multi-threaded download tools such as Thunder, Flashget and Download Tornado have become widespread, and in HTTP data restoration the case where multiple IP addresses and multiple ports download the same file is increasingly common. Patent 200610125451.3 only implements protocol restoration for the one-to-one case, that is, one client downloading one file from one server; it does not consider the one-to-many case (one client downloading the same file from multiple servers) or the many-to-many case (multiple clients downloading the same file from multiple servers), and no further research was done on these. In contrast, the present patent not only captures most of the packets in the local area network completely and fully restores files including multi-threaded downloads, it also uses multi-thread buffer technology to handle different application-layer protocols separately, improving processing efficiency and ensuring that most of the data is still captured when network traffic is heavy.
Summary of the invention
The invention provides a libnids-based multi-thread restoration method for the http protocol that has completeness, continuity and high efficiency.
First the host network card is set to promiscuous mode, and then all packets passing through this network segment are monitored and each packet is examined. First determine whether the packet comes from the client or the server. For client data, check whether the get field carries the HTTP signature; for server data, check whether the packet header carries the HTTP signature. If the packet is determined to be HTTP, extract the URL from the packet and name the packet by analysing the URL, and at the same time record the source IP, source port and destination IP and store them in a data structure as a five-tuple. All five-tuple data structures are chained in a linked list, with the packet name as the key that uniquely identifies all packets of one file. Then determine whether the packet belongs to a multi-threaded download; if so, record the two variables content_range and content_length, which together with the data name and entity content form a second linked list whose purpose is to position the entity content when it is written to the file. When data is written into the same file again, a third data structure is also needed, containing filename, content_range and long file_position, which locates the exact write position. During a multi-threaded download, the file is divided by content_range into several segments that are transmitted simultaneously, so the packets of each segment arrive at the client out of order; to assemble these packets in order according to the segment they belong to and their position within that segment, the three data structures must be used together for positioning. The content of the packet is then written to the corresponding position. The data structures and linked lists grow dynamically: if they are not deleted in time, memory is exhausted and the program cannot run stably for long, but deleting a file's data structures from the linked list before all of its data has reached the client prevents the file from being restored successfully. Based on these considerations, the deletion of data structures from the linked list uses the nids_state provided by libnids. If nids_state is NIDS_CLOSE or NIDS_RESET, all packets of the file are considered to have arrived; the data structures sharing that filename are found via the filename key in the linked list, and all data structures with the same filename are deleted. The program consists of two threads. The main thread captures packets, analyses the protocol and assembles the data. The secondary thread creates files, writes data and performs content control.
The system of this patent consists of the following five functional modules:
libnids: its main functions include capturing network packets, IP fragment reassembly, TCP stream reassembly, port-scan attack testing and abnormal packet testing.
Packet filtering module: analyses the packets captured by libnids and filters out packets other than those of the http protocol.
Protocol analysis module: extracts the information needed from the http protocol, mainly the file name, destination ip, port, etc.
Data writing module: writes packets belonging to the same quadruple to the same file.
File deletion module: determines whether all packets of a file have been transmitted and, if so, deletes its quadruple from memory.
When this patent is implemented, the libnids module is mainly responsible for packet capture, the packet filtering module for packet filtering, the protocol analysis module for extracting key data from packets, the data writing module for writing packets to files, and the file deletion module for determining whether a file transfer has finished and deleting expired data structures.
The system runs on the Linux operating system; the computer running it must function normally and run stably. In addition, the computer on which this patented software is installed must be in a local area network, and its network card must be set to promiscuous mode.
Description of the drawings
Figure 1 is the protocol analysis flowchart;
Figure 2 is the data stream filtering module;
Figure 3 is the data writing module;
Figure 4 is the file deletion module;
Figure 5 is the detailed flowchart of this patent.
Detailed description of embodiments
The technical scheme of the invention is described in detail below with reference to the drawings.
Figure 1 shows the protocol analysis process; its main functions are parsing the http protocol and extracting key data. The steps of Figure 1 in detail are as follows:
Step S101: determine whether the packet belongs to the client or the server by analysing the first line of the packet header.
Step S102: if it is server data, extract the status code, which is used to determine the state of the connection.
Step S103: if it is server data, extract the URL provided in the packet.
Step S104: analyse the URL and extract the file name of the restored file by regular expression matching.
Step S105: extract the destination IP, destination port, source IP and source port, used for locating entries in the linked list.
Step S106: extract the content_length and content_range fields, used to locate the offset when writing the file.
Step S107: extract the entity content, used for file restoration.
Figure 2 shows packet filtering: the packet header is analysed to determine whether it carries the http signature. If not, the packet is filtered out; otherwise it is handed to the protocol analysis module. It comprises the following steps:
Step S201: determine whether the packet belongs to the client or the server by analysing the first line of the packet header.
Step S202: for a client request header, check the get field; if it is absent, discard the packet.
Step S203: for the client, check whether the signature HTTP is present; if not, discard the packet.
Step S204: for server data, extract the packet's status line and check whether it begins with HTTP. If the HTTP signature is present, the packet is regarded as an HTTP packet.
Figure 3 shows the data writing module, which writes the extracted entity content to the file at its position in the file. The process is as follows:
Step S301: since the file name obtained by the protocol analysis module is unique, first use the file name to check whether the file has already been created.
Step S302: use the status code extracted by the protocol analysis module to determine whether the file is a multi-threaded download.
Step S303: if it is a multi-threaded download, extract the content_range and content_length attributes, used for positioning within the file.
Step S304: write the entity content to the corresponding position in the file according to its file offset.
Figure 4 shows the data deletion module, which checks the connection state and deletes the corresponding data structures from the linked list.
Step S401: monitor the state of the nids_state variable.
Step S402: determine whether nids_state is NIDS_CLOSE or NIDS_RESET; these two states indicate that the file transfer has finished.
Step S403: find the corresponding data structure in the linked list via destination ip, destination port, source ip and source port. This four-tuple identifies all packets of the same file in the linked list.
Step S404: extract the file name from the data structure. The file name not only identifies all packets of the same file within one linked list, it also uniquely identifies all packets of the same file across the three linked lists at once.
Step S405: find all data structures in the three linked lists by file name.
Step S406: delete the data structures and free the memory.
Although this specification describes only the details of the method and says little about applications of the invention, the libnids-based multi-thread http restoration method is of great value in malicious code research and its range of application is very wide; the spirit and scope of the invention should therefore not be limited to the embodiments described here.
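As an added illustration (this is not code from the patent), the following C block shows the positioning step that the summary, the Figure 3 writing steps and the Figure 4 cleanup all depend on: it parses an HTTP Content-Range header, checks it against the body length the way the page's content_length comparison would, writes each segment at its file_position in a buffer, and reports when the whole file has been reassembled from segments that arrive out of order. The function names parse_content_range, file_write_segment and file_complete, the in-memory buffer standing in for the file on disk, and the sample segments are assumptions of this example; the nids_state-driven deletion is represented only by the completeness check worth running before the data structures are freed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parsed HTTP/1.1 Content-Range value "bytes start-end/total". */
struct byte_range { long start, end, total; };

/* Returns 0 on success, -1 when the value is malformed or names a range outside
 * the file (start <= end < total). This bounds check is what keeps a bad header
 * from steering the write outside the buffer. */
int parse_content_range(const char *value, struct byte_range *r)
{
    long start, end, total;
    if (sscanf(value, "bytes %ld-%ld/%ld", &start, &end, &total) != 3)
        return -1;
    if (start < 0 || end < start || total <= end)
        return -1;
    r->start = start; r->end = end; r->total = total;
    return 0;
}

/* One file being restored: reassembled bytes plus a per-byte "seen" map, so
 * completion is judged from the data itself and not only from stream state. */
struct restored_file {
    long total, received;
    unsigned char *data, *seen;
};

struct restored_file *file_create(long total)
{
    struct restored_file *f = calloc(1, sizeof *f);
    if (!f) return NULL;
    f->total = total;
    f->data = calloc((size_t)total, 1);
    f->seen = calloc((size_t)total, 1);
    return f;
}

void file_free(struct restored_file *f) { if (f) { free(f->data); free(f->seen); free(f); } }

/* Write one segment's body at the offset its Content-Range names (the page's
 * file_position). Returns the number of bytes not seen before, or -1 if the
 * segment is rejected: bad range, another file size, or body length != range. */
long file_write_segment(struct restored_file *f, const char *range_hdr,
                        const unsigned char *body, long body_len)
{
    struct byte_range r; long i, fresh = 0;
    if (parse_content_range(range_hdr, &r) < 0 || r.total != f->total ||
        r.end - r.start + 1 != body_len)   /* content_length mismatch */
        return -1;
    for (i = 0; i < body_len; i++) {
        if (!f->seen[r.start + i]) { f->seen[r.start + i] = 1; fresh++; }
        f->data[r.start + i] = body[i];
    }
    f->received += fresh;
    return fresh;
}

/* True once every byte has arrived: worth checking before the
 * NIDS_CLOSE/NIDS_RESET-driven cleanup, since a reset can cut a download short. */
int file_complete(const struct restored_file *f) { return f->received == f->total; }

#define B(s) ((const unsigned char *)(s))
/* Constructed sample: a 12-byte file delivered as three segments that arrive
 * out of order, plus one malformed segment and one retransmission. */
int demo_out_of_order(void)
{
    static const char expected[] = "HELLO, WORLD";
    struct restored_file *f = file_create(12);
    int ok = f != NULL;
    if (!ok) return 0;
    ok &= file_write_segment(f, "bytes 7-11/12", B("WORLD"), 5) == 5; /* last segment first */
    ok &= !file_complete(f);
    ok &= file_write_segment(f, "bytes 0-4/12", B("HELLO"), 5) == 5;
    ok &= file_write_segment(f, "bytes 5-6/12", B(", "), 1) == -1;    /* body shorter than range */
    ok &= file_write_segment(f, "bytes 5-6/12", B(", "), 2) == 2;
    ok &= file_write_segment(f, "bytes 0-4/12", B("HELLO"), 5) == 0;  /* retransmit: no new bytes */
    ok &= file_complete(f) && memcmp(f->data, expected, 12) == 0;
    file_free(f);
    return ok;
}
```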
Claims (10)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN2010102150683A CN102316074A (en) | 2010-07-01 | 2010-07-01 | HTTP (hyper text transfer protocol) multithreading restoration method based on libnids |
Publications (1)
Publication Number | Publication Date |
---|---|
CN102316074A true CN102316074A (en) | 2012-01-11 |
Family
ID=45428900
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN2010102150683A Pending CN102316074A (en) | 2010-07-01 | 2010-07-01 | HTTP (hyper text transfer protocol) multithreading restoration method based on libnids |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN102316074A (en) |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1997030A (en) * | 2006-12-13 | 2007-07-11 | 武汉虹旭信息技术有限责任公司 | Method for HTTP data recovery |
US20080033905A1 (en) * | 2006-08-05 | 2008-02-07 | Terry Lee Stokes | System and Method for the Capture and Archival of Electronic Communications |
Non-Patent Citations (1)
Title |
---|
曾铖, 韩桂华: "Analysis and design of a network-based intrusion detection system" (基于网络的入侵检测系统分析与设计), Journal of Chengdu University of Information Technology (成都信息工程学院学报) * |
Cited By (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103618720A (en) * | 2013-11-29 | 2014-03-05 | 华中科技大学 | Method and system for Trojan network communication detecting and evidence obtaining |
CN104394211A (en) * | 2014-11-21 | 2015-03-04 | 浪潮电子信息产业股份有限公司 | Hadoop-based user behavior analysis system design and implementation method |
CN106911637A (en) * | 2015-12-23 | 2017-06-30 | 北京奇虎科技有限公司 | Cyberthreat treating method and apparatus |
CN106911640A (en) * | 2015-12-23 | 2017-06-30 | 北京奇虎科技有限公司 | Cyberthreat treating method and apparatus |
CN105491158A (en) * | 2016-01-15 | 2016-04-13 | 成都科来软件有限公司 | HTTP content reduction method and HTTP content reduction system based on network data flow |
CN105491158B (en) * | 2016-01-15 | 2018-12-25 | 成都科来软件有限公司 | A kind of HTTP content reduction method and system based on network data flow |
CN117812068A (en) * | 2024-01-05 | 2024-04-02 | 湖北安博通科技有限公司 | SMB protocol file restoration method and system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| C02 | Deemed withdrawal of patent application after publication (patent law 2001) | |
| WD01 | Invention patent application deemed withdrawn after publication | Application publication date: 20120111 |