
CN107592303A - Method and device for extracting outgoing files in high-speed mirror image network traffic - Google Patents

Info

Publication number
CN107592303A
Authority
CN
China
Prior art keywords
data
protocol
tcp
document
message
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201710751696.5A
Other languages
Chinese (zh)
Other versions
CN107592303B (en)
Inventor
魏效征
王志海
喻波
安鹏
牛立伟
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Wondersoft Technology Co Ltd
Original Assignee
Beijing Wondersoft Technology Co Ltd
Application filed by Beijing Wondersoft Technology Co Ltd
Priority to CN201710751696.5A
Publication of CN107592303A
Application granted
Publication of CN107592303B
Legal status: Active

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a method and device for extracting outgoing documents from high-speed mirrored network traffic. The method comprises the following steps: creating a HASH bucket for the TCP data identified by each monitored four-tuple; when each TCP packet arrives, placing the TCP data into the corresponding HASH bucket according to the four-tuple identification information; performing protocol identification and protocol data parsing on the TCP data placed in the corresponding HASH bucket; receiving the message obtained by protocol data parsing and extracting document attribute information from the message; and extracting the document data according to the document attributes and storing the extracted document data on an in-memory file system. With the solution of the invention, outgoing documents can be extracted quickly and effectively, and the document data in high-speed traffic is guaranteed to be processed, which provides the conditions for network auditing, virus detection and the like.

Description

Method and device for extracting outgoing files in high-speed mirror image network traffic
Technical field
The present invention relates to the field of data security, and in particular to a method and device for extracting outgoing documents from high-speed mirrored network traffic.
Background
Auditing the port-mirrored traffic of the switch or router at an enterprise's external network egress is an effective way to prevent the enterprise's sensitive data from leaking over the network. How to extract the documents in the port-mirrored traffic, and then perform deep parsing and precise content matching on the extracted documents, is the key to network auditing. Port-mirrored traffic contains both outgoing documents and received documents; only outgoing documents are the focus of data leakage prevention (DLP).
Parsing port-mirrored traffic mainly comprises three processes: session restoration, protocol identification and protocol analysis. Session restoration means processing the network packets in the port-mirrored traffic and completing basic work such as discarding invalid packets and ordering out-of-order packets. Protocol identification means determining, from the port, protocol features and so on, the application protocol to which the restored network session data belongs. Protocol analysis means analysing the identified network session according to the protocol rules of the RFC and extracting the content transmitted in the session, that is, the text content or attachments. In practice, the mirrored traffic of an enterprise's external network is mainly HTTP traffic and SMTP traffic.
Prior art documents:
Document 1: CN104318162A, Source code leakage detection method and device.
Patent document 1 intercepts the network data stream, performs protocol analysis on the data stream to obtain a character stream, and judges whether the character stream contains source code according to a preset detection string and/or a syntax analysis library function.
The main purpose of document 1 is to judge, by means of detection strings, whether the character stream contains source code, and if so to block the network data stream. However, the document has the following shortcomings:
(1) Its processing is not designed for high-speed traffic.
(2) It mainly judges whether the character stream contains special keywords.
(3) It does not use concurrent protocol analysis, so data processing is slow.
The present invention mainly takes the angle of content restoration and focuses on explaining how, in high-speed traffic, the content of files is extracted from the session data of each protocol, thereby creating the conditions for subsequent processes such as auditing, marking and encryption.
Summary of the invention
To solve the above technical problems, the invention provides a method for extracting outgoing documents from high-speed mirrored network traffic, the method comprising the following steps:
(1) creating a HASH bucket for the TCP data identified by each monitored four-tuple;
(2) when each TCP packet arrives, placing the TCP data into the corresponding HASH bucket according to the four-tuple identification information;
(3) performing protocol identification and protocol data parsing on the TCP data placed in the corresponding HASH bucket;
(4) receiving the message obtained by protocol data parsing, and extracting document attribute information from the message;
(5) extracting the document data according to the document attribute information, and storing the extracted document data on an in-memory file system;
wherein the protocol data parsing uses a thread pool to parse the highly concurrent TCP session data in the high-speed mirrored network traffic.
According to an embodiment of the invention, preferably, the following step is also included before step (1):
on a switch or router, forwarding the data traffic of one or more source ports to a designated port to monitor the network data.
According to an embodiment of the invention, preferably, the following is also included after step (2):
when the TCP session ends, closing the HASH bucket created for the TCP data.
According to an embodiment of the invention, preferably, the protocol identification in step (3) includes:
determining the type of the application protocol, including the HTTP, SMTP or FTP protocol, according to the command word of the application request in the session data and the corresponding response code.
According to an embodiment of the invention, preferably, the protocol data parsing using a thread pool to parse the highly concurrent TCP session data in the high-speed mirrored network traffic specifically includes: after each TCP session ends, a message is sent to the thread pool; after the thread pool obtains the message, it immediately creates a thread to process that TCP session.
To solve the above technical problems, the invention provides a device for extracting outgoing documents from high-speed mirrored network traffic, the device including:
a session restoration module, which creates a HASH bucket for the TCP data identified by each monitored four-tuple, places the TCP data into the corresponding HASH bucket according to the four-tuple identification information when each TCP packet arrives, and, when the TCP session ends, closes the HASH bucket created for the TCP data and sends a message to the protocol parsing module;
a protocol parsing module, which performs protocol identification and protocol data parsing on the TCP data placed in the corresponding HASH bucket and, after the protocol data has been parsed, sends a message to the document storage module;
a document storage module, which receives the message sent by the protocol parsing module, extracts document attribute information from the message, extracts the document data according to the document attribute information, and stores the extracted document data on an in-memory file system;
wherein the protocol data parsing uses a thread pool to parse the highly concurrent TCP session data in the high-speed mirrored network traffic.
According to an embodiment of the invention, preferably, the device also includes a forwarding module, which forwards the data traffic of one or more source ports of a switch or router to a designated port to monitor the network.
According to an embodiment of the invention, preferably, the type of the application protocol, including the HTTP, SMTP or FTP protocol, is determined according to the command word of the application request in the session data and the corresponding response code.
According to an embodiment of the invention, preferably, the protocol data parsing using a thread pool to parse the highly concurrent TCP session data in the high-speed mirrored network traffic specifically includes: after each TCP session ends, a message is sent to the thread pool; after the thread pool obtains the message, it immediately creates a thread to process that TCP session.
To solve the above technical problems, the invention provides a computer storage medium comprising computer program instructions which, when executed, perform one of the above methods.
The technical solution of the invention achieves the following technical effects:
With the method and device for extracting documents from high-speed traffic proposed by the invention, outgoing documents can be extracted quickly and effectively, and the document data in high-speed traffic is guaranteed to be processed, which provides the conditions for network auditing, virus detection and the like.
Brief description of the drawings
Fig. 1 is the system architecture diagram of the invention.
Detailed description
Port mirroring: on a switch or router, the data traffic of one or more source ports is forwarded to a designated port to monitor the network. Using the mirroring function inside an enterprise makes it possible to monitor and manage the enterprise's internal network data well, and to locate a fault quickly when the network fails.
Network protocol: the set of rules, standards or conventions established for data exchange in a computer network.
Protocol identification: for the network data of L7 application protocols, using deep packet inspection to analyse the packet headers and combine them with the features of the different application protocols, in order to judge which application the network data belongs to.
Protocol parsing: the process of extracting information, according to the protocol format, from network traffic data whose protocol type has already been determined.
DLP: Data Loss Prevention, or Data Leakage Prevention, is the name for the mainstream enterprise information security and data protection systems in the information field today. Through certain data processing and analysis methods, combined with the enterprise's information security management policy, DLP classifies and grades all electronic information and data in the enterprise and controls them accordingly, preventing the enterprise's information assets or key data from being lost, leaked or spread without control.
The method for extracting documents from high-speed traffic proposed by this patent serves purposes such as enterprise traffic auditing or security protection, and solves the technical problem of extracting documents from high-speed network traffic. The method starts from the parsing of the high-speed network traffic and describes in detail the processes of session restoration, protocol parsing, and document parsing and extraction, forming a fast and efficient solution for extracting documents from network traffic.
Session restoration: the data of multiple TCP packets is assembled by five-tuple and timestamp; during assembly, invalid TCP packets are discarded and the disorder of the TCP packets is corrected. The reassembled TCP session data reflects the application-layer data transmission in order.
Protocol parsing: in a complete session data set, the type of the L7 application protocol, such as HTTP, SMTP or FTP, is first determined according to the command word of the application request in the session data and the corresponding response code. After the protocol type is determined, the transferred documents in the protocol content are parsed according to the specific flow of the protocol.
Document storage: the number of documents in high-speed network traffic is huge and their byte volume is large, so they need to be saved quickly to a memory storage area and then dumped to the hard disk.
<Service processing method>
The invention provides a method for extracting outgoing documents from high-speed mirrored network traffic, the method comprising the following steps:
(1) for the TCP data identified by each monitored four-tuple, calling the system HASH function on the four-tuple to create a HASH bucket;
The four-tuple is: source IP address, destination IP address, source port number, destination port number.
(2) when each TCP packet arrives, placing the TCP data into the corresponding HASH bucket according to the four-tuple identification information;
(3) performing protocol identification and protocol data parsing on the TCP data placed in the corresponding HASH bucket;
(4) receiving the message obtained by protocol data parsing, and extracting document attribute information from the message;
(5) extracting the document data according to the document attribute information, and storing the extracted document data on an in-memory file system;
wherein the protocol data parsing uses a thread pool to parse the highly concurrent TCP session data in the high-speed mirrored network traffic.
The following step is also included before step (1):
on a switch or router, forwarding the data traffic of one or more source ports to a designated port to monitor the network data.
The following is also included after step (2):
when the TCP session ends, closing the HASH bucket created for the TCP data.
The protocol identification in step (3) includes:
determining the type of the application protocol, including the HTTP, SMTP or FTP protocol, according to the command word of the application request in the session data and the corresponding response code.
In step (3), the protocol data parsing using a thread pool to parse the highly concurrent TCP session data in the high-speed mirrored network traffic specifically includes: after each TCP session ends, a message is sent to the thread pool; after the thread pool obtains the message, it immediately creates a thread to process that TCP session.
After step (5), the document can then be transferred to the hard disk.
<Service processing system>
As shown in Fig. 1, the invention provides a device for extracting outgoing documents from high-speed mirrored network traffic, the device including:
a session restoration module, which, for the TCP data identified by each monitored four-tuple, calls the system HASH function to create a HASH bucket, places the TCP data into the corresponding HASH bucket according to the four-tuple identification information when each TCP packet arrives, and, when the TCP session ends, closes the HASH bucket created for the TCP data and sends a message to the protocol parsing module;
wherein the protocol data parsing uses a thread pool to parse the highly concurrent TCP session data in the high-speed mirrored network traffic.
The four-tuple is: source IP address, destination IP address, source port number, destination port number.
A protocol parsing module, which performs protocol identification and protocol data parsing on the TCP data placed in the corresponding HASH bucket and, after the protocol data has been parsed, sends a message to the document storage module.
A document storage module, which receives the message sent by the protocol parsing module, extracts document attribute information from the message, extracts the document data according to the document attribute information, and stores the extracted document data on an in-memory file system.
The device also includes:
a forwarding module, which forwards the data traffic of one or more source ports of a switch or router to a designated port to monitor the network.
The protocol identification includes:
determining the type of the application protocol, including the HTTP, SMTP or FTP protocol, according to the command word of the application request in the session data and the corresponding response code.
The protocol data parsing using a thread pool to parse the highly concurrent TCP session data in the high-speed mirrored network traffic specifically includes: after each TCP session ends, a message is sent to the thread pool; after the thread pool obtains the message, it immediately creates a thread to process that TCP session.
As shown in Fig. 1, the device for extracting documents from high-speed traffic proposed by the invention mainly includes the following parts:
(1) Session restoration module. It comprises session reassembly, placing TCP data into buckets, and taking TCP data out of buckets. For the TCP data identified by each four-tuple, the session restoration module calls the system HASH function to create a HASH bucket. When each TCP packet arrives, it is put into the specific HASH bucket according to its four-tuple information. When the TCP session ends, the HASH bucket is closed and a message is sent to the protocol parsing module.
The four-tuple is: source IP address, destination IP address, source port number, destination port number.
(2) Protocol parsing module. The protocol parsing module comprises two parts, protocol identification and protocol data parsing. In a complete session data set, the type of the L7 application protocol of the seven-layer OSI model is first determined according to the port number of the TCP session and the command word features, for example HTTP:80, SMTP:25 or FTP:21. After the protocol type is determined, the attachments or files in the protocol content are parsed according to the specific flow of the protocol. The content parsing of protocol data uses a thread pool to achieve large-scale concurrent processing: for example, after the restoration of each TCP session finishes, a message is sent to the thread pool, and after the thread pool obtains the message it immediately creates a thread to process that TCP session. Because the volume of concurrent TCP session data in high-speed traffic is very large, a large amount of protocol data needs to be processed in parallel once reassembly is complete. After protocol parsing is complete, a message is sent to the document storage module.
(3) Document storage module. The document storage module receives the message from the protocol parsing module and then extracts the document attribute information from the message. Finally it extracts the document data according to the document path contained in the document attributes and stores the document data on the in-memory file system. The document can then be transferred to the hard disk.
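The session restoration, protocol identification and document extraction flow described above can be sketched in Python as follows. This is an added example, not code from the patent: the Segment record, the SIGNATURES table, the function names and all packet data are constructed for illustration. It assumes that both directions of a connection share one bucket, that the first sender seen is the client, that a session ends once both sides have sent FIN, and that only HTTP multipart uploads are extracted; ThreadPoolExecutor reuses worker threads rather than creating one per message, and a dict stands in for the in-memory file system.

```python
import re
from collections import namedtuple
from concurrent.futures import ThreadPoolExecutor

# Constructed stand-in for a mirrored TCP segment; src/dst are (ip, port) pairs.
Segment = namedtuple("Segment", "src dst seq payload fin")
# Per protocol: client command word, server response code (assumed signatures).
SIGNATURES = {
    "HTTP": (re.compile(rb"(GET|POST|PUT) \S+ HTTP/1\.\d\r\n"), re.compile(rb"HTTP/1\.\d \d{3} ")),
    "SMTP": (re.compile(rb"(HELO|EHLO) ", re.I), re.compile(rb"220[ -]")),
    "FTP": (re.compile(rb"(USER|PASS) ", re.I), re.compile(rb"220[ -]")),
}

def identify(request, response):
    """Protocol identification from the request command word and response code."""
    for proto, (req_re, resp_re) in SIGNATURES.items():
        if req_re.match(request) and resp_re.match(response):
            return proto
    return None

def reassemble(segments):
    """Order payloads by sequence number (no 32-bit wraparound); trim overlaps."""
    out, nxt = bytearray(), None
    for seg in sorted((s for s in segments if s.payload), key=lambda s: s.seq):
        nxt = seg.seq if nxt is None else nxt
        if seg.seq > nxt:
            break  # gap: the mirror dropped a packet, keep the contiguous prefix
        skip = nxt - seg.seq
        if skip < len(seg.payload):
            out += seg.payload[skip:]
            nxt = seg.seq + len(seg.payload)
    return bytes(out)

def extract_http_upload(request):
    """Return (base_name, data) for the first file in a multipart POST, else None."""
    head, sep, body = request.partition(b"\r\n\r\n")
    m = re.search(rb'(?im)^Content-Type:\s*multipart/form-data;\s*boundary="?([^";\r\n]+)', head)
    if not (sep and head.startswith(b"POST ") and m):
        return None
    for part in body.split(b"--" + m.group(1)):
        phead, psep, data = part.partition(b"\r\n\r\n")
        fname = re.search(rb'filename="([^"]*)"', phead)
        if psep and fname:
            data = data[:-2] if data.endswith(b"\r\n") else data  # CRLF is delimiter
            raw = fname.group(1).decode("utf-8", "replace")
            # The sender controls the name: keep only the base name before storing.
            return re.split(r"[\\/]", raw)[-1].lstrip(".") or "unnamed", data
    return None

def parse_session(bucket):
    """Pool worker: reassemble both directions, identify the protocol, extract a file."""
    request, response = reassemble(bucket["c2s"]), reassemble(bucket["s2c"])
    proto = identify(request, response)
    return proto, (extract_http_upload(request) if proto == "HTTP" else None)

class SessionRestorer:
    def __init__(self, workers=4):
        self.buckets = {}  # four-tuple key -> bucket of segments
        self.pool = ThreadPoolExecutor(max_workers=workers)
        self.pending = []  # one future per finished session

    def on_segment(self, seg):
        key = tuple(sorted((seg.src, seg.dst)))  # both directions share one bucket
        b = self.buckets.setdefault(key, {"client": seg.src, "c2s": [], "s2c": [], "fins": set()})
        side = "c2s" if seg.src == b["client"] else "s2c"  # first sender = client
        b[side].append(seg)
        if seg.fin:
            b["fins"].add(side)
        if len(b["fins"]) == 2:  # session over: close the bucket, message the pool
            self.pending.append(self.pool.submit(parse_session, self.buckets.pop(key)))

def demo():
    """Two interleaved constructed sessions -> (protocols, stored files, open buckets)."""
    c1, s1 = ("10.0.0.5", 40001), ("203.0.113.9", 80)
    c2, s2 = ("10.0.0.6", 40002), ("198.51.100.7", 25)
    body = (b'--BOUND\r\nContent-Disposition: form-data; name="f"; '
            b'filename="../plan.txt"\r\n\r\nQ3 pricing draft\r\n--BOUND--\r\n')
    req = (b"POST /upload HTTP/1.1\r\nHost: files.example\r\nContent-Type: "
           b"multipart/form-data; boundary=BOUND\r\n\r\n") + body
    packets = [
        Segment(c1, s1, 1100, req[100:], False),  # arrives out of order
        Segment(c2, s2, 99, b"", False),          # SYN of the second session
        Segment(c1, s1, 1000, req[:40], False),
        Segment(s2, c2, 700, b"220 mail.example ESMTP\r\n", False),
        Segment(c1, s1, 1000, req[:40], False),   # retransmission
        Segment(c1, s1, 1040, req[40:100], False),
        Segment(c2, s2, 100, b"EHLO host.example\r\n", True),
        Segment(s1, c1, 5000, b"HTTP/1.1 200 OK\r\n\r\n", True),
        Segment(s2, c2, 724, b"", True),
        Segment(c1, s1, 1000 + len(req), b"", True),
    ]
    restorer = SessionRestorer()
    for p in packets:
        restorer.on_segment(p)
    results = [f.result() for f in restorer.pending]
    restorer.pool.shutdown()
    return [p for p, _ in results], dict(d for _, d in results if d), len(restorer.buckets)
```

Calling demo() runs both constructed sessions through the pipeline. Note that the uploaded file name comes from the sender, so the example keeps only its base name before using it as a storage key.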
<Specific embodiments>
Specific embodiment 1
An enterprise needs to audit the network data it sends out, in order to prevent important enterprise files from being sent to the external Internet. The number of documents the enterprise sends out is small, but the downlink traffic at the enterprise network port is large.
Using the network traffic document extraction method described in the invention, the documents that enterprise staff send out through the network egress can be extracted, which provides the conditions for subsequent content review.
Specific embodiment 2
An enterprise performs virus detection on the files flowing into the enterprise from the network port, to prevent Trojan or APT attacks. Using the technical means of the invention, documents can be extracted from the enterprise's downlink network traffic data, which creates the conditions for inspection against virus, Trojan or APT attacks.
The technical solution of the invention achieves the following technical effects: through concurrent TCP session processing, outgoing documents can be extracted quickly and effectively, and the document data in high-speed traffic is guaranteed to be processed, which provides the conditions for network auditing, virus detection and the like.
The foregoing is merely the preferred embodiments of the invention and is not intended to limit the scope of protection of the invention. Any modification, equivalent substitution, improvement and the like made within the spirit and principles of the invention shall fall within the scope of protection of the invention.

Claims (10)

1. A method for extracting outgoing documents from high-speed mirrored network traffic, the method comprising the following steps:
(1) creating a HASH bucket for the TCP data identified by each monitored four-tuple;
(2) when each TCP packet arrives, placing the TCP data into the corresponding HASH bucket according to the four-tuple identification information;
(3) performing protocol identification and protocol data parsing on the TCP data placed in the corresponding HASH bucket;
(4) receiving the message obtained by protocol data parsing, and extracting document attribute information from the message;
(5) extracting the document data according to the document attribute information, and storing the extracted document data on an in-memory file system;
wherein the protocol data parsing uses a thread pool to parse the highly concurrent TCP session data in the high-speed mirrored network traffic.
2. The method according to claim 1, further including the following step before step (1):
on a switch or router, forwarding the data traffic of one or more source ports to a designated port to monitor the network data.
3. The method according to claim 1, further including after step (2):
when the TCP session ends, closing the HASH bucket created for the TCP data.
4. The method according to claim 1, wherein the protocol identification in step (3) includes:
determining the type of the application protocol, including the HTTP, SMTP or FTP protocol, according to the command word of the application request in the session data and the corresponding response code.
5. The method according to claim 4, wherein the protocol data parsing in step (3) includes: after the protocol type is determined, parsing the attachments or files in the protocol content according to the specific flow of the protocol;
and wherein the protocol data parsing using a thread pool to parse the highly concurrent TCP session data in the high-speed mirrored network traffic specifically includes: after each TCP session ends, a message is sent to the thread pool; after the thread pool obtains the message, it immediately creates a thread to process that TCP session.
6. A device for extracting outgoing documents from high-speed mirrored network traffic, the device including:
a session restoration module, which creates a HASH bucket for the TCP data identified by each monitored four-tuple, places the TCP data into the corresponding HASH bucket according to the four-tuple identification information when each TCP packet arrives, and, when the TCP session ends, closes the HASH bucket created for the TCP data and sends a message to the protocol parsing module;
a protocol parsing module, which performs protocol identification and protocol data parsing on the TCP data placed in the corresponding HASH bucket and, after the protocol data has been parsed, sends a message to the document storage module;
a document storage module, which receives the message sent by the protocol parsing module, extracts document attribute information from the message, extracts the document data according to the document attribute information, and stores the extracted document data on an in-memory file system;
wherein the protocol data parsing uses a thread pool to parse the highly concurrent TCP session data in the high-speed mirrored network traffic.
7. The device according to claim 1, the device further including:
a forwarding module, which forwards the data traffic of one or more source ports of a switch or router to a designated port to monitor the network.
8. The device according to claim 6, wherein the protocol identification includes:
determining the type of the application protocol, including the HTTP, SMTP or FTP protocol, according to the command word of the application request in the session data and the corresponding response code.
9. The device according to claim 8, wherein the protocol data parsing using a thread pool to parse the highly concurrent TCP session data in the high-speed mirrored network traffic specifically includes: after each TCP session ends, a message is sent to the thread pool; after the thread pool obtains the message, it immediately creates a thread to process that TCP session.
10. A computer storage medium comprising computer program instructions which, when executed, perform one of the methods of claims 1-5.
CN201710751696.5A 2017-08-28 2017-08-28 Method and device for extracting outgoing files in high-speed mirror image network traffic Active CN107592303B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710751696.5A CN107592303B (en) 2017-08-28 2017-08-28 Method and device for extracting outgoing files in high-speed mirror image network traffic

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710751696.5A CN107592303B (en) 2017-08-28 2017-08-28 Method and device for extracting outgoing files in high-speed mirror image network traffic

Publications (2)

Publication Number Publication Date
CN107592303A true CN107592303A (en) 2018-01-16
CN107592303B CN107592303B (en) 2020-01-03

Family

ID=61041845

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710751696.5A Active CN107592303B (en) 2017-08-28 2017-08-28 Method and device for extracting outgoing files in high-speed mirror image network traffic

Country Status (1)

Country Link
CN (1) CN107592303B (en)

Cited By (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109639592A (en) * 2018-12-11 2019-04-16 武汉奥浦信息技术有限公司 A kind of rapid data analysis method and device based on ten thousand megastream amounts
CN110224995A (en) * 2019-05-17 2019-09-10 南京聚铭网络科技有限公司 A kind of high-efficiency multi-function packet depth recognition method
CN110311914A (en) * 2019-07-02 2019-10-08 北京微步在线科技有限公司 Pass through the method and device of image network flow extraction document
CN111556058A (en) * 2020-04-29 2020-08-18 杭州迪普信息技术有限公司 Session processing method and device
CN111884876A (en) * 2020-07-22 2020-11-03 杭州安恒信息技术股份有限公司 Method, device, equipment and medium for detecting protocol type of network protocol
CN111988346A (en) * 2019-05-21 2020-11-24 新华三信息安全技术有限公司 Data leakage protection equipment and message processing method
CN112039904A (en) * 2020-09-03 2020-12-04 福州林科斯拉信息技术有限公司 Network traffic analysis and file extraction system and method
CN112328764A (en) * 2020-11-05 2021-02-05 北京微步在线科技有限公司 File identification method and device and computer readable storage medium
CN113268696A (en) * 2021-06-16 2021-08-17 广州数智网络科技有限公司 Method for identifying four-party payment website and analyzing user
CN114338436A (en) * 2021-12-28 2022-04-12 深信服科技股份有限公司 Network traffic file identification method and device, electronic equipment and medium
CN115348332A (en) * 2022-07-08 2022-11-15 宜通世纪科技股份有限公司 Recombination method of HTTP data stream session in signaling analysis scene
CN115604207A (en) * 2022-12-12 2023-01-13 成都数默科技有限公司(Cn) Session-oriented network flow storage and indexing method
CN118509252A (en) * 2024-07-12 2024-08-16 国网思极网安科技(北京)有限公司 Encrypted traffic mirror image outgoing method and device

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101127690A (en) * 2006-08-17 2008-02-20 王玉鹏 Identification method for next generation of network service traffic
CN101286903A (en) * 2008-05-06 2008-10-15 北京锐安科技有限公司 Method for enhancing integrity of sessions in network audit field
CN101431539A (en) * 2008-12-11 2009-05-13 华为技术有限公司 Domain name resolution method, system and apparatus
CN103281213A (en) * 2013-04-18 2013-09-04 西安交通大学 Method for extracting, analyzing and searching network flow and content
US9571286B2 (en) * 2014-01-06 2017-02-14 Cloudflare, Inc. Authenticating the identity of initiators of TCP connections

Cited By (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109639592A (en) * 2018-12-11 2019-04-16 武汉奥浦信息技术有限公司 A kind of rapid data analysis method and device based on ten thousand megastream amounts
CN110224995A (en) * 2019-05-17 2019-09-10 南京聚铭网络科技有限公司 A kind of high-efficiency multi-function packet depth recognition method
CN111988346A (en) * 2019-05-21 2020-11-24 新华三信息安全技术有限公司 Data leakage protection equipment and message processing method
WO2020233412A1 (en) * 2019-05-21 2020-11-26 新华三信息安全技术有限公司 Data leakage prevention
US11973741B2 (en) 2019-05-21 2024-04-30 New H3C Security Technologies, Co., Ltd. Data leakage prevention
CN110311914A (en) * 2019-07-02 2019-10-08 北京微步在线科技有限公司 Pass through the method and device of image network flow extraction document
CN111556058B (en) * 2020-04-29 2022-09-09 杭州迪普信息技术有限公司 Session processing method and device
CN111556058A (en) * 2020-04-29 2020-08-18 杭州迪普信息技术有限公司 Session processing method and device
CN111884876A (en) * 2020-07-22 2020-11-03 杭州安恒信息技术股份有限公司 Method, device, equipment and medium for detecting protocol type of network protocol
CN112039904A (en) * 2020-09-03 2020-12-04 福州林科斯拉信息技术有限公司 Network traffic analysis and file extraction system and method
CN112328764A (en) * 2020-11-05 2021-02-05 北京微步在线科技有限公司 File identification method and device and computer readable storage medium
CN113268696A (en) * 2021-06-16 2021-08-17 广州数智网络科技有限公司 Method for identifying four-party payment website and analyzing user
CN114338436A (en) * 2021-12-28 2022-04-12 深信服科技股份有限公司 Network traffic file identification method and device, electronic equipment and medium
CN115348332A (en) * 2022-07-08 2022-11-15 宜通世纪科技股份有限公司 Recombination method of HTTP data stream session in signaling analysis scene
CN115348332B (en) * 2022-07-08 2023-08-29 宜通世纪科技股份有限公司 Method for reorganizing HTTP data stream session in signaling analysis scene
CN115604207A (en) * 2022-12-12 2023-01-13 成都数默科技有限公司(Cn) Session-oriented network flow storage and indexing method
CN118509252A (en) * 2024-07-12 2024-08-16 国网思极网安科技(北京)有限公司 Encrypted traffic mirror image outgoing method and device
CN118509252B (en) * 2024-07-12 2024-09-17 国网思极网安科技(北京)有限公司 Encrypted traffic mirror image outgoing method and device

Also Published As

Publication number Publication date
CN107592303B (en) 2020-01-03

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant