Network transmission data virus detection processing method

Abstract

The invention discloses a network transmission data virus detection processing method. According to the method, through zero memory copying, a virtual memory is used to map a data packet of transfer files from an inner core layer to a user layer; an application layer protocol is analyzed, transfer files are restored and delivered to a virus checking engine for detection, and coupling of an anti-virus wall system and the inner core is very small and kept stable; a conventional proxy connection technology is abandoned, a unique packet detaining mechanism is adopted, on the premise of not changing any features of original connection, and through double detection of a flow engine and a file engine, timely and accurate blocking of virus-carrying transfer files are guaranteed.

Description

technical field [0001] The invention relates to the technical field of data virus detection and processing, in particular to a method for network transmission data virus detection and processing. Background technique [0002] Generally, existing virus processing technologies for processing computer viruses include two types: proxy firewall technology and anti-virus engine technology. [0003] Proxy firewall technology: [0004] Different from the packet filtering firewall, which only performs data flow feature matching and filtering, the proxy firewall replaces the direct communication between the client and the server through a proxy connection, and performs protocol analysis and file restoration at the application layer for more in-depth security analysis and processing; [0005] Anti-virus engine technology: [0006] An anti-virus engine generally refers to a method of scanning and killing viruses running on an operating system (such as a Windows operating system). It i...

AI Technical Summary

Problems solved by technology

[0013] 1) The transparent proxy antivirus wall system replaces the original connection with a pair of connections (takeover connection and proxy connection). In a high-throughput environment (such as a Gigabit or 10 Gigabit backbone network), the scalability is poor and performance requirements are usually not met;

[0014] 2) Although the proxy connection of the transparent proxy maintains the IP address and TCP port of the original connection, it is still different in finer connection characteristics (such as TCP sequence number);

[0015] 3) Transparent proxy technology is usually based on the netfilter mechanism of the Linux kernel (a Linux2.4 kernel firewall technology proposed by Rusty Russell), using NAT-like address translation technology, highly coupled with the kernel, complex implementation, high error rate, unknown potential There are many errors, and it is difficult to upgrade simultaneously when the kernel version is upgraded

However, at present, most backbone networks have introduced redundancy mechanisms. If the two-way data packets of the TCP connection flow through different links, the antivirus wall cannot work normally, and even normal network communication will be affected;

Images