
CN103634306B - The safety detection method and safety detection server of network data - Google Patents

The safety detection method and safety detection server of network data

Info

Publication number
CN103634306B
Authority
CN
China
Prior art keywords
security
file
data
network
protocol
Prior art date
Legal status
Active
Application number
CN201310576843.1A
Other languages
Chinese (zh)
Other versions
CN103634306A (en)
Inventor
张聪
唐海
邱鹏
Current Assignee
Beijing Qizhi Business Consulting Co ltd
Beijing Qihoo Technology Co Ltd
360 Digital Security Technology Group Co Ltd
Original Assignee
Beijing Qihoo Technology Co Ltd
Qizhi Software Beijing Co Ltd
Priority date
Filing date
Publication date
Application filed by Beijing Qihoo Technology Co Ltd, Qizhi Software Beijing Co Ltd
Priority to CN201310576843.1A
Publication of CN103634306A
Application granted
Publication of CN103634306B
Legal status: Active
Anticipated expiration

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a security detection method for network data and a security detection server. The security detection method includes: capturing data packets transmitted in the network; reassembling the data packets to restore Transmission Control Protocol (TCP) connection data and identifying the application-layer protocol used by the TCP connection data; and using the security scanning module corresponding to that application-layer protocol to perform a security scan of the TCP connection data. With this technical solution, after packets are captured and reassembled, data security monitoring is performed according to the application-layer protocol the packets correspond to, and protocol analysis is performed on the reassembled application-layer data. This is highly targeted, can identify network attacks quickly and effectively, and improves network security.

Description

Network data security detection method and security detection server

Technical field

The present invention relates to the field of Internet security, and in particular to a security detection method for network data and a security detection server.

Background art

"Malicious program" is an umbrella term for any software program intentionally created to perform unauthorized and usually harmful actions. Computer viruses, backdoors, keyloggers, password stealers, Word and Excel macro viruses, boot-sector viruses, script viruses (batch, Windows shell, Java, etc.), Trojan horses, crimeware, spyware and adware are all examples of what can be called malicious programs.

Traditional malware prevention and removal relies mainly on signature-database matching or behaviour analysis. Signature matching works as follows: the antivirus engine reads a local file and matches it against all of the signature "keywords" in the signature database; if the file's program code is hit, the file can be judged to be a malicious program. Behaviour analysis uses the program's behaviour as the basis for judging whether it is malicious; from it derive the approaches of using a local signature library, setting local behaviour thresholds and local heuristic scanning to identify and block the behaviour of malicious programs.

Local active defence is easily evaded by malicious programs. For example, packing a malicious program or modifying its signature evades the signature-library mode of local active defence, and reducing or replacing the behaviours the malicious program performs avoids reaching the trigger point of the behaviour-threshold mode. In addition, local active defence still depends on timely updates of the local database.

In view of these problems, some companies have proposed "cloud scanning" technology, in which a large number of client computers are treated as virus collectors: they upload the suspicious files they encounter day to day to the server side, so that the server can analyse the uploaded samples and respond rapidly to new viruses.

However, current cloud scanning technology can only scan files that have already been downloaded. Virus or Trojan files whose download consumes large amounts of network resources can only be discovered and deleted after the download completes, and nothing at all can be done about content that is still in transit on the network.

Summary of the invention

In view of the above problems, the present invention is proposed to provide a security detection server for network data and a corresponding security detection method for network data that overcome the above problems or at least partially solve them.

According to one object of the present invention, a security detection method for network data is provided. The method includes: capturing data packets transmitted in the network; reassembling the data packets to restore Transmission Control Protocol (TCP) connection data and identifying the application-layer protocol used by the TCP connection data; and using the security scanning module corresponding to that application-layer protocol to perform a security scan of the TCP connection data.

Optionally, capturing the data packets transmitted in the network includes: using the network bypass of a switch to copy the packets transmitted in the network and feed them to the network card of the security detection server.

Optionally, reassembling the data packets to restore TCP connection data includes: writing the packets into a cache file; and reassembling the packets written into the cache file to restore them to TCP connection data.

Optionally, reassembling the packets written into the cache file includes: parsing the sequence number and acknowledgement number in each packet's TCP header; and ordering the packets into their TCP transmission order according to the sequence number and acknowledgement number.

Optionally, identifying the application-layer protocol used by the TCP connection data includes: judging the application-layer protocol used by the packets according to the data characteristics and port characteristics of the reassembled packets.

Optionally, the application-layer protocols used by the packets include: File Transfer Protocol (FTP), Simple Mail Transfer Protocol (SMTP), Post Office Protocol version 3 (POP3), Hypertext Transfer Protocol (HTTP), Simple Network Management Protocol (SNMP), Network News Transfer Protocol (NNTP) and Domain Name System (DNS) resolution requests.

Optionally, after the security scan of the TCP connection data by the security scanning module corresponding to the application-layer protocol, the method further includes: extracting files from the TCP connection data and performing cloud security analysis and dynamic behaviour security analysis on the files.

Optionally, performing cloud security analysis on a file includes: computing the file's hash value and comparing it against the hash-value danger list in the cloud security server; and/or extracting the file's Uniform Resource Locator (URL) and comparing it against the URL danger list in the cloud security server.

Optionally, comparing the URL against the URL danger list in the cloud security server includes: extracting the URL ciphertext corresponding to the URL; matching the URL ciphertext against the ciphertexts stored in the cloud security server's database, which include the ciphertexts of URLs marked as malicious; and, if the URL ciphertext matches a ciphertext stored in the database, determining that the URL contains malicious content.

Optionally, performing dynamic behaviour security analysis on a file includes: determining the corresponding virtual detection environment according to the file's type; running or opening the file in the virtual detection environment while monitoring the environment's running state and generating a running-state log; and analysing the running-state log to obtain the file's dynamic behaviour security analysis result.

Optionally, analysing the running-state log includes: accumulating, with preset weights, the various operations triggered by the file in the running-state log; and judging whether the weighted sum exceeds a preset value and, if so, determining that the file is malicious.

Optionally, monitoring the running state of the virtual detection environment includes: monitoring the environment's memory changes, registry modifications, process changes and network connections.
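The running-state log analysis described in the preceding paragraphs (weight each logged operation, sum, compare with a preset value) is shown below as an added example; it is not code from the patent. The log line format, the operation names, the weights and the threshold are all constructed here, as are the two sample logs; the patent only fixes the four categories monitored (memory, registry, processes, network connections) and the weighted-sum test.

```python
"""Weighted scoring of a sandbox running-state log (added example)."""
import re
from typing import Dict, Iterable, List

# Operation classes the patent monitors: memory, registry, processes, network.
# Weights and threshold are constructed values; the patent leaves them preset
# by the operator.
WEIGHTS: Dict[str, int] = {
    "MEM_CHANGE": 15,
    "REGISTRY_MODIFY": 20,
    "PROCESS_CHANGE": 10,
    "NET_CONNECT": 25,
}
THRESHOLD = 50  # weighted sum above this marks the file malicious

# Constructed log format: "<timestamp> <OPERATION> <free-text detail>"
LOG_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<op>[A-Z_]+) (?P<detail>.*)$"
)


def parse_log(lines: Iterable[str]) -> Dict[str, List[str]]:
    """Group log lines by operation; lines that do not parse go under '_malformed'."""
    grouped: Dict[str, List[str]] = {}
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            grouped.setdefault("_malformed", []).append(line)
            continue
        grouped.setdefault(m.group("op"), []).append(m.group("detail"))
    return grouped


def score_log(lines: Iterable[str], weights: Dict[str, int] = WEIGHTS,
              threshold: int = THRESHOLD) -> Dict[str, object]:
    """Weighted accumulation over every logged operation, then the threshold test.

    Operations with no preset weight contribute nothing but are reported, so
    the operator can see what the weight table does not cover; malformed
    lines are counted rather than silently dropped.
    """
    grouped = parse_log(lines)
    score = 0
    unweighted: List[str] = []
    for op, events in grouped.items():
        if op == "_malformed":
            continue
        if op in weights:
            score += weights[op] * len(events)
        else:
            unweighted.append(op)
    return {
        "score": score,
        "malicious": score > threshold,
        "counts": {op: len(ev) for op, ev in grouped.items()},
        "unweighted_ops": sorted(unweighted),
    }


# Constructed running-state logs: one for a dropper-like sample, one benign.
SUSPICIOUS_LOG = [
    "2013-11-18T10:00:01 PROCESS_CHANGE created cmd.exe (pid 1234)",
    "2013-11-18T10:00:02 REGISTRY_MODIFY HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater",
    "2013-11-18T10:00:03 NET_CONNECT 203.0.113.7:4444",
    "2013-11-18T10:00:04 MEM_CHANGE wrote 0x2000 bytes into pid 1234",
    "2013-11-18T10:00:05 FILE_READ C:\\Users\\Public\\notes.txt",
    "garbage line from a crashed monitor",
]
BENIGN_LOG = [
    "2013-11-18T11:00:01 PROCESS_CHANGE created notepad.exe (pid 2000)",
    "2013-11-18T11:00:02 PROCESS_CHANGE exited notepad.exe (pid 2000)",
]

if __name__ == "__main__":
    print(score_log(SUSPICIOUS_LOG))  # score 70 > 50 -> malicious
    print(score_log(BENIGN_LOG))      # score 20 -> not malicious
```

The suspicious log scores 70 (one event in each weighted class) and crosses the threshold; the benign log scores 20 from two process events. Reporting `unweighted_ops` is the practical check: a weight table that never sees a `FILE_READ` or similar new operation class silently under-scores samples, so new operation names surfacing there are the cue to revisit the weights.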

According to another aspect of the present invention, a security detection server for network data is also provided. The server includes: a packet capture interface for capturing data packets transmitted in the network; a packet reassembly device for reassembling the packets to restore TCP connection data; a protocol identification device for identifying the application-layer protocol used by the TCP connection data; and a packet security scanning device for performing a security scan of the TCP connection data using the security scanning module corresponding to the application-layer protocol.

Optionally, the packet capture interface is configured to: use the network bypass of a switch to copy the packets transmitted in the network and feed them to the network card of the security detection server.

Optionally, the packet reassembly device is configured to: write the packets into a cache file; and reassemble the packets written into the cache file to restore them to TCP connection data.

Optionally, the protocol identification device is configured to: judge the application-layer protocol used by the packets according to the data characteristics and port characteristics of the reassembled packets.

Optionally, the packet security scanning device includes: an FTP scanning module for security-scanning FTP packets; an SMTP scanning module for security-scanning SMTP packets; a POP3 scanning module for security-scanning POP3 packets; an HTTP scanning module for security-scanning HTTP packets; an SNMP scanning module for security-scanning SNMP packets; an NNTP scanning module for security-scanning NNTP packets; and a DNS resolution request scanning module for security-scanning DNS resolution request packets.

Optionally, the security detection server provided by the present invention further includes: a file analysis device for extracting files from the TCP connection data and performing cloud security analysis and dynamic behaviour security analysis on the files.

Optionally, the file analysis device includes: a hash-value cloud analysis module for computing a file's hash value and comparing it against the hash-value danger list in the cloud security server; and a URL cloud analysis module for extracting the file's Uniform Resource Locator (URL) and comparing it against the URL danger list in the cloud security server.

Optionally, a dynamic behaviour security analysis module is provided for determining the corresponding virtual detection environment according to the file's type; running or opening the file in the virtual detection environment while monitoring the environment's running state and generating a running-state log; and analysing the running-state log to obtain the file's dynamic behaviour security analysis result.

Optionally, the dynamic behaviour security analysis module's monitoring of the virtual detection environment's running state includes: monitoring the environment's memory changes, registry modifications, process changes and network connections.

With the security detection method and security detection server for network data provided by the present invention, after packets are captured and reassembled, data security monitoring is performed according to the application-layer protocol the packets correspond to, and protocol analysis is performed on the reassembled application-layer data. This is highly targeted, can identify network attacks quickly and effectively, and improves network security.

Further, the network data security detection method of the present invention achieves packet reassembly for high-speed network traffic, can support network environments with high-speed traffic, many IP connections and high concurrency, and improves the efficiency of network security monitoring.

Still further, dynamic analysis and cloud analysis are performed on files transmitted in the network, which improves the comprehensiveness of file security analysis and safeguards network security reliably.

The above description is only an overview of the technical solution of the present invention. So that the technical means of the present invention can be understood more clearly and implemented according to the contents of the specification, and so that the above and other objects, features and advantages of the present invention become more obvious and understandable, specific embodiments of the present invention are set out below.

The above and other objects, advantages and features of the present invention will become clearer to those skilled in the art from the following detailed description of specific embodiments of the present invention taken in conjunction with the accompanying drawings.

Description of the drawings

Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for the purpose of illustrating preferred embodiments and are not to be considered as limiting the invention. Throughout the drawings, the same reference numerals designate the same parts. In the drawings:

FIG. 1 is a schematic diagram of a security detection server 100 for network data according to an embodiment of the present invention;

FIG. 2 is a schematic diagram of the packet security scanning device 140 in the security detection server 100 for network data according to an embodiment of the present invention;

FIG. 3 is a schematic diagram of the file analysis device 150 in the security detection server 100 for network data according to an embodiment of the present invention; and

FIG. 4 is a schematic diagram of a security detection method for network data according to an embodiment of the present invention.

Detailed description

The algorithms and displays presented herein are not inherently related to any particular computer, virtual system or other device. Various general-purpose systems may also be used with the teachings herein. The structure required to construct such systems is apparent from the description above. Furthermore, the present invention is not directed to any particular programming language. It should be understood that a variety of programming languages may be used to implement the content of the present invention described herein, and that the description of specific languages above is for the purpose of disclosing the best mode of the present invention.

FIG. 1 is a schematic diagram of a security detection server 100 for network data according to an embodiment of the present invention. As shown in the figure, the security detection server 100 generally includes: a packet capture interface 110, a packet reassembly device 120, a protocol identification device 130 and a packet security scanning device 140; a file analysis device 150 may additionally be provided as required. The server 100 may be implemented on Linux or other Linux-based platforms.

In the security detection server 100 above, the packet capture interface 110 captures the data packets transmitted in the network. Capture may be performed by taking the packets from a network data bypass and importing them into the security detection server 100. For example, a bypass is set up on the network path, and the packets in the network traffic are imported into the server 100 through the packet capture interface 110. One specific implementation is: turn on the bypass switch of the network switch so that packets are copied in hardware and delivered to the network card of the server 100, modify the network card's driver with a packet-capture tool, and send the packets directly to the packet reassembly device 120.

By comparison with the capture method of the packet capture interface 110 above, the process by which a traditional application connects to the network is as follows: the application sends a request to connect to the network through the application programming interface (API) provided by the operating system; after receiving this network request, the operating system receives the data sent by the application, encapsulates it and sends the encapsulated data to the physical device (such as a network card), and finally the hardware device transmits the data. When network packets need to be captured, the operating system uses protocol drivers and filter drivers to obtain network-behaviour data while processing the relevant data, so one can register a protocol driver, or create a filter driver similar to those the operating system uses, and thereby obtain the network-behaviour data. Specific monitoring implementations include: registering a protocol driver on the client; creating a filter driver similar to the operating system's; using API functions provided by the operating system (hook functions) to intercept information about current network behaviour; taking over the program's calls to the network programming interface (Winsock); or registering firewall callbacks to intercept information about the program's current network behaviour. It can be seen that all of these ways of obtaining network-behaviour data are implemented on the client's operating system.

The existing approach must be invoked through the server's operating system, which involves interaction between memory and the operating system; at high bandwidth, the buffer limit causes serious packet loss. The packet capture interface 110 of the security detection server 100 of this embodiment, by contrast, achieves packet capture on high-speed networks without going through operating-system calls.

The packet reassembly device 120 reassembles the data packets to restore TCP connection data. Because the order in which packets travel across the network may differ from their original order, identifying a packet's application-layer protocol requires reassembling the packets in their predefined order. The packet reassembly device 120 may be configured to: write the packets into a cache file; and reassemble the packets written into the cache file to restore them to TCP connection data, which provides the basis for protocol identification. The content written into the cache file for each packet may include: the TCP connection's source IP, destination IP, source port and destination port, the sequence number, the acknowledgement number, and the packet's data content.

The reassembly of the cached packets into their predefined order may use the sequence number and acknowledgement number in the TCP header. First, parse the sequence number and acknowledgement number from each packet's TCP header; then sort the cached packets by sequence number and acknowledgement number.

After packets pass through routers and other network devices, their transmission order can differ from the order in which they were assembled, so packets must be reassembled according to the connection state of each TCP port. For example, a piece of text consisting of 4 bytes, 0, 1, 2, 3, is transmitted over the network and its order is changed in transit to 2, 1, 3, 4, 0; during reassembly the original order of the packets must first be restored.

The order in which the packet reassembly device 120 reassembles packets may be determined from the TCP sequence number and acknowledgement number. The TCP sequence number marks a packet's position in the data stream, and the TCP acknowledgement number records the number of contiguous data bytes the destination port has received from the source port. Both are carried in the TCP packet header. A change in the acknowledgement number indicates that a file has been transferred; for example, an acknowledgement number changing from 1000000 to 1000049 shows that the source has sent a segment of data, and the packets of that file are then reassembled in order by TCP sequence number.
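The reassembly step described above (and in the summary's "write to cache, then order by sequence number" paragraphs) is shown below as an added example; it is not the patent's code. The `Segment` record carries the fields the patent writes to its cache file, but the cache-file stage is replaced by an in-memory list so the block runs stand-alone, and the sample capture (an HTTP request whose segments arrive out of order, plus a retransmit and the reply) is constructed. It goes slightly beyond the text by also handling the cases a capture on a mirror port actually produces: duplicate and overlapping segments, and holes where a segment was never seen.

```python
"""TCP segment reassembly by sequence number (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Segment:
    """The per-packet fields the patent stores in its cache file."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    seq: int          # sequence number of the first payload byte
    ack: int          # acknowledgement number (carried, not needed for ordering)
    payload: bytes


FlowKey = Tuple[str, str, int, int]


def flow_key(s: Segment) -> FlowKey:
    """One direction of one TCP connection."""
    return (s.src_ip, s.dst_ip, s.src_port, s.dst_port)


def reassemble_flow(segments: List[Segment]) -> Tuple[bytes, List[Tuple[int, int]]]:
    """Order one direction of a connection by sequence number.

    Returns the contiguous byte stream starting at the lowest captured
    sequence number, plus a list of (expected_seq, next_seq) holes. Bytes
    already placed are never overwritten by a retransmit or an overlapping
    segment, and data after a hole is held back because it cannot be placed
    contiguously (a hole means a segment was lost or never captured).
    """
    if not segments:
        return b"", []
    ordered = sorted(segments, key=lambda s: s.seq)
    stream = bytearray()
    holes: List[Tuple[int, int]] = []
    expected = ordered[0].seq
    for s in ordered:
        if s.seq > expected:
            holes.append((expected, s.seq))
            break
        skip = expected - s.seq          # bytes we already hold (retransmit/overlap)
        if skip >= len(s.payload):
            continue                     # pure duplicate, nothing new
        stream.extend(s.payload[skip:])
        expected = s.seq + len(s.payload)
    return bytes(stream), holes


def reassemble_connections(segments: List[Segment]) -> Dict[FlowKey, bytes]:
    """Group captured segments per direction and rebuild each byte stream."""
    flows: Dict[FlowKey, List[Segment]] = {}
    for s in segments:
        flows.setdefault(flow_key(s), []).append(s)
    return {key: reassemble_flow(segs)[0] for key, segs in flows.items()}


# Constructed capture: the request's two segments arrive out of order, the
# first one is then retransmitted, and the server replies.
CLIENT = ("10.0.0.5", "10.0.0.9", 40000, 80)
SAMPLE_SEGMENTS = [
    Segment(*CLIENT, seq=1000016, ack=5000, payload=b"Host: example.test\r\n\r\n"),
    Segment(*CLIENT, seq=1000000, ack=5000, payload=b"GET / HTTP/1.1\r\n"),
    Segment(*CLIENT, seq=1000000, ack=5000, payload=b"GET / HTTP/1.1\r\n"),  # retransmit
    Segment("10.0.0.9", "10.0.0.5", 80, 40000, seq=5000, ack=1000038,
            payload=b"HTTP/1.1 200 OK\r\n"),
]

if __name__ == "__main__":
    for key, data in reassemble_connections(SAMPLE_SEGMENTS).items():
        print(key, data)
```

Holding back data after a hole matters for the scanning stage that follows: a protocol scanner fed a stream with silently concatenated bytes across a missing segment will mis-parse the application-layer message, so the reassembler reports the hole instead of papering over it.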

After the cached packets have been reassembled by TCP sequence number and acknowledgement number, the application-layer protocol used by the packets is judged according to the data characteristics and port characteristics of the reassembled packets.

The protocol identification device 130 identifies the application-layer protocol used by the TCP connection data. It may be configured to judge the application-layer protocol used by the packets according to the data characteristics and port characteristics of the reassembled packets. The data and port characteristics may include the TCP connection's source IP, destination IP, source port and destination port, and the packet's data content (data).

The identified protocol types may include: Post Office Protocol version 3 (POP3), File Transfer Protocol (FTP), Hypertext Transfer Protocol (HTTP), Simple Mail Transfer Protocol (SMTP), Domain Name System (DNS) requests, Simple Network Management Protocol (SNMP) and Network News Transfer Protocol (NNTP).
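The "port characteristics plus data characteristics" classification of the two preceding paragraphs, as an added example that is not the patent's code. The byte signatures, the port table and the sample streams are my own constructions; the patent names the seven protocols but not how their features are matched. The second element of the result records whether the verdict rests on a payload signature or only on the port, since on a mirror port anything can be sent to port 80 and a port-only match should be weighted accordingly by the scanner that consumes it.

```python
"""Application-layer protocol identification from port and payload features (added example)."""
from typing import Optional, Tuple

# Well-known server ports for the seven protocols the patent lists.
PORT_HINTS = {21: "FTP", 25: "SMTP", 53: "DNS", 80: "HTTP",
              110: "POP3", 119: "NNTP", 161: "SNMP"}

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


def payload_signature(payload: bytes, hint: Optional[str]) -> Optional[str]:
    """Return a protocol name when the first bytes of the stream identify it.

    Some banners are shared (FTP and SMTP both greet with "220 "; FTP and
    POP3 both accept "USER "), so the port hint breaks those ties and the
    function returns None when it cannot.
    """
    p = payload[:64]
    if p.startswith(HTTP_METHODS) or p.startswith(b"HTTP/1."):
        return "HTTP"
    if p.startswith((b"EHLO ", b"HELO ", b"MAIL FROM:")):
        return "SMTP"
    if p.startswith((b"+OK", b"-ERR")):
        return "POP3"
    if p.startswith((b"USER ", b"PASS ")):
        return hint if hint in ("FTP", "POP3") else None
    if p.startswith(b"220 "):
        return hint if hint in ("FTP", "SMTP") else None
    if p.startswith((b"200 ", b"201 ")) and hint == "NNTP":
        return "NNTP"
    if p[:1] == b"\x30" and hint == "SNMP":      # ASN.1 SEQUENCE tag opens a BER message
        return "SNMP"
    # DNS over TCP: a 2-byte length prefix equal to the size of the rest.
    if hint == "DNS" and len(p) >= 14 and int.from_bytes(p[:2], "big") == len(payload) - 2:
        return "DNS"
    return None


def identify_protocol(src_port: int, dst_port: int, payload: bytes) -> Tuple[str, str]:
    """Classify a reassembled stream as (protocol, basis).

    basis is "signature" when the payload matched, "port" when only the
    well-known port did, and "none" when neither applies.
    """
    hint = PORT_HINTS.get(dst_port) or PORT_HINTS.get(src_port)
    sig = payload_signature(payload, hint)
    if sig:
        return sig, "signature"
    if hint:
        return hint, "port"
    return "unknown", "none"


if __name__ == "__main__":
    # Constructed sample streams.
    print(identify_protocol(40000, 8080, b"GET /index.html HTTP/1.1\r\n"))  # HTTP on a non-standard port
    print(identify_protocol(40004, 80, b"\x16\x03\x01\x00\x05hello"))        # not HTTP at all, port-only verdict
```

The first sample shows why the page pairs data features with port features: HTTP on port 8080 is caught by the request line alone. The second shows the limit of the port feature, a TLS-looking record on port 80 gets only a "port" verdict, which a downstream HTTP scanner should treat as a reason to skip or flag rather than parse.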

The packet security scanning device 140 includes several security scanning modules and uses the module corresponding to the application-layer protocol to security-scan the packets. FIG. 2 is a schematic diagram of the packet security scanning device 140 in the security detection server 100 for network data according to an embodiment of the present invention. The packet security scanning device 140 may include: an FTP scanning module 141 for security-scanning FTP packets; an SMTP scanning module 142 for security-scanning SMTP packets; a POP3 scanning module 143 for security-scanning POP3 packets; an HTTP scanning module 144 for security-scanning HTTP packets; an SNMP scanning module 145 for security-scanning SNMP packets; an NNTP scanning module 146 for security-scanning NNTP packets; and a DNS resolution request scanning module 147 for security-scanning DNS resolution request packets. These scanning modules can be configured flexibly according to the needs of the actual application, selecting some or all of them.

The security detection server 100 uses a pre-established correspondence between the various scanning modules and file protocols to invoke the corresponding scanning module to scan files of the corresponding protocol type.

After the security scan by the packet security scanning device 140, the network data security detection server 100 can further use the file analysis device 150 to perform security analysis on the files extracted from the packets.

Fig. 3 is a schematic diagram of the file analysis device 150 in the network data security detection server 100 according to one embodiment of the present invention. The file analysis device 150 may include: a hash value cloud analysis module 151, a URL cloud analysis module 153 and a dynamic behavior security analysis module 153. The file analysis device 150 is used to extract files from the TCP connection data and to perform cloud security analysis and dynamic behavior security analysis on the files.

The three modules above, the hash value cloud analysis module 151, the URL cloud analysis module 153 and the dynamic behavior security analysis module 153, each perform their own kind of security analysis on the extracted file. The hash value cloud analysis module 151 computes the hash value of the file and compares it against the hash value danger list in the cloud security server. The hash value may be obtained with the MD5 algorithm; the data in the cloud security server's hash value danger list are the hash values of files already detected as malicious, so a match shows whether the current file is a malicious file already known to the cloud security server's hash value danger list.

The URL cloud analysis module 153 obtains the Uniform Resource Locator (URL) of the file and compares the URL against the URL danger list in the cloud security server. Similarly, the data in the cloud security server's URL danger list are the source URLs of files already detected as malicious, so a match shows whether the current file is a malicious file already known to the cloud security server's URL danger list.

If the file parsed out of the packets passes the cloud scanning of the hash value cloud analysis module 151 and the URL cloud analysis module 153 above, the dynamic behavior security analysis module 153 can further perform honeypot behavior analysis on the file to confirm and evaluate the risk of the file triggering system behavior.

In addition, for scanning Portable Executable files (Portable Execute, PE files for short), a cloud scanning engine for PE-type files and an artificial intelligence engine (Qihoo Virtual Machine, QVM engine for short) may also be used, as well as the Bit Defender antivirus engine and the Avira (小红伞) antivirus engine, among others. Common PE-type files include EXE, DLL, OCX, SYS and COM files.

For script files, a script antivirus engine may first be used to detect script viruses; if no script virus is detected, the client calls other antivirus engines such as the cloud scanning engine, the QVM engine and the macro virus removal engine (QEX engine) to scan for viruses. Alternatively, the cloud scanning engine, QVM engine, QEX engine and other antivirus engines may be called first, and only when no virus is detected is the script antivirus engine called to scan the script.

The analysis flow of the dynamic behavior security analysis module 153 includes: determining the corresponding virtual detection environment according to the file type; running or opening the file in the virtual detection environment while monitoring the running state of the virtual detection environment and generating a running state log; and analyzing the running state log to obtain the dynamic behavior security analysis result for the file. Monitoring the running state of the virtual detection environment by the dynamic behavior security analysis module 153 generally includes monitoring memory changes, registry modifications, process changes and network connections in the virtual detection environment; further, the following actions may be selectively monitored: file operations, network operations, process creation, thread creation, registry operations, window and tray operations, stack overflows, thread injection, interception of system API calls, and accessing, modifying and creating user accounts. All of the above actions may be behaviors of a malicious program.

The dynamic behavior security analysis module 153 may invoke active defense for security detection, that is, a large number of malicious program behaviors are stored in advance on the server side and compared against the behavior of the file under detection. The specific process is: a large number of client computers collect the program behaviors of various programs (a single behavior or a combination of a group of behaviors) and/or the program features of the program that initiates the behavior, and send them to the server; the server analyzes and compares the program features and/or program behaviors of a program on each client computer against the server's database, makes a judgment on the program according to the comparison result, and feeds the judgment back to the corresponding client computer; the client computer then decides, according to the returned judgment, whether to intercept the program behavior, terminate execution of the program and/or clean up the program and restore the system environment.

The above program behavior may be a behavior that a program performs directly, or the program may not perform the behavior directly but control another target program to perform it indirectly; therefore a program behavior includes the behavior itself and the attributes of the behavior's target. The attributes of the behavior target include: the black/white level of the target itself (that is, malicious or non-malicious), its location in the system (for example in the boot sector) and its type (for example executable file or backup file); they may be extended to include the black/white level of the behaviors performed by the target, the behavior itself, and so on.

The malicious behaviors stored in the database are assumed to include: deleting registry startup items or services, terminating the processes of computer security tools, cracking the administrator accounts of other computers on the LAN through weak passwords and copying itself to propagate, modifying registry key values so that hidden files and system files cannot be viewed, attempting to destroy files on hard disk partitions, deleting the user's system backup files, and so on. The degree or severity of damage of these malicious behaviors can be judged from the experience of technical staff, so that malicious behaviors with a high degree or severity of damage are given a larger weight value; alternatively, in practice, a mathematical model may be built from the large amount of collected client data according to parameters such as the reporting frequency and damage scope of malicious program behaviors, and the weight of each malicious behavior obtained and assigned through statistical algorithms. When the accumulated weight value exceeds the preset value, the program is determined to be malicious.

In specific operation, Trojan behavior rules have been collected over many years; known Trojan operation behaviors include: automatically compressing or decompressing files, binding the Trojan to certain files so that they grow in size, renaming files, deleting files, changing file contents, uploading and downloading files, the number of scans, scan days and scan targets, starting through the system's automatic program execution, modifying the registry, disguising files, modifying group policy, and so on.

Further, Trojan operation behaviors may also include: file operations, network operations, process creation, thread creation, registry operations, window and tray operations, stack overflow, thread injection, interception of system API calls, accessing, modifying and creating user accounts, invoking SHELL programs, modifying or writing program files, invoking FTP or TFTP, creating FTP or TFTP services, sending mail, the browser or mail system automatically running other programs, creating a large number of identical threads, modifying and creating user accounts, dangerous network operations, adding startup items to the system registry, modifying system startup files, injecting threads into other processes, stack overflow, automatic elevation of an application-level process to a system-level process, and interception of system API calls.

When analyzing the behavior log, a weight can be set for each of the above actions; the weights are finally accumulated and a comprehensive judgment is made.

For example, if the above file is an Office document, it can be detected in an Office virtual detection environment; an image file can be detected with an image viewer; a script file can be run directly by the virtual system, and a URL file can be opened in a virtual browser.

Script files can also be detected in a script detection engine by presetting multiple script antivirus engines. The script types targeted by script antivirus engines generally include: JS (JavaScript), HTML (Hypertext Markup Language), PHP (Hypertext Preprocessor) and VBS (Microsoft Visual Basic Script Edition) scripts; correspondingly, the script antivirus engines include a JS script antivirus engine, an HTML script antivirus engine, a PHP script antivirus engine and a VBS script antivirus engine. Each script antivirus engine is configured according to its script type and parses scripts of that type according to the specification for that type; for example, the JS script antivirus engine is configured according to the JS script specification and performs lexical analysis, expression analysis and syntax analysis on JS scripts according to that specification. Once the type of the actual script is determined, the script antivirus engine corresponding to that type is invoked for processing; for example, when the actual script is a JS script, the JS script antivirus engine is invoked.

During detection, by analyzing the log files that record memory changes, registry modifications, process changes and network connections, it is determined whether the file triggered any of the malicious behaviors introduced above or whether the calculated malicious weighted value exceeds the preset value; either criterion can be used to judge whether the file is malicious. This further raises the level of security analysis of files and makes it possible to judge whether a file transmitted in the above network is a Trojan file or other malicious file.
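The weighted accumulation and the "any decisive behavior" check described above, as an added example that is not code from the patent: it parses constructed running-state log lines (the line layout, action names, weights and threshold are all assumptions; the page gives no numbers) and returns the verdict.

```python
import re
from typing import Dict, List, Tuple

# Weights per monitored action. The values are constructed: the page says weights
# come from analyst experience or from a statistical model over client reports,
# but gives no numbers.
ACTION_WEIGHTS: Dict[str, int] = {
    "FILE_WRITE": 1,
    "THREAD_CREATE": 1,
    "NET_CONNECT": 2,
    "PROCESS_CREATE": 2,
    "REGISTRY_WRITE": 2,
    "REGISTRY_RUN_KEY_ADD": 6,      # startup item added to the registry
    "USER_ACCOUNT_CREATE": 7,
    "THREAD_INJECT": 8,             # thread injected into another process
    "API_HOOK": 8,                  # system API calls intercepted
    "SECURITY_TOOL_TERMINATE": 9,   # security tool process terminated
    "SYSTEM_BACKUP_DELETE": 9,
}
THRESHOLD = 10  # constructed preset value; malicious when the sum is greater than this

# Behaviors from the page's malicious-behavior list that are decisive on their own.
DECISIVE = {"SECURITY_TOOL_TERMINATE", "SYSTEM_BACKUP_DELETE", "THREAD_INJECT"}

# Hypothetical log line layout: "<date> <time> <ACTION> <detail>".
LOG_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<action>[A-Z_]+) (?P<detail>.*)$")


def parse_log(text: str) -> List[Tuple[str, str, str]]:
    """Parse the running-state log; malformed lines are skipped, not guessed."""
    entries = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if m:
            entries.append((m["ts"], m["action"], m["detail"]))
    return entries


def score_log(text: str) -> dict:
    """Weighted accumulation plus the decisive-behavior check; both criteria count."""
    score = 0
    triggered: List[str] = []
    unweighted: List[str] = []
    for _ts, action, _detail in parse_log(text):
        if action in DECISIVE and action not in triggered:
            triggered.append(action)
        if action in ACTION_WEIGHTS:
            score += ACTION_WEIGHTS[action]
        elif action not in unweighted:
            unweighted.append(action)  # surfaced so the weight table can be extended
    malicious = bool(triggered) or score > THRESHOLD
    return {"score": score, "threshold": THRESHOLD, "triggered": triggered,
            "unweighted": unweighted, "verdict": "malicious" if malicious else "clean"}


# Constructed sample logs (paths and addresses are made up).
SUSPICIOUS_LOG = """\
2013-11-18 10:00:01 PROCESS_CREATE C:\\Users\\u\\Downloads\\invoice.exe
2013-11-18 10:00:02 FILE_WRITE C:\\Users\\u\\AppData\\Roaming\\svchost.exe
2013-11-18 10:00:02 REGISTRY_RUN_KEY_ADD HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svchost
2013-11-18 10:00:03 NET_CONNECT 203.0.113.7:443
2013-11-18 10:00:04 THREAD_INJECT target=explorer.exe
garbage line that the parser must ignore
"""
BENIGN_LOG = """\
2013-11-18 11:00:01 PROCESS_CREATE C:\\Program Files\\Viewer\\viewer.exe
2013-11-18 11:00:02 FILE_WRITE C:\\Users\\u\\AppData\\Local\\Temp\\render.cache
2013-11-18 11:00:03 WINDOW_CREATE title=report.pdf
"""

if __name__ == "__main__":
    print(score_log(SUSPICIOUS_LOG))
    print(score_log(BENIGN_LOG))
```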

For advanced persistent threats (Advanced Persistent Threat, APT for short), because of their latency and persistence, the prior art lacks means of defending against APT attacks; even blocking a single attack does not resolve the problem completely. The network data security detection server 100 provided by this embodiment can extract files transmitted in a high-speed network and perform deep, fast analysis on them, thereby quickly and effectively identifying APT attacks. This provides a means of identification for further guarding against APT attacks.

The security detection server 100 provided by this embodiment can be deployed in an enterprise intranet; by analyzing the enterprise's real traffic it obtains files that may be dangerous and judges them quickly with cloud scanning, the Qihoo Support Vector Machine (QVM for short) and the macro virus removal engine (QEX). Files that cannot be judged are handed to the 360 sample analysis engine built into the product, which quickly reproduces the sample's behavior and raises an alarm on high-risk samples.

An embodiment of the present invention also provides a network data security detection method, which can be executed by any of the network data security detection servers 100 introduced in the above embodiments. After packets transmitted in the network are captured and reassembled, data security monitoring is carried out according to the application-layer protocol corresponding to the packets; this is highly targeted and can quickly and effectively identify network attacks. Fig. 4 is a schematic diagram of a network data security detection method according to one embodiment of the present invention; the method includes:

Step S402, capturing packets transmitted in the network;

Step S404, reassembling the packets to restore Transmission Control Protocol (TCP) connection data;

Step S406, identifying the application-layer protocol used by the TCP connection data;

Step S408, using the security scanning module corresponding to the application-layer protocol to perform a security scan on the TCP connection data.

The process of step S402 may include: using the network bypass of a switch to copy the packets transmitted in the network and feed them to the network card of the security detection server. Packet capture may be performed through a network data bypass; for example, a bypass is set up on the network channel to direct the packets in the network traffic to the server executing this method. One specific implementation is: turn on the bypass switch of the switch, copy the packets in hardware to the network card of the security detection server, modify the network card driver with a packet capture tool, and deliver the packets directly to the process executing the network data security detection method of this embodiment.

Because the order in which packets arrive over the network may differ from their original order, the process of step S404 may include reassembling the packets written to the cache file: parsing the sequence number and acknowledgment number in the TCP header of each packet, and sorting the packets into TCP transmission order according to the sequence number and acknowledgment number. Reassembling the cached packets in the predefined order may likewise include parsing the sequence number and acknowledgment number in the TCP header of each packet and sorting the cached packets according to them. The TCP sequence number marks the position of a packet's data in the data stream, and the TCP acknowledgment number records the contiguous data already received by the destination port from the source port. Both numbers are carried in the TCP packet header. A change in the acknowledgment number marks that a file has been transmitted, that is, the data source has sent a piece of data; the packets of that file are then reassembled in order according to the TCP sequence number.
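Reassembly by sequence number as described in step S404, as an added example that is not the patent's code: segments of one direction of a connection are sorted by their sequence number relative to the first byte, retransmitted bytes are dropped, and a hole (a packet that was never captured) is reported instead of being silently bridged. The 4-tuple, sequence numbers and payloads are constructed; it assumes no 32-bit sequence wrap inside one capture.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

SEQ_MOD = 1 << 32  # TCP sequence numbers are 32-bit and wrap around


@dataclass(frozen=True)
class Segment:
    """One captured TCP segment: the header fields the later steps need plus the payload."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    seq: int      # sequence number of the first payload byte
    ack: int      # acknowledgment number (acknowledges the other direction)
    payload: bytes


FlowKey = Tuple[str, int, str, int]


def flow_key(seg: Segment) -> FlowKey:
    """One direction of a connection is identified by (src_ip, src_port, dst_ip, dst_port)."""
    return (seg.src_ip, seg.src_port, seg.dst_ip, seg.dst_port)


def reassemble_direction(segments: List[Segment], isn: int) -> Tuple[bytes, bool]:
    """Restore one direction of a connection to stream order by sequence number.

    isn is the sequence number of the first byte of the stream. Returns
    (stream, complete): complete is False when a hole was found, i.e. a segment
    was not captured, so bytes after the hole are not returned rather than being
    joined at the wrong position. Retransmitted or overlapping bytes are dropped
    so the scanners see each byte once.
    """
    ordered = sorted(segments, key=lambda s: (s.seq - isn) % SEQ_MOD)
    stream = bytearray()
    expected = 0  # relative offset of the next byte still needed
    for seg in ordered:
        rel = (seg.seq - isn) % SEQ_MOD
        if rel > expected:
            return bytes(stream), False          # hole: a packet is missing
        skip = expected - rel                    # bytes already in the stream
        if skip >= len(seg.payload):
            continue                             # pure retransmission
        stream += seg.payload[skip:]
        expected = rel + len(seg.payload)
    return bytes(stream), True


def reassemble_capture(segments: List[Segment]) -> Dict[FlowKey, Tuple[bytes, bool]]:
    """Group captured segments by direction and reassemble each direction.

    Assumption: the lowest sequence number seen in a direction is the start of
    the captured stream (no 32-bit wrap inside one capture).
    """
    flows: Dict[FlowKey, List[Segment]] = {}
    for seg in segments:
        flows.setdefault(flow_key(seg), []).append(seg)
    return {key: reassemble_direction(segs, min(s.seq for s in segs))
            for key, segs in flows.items()}


# Constructed capture: an HTTP response split into three segments that arrived
# out of order, plus one retransmission of the first segment.
P1 = b"HTTP/1.1 200 OK\r\n"
P2 = b"Content-Length: 5\r\n\r\n"
P3 = b"hello"
ISN = 1000
SERVER_TO_CLIENT = ("10.0.0.5", 80, "10.0.0.9", 51000)
CAPTURE = [
    Segment(*SERVER_TO_CLIENT, ISN + len(P1) + len(P2), 1, P3),  # last piece, captured first
    Segment(*SERVER_TO_CLIENT, ISN, 1, P1),
    Segment(*SERVER_TO_CLIENT, ISN, 1, P1),                      # retransmission
    Segment(*SERVER_TO_CLIENT, ISN + len(P1), 1, P2),
]

if __name__ == "__main__":
    stream, complete = reassemble_capture(CAPTURE)[SERVER_TO_CLIENT]
    print(complete, stream)
```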

Step S406 may judge the application-layer protocol used by the packets according to the data features and port features of the reassembled packets. The data features and port features may include the source IP, destination IP, source port and destination port of the TCP connection, and the data content (data) of the packets.

Generally, the application-layer protocols used by packets include: File Transfer Protocol FTP, Simple Mail Transfer Protocol SMTP, Post Office Protocol version 3 POP3, Hypertext Transfer Protocol HTTP, Simple Network Management Protocol SNMP, Network News Transfer Protocol NNTP and Domain Name System DNS resolution requests. Therefore, for the above protocols, step S408 may use the FTP scanning module 141, the SMTP scanning module 142, the POP3 scanning module 143, the HTTP scanning module 144, the SNMP scanning module 145, the NNTP scanning module 146 and the DNS resolution request scanning module 147 respectively to perform security scans on their corresponding packets.
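Steps S406 and S408 combined, as an added example that is not the patent's code: the protocol is identified from the port feature together with a data-feature signature (the two are needed together because, for instance, FTP and SMTP both greet with "220 "), and the flow is dispatched to the scanner for that protocol. The signatures, the two stand-in scanners for modules 144 and 142, and the flows are constructed; the real per-protocol modules are not described on the page.

```python
import re
from typing import Callable, Dict, List, NamedTuple, Optional, Tuple


class Flow(NamedTuple):
    """Reassembled TCP connection data: the 4-tuple plus the start of the stream."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    data: bytes


# Port features: the well-known server ports of the protocols the page lists.
PORT_HINT: Dict[int, str] = {21: "FTP", 25: "SMTP", 53: "DNS", 80: "HTTP",
                             110: "POP3", 119: "NNTP", 161: "SNMP"}

# Data features: what the start of each text protocol looks like. FTP and SMTP
# both greet with "220 ", so a data match alone can be ambiguous.
SIGNATURES: List[Tuple[str, "re.Pattern[bytes]"]] = [
    ("HTTP", re.compile(rb"^(?:GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n"
                        rb"|^HTTP/1\.[01] \d{3} ")),
    ("SMTP", re.compile(rb"^(?:220 [^\r\n]*E?SMTP|EHLO |HELO |MAIL FROM:)", re.I)),
    ("FTP", re.compile(rb"^(?:220[ -]|USER |PASS |RETR |STOR )")),
    ("POP3", re.compile(rb"^(?:\+OK|USER |PASS |RETR )")),
    ("NNTP", re.compile(rb"^(?:20[01] |GROUP |ARTICLE |POST\r\n)")),
]
BINARY_BY_PORT = {"DNS", "SNMP"}  # no text signature here; trust the port feature


def identify_protocol(flow: Flow) -> Optional[str]:
    """Step S406: combine the port feature with the data feature."""
    hint = PORT_HINT.get(flow.dst_port) or PORT_HINT.get(flow.src_port)
    matches = [name for name, rx in SIGNATURES if rx.match(flow.data)]
    if hint in matches:            # port and data agree
        return hint
    if matches:                    # data feature wins, e.g. HTTP on port 8080
        return matches[0]
    if hint in BINARY_BY_PORT:
        return hint
    return None


def scan_http(flow: Flow) -> List[str]:
    """Stand-in for HTTP scanning module 144: spot responses that carry a file
    so it can be extracted for the file analysis stage."""
    head = flow.data.split(b"\r\n\r\n", 1)[0]
    findings = []
    if re.search(rb"^Content-Disposition:\s*attachment", head, re.I | re.M):
        findings.append("http: file download, extract for file analysis")
    if re.search(rb"^Content-Type:\s*application/(?:x-msdownload|octet-stream)",
                 head, re.I | re.M):
        findings.append("http: executable or opaque binary content type")
    return findings


def scan_smtp(flow: Flow) -> List[str]:
    """Stand-in for SMTP scanning module 142: flag messages carrying attachments."""
    if re.search(rb"^Content-Disposition:\s*attachment", flow.data, re.I | re.M):
        return ["smtp: mail attachment, extract for file analysis"]
    return []


SCANNERS: Dict[str, Callable[[Flow], List[str]]] = {"HTTP": scan_http, "SMTP": scan_smtp}


def scan_flow(flow: Flow) -> Tuple[str, List[str]]:
    """Step S408: dispatch the flow to the scanner matching its protocol."""
    proto = identify_protocol(flow) or "UNKNOWN"
    scanner = SCANNERS.get(proto)
    return proto, (scanner(flow) if scanner else [])


# Constructed flow: an HTTP response delivering an executable as an attachment.
HTTP_DOWNLOAD = Flow("10.0.0.5", 80, "10.0.0.9", 51000,
                     b"HTTP/1.1 200 OK\r\n"
                     b"Content-Type: application/x-msdownload\r\n"
                     b"Content-Disposition: attachment; filename=\"setup.exe\"\r\n"
                     b"\r\nMZ...")

if __name__ == "__main__":
    print(scan_flow(HTTP_DOWNLOAD))
```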

To further analyze the files contained in the packets, a step of extracting the files from the packets and performing security analysis on them may be executed after step S408. The security analysis of the files may include: extracting the files from the TCP connection data and performing cloud security analysis and dynamic behavior security analysis on them.

The cloud security analysis of a file may include hash value cloud scanning and URL cloud scanning, among others. Hash value cloud scanning includes computing the hash value of the file and comparing it against the hash value danger list in the cloud security server. The hash value is preferably computed with the message digest algorithm MD5.

URL cloud scanning includes: obtaining the file's Uniform Resource Locator (URL) and comparing the URL against the URL danger list in the cloud security server.

The URL cloud scanning process may be as follows:

The objects of URL cloud scanning include the web page access behavior of various types of browsers; the address information of the requested page is called the first URL. The first URL may be of the following kinds. First, the URL of the web page corresponding to the requested address; for example, when a request is made to visit the "Sina" homepage, the URL of that page is http://www.sina.com.cn/. Second, the URLs of links in the content of the requested web page; the content of the requested page may contain linked addresses, and the URLs of those links are also within the scope of monitoring. Third, the URL of a downloaded file; when a file download is requested, the URL of that file is also within the scope of monitoring.

The object of URL cloud scanning may involve one or more of the above three kinds of URL, that is, the first URL includes any one or any combination of the three. The scanning flow includes:

Step S502, extracting the URL ciphertext according to the address information, for example extracting the URL ciphertext corresponding to the first URL from the information contained in the first URL;

Step S504, matching the URL ciphertext against the ciphertexts stored in the database, which include ciphertexts marked as malicious addresses; if the URL ciphertext matches a ciphertext marked as a malicious address in the database, execute step 506; otherwise, execute step 508. In this embodiment the database is built in advance and stores at least the ciphertexts marked as malicious addresses; these ciphertexts are obtained from a large number of URLs known to be malicious.

Step 506, returning the malicious address query result and executing step 508. If the URL ciphertext matches a ciphertext marked as a malicious address in the database, this indicates that the URL contains malicious content and the malicious address query result is returned; otherwise step 510 is executed.

Step 508, blocking access to the address according to the malicious address query result, and ending.

Step 510, returning the normal address query result: the URL ciphertext of the scanned object does not match any ciphertext marked as a malicious address in the database, indicating that the URL does not contain malicious content; the normal address query result is returned, access to the address is not blocked, and the process ends.

According to the URL cloud scanning provided by this embodiment, when the scanned object includes URL data, the URL ciphertext is extracted from the address information and matched against the ciphertexts stored in the database to complete the security query and verification of the address. This method does not depend on a local database on the client; the security query and verification of the address are completed on the server side. Because the scanning database can be updated in time with all kinds of malicious addresses on the Internet, the amount of malicious address information stored in the database is large and its coverage is wide, so malicious websites can be intercepted quickly and effectively.
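The hash value cloud scan and the URL cloud scan of steps S502 to S510 together, as an added example that is not the patent's code. The page does not say how the "URL ciphertext" is derived; this example assumes it is a SHA-256 digest of the normalized URL, so that case and default-port differences in the same address still match. The danger lists, sample file and URLs are constructed.

```python
import hashlib
from typing import Optional, Set, Tuple
from urllib.parse import urlsplit


def url_ciphertext(url: str) -> str:
    """Step S502 (assumed derivation): SHA-256 of the normalized URL.

    Normalization: lowercase scheme and host, drop default ports, drop the
    fragment, keep path and query. Two spellings of one address then yield
    the same ciphertext and the same danger-list lookup.
    """
    p = urlsplit(url.strip())
    host = p.hostname or ""
    port = p.port
    default = (p.scheme, port) in (("http", 80), ("https", 443))
    netloc = host if port is None or default else f"{host}:{port}"
    norm = f"{p.scheme}://{netloc}{p.path or '/'}"
    if p.query:
        norm += f"?{p.query}"
    return hashlib.sha256(norm.encode("utf-8")).hexdigest()


# Constructed danger lists standing in for the cloud security server's database.
# MD5 is what the page prefers; it serves here only as a lookup key for known
# samples, not as proof that two files are identical.
KNOWN_BAD_SAMPLE = b"MZ constructed malicious sample"
MALICIOUS_MD5: Set[str] = {hashlib.md5(KNOWN_BAD_SAMPLE).hexdigest()}
MALICIOUS_URL_CIPHERTEXTS: Set[str] = {
    url_ciphertext("http://malware.example.test/dl/update.exe"),
}


def hash_cloud_check(data: bytes) -> Tuple[str, bool]:
    """Hash value cloud scan: MD5 of the file against the hash danger list."""
    digest = hashlib.md5(data).hexdigest()
    return digest, digest in MALICIOUS_MD5


def url_cloud_check(url: str) -> dict:
    """Steps S502 to S510 for one URL; 'block' is the decision of step 508."""
    ct = url_ciphertext(url)                          # S502
    if ct in MALICIOUS_URL_CIPHERTEXTS:               # S504 match
        return {"url": url, "ciphertext": ct, "result": "malicious", "block": True}
    return {"url": url, "ciphertext": ct, "result": "normal", "block": False}   # S510


def cloud_analysis(data: bytes, source_url: Optional[str]) -> dict:
    """Cloud security analysis of an extracted file: hash scan, then URL scan of
    its source. A file that matches neither is passed on to dynamic analysis."""
    digest, bad_hash = hash_cloud_check(data)
    url_verdict = url_cloud_check(source_url) if source_url else None
    known_bad = bad_hash or (url_verdict is not None and url_verdict["block"])
    return {"md5": digest, "hash_match": bad_hash, "url": url_verdict,
            "verdict": "malicious" if known_bad else "pass_to_dynamic_analysis"}


if __name__ == "__main__":
    print(cloud_analysis(KNOWN_BAD_SAMPLE, None))
    print(cloud_analysis(b"benign bytes", "HTTP://MALWARE.example.test:80/dl/update.exe#x"))
```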

If the extracted file is web page data, cloud security analysis can be performed based on the web page information. The specific process is: collect and aggregate the information of the web page itself: snapshot, CSS, JavaScript, HTML code, text, images, links and resources (such as video, executable files and documents); the page's server information: URL, HOST, IP, time of change and frequency of change; and information about the domain name the page belongs to: ICP filing information (such as sponsor name, sponsor nature, business scope and review time), WHOIS information (such as registrar, name servers, related websites, DNS servers, domain status, update time, creation time, expiration time, REGISTRANT CONTACT INFO, ADMINISTRATIVE CONTACT INFO, TECHNICAL CONTACT INFO and BILLING CONTACT INFO), and the domain's weight and number of indexed pages in other search engines. Cloud security analysis based on web page information can proceed from the following aspects:

Financial fraud pages imitate the official website in text, images and so on.

Check the family background (server information): for example, if there are malicious pages under the same HOST or IP, the current page is very likely to be malicious.

Check three generations of ancestry (ICP filing information, WHOIS information): for example, a page sells air tickets but its filing information lists no ticketing business, so the likelihood of fraud is high; or the websites under a registrar's name frequently produce malicious pages and have a poor trust record, so the probability that a new page there is malicious is relatively high.

Consult the neighbors' evaluation (weight and number of indexed pages in other search engines): for example, if nobody assigns the page a high weight and nobody indexes the corresponding pages, such pages can also be marked down during identification.

If the file parsed from the packets passes the above cloud scanning, honeypot behavior analysis, that is, dynamic behavior security analysis, can be performed on the file to confirm and evaluate the risk of the file triggering system behavior.

For example, if the file contained in the packets being transmitted is a downloaded document, the packets can be reassembled as HTTP and scanned by the Hypertext Transfer Protocol HTTP scanning module 144; after scanning, the file in the packets is extracted and imported into the dynamic behavior analysis system.

The analysis process of dynamic behavior security analysis is: determine the corresponding virtual detection environment according to the file type; run or open the file in the virtual detection environment, monitor the running state of the virtual detection environment and generate a running state log; analyze the running state log to obtain the dynamic behavior security analysis result of the file. Monitoring the running state of the virtual detection environment includes monitoring memory changes, registry modifications, process changes and network connections in the virtual detection environment.

For example, if the above file is an Office document, it can be detected in an Office virtual detection environment; an image file can be detected with an image viewer; a script file can be run directly by the virtual system, and a URL file can be opened in a virtual browser. During detection, by analyzing the log files that record memory changes, registry modifications, process changes and network connections, it is determined whether the file triggered malicious behavior, and thus whether the file is malicious. This further raises the level of security analysis of files and makes it possible to judge whether a file transmitted in the above network is a Trojan file or other malicious file. The above files may include Portable Executable files (Portable Execute, PE files for short), script files, text files, audio and video files and other types of files.

Dynamic behaviour security analysis can also invoke active defence for security detection: the behaviours of a large number of malicious programs are stored on the server side in advance and compared with the behaviour of the file under analysis. The specific flow is: a large number of client computers collect the program behaviour of various programs (a single behaviour or a combination of behaviours) and/or the program features of the program that initiated the behaviour, and send them to the server; the server analyses and compares the program features and/or program behaviour of a program on each client computer against its database, judges the program from the comparison result, and returns the verdict to the corresponding client computer; that client then decides, according to the returned verdict, whether to block the behaviour, terminate the program and/or clean it up and restore the system environment.

A program behaviour may be performed directly by a program, or the program may not act directly but control another target program that acts indirectly. Program behaviour therefore comprises the behaviour itself and the attributes of the behaviour's target. The target's attributes include its black/white level (malicious or non-malicious), its location in the system (for example, the boot sector) and its type (for example, executable file or backup file); they can be extended to include the black/white level of the behaviour the target itself performs, that behaviour itself, and so on.

The malicious behaviours stored in the database are assumed to include: deleting registry autostart entries or services; terminating the processes of security tools; cracking the administrator accounts of other computers on the LAN by weak passwords and copying itself to them to spread; modifying registry values so that hidden and system files cannot be viewed; attempting to destroy files on hard-disk partitions; deleting the user's system backup files; and so on. The degree or severity of damage of each behaviour can be judged from engineers' experience, so that more destructive or more severe behaviours receive a larger weight. In practice, a mathematical model can also be built from the large volume of collected client data, using parameters such as the reporting frequency and damage scope of each malicious behaviour, and the weight of each behaviour obtained and assigned by a statistical algorithm. When the accumulated weight exceeds a preset value, the program is judged malicious.

In practice, Trojan behaviour rules have been collected over many years. Known Trojan operations include: automatically compressing or decompressing files; binding the Trojan to files, which enlarges them; renaming files; deleting files; changing file contents; uploading and downloading files; scan counts, scan days and scan targets; starting through the system's autorun mechanisms; modifying the registry; disguising files; modifying group policy; and so on.

Further, Trojan operations may also include: file operations, network operations, creating processes, creating threads, registry operations, window and tray operations, stack overflow, thread injection, hooking system API calls, accessing, modifying and creating user accounts, invoking a shell, modifying or writing program files, invoking FTP or TFTP, creating FTP or TFTP services, sending mail, the browser or mail client automatically running other programs, creating large numbers of identical threads, dangerous network operations, adding autostart entries to the system registry, modifying system startup files, injecting threads into other processes, and an application-level process promoting itself to a system-level process.

When the behaviour log is analysed, each of the above actions can be assigned a weight; the weights are finally accumulated and a comprehensive judgement is made.
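The following Python script is an added example, not code from the patent, of the two steps the paragraphs above describe: choosing a virtual detection environment from the file type, and scoring a sandbox run log by weighted accumulation against a threshold. The log line format, the behaviour names, their weights, the threshold and the two sample logs are all constructed assumptions; the patent fixes none of them.

```python
"""Environment selection and weighted behaviour scoring for sandboxed files.

Added example, not the patent's code. The log line format, the behaviour
names, their weights and the threshold are assumptions chosen to illustrate
the method; the sample logs below are constructed, not captured.
"""
import re

# File type -> virtual detection environment (environment names are assumed).
ENVIRONMENTS = {
    ".exe": "windows-vm", ".dll": "windows-vm", ".scr": "windows-vm",      # PE files
    ".doc": "office-vm", ".docx": "office-vm", ".xls": "office-vm", ".ppt": "office-vm",
    ".jpg": "image-viewer-vm", ".png": "image-viewer-vm",
    ".js": "script-vm", ".vbs": "script-vm", ".ps1": "script-vm",
    ".url": "browser-vm", ".html": "browser-vm",
}

def select_environment(filename: str, head: bytes = b"") -> str:
    """Pick the environment from the file content first, then the extension.
    A PE renamed to 'photo.jpg' must still run in the Windows VM, so the
    'MZ' magic wins over the extension."""
    if head.startswith(b"MZ"):
        return "windows-vm"
    ext = "." + filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    return ENVIRONMENTS.get(ext, "windows-vm")      # unknown types: generic VM

# Behaviour rules: a regex over one log line -> (behaviour name, weight).
# The first rule that matches a line wins. Weights follow the patent's idea
# that more destructive behaviours weigh more; the numbers are illustrative.
RULES = [
    (re.compile(r"^REG SET .*\\CurrentVersion\\Run\\"),              ("add_autorun_entry", 30)),
    (re.compile(r"^REG DELETE .*\\CurrentVersion\\Run\\"),           ("delete_autorun_entry", 40)),
    (re.compile(r"^REG SET .*Explorer\\Advanced\\(Hidden|ShowSuperHidden)"), ("hide_files", 40)),
    (re.compile(r"^PROC KILL .*(antivirus|defender|firewall)"),      ("kill_security_tool", 60)),
    (re.compile(r"^PROC INJECT "),                                   ("inject_thread", 50)),
    (re.compile(r"^FILE DELETE .*\\System Volume Information\\"),    ("delete_backup", 50)),
    (re.compile(r"^FILE WRITE .*\.exe$"),                            ("drop_executable", 25)),
    (re.compile(r"^NET CONNECT .*:(21|69)$"),                        ("ftp_tftp_connect", 20)),
    (re.compile(r"^NET CONNECT "),                                   ("network_connect", 5)),
    (re.compile(r"^MEM ALLOC .*prot=RWX"),                           ("rwx_memory", 15)),
]
THRESHOLD = 100     # assumed preset value

def score_run_log(log_text: str, threshold: int = THRESHOLD):
    """Map each log line to at most one behaviour, count every distinct
    behaviour once (so a loop of a thousand connects cannot by itself cross
    the threshold), sum the weights and compare with the threshold.
    Returns (score, sorted behaviour names, verdict)."""
    seen = {}
    for line in log_text.splitlines():
        for pattern, (name, weight) in RULES:
            if pattern.search(line):
                seen[name] = weight
                break
    score = sum(seen.values())
    return score, sorted(seen), ("malicious" if score > threshold else "clean")

# Constructed run logs in the assumed "<CATEGORY> <ACTION> <details>" format.
SAMPLE_LOG = r"""PROC CREATE pid=1204 image=C:\Users\u\invoice.exe
FILE WRITE C:\Users\u\AppData\Roaming\svchost.exe
REG SET HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost = C:\Users\u\AppData\Roaming\svchost.exe
REG SET HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden = 2
PROC KILL image=MsMpEng.exe name=defender
NET CONNECT 203.0.113.10:443
NET CONNECT 203.0.113.10:443
MEM ALLOC pid=1204 size=4096 prot=RWX
"""
BENIGN_LOG = r"""PROC CREATE pid=880 image=C:\Program Files\Notepad++\notepad++.exe
FILE WRITE C:\Users\u\Documents\notes.txt
NET CONNECT 198.51.100.7:443
"""

if __name__ == "__main__":
    print(select_environment("invoice.docx"), select_environment("photo.jpg", b"MZ\x90\x00"))
    print(score_run_log(SAMPLE_LOG))
    print(score_run_log(BENIGN_LOG))
```

Counting each distinct behaviour once is a design choice the patent text leaves open; counting every occurrence instead would let a single noisy behaviour dominate the score, so whichever rule is chosen, the weights and threshold have to be tuned together.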

Through the above series of security analyses, the following can be achieved:

1. Precise detection of unknown exploit attacks against which traditional security products (such as IDS, IPS and UTM) are ineffective;

2. Precise detection of unknown Trojans, unknown viruses, unknown malicious code and special-purpose Trojans against which traditional endpoint anti-virus software and anti-virus gateways are ineffective;

3. Comprehensive detection of attacks that exploit known system and application vulnerabilities;

4. Comprehensive and fast detection of known Trojans, worms, viruses and other malicious code;

5. Comprehensive and fast detection of visits to phishing sites, sites hosting Trojans, and exploit sites (for example XSS);

6. Precise detection of malicious code spread through e-mail attachments (a principal vector of APT attacks);

7. Precise detection of malicious URLs embedded in e-mail bodies;

8. Precise detection of files containing malicious code transferred through IM tools (such as QQ and Aliwangwang);

9. Precise detection of malicious URLs appearing in IM chat content;

10. Precise detection of files containing malicious code downloaded over the Web;

11. Precise detection of Web access to pages carrying web Trojans (drive-by downloads).

By capturing packets from live network traffic and examining them comprehensively, all kinds of malicious files can be identified completely and accurately, greatly improving security and reliability. Unlike prior art implemented in a client on a personal computer, the technical solution of the present invention can be deployed on a server running Linux or another Linux-based platform. For example, on high-speed network traffic one CPU core can support bandwidth of up to 10 Gbps, and a multi-core machine up to the number of cores × 10 Gbps.

Furthermore, unlike the technical solution of the present invention, prior-art network scanning by binary signature matching performs no reassembly: it simply matches the binary data of each packet on its own, searching linearly for the required signature and treating a matching packet as malicious. A signature that straddles two segments, or whose segments arrive out of order, cannot be matched that way. The network data detection method of this embodiment performs fast packet reassembly, supports high-speed traffic with many concurrent IP connections, and recombines fragmented packets into meaningful data on which protocol analysis is then performed.

With the network data security detection method and security detection server 100 provided by the present invention, packets are captured and reassembled, security monitoring is performed according to the application-layer protocol of the packets, and protocol analysis is carried out on the reassembled application-layer data. This is highly targeted, identifies network attacks quickly and effectively, and improves network security.

Furthermore, the network data security detection method of the present invention achieves packet reassembly of high-speed network traffic, supports network environments with high-speed traffic and many concurrent IP connections, and improves the efficiency of network security monitoring.

Numerous specific details are set forth in the description provided here. It will be understood, however, that embodiments of the invention may be practised without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail so as not to obscure the understanding of this description.

Similarly, it should be understood that, in order to streamline this disclosure and aid understanding of one or more of the various inventive aspects, in the above description of exemplary embodiments of the invention the various features of the invention are sometimes grouped together in a single embodiment, figure, or description thereof. This method of disclosure, however, is not to be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into that detailed description, with each claim standing on its own as a separate embodiment of the invention.

Those skilled in the art will understand that the modules of the device in an embodiment can be adaptively changed and arranged in one or more devices different from that embodiment. The modules, units or components of an embodiment can be combined into one module, unit or component, and can furthermore be divided into a plurality of sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or device so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by an alternative feature serving the same, equivalent or similar purpose.

Furthermore, those skilled in the art will understand that, although some embodiments described here include certain features included in other embodiments and not others, combinations of features of different embodiments are meant to be within the scope of the invention and to form different embodiments. For example, in the claims, any of the claimed embodiments can be used in any combination.

The various component embodiments of the invention may be implemented in hardware, in software modules running on one or more processors, or in a combination of these. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the security detection server according to embodiments of the invention. The invention may also be implemented as a device or apparatus program (for example, a computer program or computer program product) for carrying out part or all of the methods described here. Such a program implementing the invention may be stored on a computer-readable medium, or may take the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.

It should be noted that the above embodiments illustrate rather than limit the invention, and that those skilled in the art will be able to design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several means, several of these means may be embodied by one and the same item of hardware. The use of the words first, second, third and so on does not indicate any order; these words may be interpreted as names.

Those skilled in the art will thus appreciate that, although a number of exemplary embodiments of the invention have been shown and described in detail here, many other variations or modifications consistent with the principles of the invention can be determined or derived directly from the disclosure without departing from the spirit and scope of the invention. The scope of the invention should therefore be understood to cover all such other variations or modifications.

Embodiments of the present invention also provide the following. A1. A security detection method for network data, comprising:

capturing packets transmitted in the network;

reassembling the packets to restore Transmission Control Protocol (TCP) connection data;

identifying the application-layer protocol used by the TCP connection data;

performing a security scan on the TCP connection data using a security scanning module corresponding to the application-layer protocol.

A2. The method according to A1, wherein capturing packets transmitted in the network comprises: copying the packets transmitted in the network through a network bypass (mirror) port of a switch and delivering them to the network card of the security detection server.

A3. The method according to A1, wherein reassembling the packets to restore TCP connection data comprises:

writing the packets into a cache file;

reassembling the packets written into the cache file to restore them to TCP connection data.

A4. The method according to A3, wherein reassembling the packets written into the cache file comprises:

parsing the sequence number and acknowledgement number in the TCP header of each packet;

sorting the packets into TCP transmission order according to the sequence number and acknowledgement number.

A5. The method according to any one of A1 to A4, wherein identifying the application-layer protocol used by the TCP connection data comprises: judging the application-layer protocol used by the packets according to the data features and port features of the reassembled packets.

A6. The method according to any one of A1 to A5, wherein the application-layer protocols used by the packets include: File Transfer Protocol (FTP), Simple Mail Transfer Protocol (SMTP), Post Office Protocol version 3 (POP3), Hypertext Transfer Protocol (HTTP), Simple Network Management Protocol (SNMP), Network News Transfer Protocol (NNTP) and Domain Name System (DNS) resolution requests.
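The following Python script is an added example, not the patent's code, of the reassembly and protocol-identification steps in A3 to A6 above. It also demonstrates the point the specification makes against prior-art per-packet signature matching: a signature split across two segments, delivered out of order with a retransmission, is invisible packet by packet and visible only in the reassembled stream. The segments, the protocol signatures, the port table and the scan signature are constructed assumptions; SNMP and DNS, which normally run over UDP and have no textual banner, appear only in the port table.

```python
"""TCP reassembly by sequence number and application-protocol identification.

Added example, not the patent's code. Segments are constructed (seq, payload)
tuples rather than captured packets; the protocol signatures, the port table
and the scan signature are assumptions made for illustration.
"""

def reassemble(segments, isn):
    """Return the contiguous byte stream starting at the initial sequence
    number ISN. Segments may arrive out of order, duplicated or overlapping:
    pure retransmissions are dropped and the already-placed prefix of an
    overlapping segment is trimmed. Reassembly stops at the first hole, so a
    scanner never matches across bytes the receiver has not yet received."""
    stream = bytearray()
    expected = isn
    for seq, data in sorted(segments, key=lambda s: s[0]):
        if seq + len(data) <= expected:
            continue                        # nothing new in this segment
        if seq > expected:
            break                           # hole: cannot place later data yet
        data = data[expected - seq:]        # drop the overlapping prefix
        stream += data
        expected += len(data)
    return bytes(stream)

# Data features for the protocols the patent lists: each test looks at the
# first bytes of the stream. Banners overlap ('220 ' opens SMTP and FTP,
# 'USER ' opens POP3 and FTP), which is why the port feature is also needed.
SIGNATURES = [
    ("HTTP", lambda p: p.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"PUT") or p.startswith(b"HTTP/1.")),
    ("SMTP", lambda p: p.startswith((b"220 ", b"EHLO ", b"HELO ", b"MAIL FROM:"))),
    ("POP3", lambda p: p.startswith((b"+OK", b"USER ", b"PASS ", b"RETR "))),
    ("FTP",  lambda p: p.startswith((b"220 ", b"220-", b"USER ", b"PASS ", b"STOR "))),
    ("NNTP", lambda p: p.startswith((b"200 ", b"201 ", b"GROUP ", b"ARTICLE "))),
]
# Port feature, used to break ties or where no textual feature exists.
PORT_HINTS = {21: "FTP", 25: "SMTP", 53: "DNS", 80: "HTTP", 110: "POP3", 119: "NNTP", 161: "SNMP"}

def identify_protocol(stream, server_port):
    """Data features first, port second: HTTP on port 8080 is still HTTP
    because the request line says so; 'USER alice' needs the port to decide."""
    matches = [name for name, test in SIGNATURES if test(stream[:64])]
    if len(matches) == 1:
        return matches[0]
    hint = PORT_HINTS.get(server_port)
    if hint in matches:
        return hint
    if matches:
        return "ambiguous:" + "/".join(matches)
    return hint or "unknown"

SCAN_SIGNATURE = b"cmd.exe /c"       # illustrative pattern a scanning module looks for

def per_packet_match(segments, sig=SCAN_SIGNATURE):
    """Prior-art style: match each packet's bytes on its own."""
    return any(sig in data for _, data in segments)

def stream_match(segments, isn, sig=SCAN_SIGNATURE):
    """This method: match against the reassembled connection data."""
    return sig in reassemble(segments, isn)

# Constructed HTTP request, cut into three segments so the signature straddles
# the second cut, delivered out of order and with one retransmission.
ISN = 1000
REQUEST = (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n\r\n"
           b"run=cmd.exe /c whoami\r\n")
S1, S2, S3 = REQUEST[:20], REQUEST[20:52], REQUEST[52:]
SEGMENTS = [(ISN + 20, S2), (ISN, S1), (ISN + 52, S3), (ISN, S1)]

if __name__ == "__main__":
    stream = reassemble(SEGMENTS, ISN)
    print(identify_protocol(stream, 80))
    print("per packet:", per_packet_match(SEGMENTS), "stream:", stream_match(SEGMENTS, ISN))
```

Stopping at the first hole is deliberate: if the scanner stitched across a gap it would be matching a byte sequence the endpoint never saw, and an attacker could use deliberate gaps and overlapping retransmissions to show the scanner one stream and the host another. A production reassembler also has to decide, per target operating system, which copy of overlapping data the host keeps.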

A7. The method according to any one of A1 to A6, further comprising, after performing the security scan on the TCP connection data with the security scanning module corresponding to the application-layer protocol:

extracting a file from the TCP connection data, and performing cloud security analysis and dynamic behaviour security analysis on the file.

A8. The method according to A7, wherein performing cloud security analysis on the file comprises:

computing a hash value of the file and comparing the hash value with a hash danger list in a cloud security server; and/or

extracting the Uniform Resource Locator (URL) of the file and comparing the URL with a URL danger list in the cloud security server.

A9. The method according to A8, wherein comparing the URL with the URL danger list in the cloud security server comprises:

extracting the URL ciphertext corresponding to the URL;

matching the URL ciphertext against the ciphertexts stored in the database of the cloud security server, the ciphertexts stored in the database including ciphertexts marked as malicious URLs;

if the URL ciphertext matches a ciphertext stored in the database of the cloud security server, determining that the URL contains malicious content.
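The following Python script is an added example, not the patent's code, of the cloud security analysis in A8 and A9: a file hash looked up in a hash danger list, and the URLs found in the file turned into a "ciphertext" and looked up in a URL danger list. The patent does not say what the URL ciphertext is; this example assumes it is the SHA-256 digest of a canonicalised URL (a common design, since the server then never sees the plaintext URL), and Python sets stand in for the cloud security server's database. The danger-list entries and the document bytes are constructed.

```python
"""Cloud-style reputation checks: file hash and URL digest against danger lists.

Added example, not the patent's code. The patent matches a file hash against a
hash danger list and a URL 'ciphertext' against stored ciphertexts; here the
ciphertext is assumed to be the SHA-256 digest of a canonicalised URL, and
Python sets stand in for the cloud security server's database. The bad-list
entries and the document bytes below are constructed.
"""
import hashlib
import re
from urllib.parse import urlsplit, urlunsplit

def file_digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def canonical_url(url: str) -> str:
    """Normalise so that trivially different spellings of one URL produce the
    same digest: lower-case scheme and host, drop a default port, a trailing
    dot on the host and the fragment, and give an empty path '/'."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").rstrip(".")
    default_port = {"http": 80, "https": 443}.get(scheme)
    netloc = host if parts.port in (None, default_port) else f"{host}:{parts.port}"
    return urlunsplit((scheme, netloc, parts.path or "/", parts.query, ""))

def url_digest(url: str) -> str:
    return hashlib.sha256(canonical_url(url).encode("utf-8")).hexdigest()

# Rough URL extractor over the file's bytes. A real deployment would parse the
# document format; plain-text extraction is enough to show the lookup.
URL_RE = re.compile(rb"https?://[A-Za-z0-9.\-]+(?::\d+)?(?:/[^\s\"'<>)]*)?")

def extract_urls(data: bytes):
    return [m.group(0).decode("ascii", "replace") for m in URL_RE.finditer(data)]

def cloud_check(data: bytes, bad_hashes, bad_url_digests):
    """Return (verdict, reasons). Either a hash hit or a known-bad URL inside
    the file marks it dangerous, matching A8's 'and/or'. Exact-hash matching
    is evaded by changing a single byte, which is why the patent follows it
    with dynamic behaviour analysis."""
    reasons = []
    digest = file_digest(data)
    if digest in bad_hashes:
        reasons.append("hash:" + digest[:12])
    for url in extract_urls(data):
        if url_digest(url) in bad_url_digests:
            reasons.append("url:" + canonical_url(url))
    return ("malicious" if reasons else "clean"), reasons

# Constructed danger lists and samples.
KNOWN_BAD_FILE = b"MZ\x90\x00constructed sample bytes"
BAD_HASHES = {file_digest(KNOWN_BAD_FILE)}
BAD_URL_DIGESTS = {url_digest("http://malware.example.test/payload.exe")}
DOC = b"Please open http://MALWARE.example.test:80/payload.exe#x for the invoice."

if __name__ == "__main__":
    print(cloud_check(KNOWN_BAD_FILE, BAD_HASHES, BAD_URL_DIGESTS))
    print(cloud_check(DOC, BAD_HASHES, BAD_URL_DIGESTS))
```

Canonicalisation decides what the danger list can catch: without it, `http://MALWARE.example.test:80/payload.exe#x` and `http://malware.example.test/payload.exe` hash differently and the second lookup misses. Hashing the URL before lookup also keeps the plaintext URL out of the cloud query, but a digest of a guessable URL is not secret; if privacy from the cloud operator matters, a prefix-matching scheme or a keyed construction is needed rather than a bare hash.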

A10. The method according to any one of A7 to A9, wherein performing dynamic behaviour security analysis on the file comprises:

determining a corresponding virtual detection environment according to the type of the file;

running or opening the file in the virtual detection environment, monitoring the running state of the virtual detection environment and generating a running-state log;

analysing the running-state log to obtain a dynamic behaviour security analysis result for the file.

A11. The method according to A10, wherein analysing the running-state log comprises:

weighting and accumulating, according to preset weights, the operation behaviours triggered by the file in the running-state log;

judging whether the weighted accumulated value is greater than a preset value and, if so, determining that the file is a malicious file.

A12. The method according to A10 or A11, wherein monitoring the running state of the virtual detection environment comprises: monitoring the memory changes, registry modifications, process changes and network connections of the virtual detection environment.

B13. A security detection server for network data, comprising:

a packet capture interface for capturing packets transmitted in the network;

a reassembly device for reassembling the packets to restore Transmission Control Protocol (TCP) connection data;

a protocol identification device for identifying the application-layer protocol used by the TCP connection data;

a packet security scanning device for performing a security scan on the TCP connection data using a security scanning module corresponding to the application-layer protocol.

B14. The security detection server according to B13, wherein the packet capture interface is configured to: copy the packets transmitted in the network through a network bypass (mirror) port of a switch and deliver them to the network card of the security detection server.

B15. The security detection server according to B13, wherein the reassembly device is configured to: write the packets into a cache file; and reassemble the packets written into the cache file to restore them to TCP connection data.

B16. The security detection server according to B15, wherein the protocol identification device is configured to: judge the application-layer protocol used by the packets according to the data features and port features of the reassembled packets.

B17. The security detection server according to any one of B13 to B16, wherein the packet security scanning device comprises:

a File Transfer Protocol (FTP) scanning module for performing a security scan on the packets of the FTP protocol;

a Simple Mail Transfer Protocol (SMTP) scanning module for performing a security scan on the packets of the SMTP protocol;

a Post Office Protocol version 3 (POP3) scanning module for performing a security scan on the packets of the POP3 protocol;

a Hypertext Transfer Protocol (HTTP) scanning module for performing a security scan on the packets of the HTTP protocol;

a Simple Network Management Protocol (SNMP) scanning module for performing a security scan on the packets of the SNMP protocol;

a Network News Transfer Protocol (NNTP) scanning module for performing a security scan on the packets of the NNTP protocol;

a Domain Name System (DNS) resolution request scanning module for performing a security scan on the packets of DNS resolution requests.

B18. The security detection server according to any one of B13 to B17, further comprising:

a file analysis device for extracting a file from the TCP connection data and performing cloud security analysis and dynamic behaviour security analysis on the file.

B19. The security detection server according to B18, wherein the file analysis device comprises:

a hash cloud analysis module for computing a hash value of the file and comparing the hash value with a hash danger list in a cloud security server;

a URL cloud analysis module for extracting the Uniform Resource Locator (URL) of the file and comparing the URL with a URL danger list in the cloud security server.

B20. The security detection server according to B18 or B19, wherein the file analysis device further comprises:

a dynamic behaviour security analysis module for determining a corresponding virtual detection environment according to the type of the file; running or opening the file in the virtual detection environment, monitoring the running state of the virtual detection environment and generating a running-state log; and analysing the running-state log to obtain a dynamic behaviour security analysis result for the file.

B21. The security detection server according to B20, wherein the dynamic behaviour security analysis module monitoring the running state of the virtual detection environment comprises: monitoring the memory changes, registry modifications, process changes and network connections of the virtual detection environment.

Claims (17)

1. A security detection method for network data, comprising:

capturing packets transmitted in the network;

reassembling the packets to restore Transmission Control Protocol (TCP) connection data;

identifying the application-layer protocol used by the TCP connection data;

performing a security scan on the TCP connection data using a security scanning module corresponding to the application-layer protocol, including scanning the respective packets with a File Transfer Protocol (FTP) scanning module, a Simple Mail Transfer Protocol (SMTP) scanning module, a Post Office Protocol version 3 (POP3) scanning module, a Hypertext Transfer Protocol (HTTP) scanning module, a Simple Network Management Protocol (SNMP) scanning module, a Network News Transfer Protocol (NNTP) scanning module and a Domain Name System (DNS) resolution request scanning module;

extracting a file from the TCP connection data and determining a corresponding virtual detection environment according to the type of the file;

running or opening the file in the virtual detection environment, monitoring the running state of the virtual detection environment and generating a running-state log, the running-state log recording the memory changes, registry modifications, process changes and network connections of the virtual detection environment;

analysing the running-state log to obtain a dynamic behaviour security analysis result for the file, wherein analysing the running-state log comprises: weighting and accumulating, according to preset weights, the operation behaviours triggered by the file in the running-state log; judging whether the weighted accumulated value is greater than a preset value and, if so, determining that the file is a malicious file.

2. The method according to claim 1, wherein capturing packets transmitted in the network comprises: copying the packets transmitted in the network through a network bypass (mirror) port of a switch and delivering them to the network card of the security detection server.

3. The method according to claim 1, wherein reassembling the packets to restore TCP connection data comprises:

writing the packets into a cache file;

reassembling the packets written into the cache file to restore them to TCP connection data.

4. The method according to claim 3, wherein reassembling the packets written into the cache file comprises:

parsing the sequence number and acknowledgement number in the TCP header of each packet;

sorting the packets into TCP transmission order according to the sequence number and acknowledgement number.

5. The method according to any one of claims 1 to 4, wherein identifying the application-layer protocol used by the TCP connection data comprises: judging the application-layer protocol used by the packets according to the data features and port features of the reassembled packets.

6. The method according to any one of claims 1 to 4, wherein the application-layer protocols used by the packets include: File Transfer Protocol (FTP), Simple Mail Transfer Protocol (SMTP), Post Office Protocol version 3 (POP3), Hypertext Transfer Protocol (HTTP), Simple Network Management Protocol (SNMP), Network News Transfer Protocol (NNTP) and Domain Name System (DNS) resolution requests.

7. The method according to any one of claims 1 to 4, further comprising, after extracting the file from the TCP connection data: performing cloud security analysis on the file.

8. The method according to claim 7, wherein performing cloud security analysis on the file comprises:

computing a hash value of the file and comparing the hash value with a hash danger list in a cloud security server; and/or

extracting the Uniform Resource Locator (URL) of the file and comparing the URL with a URL danger list in the cloud security server.

9. The method according to claim 8, wherein comparing the URL with the URL danger list in the cloud security server comprises:

extracting the URL ciphertext corresponding to the URL;

matching the URL ciphertext against the ciphertexts stored in the database of the cloud security server, the ciphertexts stored in the database including ciphertexts marked as malicious URLs;

if the URL ciphertext matches a ciphertext stored in the database of the cloud security server, determining that the URL contains malicious content.

10. The method according to claim 1, wherein monitoring the running state of the virtual detection environment comprises: monitoring the memory changes, registry modifications, process changes and network connections of the virtual detection environment.

11. A security detection server for network data, comprising:

a packet capture interface for capturing packets transmitted in the network;

a reassembly device for reassembling the packets to restore Transmission Control Protocol (TCP) connection data;

a protocol identification device for identifying the application-layer protocol used by the TCP connection data;

a packet security scanning device for performing a security scan on the TCP connection data using a security scanning module corresponding to the application-layer protocol;

a file analysis device for extracting a file from the TCP connection data, comprising a dynamic behaviour security analysis module for determining a corresponding virtual detection environment according to the type of the file; running or opening the file in the virtual detection environment, monitoring the running state of the virtual detection environment and generating a running-state log; and analysing the running-state log to obtain a dynamic behaviour security analysis result for the file, the running-state log recording the memory changes, registry modifications, process changes and network connections of the virtual detection environment, wherein analysing the running-state log comprises: weighting and accumulating, according to preset weights, the operation behaviours triggered by the file in the running-state log; judging whether the weighted accumulated value is greater than a preset value and, if so, determining that the file is a malicious file, and
the pre-set The set weight is weighted and accumulated; judging whether the weighted cumulative value is greater than the preset value, if so, determining that the file is a malicious file, and 所述数据包安全扫描装置包括:The data packet security scanning device includes: 文件传输协议FTP扫描模块,用于对FTP协议的所述数据包进行安全扫描;A file transfer protocol FTP scanning module is used to perform security scanning on the data packets of the FTP protocol; 简单邮件传输协议SMTP扫描模块,用于SMTP协议的所述数据包进行安全扫描;Simple Mail Transfer Protocol SMTP scanning module, used for the described data packet of SMTP agreement to carry out safety scanning; 邮局协议的第3个版本POP3扫描模块,用于POP3协议的所述数据包进行安全扫描;The third version POP3 scanning module of the post office protocol, which is used for the security scanning of the data packets of the POP3 protocol; 超文本传输协议HTTP扫描模块,用于HTTP协议的所述数据包进行安全扫描;The hypertext transfer protocol HTTP scanning module is used for the described data packet of HTTP agreement to carry out safety scanning; 简单网络管理协议SNMP扫描模块,用于SNMP协议的所述数据包进行安全扫描;Simple Network Management Protocol SNMP scanning module, for the described data packet of SNMP agreement to carry out safety scanning; 网络新闻传输协议NNTP扫描模块,用于NNTP协议的所述数据包进行安全扫描;Network news transfer protocol NNTP scanning module, used for the described data packet of NNTP agreement to carry out safe scanning; 域名系统DNS解析请求扫描模块,用于DNS解析请求协议的所述数据包进行安全扫描。The domain name system DNS resolution request scanning module is used for security scanning of the data packets of the DNS resolution request protocol. 12.根据权利要求11所述的安全检测服务器,其中,所述数据包抓取接口被配置为:利用交换机的网络旁路复制网络中传输的数据包并送入所述安全检测服务器的网卡。12 . The security detection server according to claim 11 , wherein the data packet capture interface is configured to use a network bypass of a switch to copy data packets transmitted in the network and send them to the network card of the security detection server. 13 . 13.根据权利要求11所述的安全检测服务器,其中,所述组包装置被配置为:将所述数据包写入缓存文件;对写入缓存文件的数据包进行重组,还原为TCP连接数据。13. 
The security detection server according to claim 11, wherein the grouping device is configured to: write the data packets into a cache file; reassemble the data packets written into the cache file, and restore them to TCP connection data . 14.根据权利要求13所述的安全检测服务器,其中,所述协议识别装置被配置为:按照重组后的数据包的数据特征和端口特征判断所述数据包使用的应用层协议。14. The security detection server according to claim 13, wherein the protocol identification device is configured to: judge the application layer protocol used by the data packet according to the data characteristics and port characteristics of the reassembled data packet. 15.根据权利要求11所述的安全检测服务器,其中,还包括:15. The security detection server according to claim 11, further comprising: 所述文件分析装置,还用于对所述文件进行云安全分析。The file analysis device is also used to perform cloud security analysis on the file. 16.根据权利要求15所述的安全检测服务器,其中,所述文件分析装置包括:16. The security detection server according to claim 15, wherein the file analysis device comprises: 散列值云分析模块,用于计算所述文件的散列值,并将所述散列值与云安全服务器中的散列值危险列表比对;The hash value cloud analysis module is used to calculate the hash value of the file, and compares the hash value with the hash value danger list in the cloud security server; URL云分析模块,用于提取所述文件的统一资源定位符URL,并将所述URL与云安全服务器中的URL危险列表比对。The URL cloud analysis module is used to extract the Uniform Resource Locator URL of the file, and compare the URL with the URL risk list in the cloud security server. 17.根据权利要求11所述的安全检测服务器,其中,所述动态行为安全分析模块监控虚拟检测环境的运行状态包括:监控所述虚拟检测环境的内存变化情况、注册表修改情况、进程变化情况、网络连接情况。17. The security detection server according to claim 11, wherein the monitoring of the running status of the virtual detection environment by the dynamic behavior security analysis module comprises: monitoring the memory changes, registry modification, and process changes of the virtual detection environment , Network connection status.
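The procedure the claims describe, as an added Python example that is not the patent's code: reassembly of a TCP byte stream by sequence number (claims 3, 4 and 13), application layer protocol identification from port features and data features together (claims 5, 6 and 14), hash comparison against a danger list (claims 8 and 16), and weighted accumulation of sandbox behaviours against a preset value (claims 1 and 11). The port table, the payload signatures, the behaviour weights, the threshold and every sample segment and log line are constructed assumptions; only one direction of a connection is modelled, so the acknowledgement number the claims also sort on is not needed here.

```python
"""Added example, not the patent's own code: a compact model of the claimed
pipeline. Port hints, payload signatures, behaviour weights, the threshold and
all sample data are constructed assumptions, not values from the patent."""
import hashlib
from dataclasses import dataclass


@dataclass
class Segment:
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes  # one direction of the connection is modelled


def reassemble(segments):
    """Claims 3-4: order segments by sequence number and rebuild the stream.
    Full and partial retransmissions are trimmed; a hole raises instead of
    silently handing a stream with missing bytes to the scanners."""
    stream, expected = b"", None
    for seg in sorted(segments, key=lambda s: s.seq):
        if expected is None:
            expected = seg.seq
        if seg.seq > expected:
            raise ValueError(f"gap in stream: expected seq {expected}, got {seg.seq}")
        data = seg.payload[expected - seg.seq:]   # empty for a full retransmission
        stream += data
        expected += len(data)
    return stream


# Port hints for the protocols listed in claim 6 (constructed table).
PORT_HINTS = {21: "FTP", 25: "SMTP", 110: "POP3", 80: "HTTP", 161: "SNMP", 119: "NNTP", 53: "DNS"}

# Data-feature checks on the first bytes of the stream (constructed signatures).
SIGNATURES = [
    ("HTTP", lambda d: d.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"PUT") or d.startswith(b"HTTP/")),
    ("SMTP", lambda d: d.startswith((b"220 ", b"EHLO ", b"HELO ", b"MAIL FROM"))),
    ("POP3", lambda d: d.startswith((b"+OK", b"USER ", b"PASS "))),
    ("FTP", lambda d: d.startswith((b"220 ", b"USER ", b"PASS "))),   # banner overlaps SMTP; the port breaks the tie
    ("NNTP", lambda d: d.startswith((b"200 ", b"201 ", b"GROUP ", b"ARTICLE "))),
    ("SNMP", lambda d: d[:1] == b"\x30"),   # BER SEQUENCE tag that opens an SNMP message
]


def identify_protocol(dst_port, stream):
    """Claim 5: payload signatures nominate candidates, the port hint breaks
    ties, and the port alone is the fallback when no signature matches, so a
    protocol on a non-standard port is still recognised from its data."""
    head = stream[:16]
    matches = [name for name, test in SIGNATURES if test(head)]
    hint = PORT_HINTS.get(dst_port)
    if len(matches) == 1:
        return matches[0]
    if hint in matches:
        return hint
    if matches:
        return matches[0]
    return hint or "UNKNOWN"


def hash_is_dangerous(data, danger_list):
    """Claim 8: compare the SHA-256 of an extracted object with a danger list."""
    return hashlib.sha256(data).hexdigest() in danger_list


# Preset weights for the four behaviour classes of claims 10 and 17 (constructed).
BEHAVIOUR_WEIGHTS = {"memory_change": 1, "process_change": 2, "registry_modify": 3, "network_connect": 3}
THRESHOLD = 10   # constructed preset value


def score_behaviours(log_lines):
    """Claims 1 and 11: weighted accumulation of behaviours in a running state log."""
    return sum(BEHAVIOUR_WEIGHTS.get(line.split(" ", 1)[0], 0) for line in log_lines)


def is_malicious(log_lines, threshold=THRESHOLD):
    return score_behaviours(log_lines) > threshold


# Constructed sample data: an HTTP request on a non-standard port, delivered
# out of order with one full and one partial retransmission.
_P1 = b"GET /update.bin HTTP/1.1\r\n"
_P2 = b"Host: files.example\r\n\r\n"
SAMPLE_SEGMENTS = [
    Segment(seq=1000 + len(_P1), payload=_P2),
    Segment(seq=1000, payload=_P1),
    Segment(seq=1000, payload=_P1),                                   # full retransmission
    Segment(seq=1000 + len(_P1) - 2, payload=b"\r\n" + _P2[:5]),      # overlaps both neighbours
]
DANGER_LIST = {hashlib.sha256(b"constructed malicious sample").hexdigest()}
SAMPLE_LOG = [   # constructed running state log lines: "<class> <detail>"
    "registry_modify HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater",
    "process_change spawn cmd.exe",
    "network_connect 203.0.113.5:4444",
    "network_connect 203.0.113.9:4444",
    "memory_change RWX region allocated in explorer.exe",
]
BENIGN_LOG = ["memory_change heap grow", "process_change spawn notepad.exe"]

if __name__ == "__main__":
    stream = reassemble(SAMPLE_SEGMENTS)
    print(identify_protocol(8080, stream), hash_is_dangerous(stream, DANGER_LIST))
    print(score_behaviours(SAMPLE_LOG), is_malicious(SAMPLE_LOG), is_malicious(BENIGN_LOG))
```

The gap check in `reassemble` is the practitioner's caveat on claim 4: sorting by sequence number only yields a faithful stream when every byte was captured, and a bypass copy that drops packets should be reported rather than scanned as if complete. The tie-breaking in `identify_protocol` is why the claims combine port and data features: the `220` banner alone cannot separate FTP from SMTP, while a port alone misses HTTP on 8080.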
CN201310576843.1A 2013-11-18 2013-11-18 The safety detection method and safety detection server of network data Active CN103634306B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310576843.1A CN103634306B (en) 2013-11-18 2013-11-18 The safety detection method and safety detection server of network data

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201310576843.1A CN103634306B (en) 2013-11-18 2013-11-18 The safety detection method and safety detection server of network data

Publications (2)

Publication Number Publication Date
CN103634306A CN103634306A (en) 2014-03-12
CN103634306B true CN103634306B (en) 2017-09-15

Family

ID=50214934

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201310576843.1A Active CN103634306B (en) 2013-11-18 2013-11-18 The safety detection method and safety detection server of network data

Country Status (1)

Country Link
CN (1) CN103634306B (en)

Families Citing this family (32)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105099821B (en) * 2015-07-30 2020-05-12 奇安信科技集团股份有限公司 Method and device for traffic monitoring in cloud-based virtual environment
CN105046154A (en) * 2015-08-13 2015-11-11 浪潮电子信息产业股份有限公司 Webshell detection method and device
CN105553767B (en) * 2015-12-15 2018-12-25 北京奇虎科技有限公司 Website backdoor file detection method and device
US10257223B2 (en) * 2015-12-21 2019-04-09 Nagravision S.A. Secured home network
CN105631331B (en) * 2015-12-24 2018-12-07 北京奇虎科技有限公司 Safety protecting method and device
CN106561024B (en) * 2015-12-28 2020-05-19 哈尔滨安天科技集团股份有限公司 Enterprise-level-based remote APT detection method and high-performance server
CN105844154B (en) * 2016-03-19 2018-09-07 浙江大学 A kind of rogue program detection method based on internal honey jar
CN107786524B (en) * 2016-08-31 2020-11-10 中国电信股份有限公司 Method and device for detecting advanced persistent threat
CN106355095B (en) * 2016-11-23 2018-10-19 吉林大学 Method for distinguishing is known to fraud webpage using fuzzy theory
CN106790230A (en) * 2017-01-16 2017-05-31 北京匡恩网络科技有限责任公司 Data processing method, device, system and data server
CN106888221A (en) * 2017-04-15 2017-06-23 北京科罗菲特科技有限公司 A kind of Secure Information Tanslation Through Netware method
CN108881129A (en) * 2017-05-16 2018-11-23 中兴通讯股份有限公司 A kind of advanced duration threatens attack detection method and device
CN107360170A (en) * 2017-07-18 2017-11-17 百色闻远网络科技有限公司 A kind of computer network security detection method
CN107835149B (en) * 2017-09-13 2020-06-05 杭州安恒信息技术股份有限公司 Network privacy stealing behavior detection method and device based on DNS (Domain name System) traffic analysis
CN107454109B (en) * 2017-09-22 2020-06-23 杭州安恒信息技术股份有限公司 Network privacy stealing behavior detection method based on HTTP traffic analysis
CN107623693B (en) * 2017-09-30 2021-03-19 北京奇虎科技有限公司 Domain name resolution protection method and device, system, computing device, and storage medium
CN108038374A (en) * 2017-12-26 2018-05-15 郑州云海信息技术有限公司 It is a kind of to detect the method threatened in real time
CN110020251A (en) * 2017-12-30 2019-07-16 惠州学院 The method and system of the harmful video of identification based on User IP and trailer content
CN110020254A (en) * 2017-12-30 2019-07-16 惠州学院 The method and system of the harmful video of identification based on User IP and video copy
CN108200076B (en) * 2018-01-17 2021-04-27 杭州迪普科技股份有限公司 Method and device for protecting Host header field counterfeiting attack
CN109688092A (en) * 2018-04-25 2019-04-26 北京微步在线科技有限公司 It falls equipment detection method and device
CN108924106B (en) * 2018-06-21 2020-11-03 上海鹏越惊虹信息技术发展有限公司 Terminal internet auditing method based on network card packet capturing
CN109753796B (en) * 2018-12-07 2021-06-08 广东技术师范学院天河学院 A kind of big data computer network security protection device and using method
CN110363002A (en) * 2019-07-16 2019-10-22 杭州安恒信息技术股份有限公司 A kind of intrusion detection method, device, equipment and readable storage medium storing program for executing
CN111092902B (en) * 2019-12-26 2020-12-25 中国科学院信息工程研究所 Attachment camouflage-oriented fishfork attack mail discovery method and device
CN111200652A (en) * 2019-12-31 2020-05-26 奇安信科技集团股份有限公司 Application identification method, application identification device and computing device
CN111163103B (en) * 2019-12-31 2022-07-29 奇安信科技集团股份有限公司 Risk control method and apparatus executed by computing device, and medium
CN113536305B (en) * 2020-04-17 2022-09-09 武汉瓯越网视有限公司 Method and device for detecting acquisition behavior
CN111625827B (en) * 2020-05-29 2024-04-09 深信服科技股份有限公司 File processing method, device, terminal equipment and computer readable storage medium
CN112560020B (en) * 2021-02-19 2022-08-02 鹏城实验室 Threat attack detection method, device, terminal equipment and storage medium
CN114844669B (en) * 2022-03-17 2024-01-30 中国工商银行股份有限公司 Data processing method and device
CN115549980B (en) * 2022-09-13 2023-04-18 应急管理部大数据中心 Network flow auditing device and method for protocol re-editing

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102799804A (en) * 2012-04-30 2012-11-28 珠海市君天电子科技有限公司 Comprehensive identification method and system for security of unknown file
CN103248606A (en) * 2012-02-02 2013-08-14 哈尔滨安天科技股份有限公司 Network virus detection method and system for IPv4 (Internet Protocol Version 4) and IPv6 (Internet Protocol Version 6)

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102647408A (en) * 2012-02-27 2012-08-22 珠海市君天电子科技有限公司 Method for judging phishing website based on content analysis

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103248606A (en) * 2012-02-02 2013-08-14 哈尔滨安天科技股份有限公司 Network virus detection method and system for IPv4 (Internet Protocol Version 4) and IPv6 (Internet Protocol Version 6)
CN102799804A (en) * 2012-04-30 2012-11-28 珠海市君天电子科技有限公司 Comprehensive identification method and system for security of unknown file

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Guo Xiquan. 应用层协议分析在状态检测防火墙中的应用 (Application of application-layer protocol analysis in stateful inspection firewalls). 《计算机工程》 (Computer Engineering), 2007, no. 03, sections 2-3, Fig. 2, Table 1. *

Also Published As

Publication number Publication date
CN103634306A (en) 2014-03-12

Similar Documents

Publication Publication Date Title
CN103634306B (en) The safety detection method and safety detection server of network data
US11636208B2 (en) Generating models for performing inline malware detection
US10354072B2 (en) System and method for detection of malicious hypertext transfer protocol chains
US20210200859A1 (en) Malware detection by a sandbox service by utilizing contextual information
US8850584B2 (en) Systems and methods for malware detection
US10216931B2 (en) Detecting an attempt to exploit a memory allocation vulnerability
US20250047694A1 (en) Inline malware detection
CN108369541B (en) System and method for threat risk scoring of security threats
EP3111330A1 (en) System and method for verifying and detecting malware
CN103401863B (en) A kind of network data analysis method and apparatus based on cloud security
CN103701816B (en) Perform the scan method and scanning means of the server of Denial of Service attack
CN103279707A (en) Method, device and system for actively defending against malicious programs
US12261876B2 (en) Combination rule mining for malware signature generation
KR102676386B1 (en) Inline malware detection
US20240333759A1 (en) Inline ransomware detection via server message block (smb) traffic
Hsu et al. Scalable network-based buffer overflow attack detection
US12432225B2 (en) Inline malware detection
US12430437B2 (en) Specific file detection baked into machine learning pipelines
Ahmed Behaviour anomaly on linux systems to detect zero-day malware attacks
US20220245249A1 (en) Specific file detection baked into machine learning pipelines
US20250227116A1 (en) Systems and methods for structural similarity based hashing
Waraich Automated attack signature generation: A survey
Forest HoneySift: a fast approach for low interaction client based Honeypot
ZHAO et al. Drive-by Download Attacks Detection in Real-time
Comparetti D21 (D4. 7) Consolidated report with evaluation results

Legal Events

Date Code Title Description
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP01 Change in the name or title of a patent holder

Address after: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)

Patentee after: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Patentee after: Beijing Qizhi Business Consulting Co.,Ltd.

Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)

Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Patentee before: Qizhi software (Beijing) Co.,Ltd.

TR01 Transfer of patent right

Effective date of registration: 20220408

Address after: 100016 1773, 15 / F, 17 / F, building 3, No.10, Jiuxianqiao Road, Chaoyang District, Beijing

Patentee after: Sanliu0 Digital Security Technology Group Co.,Ltd.

Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)

Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Patentee before: Beijing Qizhi Business Consulting Co.,Ltd.