CN101414996A - Firewall and method thereof - Google Patents

Firewall and method thereof

Info

Publication number
CN101414996A
Authority
CN
China
Prior art keywords
program
control table
user
dangerous
address
Prior art date
Legal status
Granted
Application number
CN 200710162441
Other languages
Chinese (zh)
Other versions
CN101414996B (en)
Inventor
刘春林
Current Assignee
Beijing net an Technology Limited by Share Ltd
Original Assignee
Beijing Rising International Software Co Ltd
Priority date
Filing date
Publication date
Application filed by Beijing Rising International Software Co Ltd
Priority to CN 200710162441 (CN101414996B)
Publication of CN101414996A
Priority to HK09107174.4A (HK1127454A1)
Application granted
Publication of CN101414996B
Legal status: Active
Anticipated expiration

Abstract

The invention provides a firewall comprising an interception device for monitoring and intercepting an access program, and an engine device for outputting, according to the access program, an indication of the program's danger level. The engine device comprises an analysis device for analysing the characteristics of the intercepted access program, a matching device that matches the analysed program characteristics against a database, and an output device that judges the danger level of the access program from the matching result, for use in the user's policy decision. The firewall scans and analyses programs from both the dynamic and the static perspective, discovers suspicious information about a process, gives the program's danger level by intelligent analysis of that information, and thereby lets the user know basically how to handle the program.

Description

Firewall and method thereof
Technical field
The present invention relates to firewall technology.
Background technology
At present, the spread of Internet viruses and attacks by malicious programs pose a serious threat to the security of computer systems, networks and data. To protect computer systems and networks from attack and infection, many kinds of protective measures have been proposed, and firewall technology is one of the most commonly used. A firewall is network security management software installed on a personal computer; by setting filter conditions the user can control the computer's communications and stop unsafe network behaviour. One typical filter condition is an application-program filter condition, through which unsafe applications can be prevented from accessing the network.
However, traditional personal firewalls give the user no decision reference for how the application filter conditions should be set. Although the firewall can stop programs from accessing the network, which programs should be blocked and which should be allowed is always left to the user's judgement, entirely according to the user's own ability to interpret the situation. This places very high technical demands on users, in particular inexperienced users, and the average user finds it hard to make a correct decision. It is therefore necessary to improve present firewalls.
Summary of the invention
The purpose of the present technique is to provide the user with accurate decision reference information and thereby lighten the user's burden. Using the intelligent analysis result of the present technique, the user can basically determine whether a given program should be allowed.
According to one aspect of the present invention, a firewall is provided, comprising: an interception device for monitoring and intercepting an access program; and an engine device for outputting, according to the access program, an indication of the danger level of the access program.
The engine device comprises: an analysis device for analysing the characteristics of the intercepted access program; a matching device that matches the analysed program characteristics against a database; and an output device that judges the danger level of the access program according to the matching result, for the user's decision.
According to another aspect of the present invention, a method of controlling network program access is provided, comprising: monitoring and intercepting an access program; analysing the characteristics of the intercepted access program; matching the analysed program characteristics against a database; and judging the danger level of the access program according to the matching result, for the user's decision.
For this purpose the present invention comprehensively analyses the program accessing the network and intelligently recognises the program's safety level. This provides an important reference for users, in particular inexperienced users, who supervise network programs, and solves the earlier problem that whether a program was safe had to be recognised entirely by the user. On the basis of a set of known techniques, the present invention scans and analyses the program from both the dynamic and the static angle, discovers suspicious information about the process, gives the program's danger grade by intelligent analysis of that information, and so lets the user know basically how to handle the program.
Description of drawings
Fig. 1 is a schematic diagram of a firewall according to the present invention;
Fig. 2 is a schematic diagram of part of the firewall according to the present invention;
Fig. 3 is a schematic diagram of an example database according to the present invention;
Fig. 4 is a process flow chart of the intelligent firewall according to the present invention.
Embodiment
As shown in Fig. 1, the firewall of the present embodiment comprises an interception device 1 and an intelligent engine. The interception device 1 monitors and intercepts the program accessing the network; in the present invention, the interception device 1 may use any interception technique known in the art to intercept and suspend the program for further processing. The intelligent engine outputs, according to the access program, an indication of the danger level of that access program. From the danger-level prompt output by the firewall, the user can decide whether to allow the program to continue. In this example the danger grade of a program is divided into three grades: low-danger program, unknown-danger program and high-danger program. A low-danger program is one the user can basically allow with confidence; an unknown-danger program is one that needs further confirmation by the user; a high-danger program is very likely a trojan or virus program and requires the user's careful attention. After the user makes a decision based on the danger prompt output by the firewall, the interception device 1 releases the program to run or interrupts it.
In this example the intelligent engine comprises a database 2, an analysis device 3, a matching device 4 and an output device 5.
Database 2 stores characteristic elements or other data relevant to preset programs. In this example database 2 may comprise three parts. The dangerous data table 21, defined as RiskData(data), stores user- or system-defined sensitive or secret data and other files in particular need of protection; the user may set filter conditions on certain sensitive data, and the purpose of this field is to prevent sensitive data from leaking. The dangerous address table 22, defined as RiskAddress(address), stores sensitive ports or malicious addresses, including IP addresses, defined by the firewall vendor or the user; a program accessing one of these addresses or ports is regarded as dangerous behaviour, and the communication protocol may also be kept in this table as a further reference for the user. The program control table 23 is defined as ProgramControl(...). As an example, the program control table 23 mainly consists of five fields: the Path field, which defines the program name and/or path; the Connection field, which defines whether the corresponding program is allowed to access the network; the Post field, which defines whether the corresponding program is allowed to send mail (mail is normally sent by mail-type programs, so an ordinary program sending mail is treated as dangerous behaviour, which prevents trojan programs from leaking user data by mail); the Service field, which defines whether the corresponding program is a server program (many trojan programs run as servers on the user's machine, so unless the user has designated the program as a server program, a program found running as a server is also regarded as dangerous); and the MD5 field, which defines the MD5 value of the corresponding program. The program control table can thus be abbreviated as ProgramControl(path, connection, post, service, md5). The Post and Service items default to "not allowed" unless the user specifies otherwise. It should be noted that although database 2 is divided into three tables in the example above and the ProgramControl table contains only five fields, it will be apparent to those skilled in the art that the present invention is not limited to this, and tables or fields may be added as required.
Analysis device 4 analyses the characteristics of the intercepted program and supplies the characteristic information to matching device 3. The characteristics here include the program type, for example a data transfer program that sends or receives data, or a network-action program that creates an address or file, connects to the network, listens on a port, or accepts client requests over the network.
After analysis device 4 obtains the program's characteristics it passes them to matching device 3, which matches the analysed program characteristics against the database 2 described above. As shown in Fig. 2, matching device 3 comprises a switching device 31; a first module made up of a data protection unit 32 and a mail matching unit 33; a second module made up of a trojan scanning unit 34, a first dangerous address judging unit 35 and a verification unit 36; and a third module made up of an MD5 calculation unit 37, a permission verification unit 38 and a second dangerous address judging unit 39.
Switching device 31 performs the corresponding operation according to the program characteristics received. Specifically, when analysis device 4 indicates that the program is a data transfer program, switching device 31 switches to the first module. There, data protection unit 32 judges whether the program contains secret data stored in the RiskData table 21. If the program does not contain secret data, mail matching unit 33 queries the ProgramControl table to determine whether the access program is a mail program registered in that table. If it is a program that the ProgramControl table allows to send and receive mail, interception device 1 is instructed to allow the program automatically.
If the program is not a data transfer program but a network-action program, switching device 31 queries the ProgramControl table to determine whether the program is registered in it. If it is not registered, switching device 31 switches to the second module. There, trojan scanning unit 34 runs a trojan scan over the access program and/or the program or data modules the process has loaded. If no trojan is found, the first dangerous address judging unit 35 judges whether the access program uses a predetermined address stored in the RiskAddress table 22. If it uses no predetermined address, verification unit 36 further judges whether the access program carries a digital signature, and where it does, the verification unit can further verify whether the signature passes a predetermined verification algorithm. Digital signature verification is chosen here because digital signature technology is very widely used in today's security field: reputable software companies sign their software products to earn users' trust, so software that is digitally signed and whose signature verifies is basically fairly safe. A program that is signed but fails verification is either signed by a CA the user does not trust or has been tampered with, and the latter case is extremely dangerous.
If switching device 31 confirms that the program is registered in the ProgramControl table and the table allows it to access the network or the current computer, it switches to the third module for further safety processing. There, MD5 calculation unit 37 calculates the MD5 value of the access program and compares it with the MD5 stored in advance for that access program in the table, to judge the danger of the access program, for example to prevent a disguised or tampered program from accessing the network to steal valuable information. The MD5 algorithm is chosen because the hash of a program's data section obtained with the MD5 algorithm is unique (the actual probability of a collision is so small that it can basically be ignored), and a change in a program's MD5 value is normally due to a program upgrade or to the program being infected by a virus. Whether the program has been upgraded is something the user can basically judge. So when the MD5 value of a program accessing the network has changed, the program has very probably been infected by a virus. When the program's MD5 value has not changed, permission verification unit 38 verifies whether the access program runs as a server program, for example whether it creates an address, listens on a port or accepts client connection requests, and judges according to the ProgramControl table whether it is allowed to run as a server program. If the access program is a server program the ProgramControl table allows, the second dangerous address judging unit 39 further judges whether the program uses a predetermined address in the RiskAddress table, in order to warn the user of the program's danger.
In addition, if switching device 31 determines that the access program is recorded in the ProgramControl table and explicitly marked as not allowed to run, the program is stopped.
Output device 4 outputs the danger level of the access program, for the user's decision, according to the matching result of matching device 3.
Preferably, the intelligent engine of the firewall of the present invention also comprises an updating device 6, which updates ProgramControl table 23 according to the result of the user's decision. The updating device 6 may also provide an input interface for developers or the vendor, through which the vendor can conveniently update the dangerous addresses in the RiskAddress table 22.
The processing flow of the intelligent firewall of the present invention is described in detail below with reference to a preferred embodiment, Fig. 4. As shown in Fig. 4, at step S100 the interception device 1 in the firewall monitors the network and, when a network event occurs, intercepts it. At step S200 the type of the network event is judged. If the network event is a data transfer action, processing enters step S201, where data protection unit 32 matches the data transmitted by this event against RiskData table 21. If at step S202 the transmitted data is found to be sensitive, processing enters step S501, which prompts the user that the program is a high-danger program, tells the user the reason for the risk and intercepts the data; whether the program continues is decided by the user. If no sensitive data is found at step S202, processing enters step S203, which judges whether the program sends mail; if so, the ProgramControl table is consulted, and if the program is not allowed to send mail, processing enters step S501 and prompts the user that the program is a high-danger program, with the user deciding whether it continues. If sending mail is allowed, or the program is not a mail program, interception device 1 is instructed to allow the program.
If step S200 judges that the network event is not a data transfer but a network action, processing enters step S300, which searches the user's ProgramControl table to confirm whether the program is registered there. Here the program's network action is of particular importance; the network actions that need to be distinguished include: Create Address, Listen, Connect, Send, Accept, Recv, UDP Send, UDP Recv.
If step S300 determines that the program is not registered in ProgramControl table 203, processing enters step S400, where trojan scanning unit 34 scans the program and the modules it has loaded for trojans. If a trojan is found at step S401, processing enters step S501; otherwise, at step S402 the first dangerous address judging unit 35 consults RiskAddress table 22 to see whether the program uses a dangerous address or port defined there, and if so processing enters step S501. Otherwise, at step S403 verification unit 36 verifies the program's digital signature: if it is signed and the signature verifies under a given algorithm, the user is prompted that the program is a low-danger program that can basically be allowed; if it is signed but verification fails, processing enters step S501 and the user is prompted that it is a high-danger program, with the user deciding whether it continues. If the program has no digital signature, processing enters step S502, and the user is prompted that the program is of unknown danger grade, to be verified further by the user.
If step S300 determines that the program is registered in the ProgramControl table and allowed to access the network, the process enters step S301, where MD5 calculation unit 37 calculates the program's MD5 value and compares it with the corresponding MD5 value in the ProgramControl table; if the MD5 value has changed, processing enters step S501. Otherwise, if the MD5 value has not changed, permission verification unit 38 judges whether the program is a server program that the Service field of the ProgramControl table allows; if not, processing enters step S501. If it is allowed, at step S303 the second dangerous address judging unit 39 judges whether the program uses a dangerous address in the RiskAddress table; if so, processing enters step S501, otherwise interception device 1 is instructed to allow the program. If the network event is not a server program but a network connection request, the second dangerous address judging unit 39 still checks at step S303 whether its remote address is a dangerous address in the RiskAddress table; if so, processing enters step S501, and if not, interception device 1 is instructed to allow the program.
In addition, if step S300 determines that the program is registered in the ProgramControl table but not allowed to access the network, the program is stopped directly.
The three grades of danger prompt output at steps S501, S502 and S503 are submitted to the user for use in the user's decision, and at step S600 the user's choice is saved in the ProgramControl table. Here the user may choose the handling the firewall recommends or handle the program according to actual needs. For example, although step S203 judged that a mail program was not allowed by the ProgramControl table and step S501 output a high-danger prompt, because the program is a mail client the user has newly started using, the user may allow it. The updating device 6 then adds the program to the ProgramControl table and sets its mail field to allow sending mail. As a result, when the firewall next detects this mail program it can allow it automatically without giving a danger prompt, or lower the program's danger level, which improves the intelligence of the firewall.
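The Fig. 4 decision flow above, carried through as an added Python example that is not part of the patent or of any Rising product. The three tables, the sample paths and addresses, and the inputs that stand in for the trojan scanner and the signature verifier (trojan_found, signature) are constructed assumptions; the example also generalises slightly in that every non-server action of a registered program is checked against RiskAddress, as the text does for connection requests.

```python
import hashlib
from dataclasses import dataclass

# Three danger grades prompted to the user plus the two automatic outcomes.
HIGH, UNKNOWN, LOW, ALLOW, BLOCK = "high", "unknown", "low", "allow", "block"
SERVER_ACTIONS = {"Create Address", "Listen", "Accept"}   # program behaves as a server

@dataclass
class ProgramControl:
    """One row of ProgramControl(path, connection, post, service, md5)."""
    path: str
    connection: bool        # may the program access the network at all
    post: bool = False      # may it send mail; denied unless the user allows it
    service: bool = False   # may it run as a server; denied unless the user allows it
    md5: str = ""           # hash recorded when the user first allowed the program

@dataclass
class Database:
    risk_data: set          # RiskData table 21: sensitive byte strings
    risk_address: set       # RiskAddress table 22: "host" or "host:port" entries
    program_control: dict   # ProgramControl table 23: path -> row

@dataclass
class Event:
    """A network event intercepted at step S100 (constructed input, not a real hook)."""
    path: str
    kind: str                   # "data" (transfer of data) or "network" (network action)
    action: str = ""            # Create Address, Listen, Connect, Send, Accept, Recv, ...
    payload: bytes = b""        # data being transmitted, matched against RiskData
    is_mail: bool = False       # does the program send mail
    remote: str = ""            # remote address as "host" or "host:port"
    image: bytes = b""          # bytes of the program file, for the MD5 check
    trojan_found: bool = False  # verdict of trojan scanning unit 34, taken as input
    signature: str = "none"     # verdict of verification unit 36: none/valid/invalid

def md5_of(image: bytes) -> str:
    return hashlib.md5(image).hexdigest()

def uses_risk_address(ev: Event, db: Database) -> bool:
    # A RiskAddress entry matches either the bare host or the host:port pair.
    return ev.remote in db.risk_address or ev.remote.split(":")[0] in db.risk_address

def classify(ev: Event, db: Database):
    """Return (outcome, reason) following the decision order of Fig. 4."""
    if ev.kind == "data":                                   # S200 -> S201
        for secret in db.risk_data:
            if secret in ev.payload:                        # S202: sensitive data
                return HIGH, "transmits sensitive data listed in RiskData"
        if ev.is_mail:                                      # S203: mail permission
            row = db.program_control.get(ev.path)
            if row is None or not row.post:
                return HIGH, "sends mail without a Post permission"
        return ALLOW, "data transfer permitted"
    row = db.program_control.get(ev.path)                   # S300: registered?
    if row is None:                                         # second module
        if ev.trojan_found:                                 # S400/S401
            return HIGH, "trojan found in program or loaded module"
        if uses_risk_address(ev, db):                       # S402
            return HIGH, "uses an address listed in RiskAddress"
        if ev.signature == "valid":                         # S403
            return LOW, "digital signature verified"
        if ev.signature == "invalid":
            return HIGH, "digital signature failed verification"
        return UNKNOWN, "no digital signature"
    if not row.connection:                                  # registered but denied
        return BLOCK, "ProgramControl forbids network access"
    if row.md5 and md5_of(ev.image) != row.md5:             # S301: third module
        return HIGH, "program image changed since it was allowed (MD5 differs)"
    if ev.action in SERVER_ACTIONS and not row.service:     # S302
        return HIGH, "acts as a server without a Service permission"
    if uses_risk_address(ev, db):                           # S303
        return HIGH, "remote address is listed in RiskAddress"
    return ALLOW, "registered program acting within its permissions"

def record_user_decision(ev: Event, db: Database, allow: bool) -> None:
    """Step S600: updating device 6 stores the user's choice for next time."""
    row = db.program_control.get(ev.path)
    if row is None:
        row = ProgramControl(ev.path, connection=allow, md5=md5_of(ev.image))
        db.program_control[ev.path] = row
    row.connection = allow
    if allow and ev.is_mail:
        row.post = True
    if allow and ev.action in SERVER_ACTIONS:
        row.service = True

def sample_database() -> Database:
    """Constructed sample tables; paths and addresses are made up for the demo."""
    browser = b"constructed browser image"
    return Database(
        risk_data={b"ACCOUNT-SECRET"},
        risk_address={"198.51.100.7", "203.0.113.9:6667"},
        program_control={
            "C:\\apps\\browser.exe": ProgramControl("C:\\apps\\browser.exe", True, md5=md5_of(browser)),
            "C:\\apps\\blocked.exe": ProgramControl("C:\\apps\\blocked.exe", False),
        },
    )
```

Calling classify on an unregistered mail program yields "high", and after record_user_decision(..., allow=True) the same event yields "allow", which is the mail-client case in the paragraph above.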
Preferably, the firewall of the present invention may also provide a user settings module for conveniently and manually modifying RiskData table 21, dangerous address table 22 and ProgramControl table 23, thereby improving the firewall's sensitivity. This module may be integrated with the updating device 6 in the firewall or provided separately.
Although the above has been described in detail with reference to a most preferred embodiment of the present invention, it should be understood that this embodiment is not limiting: those skilled in the art may adjust the firewall's processing order according to actual needs, or add or delete units to decide the firewall's scale and cost. The scope of protection of the present invention is therefore defined by the appended claims.

Claims (29)

1. A firewall comprising:
an interception device for monitoring and intercepting an access program; and
an engine device for outputting, according to the access program, an indication of the danger level of the access program.
2. The firewall according to claim 1, wherein the engine device comprises:
an analysis device for analysing the characteristics of the intercepted access program;
a matching device for matching the analysed program characteristics against a database; and
an output device for judging the danger level of the access program according to the matching result, for the user's decision.
3. The firewall as claimed in claim 2, wherein the database comprises a dangerous data table for storing sensitive data information, and the matching device further comprises a data protection unit, wherein
when the analysis device indicates that the access program is a data transfer program, the data protection unit judges whether the program contains secret data stored in the dangerous data table.
4. The firewall as claimed in claim 3, wherein the database further comprises a program control table for storing information on program characteristics, comprising: a program name and/or path field, a field for whether network access or execution is allowed, a field for whether sending mail is allowed, a server field and an MD5 value field; and
the matching device further comprises a mail matching unit for querying the program control table to determine whether the access program is a mail program registered in the program control table.
5. The firewall as claimed in claim 4, wherein when the analysis device indicates that the access program is a network-action program, the matching device queries the program control table to determine whether the program is registered in the program control table.
6. The firewall as claimed in claim 5, wherein the matching device further comprises a trojan scanning unit for running a trojan scan over the program and/or the program modules it has loaded when the access program is not contained in the program control table.
7. The firewall as claimed in claim 6, wherein the database further comprises a dangerous address table for storing predetermined address information, and the matching device further comprises a first dangerous address judging unit for judging, when no trojan is found, whether the access program uses one of the predetermined addresses.
8. The firewall as claimed in claim 7, wherein the matching device further comprises a verification device for verifying, when the program uses none of the predetermined addresses, whether the access program has a digital signature.
9. The firewall as claimed in claim 8, wherein when the access program has a digital signature, the verification device further verifies whether the signature passes a predetermined verification algorithm.
10. The firewall as claimed in any one of claims 4 to 9, wherein the matching device further comprises an MD5 calculation unit for calculating, when the access program is contained in the program control table, the MD5 value of the access program and comparing it with the MD5 stored in advance for the access program in the table, to judge the danger of the access program.
11. The firewall as claimed in claim 10, wherein the matching device further comprises a permission verification unit for verifying whether the access program runs as a server program and for judging, according to the program control table, whether it is allowed to run as a server program.
12. The firewall as claimed in claim 10, wherein the matching device further comprises a second dangerous address judging unit which, when the access program is a program allowed by the program control table, further judges whether the program uses a predetermined address in the dangerous address table.
13. The firewall as claimed in claim 5, wherein if the access program is recorded in the program control table and marked as not allowed to run, the program is stopped.
14. The firewall as claimed in claim 12, further comprising an updating device for updating the corresponding entry of the program control table according to the decision the user makes on the basis of the risk indication.
15. The firewall as claimed in claim 2, wherein the database comprises:
a dangerous data table for storing sensitive data information;
a program control table for storing information on program characteristics, comprising: a program name and/or path field, a field for whether network access or execution is allowed, a field for whether sending mail is allowed, a server field and an MD5 value field; and
a dangerous address table for storing predetermined address information, and wherein the matching device performs the following processing according to the analysed program characteristics:
◆ when the analysis device indicates that the access program is a data transfer program,
the matching device judges whether the program contains secret data stored in the dangerous data table; if so, it outputs a high-danger indication to the user; if not, it
queries the program control table to determine whether the access program is a mail program registered in the program control table; if so, the program is released; if not, a high-danger indication is output to the user for further decision;
◆ when the analysis device indicates that the access program is a network-action program, the matching device queries the program control table to determine whether the program is registered in the program control table, wherein
if the program is not registered in the program control table, the matching device performs the following processing:
i. runs a trojan scan over the program and/or the program modules it has loaded; if a trojan is found, prompts the user that it is a high-danger program; otherwise
ii. searches the dangerous address table; if the access program uses a dangerous address from the dangerous address table, prompts the user that it is a high-danger program; otherwise
iii. verifies whether the access program has a digital signature; if it is signed and the signature verifies, prompts the user that it is a low-danger program; if it is signed but verification fails, prompts the user that it is a high-danger program; if it is unsigned, prompts the user that it is a program of unknown danger grade.
If the program is registered in the program control table and is not allowed to access the network, the program is blocked;
If the program is registered in the program control table and is allowed to access the network, the matching device performs the following processing:
(1) calculates the MD5 value of the access program and compares it with the MD5 stored in advance for the access program in the table; if they differ, prompts the user that it is a high-danger program; if they are identical, then
(2) if the program's behaviour is creating a listening port, listening, or accepting a client's connection request, checks the corresponding Service field in the program control table; if the server field is designated as not allowing such an action, prompts the user that it is a high-danger program; if the server field indicates that it is allowed but a dangerous address from the dangerous address table is used, also prompts the user that it is a high-danger program;
(3) if the action is a connection, checks whether its remote address is a dangerous address in the dangerous address table, and if so prompts the user that it is a high-danger program.
16. The firewall as claimed in claim 15, further comprising an updating device for updating the corresponding entry of the program control table according to the decision the user makes on the basis of the danger indication output by the output device.
17, a kind of method of Control Network routine access comprises:
Intercept and the Intercept Interview program;
Analyze the characteristic of the access program of being intercepted;
A program characteristic and the database analyzed are carried out matching judgment;
The danger classes of judging described access program according to described matching result is for user's decision-making.
18. The method of claim 17, wherein when the access program is a data-sending program, it is judged whether the program contains sensitive data stored in a dangerous data table.
19. The method of claim 18, wherein when the data being sent is not contained in the dangerous data table, a program control table is queried to determine whether the access program is a mail program registered in the program control table.
20. The method of claim 19, wherein when the access program is a network action program, the program control table is queried to determine whether the program is registered in it, and when the access program is not included in the program control table, a Trojan scan is performed on the program and/or the program modules it loads.
21. The method of claim 20, wherein if no Trojan is found, it is judged whether the access program contains a predetermined address stored in a dangerous address table.
22. The method of claim 21, wherein if the program does not contain the above predetermined address, it is verified whether the access program has a digital signature, and where the access program has a digital signature, it is further verified whether the signature passes a predetermined verification algorithm.
23. The method of any of claims 17-22, wherein when the access program is included in the program control table, the MD5 value of the access program is computed and compared with the MD5 value stored in advance for the access program to judge the danger of the access program.
24. The method of claim 23, further comprising checking whether the access program runs as a server program, and judging according to the program control table whether it is allowed to run as a server program.
25. The method of claim 24, wherein when the access program is a program permitted by the program control table, it is further judged whether the program uses a predetermined address in the dangerous address table.
26. The method of claim 25, wherein if the access program is recorded in the program control table and marked as not allowed to execute, the program is blocked.
27. The method of claim 26, further comprising updating the corresponding entry of the program control table according to the user's decision based on the risk indication.
28. The method of claim 17, wherein the database comprises:
a dangerous data table for storing sensitive data information;
a program control table for storing information about program characteristics, comprising: a program name and/or path field, a field for whether network access or execution is allowed, a field for whether sending mail is allowed, a server field and an MD5 value field;
a dangerous address table for storing predetermined address information; and wherein the matching processing comprises:
◆ when the access program is a data-sending program,
judging whether the program contains sensitive data stored in the dangerous data table; if so, outputting a high-risk indication to the user; if not,
querying the program control table to determine whether the access program is a mail program registered in the program control table; if so, releasing the program; if not, outputting a high-risk indication to the user for further decision;
◆ when the access program is a network action program, querying the program control table to determine whether the program is registered in the program control table, wherein
if the program is not registered in the program control table, the following processing is carried out:
iv. perform a Trojan scan on the program and/or the program modules it loads; if a Trojan is found, prompt the user that it is a high-risk program; otherwise
v. search the dangerous address table; if the access program uses a dangerous address from the dangerous address table, prompt the user that it is a high-risk program; otherwise
vi. verify whether the access program carries a digital signature; if it is signed and the signature verifies, prompt the user that it is a low-risk program; if it is signed but the signature does not verify, prompt the user that it is a high-risk program; if it is unsigned, prompt the user that the risk level is unknown.
If the program is registered in the program control table and is not allowed to access the network, block the program;
If the program is registered in the program control table and is allowed to access the network, the following processing is carried out:
(1) compute the MD5 value of the access program and compare it with the MD5 value stored in advance for this access program; if they differ, prompt the user that it is a high-risk program; if they are identical, then
(2) if the program's behaviour is creating a listening port, listening, or accepting a client connection request, check the corresponding server field in the program control table; if the server field does not allow such an action, prompt the user that it is a high-risk program; if the server field allows it but a dangerous address from the dangerous address table is used, also prompt the user that it is a high-risk program;
(3) if the action is "connect", check whether its remote address is a dangerous address in the dangerous address table; if so, prompt the user that it is a high-risk program.
29. The method of claim 28, further comprising updating the corresponding entry of the program control table according to the user's decision based on the risk indication.
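The matching procedure of claim 28 and the table update of claim 29, written out as a small policy engine. This is an added example, not code from the patent or from its assignee: the three tables, the program images, the addresses, and the Trojan-scan and signature-verification results are constructed stand-ins passed in as data, and the "allow" outcome for a registered program that passes every check is an assumption, since the claims do not state what is output in that case.

```python
"""Toy policy engine for the claim 28 matching procedure and the claim 29
table update. Added example; tables, images, addresses and the scanner and
signature results are constructed stand-ins, not the patent's own data."""
import hashlib
from dataclasses import dataclass
from typing import Optional

HIGH, LOW, UNKNOWN, ALLOW, BLOCK = "high-risk", "low-risk", "unknown-risk", "allow", "block"


@dataclass
class ControlEntry:
    """One row of the program control table (fields named in claim 28)."""
    allow_network: bool
    allow_mail: bool
    allow_server: bool
    md5: str


@dataclass
class AccessEvent:
    """An intercepted access program plus what the analysis step found."""
    program: str                      # name/path, the key into the control table
    image: bytes                      # program bytes the MD5 is computed over
    kind: str                         # "send_data" or "network_action"
    action: str = ""                  # "connect", "listen" or "accept"
    remote: str = ""                  # remote address of the action
    payload: bytes = b""              # data being sent (send_data only)
    signature: Optional[str] = None   # None (unsigned), "valid" or "invalid"; stand-in verifier result
    trojan_found: bool = False        # stand-in Trojan scanner result


@dataclass
class Database:
    dangerous_data: set    # sensitive byte patterns
    control: dict          # program -> ControlEntry
    dangerous_addrs: set   # predetermined dangerous addresses


def md5_of(image: bytes) -> str:
    return hashlib.md5(image).hexdigest()


def match(ev: AccessEvent, db: Database) -> str:
    """Return the danger indication the output device would give the user."""
    if ev.kind == "send_data":
        # sensitive data leaving the host is high-risk whatever the program is
        if any(pat in ev.payload for pat in db.dangerous_data):
            return HIGH
        entry = db.control.get(ev.program)
        # only a registered mail program is released; anything else is high-risk
        return ALLOW if entry is not None and entry.allow_mail else HIGH

    entry = db.control.get(ev.program)
    if entry is None:
        # unregistered program: Trojan scan, then address table, then signature
        if ev.trojan_found:
            return HIGH
        if ev.remote in db.dangerous_addrs:
            return HIGH
        if ev.signature is None:
            return UNKNOWN
        return LOW if ev.signature == "valid" else HIGH

    if not entry.allow_network:
        return BLOCK
    # registered program: the on-disk image must still match the stored MD5
    if md5_of(ev.image) != entry.md5:
        return HIGH
    if ev.action in ("listen", "accept"):
        if not entry.allow_server:
            return HIGH
        if ev.remote in db.dangerous_addrs:
            return HIGH
    if ev.action == "connect" and ev.remote in db.dangerous_addrs:
        return HIGH
    return ALLOW  # assumption: nothing flagged, so the program is released


def apply_user_decision(db: Database, ev: AccessEvent, allow_network: bool) -> ControlEntry:
    """Claim 29 updating device (assumed behaviour): store the user's choice and the current MD5."""
    old = db.control.get(ev.program)
    entry = ControlEntry(
        allow_network=allow_network,
        allow_mail=old.allow_mail if old else False,
        allow_server=old.allow_server if old else False,
        md5=md5_of(ev.image),
    )
    db.control[ev.program] = entry
    return entry


def demo_db() -> Database:
    """Constructed sample tables for the checks below."""
    return Database(
        dangerous_data={b"SECRET-PROJECT-X"},
        control={
            "mailer.exe": ControlEntry(True, True, False, md5_of(b"constructed mail client image")),
            "server.exe": ControlEntry(True, False, True, md5_of(b"constructed server image")),
            "blocked.exe": ControlEntry(False, False, False, md5_of(b"constructed blocked image")),
        },
        dangerous_addrs={"203.0.113.9"},
    )


if __name__ == "__main__":
    db = demo_db()
    ev = AccessEvent("mailer.exe", b"tampered image", "network_action", action="connect", remote="192.0.2.1")
    print(ev.program, "->", match(ev, db))  # stored MD5 no longer matches, so high-risk
```

The order of checks matters: the MD5 comparison runs before any server or address check, so a registered program whose image has been replaced is reported as high-risk even when its requested action would otherwise be permitted, and an unregistered program is never released silently, only downgraded to low-risk on a verified signature.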
CN 200710162441 2007-10-15 2007-10-15 Firewall and method thereof Active CN101414996B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN 200710162441 CN101414996B (en) 2007-10-15 2007-10-15 Firewall and method thereof
HK09107174.4A HK1127454A1 (en) 2007-10-15 2009-08-05 Firewall and method thereof

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN 200710162441 CN101414996B (en) 2007-10-15 2007-10-15 Firewall and method thereof

Publications (2)

Publication Number Publication Date
CN101414996A true CN101414996A (en) 2009-04-22
CN101414996B CN101414996B (en) 2012-12-05

Family

ID=40595310

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 200710162441 Active CN101414996B (en) 2007-10-15 2007-10-15 Firewall and method thereof

Country Status (2)

Country Link
CN (1) CN101414996B (en)
HK (1) HK1127454A1 (en)

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102202062A (en) * 2011-06-03 2011-09-28 苏州九州安华信息安全技术有限公司 Method and apparatus for realizing access control
CN102263773A (en) * 2010-05-25 2011-11-30 腾讯科技(深圳)有限公司 Real-time protection method and apparatus thereof
CN102457497A (en) * 2010-10-27 2012-05-16 金蝶软件(中国)有限公司 Method and device for network communication
CN102737203A (en) * 2012-07-13 2012-10-17 珠海市君天电子科技有限公司 Virus defense method and system based on program father-son gene relation
CN102790758A (en) * 2011-05-18 2012-11-21 海尔集团公司 Firewall system and processing method thereof
CN102801688A (en) * 2011-05-23 2012-11-28 联想(北京)有限公司 Data access method, device and terminal supporting data access
CN106131078A (en) * 2016-08-29 2016-11-16 联动优势科技有限公司 A kind of method and device processing service request
CN106341400A (en) * 2016-08-29 2017-01-18 联动优势科技有限公司 Service request processing method and device
CN112583790A (en) * 2020-11-05 2021-03-30 贵州数安汇大数据产业发展有限公司 Intelligent security threat discovery method based on multiple evidence entities

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7437760B2 (en) * 2002-10-10 2008-10-14 International Business Machines Corporation Antiviral network system
CN1820262A (en) * 2003-06-09 2006-08-16 范拉诺公司 Event monitoring and management
CN100362803C (en) * 2004-10-15 2008-01-16 华中科技大学 Network safety warning system based on cluster and relavance
JP2006120024A (en) * 2004-10-25 2006-05-11 Hitachi Ltd Computer virus invasion/spread preventing system

Cited By (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102263773A (en) * 2010-05-25 2011-11-30 腾讯科技(深圳)有限公司 Real-time protection method and apparatus thereof
WO2011147306A1 (en) * 2010-05-25 2011-12-01 腾讯科技(深圳)有限公司 Real-time protection method and equipment
CN102263773B (en) * 2010-05-25 2014-06-11 腾讯科技(深圳)有限公司 Real-time protection method and apparatus thereof
CN102457497A (en) * 2010-10-27 2012-05-16 金蝶软件(中国)有限公司 Method and device for network communication
CN102457497B (en) * 2010-10-27 2015-04-29 金蝶软件(中国)有限公司 Method and device for network communication
CN102790758A (en) * 2011-05-18 2012-11-21 海尔集团公司 Firewall system and processing method thereof
CN102801688B (en) * 2011-05-23 2015-11-25 联想(北京)有限公司 The terminal of a kind of method of data access, device and supported data access
CN102801688A (en) * 2011-05-23 2012-11-28 联想(北京)有限公司 Data access method, device and terminal supporting data access
CN102202062A (en) * 2011-06-03 2011-09-28 苏州九州安华信息安全技术有限公司 Method and apparatus for realizing access control
CN102202062B (en) * 2011-06-03 2013-12-25 苏州九州安华信息安全技术有限公司 Method and apparatus for realizing access control
CN102737203A (en) * 2012-07-13 2012-10-17 珠海市君天电子科技有限公司 Virus defense method and system based on program father-son gene relation
CN102737203B (en) * 2012-07-13 2015-10-21 珠海市君天电子科技有限公司 Virus defense method and system based on program parent-child gene relationship
CN106131078A (en) * 2016-08-29 2016-11-16 联动优势科技有限公司 A kind of method and device processing service request
CN106341400A (en) * 2016-08-29 2017-01-18 联动优势科技有限公司 Service request processing method and device
CN106341400B (en) * 2016-08-29 2019-06-18 联动优势科技有限公司 A kind of method and device of processing business request
CN112583790A (en) * 2020-11-05 2021-03-30 贵州数安汇大数据产业发展有限公司 Intelligent security threat discovery method based on multiple evidence entities

Also Published As

Publication number Publication date
CN101414996B (en) 2012-12-05
HK1127454A1 (en) 2009-09-25

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
REG Reference to a national code

Ref country code: HK

Ref legal event code: DE

Ref document number: 1127454

Country of ref document: HK

ASS Succession or assignment of patent right

Owner name: BEIJING RISING INTERNATIONAL TECHNOLOGY CO., LTD.

Free format text: FORMER OWNER: BEIJING RISING INTERNATIONAL SOFTWARE CO., LTD.

Effective date: 20100413

C41 Transfer of patent application or patent right or utility model
COR Change of bibliographic data

Free format text: CORRECT: ADDRESS; FROM: 100080 ROOM 1305, ZHONGKE BUILDING, NO.22, ZHONGGUANCUN AVENUE, BEIJING CITY TO: 100190 ROOM 1301, ZHONGKE BUILDING, NO.22, ZHONGGUANCUN AVENUE, HAIDIAN DISTRICT, BEIJING CITY

TA01 Transfer of patent application right

Effective date of registration: 20100413

Address after: 100190 Beijing City, Haidian District Zhongguancun Street Branch No. 22 building, room 1301

Applicant after: Beijing Rising Information Technology Co., Ltd.

Address before: 100080, room 1305, Zhongke building, 22 Zhongguancun street, Beijing

Applicant before: Beijing Rising International Software Co., Ltd.

C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
REG Reference to a national code

Ref country code: HK

Ref legal event code: GR

Ref document number: 1127454

Country of ref document: HK

C56 Change in the name or address of the patentee
CP01 Change in the name or title of a patent holder

Address after: 100190 Beijing City, Haidian District Zhongguancun Street Branch No. 22 building, room 1301

Patentee after: Beijing Rising Information Technology Co., Ltd

Address before: 100190 Beijing City, Haidian District Zhongguancun Street Branch No. 22 building, room 1301

Patentee before: Beijing Rising Information Technology Co., Ltd.

CP01 Change in the name or title of a patent holder
CP01 Change in the name or title of a patent holder

Address after: 100190 Beijing City, Haidian District Zhongguancun Street Branch No. 22 building, room 1301

Patentee after: Beijing net an Technology Limited by Share Ltd

Address before: 100190 Beijing City, Haidian District Zhongguancun Street Branch No. 22 building, room 1301

Patentee before: Beijing Rising Information Technology Co., Ltd