CN101414996B - Firewall and method thereof - Google Patents


Info

Publication number: CN101414996B
Authority: CN (China)
Prior art keywords: program, access, access program, control table, dangerous
Legal status: Active
Application number: CN 200710162441
Other languages: Chinese (zh)
Other versions: CN101414996A (en)
Inventor: 刘春林
Current assignee: Beijing net an Technology Limited by Share Ltd
Original assignee: Beijing Rising Information Technology Co Ltd
Application filed by Beijing Rising Information Technology Co Ltd
Priority to CN 200710162441 (CN101414996B)
Publication of CN101414996A
Priority to HK09107174.4A (HK1127454A1)
Application granted
Publication of CN101414996B

Abstract

The invention provides a firewall comprising an interception device, which listens for and intercepts an accessing program, and an engine device, which outputs a risk level for the accessing program based on that program. The engine device comprises an analysis device that analyzes the characteristics of the intercepted accessing program, a matching device that matches the analyzed program characteristics against a database, and an output device that judges the risk level of the accessing program from the matching result and presents it for the user's decision. The firewall scans and analyzes programs from both the dynamic and the static angle, discovers suspicious information about a process, derives the program's risk level by intelligent analysis of that information, and thereby lets the user know, in general terms, how to handle the program.

Description

Firewall and method thereof
Technical field
The present invention relates to firewall technology.
Background technology
At present, the spread of internet worms and attacks by malicious programs seriously threaten computer systems, networks and the security of data. To protect computer systems and networks from attack and infection, many protective measures have been proposed, of which firewall technology is the most commonly used. A firewall is network security management software installed on a personal computer; by setting filter conditions the user can control the computer's communications and stop unsafe network behaviour. One typical filter condition is the application-program filter condition, through which unsafe applications can be stopped from accessing the network.
However, traditional personal firewalls give the user no decision reference for how to set application-program filter conditions. Although the firewall can stop a program from accessing the network, it is always left to the user to judge which programs should be blocked and which should be allowed, and how the user does this depends entirely on the user's own ability to interpret the situation. This places very high technical demands on users, especially novice users, and the average user finds it hard to make the right decision. Present firewalls therefore need improvement.
Summary of the invention
The purpose of the present technique is to reduce the burden on the user by providing accurate decision reference information. Using the intelligent analysis result of the present technique, the user can generally decide whether to allow a given program.
According to one aspect of the present invention, a firewall is provided, comprising: an interception device for listening for and intercepting an accessing program; and an engine device for outputting, according to the accessing program, a risk level indicating the danger of the accessing program.
The engine device comprises: an analysis device for analyzing the characteristics of the intercepted accessing program; a matching device for matching the analyzed program characteristics against a database; and an output device for judging, according to the matching result, the risk level of the accessing program for the user's decision.
According to another aspect of the present invention, a method of controlling network program access is provided, comprising: listening for and intercepting an accessing program; analyzing the characteristics of the intercepted accessing program; matching the analyzed program characteristics against a database; and judging, according to the matching result, the risk level of the accessing program for the user's decision.
To this end the present invention comprehensively analyzes programs that access the network and intelligently identifies the program's security level, providing an important reference for users, especially novice users, in supervising network programs, and solving the problem that in the past it was entirely up to the user to recognize whether a program was safe. Building on a full set of known techniques, the present invention scans and analyzes a program from both the dynamic and the static angle, discovers suspicious information about the process, and, by intelligently analyzing this information, gives the program's risk level, from which the user can generally know how to handle the program.
Description of drawings
Fig. 1 is a schematic diagram of a firewall according to the present invention;
Fig. 2 is a schematic diagram of part of the firewall according to the present invention;
Fig. 3 is a schematic diagram of a database example according to the present invention;
Fig. 4 is a flow chart of the intelligent firewall process according to the present invention.
Embodiment
As shown in Fig. 1, the firewall of this embodiment comprises an interception device 1 and an intelligent engine. The interception device 1 listens for and intercepts programs that access the network; in the present invention, interception device 1 may use any interception technique known in the art to intercept and suspend a program for further processing. The intelligent engine outputs a risk level indicating the danger of the accessing program, derived from the program itself. The user can decide whether to let the program continue according to the risk prompt output by the firewall. In this example, program risk is divided into three levels: low-risk programs, unknown-risk programs and high-risk programs. A low-risk program is one the user can generally allow with confidence; an unknown-risk program is one that needs further confirmation by the user; a high-risk program is very likely a trojan or virus and needs the user's careful attention. After the user makes a decision based on the risk prompt output by the firewall, interception device 1 either releases the program to run or interrupts it.
In this example, the intelligent engine comprises a database 2, an analysis device 3, a matching device 4 and an output device 5.
Database 2 stores characteristic elements or other data relating to predetermined programs. In this example, database 2 may consist of three parts. A risk data table 21, defined as RiskData (data), stores sensitive or confidential data defined by the user or the system, and other files that need special protection; the user can set filter conditions for certain sensitive data, and the purpose of this field is to prevent sensitive data from leaking. A risk address table 22, defined as RiskAddress (address), stores sensitive ports or malicious addresses, including IP addresses, defined by the firewall vendor or the user; a program accessing these addresses or ports is regarded as dangerous behaviour, and the table may also record communication protocols for the user's reference. A program control table 23 is defined as ProgramControl (...). As an example, program control table 23 consists mainly of five fields: the Path field, which defines the program name and/or path; the Connection field, which defines whether the corresponding program may access the network; the Post field, which defines whether the corresponding program may send mail (sending mail is normally the job of mail-class programs, so an ordinary program sending mail is regarded as dangerous behaviour, which prevents a trojan from leaking user data by mail); the Service field, which defines whether the corresponding program is a server program (many trojans run as servers on the user's machine, so unless the user has designated a program as a server program, a program found running as a server is also regarded as dangerous); and the MD5 field, which defines the MD5 value of the corresponding program. The program control table can therefore be abbreviated as ProgramControl (path, connection, post, service, md5). The Post and Service items default to "not allowed" unless the user specifies otherwise. It should be noted that although database 2 is divided into three tables in the example above, and the ProgramControl table contains only five fields, it will be evident to those skilled in the art that the invention is not limited to this: tables, or fields within the tables, can be added as required.
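As an added example that is not part of the patent, the three tables just described can be given concrete form together with the two lookups the matching device needs from them: a RiskAddress match that accepts single IPs, CIDR ranges and bare ports, and an MD5 fingerprint of the program file for the MD5 field. The class and function names, the CIDR handling and every sample value are the editor's constructions; the patent names only the tables and the five ProgramControl fields. MD5 is used here because the patent specifies it; a design done today would record a collision-resistant digest such as SHA-256 in the same field, since MD5 collisions are practical.

```python
# Added example, not the patent's own code: concrete forms of the three tables
# described above (RiskData, RiskAddress, ProgramControl) and the two lookups
# the matching device needs from them. Names, CIDR support and all sample
# values are the editor's constructions; the patent names only the tables
# and the five ProgramControl fields.
import hashlib
import ipaddress
import os
import tempfile
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class ProgramControlEntry:
    """One row of ProgramControl(path, connection, post, service, md5)."""
    path: str
    connection: bool            # may the program access the network?
    post: bool = False          # may it send mail? (not allowed by default)
    service: bool = False       # may it run as a server? (not allowed by default)
    md5: str = ""               # hex MD5 of the program file, empty if never recorded


@dataclass
class RiskAddressTable:
    """RiskAddress(address): vendor- or user-defined malicious addresses and sensitive ports."""
    networks: list = field(default_factory=list)
    ports: set = field(default_factory=set)

    def add(self, item: str) -> None:
        """Accepts a single IP ('203.0.113.5'), a range ('198.51.100.0/24') or a bare port ('6667')."""
        if item.isdigit():
            self.ports.add(int(item))
        else:
            self.networks.append(ipaddress.ip_network(item, strict=False))

    def is_risky(self, host: str, port: Optional[int] = None) -> bool:
        """True when the host falls in a listed network or the port is a listed sensitive port."""
        addr = ipaddress.ip_address(host)
        if any(addr in net for net in self.networks):
            return True
        return port is not None and port in self.ports


def contains_sensitive(payload: bytes, risk_data) -> bool:
    """RiskData(data) check: does the transmitted payload carry any protected item?"""
    return any(secret in payload for secret in risk_data)


def md5_of_file(path: str) -> str:
    """Fingerprint for the MD5 field, computed over the whole file in chunks."""
    digest = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def md5_status(entry: ProgramControlEntry, path: str) -> str:
    """Compare the stored fingerprint with the file now on disk."""
    if not entry.md5:
        return "unregistered"
    return "unchanged" if md5_of_file(path) == entry.md5 else "changed"


def demo_integrity() -> tuple:
    """Constructed demo: register a sample file, then overwrite it as an upgrade or infection would."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "sample.exe")
    with open(path, "wb") as f:
        f.write(b"MZ constructed sample program v1")
    entry = ProgramControlEntry(path=path, connection=True, md5=md5_of_file(path))
    before = md5_status(entry, path)
    with open(path, "wb") as f:
        f.write(b"MZ constructed sample program v1 + injected code")
    after = md5_status(entry, path)
    return before, after
```

`demo_integrity()` returns `("unchanged", "changed")`: the second status is exactly the signal the description attributes to the MD5 field, and on its own it cannot say whether the change was an upgrade or an infection, which is why the flow leaves that judgement to the user.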
Analysis device 4 analyzes the characteristics of the intercepted program and supplies the characteristic information to matching device 3. The characteristics here include the program type, for example a data-transfer program that sends or receives data, or a network-action program that creates an address or file, connects to the network, listens on a port, or accepts client requests over the network.
After analysis device 4 has obtained the program's characteristics, it passes them to matching device 3, which matches the analyzed program characteristics against database 2 described above. As shown in Fig. 2, matching device 3 here comprises a switching device 31; a first module consisting of a data protection unit 32 and a mail matching unit 33; a second module consisting of a trojan scanning unit 34, a first risk address judging unit 35 and a verification unit 36; and a third module consisting of an MD5 computing unit 37, a permission verification unit 38 and a second risk address judging unit 39.
Switching device 31 performs the corresponding operation according to the program characteristics it receives. Specifically, when analysis device 4 indicates that the program is a data-transfer program, switching device 31 switches to the first module. There, data protection unit 32 judges whether the program has included confidential data stored in RiskData table 21. If the program contains no confidential data, mail matching unit 33 then queries the ProgramControl table to determine whether the accessing program is a mail program registered in that table. If it is a program the ProgramControl table allows to send and receive mail, interception device 1 is instructed to allow the program automatically.
If the program is not a data-transfer program but a network-action program, switching device 31 queries the ProgramControl table to confirm whether the program is registered there. If it is not registered, switching device 31 switches to the second module. There, trojan scanning unit 34 performs a trojan scan of the accessing program and/or the program or data modules the process has loaded. If no trojan is found, first risk address judging unit 35 judges whether the accessing program has used a predetermined address stored in RiskAddress table 22. If it has not, verification unit 36 further judges whether the accessing program carries a digital signature; where it does, the verification unit further verifies whether the signature passes a predetermined verification algorithm. The reason for choosing digital signature verification is that digital signatures are a very widely used technique in today's security field. Reasonably reputable software companies sign their software products to gain users' trust, so software that is digitally signed and whose signature verifies is generally fairly safe. A program that is signed but whose signature fails verification is either signed by a CA the user does not trust or has been tampered with; the latter case is extremely dangerous.
If switching device 31 confirms that the program is registered in the ProgramControl table and the table allows it to access the network or the current computer, it switches to the third module for further security processing. There, MD5 computing unit 37 computes the MD5 value of the accessing program and compares it with the MD5 stored in advance in the table for that program, to judge the program's danger, for example to prevent a disguised or tampered program from accessing the network to steal valuable information. The reason for choosing the MD5 algorithm is that the hash the MD5 algorithm computes over the program's data section is unique (the actual probability of a repeat is so small that it can essentially be ignored), so a change in a program's MD5 value normally means the program was upgraded or was infected by a virus. The user can generally judge whether the program was upgraded, so when the MD5 value of a program accessing the network has changed, the program has very likely been infected by a virus. When the program's MD5 value has not changed, permission verification unit 38 verifies whether the accessing program is running as a server program, for example whether the program creates an address, listens on a port or accepts client connection requests, and judges according to the ProgramControl table whether it is allowed to run as a server program. If the accessing program is a server program permitted by the ProgramControl table, second risk address judging unit 39 further judges whether the program has used a predetermined address in the RiskAddress table, so as to warn the user of the program's danger.
In addition, if switching device 31 determines that the accessing program is recorded in the ProgramControl table and explicitly marked as not allowed to run, the program is stopped.
Output device 4 outputs the risk level of the accessing program, according to the matching result of matching device 3, for the user's decision.
Preferably, the intelligent engine of the firewall of the present invention also comprises an updating device 6, which updates ProgramControl table 23 according to the user's decision. Updating device 6 can also provide an input interface for developers or vendors, so that a vendor can conveniently update the risk addresses in RiskAddress table 22 through it.
The processing flow of the intelligent firewall of the present invention is described in detail below with reference to the preferred embodiment of Fig. 4. As shown in Fig. 4, at step S100 interception device 1 in the firewall listens on the network and intercepts a network event when one occurs. At step S200 the type of the network event is judged. If the network event is a data-transfer action, processing goes to step S201, where data protection unit 32 matches the data transmitted by the event against RiskData table 21. If at step S202 the transmitted data is found to be sensitive, processing goes to step S501: the user is prompted that the program is high-risk and told the reason, the data is intercepted, and the user decides whether the program continues. If no sensitive data is found at step S202, processing goes to step S203, which judges whether the program sends mail; if so, the ProgramControl table is consulted, and if the program is not allowed to send mail, processing goes to step S501, prompting the user that the program is high-risk and leaving the decision to the user. If sending mail is allowed, or the program is not a mail program, interception device 1 is instructed to allow the program.
If at step S200 the network event is judged not to be a data transfer but a network action, processing goes to step S300, which searches the user's ProgramControl table to confirm whether the program is registered in it. The program's network action is important here; the network actions that need to be distinguished include Create Address, Listen, Connect, Send, Accept, Recv, UDP Send and UDP Recv.
If at step S300 the program is found not to be registered in ProgramControl table 203, processing goes to step S400, where trojan scanning unit 34 scans the program and the modules it has loaded for trojans. If a trojan is found at step S401, processing goes to step S501. Otherwise, at step S402 first risk address judging unit 35 consults RiskAddress table 22 to see whether the program has used a risk address or port defined there; if so, processing goes to step S501. Otherwise, at step S403 verification unit 36 verifies the program's digital signature: if the program is signed and the signature verifies under the chosen algorithm, the user is prompted that the program is low-risk and can generally be allowed; if it is signed but verification fails, processing goes to step S501, the user is prompted that the program is high-risk, and the user decides whether it continues. If the program has no digital signature, processing goes to step S502, the user is prompted that the program is of unknown risk level, and the user verifies it further.
If at step S300 the program is found to be registered in the ProgramControl table and allowed to access the network, processing goes to step S301, where MD5 computing unit 37 computes the program's MD5 value and compares it with the corresponding MD5 value in the ProgramControl table. If the MD5 value has changed, processing goes to step S501. Otherwise, if the MD5 value is unchanged, permission verification unit 38 judges whether the program is a server program permitted by the Service field of the ProgramControl table; if not, processing goes to step S501. If it is, at step S303 second risk address judging unit 39 judges whether the program has used a risk address from the RiskAddress table; if yes, processing goes to step S501, otherwise interception device 1 is instructed to allow the program. If the network event is not from a server program but is a network connection request, second risk address judging unit 39 still judges at step S303 whether the remote address is a risk address in the RiskAddress table; if so, processing goes to step S501, and if not, interception device 1 is instructed to allow the program.
In addition, if at step S300 the program is found to be registered in the ProgramControl table but not allowed to access the network, the program is stopped directly.
The three levels of risk prompt output at steps S501, S502 and S503 are presented to the user for decision, and at step S600 the user's choice is saved in the ProgramControl table. Here the user can select the handling the firewall recommends, or handle the program according to actual needs. For example, although step S203 found that a mail program is not one the ProgramControl table allows, and a high-risk prompt was output at step S501, the user may allow the program because it is a mail client the user has just started using. Updating device 6 then adds the program to the ProgramControl table with its mail field set to allowed. When the firewall next hears this mail program, it can allow it automatically without a risk prompt, or lower its risk level, which improves the firewall's intelligence.
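The decision flow of steps S100 to S600 above, written out as one decision function, is given here as an added example that is not the patent's code. The event fields, the table rows, the `has_trojan` flag standing in for the trojan scanning unit, and the `signature` value standing in for the verification unit are all the editor's assumptions about what the interception, analysis and scanning components would supply; the ordering of checks and the three risk levels follow the description, and `record_user_decision` plays the part of updating device 6 at step S600.

```python
# Added example, not the patent's own code: the Fig. 4 matching flow as a
# single decision function over a constructed ProgramControl table and
# constructed events. has_trojan and signature stand in for what the trojan
# scanning unit and the verification unit would report.
from dataclasses import dataclass
from typing import Optional

LOW, UNKNOWN, HIGH = "low", "unknown", "high"            # the three risk levels
SERVER_ACTIONS = {"Create Address", "Listen", "Accept"}   # actions that mean "runs as a server"


@dataclass
class ProgramEntry:
    """One row of ProgramControl(path, connection, post, service, md5)."""
    path: str
    connection: bool
    post: bool = False       # sending mail is denied unless the user says otherwise
    service: bool = False    # running as a server is denied unless the user says otherwise
    md5: str = ""


@dataclass
class Event:
    """A network event as the interception and analysis devices would describe it (constructed)."""
    path: str
    kind: str                         # "data" (data transfer) or "network" (network action)
    action: str = ""                  # Create Address, Listen, Connect, Send, Accept, Recv, ...
    payload: bytes = b""
    sends_mail: bool = False
    md5: str = ""                     # fingerprint of the program file at the time of the event
    remote: Optional[str] = None      # remote address the program uses
    signature: Optional[str] = None   # None (unsigned), "valid" or "invalid"
    has_trojan: bool = False          # stand-in for the trojan scanning unit's result


@dataclass
class Decision:
    verdict: str                      # "allow", "block" or "prompt"
    level: Optional[str] = None       # risk level shown to the user when verdict is "prompt"
    reason: str = ""


class MatchingDevice:
    def __init__(self, risk_data, risk_address, program_control):
        self.risk_data = list(risk_data)               # RiskData: byte strings to protect
        self.risk_address = set(risk_address)          # RiskAddress: addresses to flag
        self.program_control = dict(program_control)   # ProgramControl: path -> ProgramEntry

    def decide(self, ev: Event) -> Decision:
        entry = self.program_control.get(ev.path)      # S300 lookup
        if ev.kind == "data":
            return self._data_transfer(ev, entry)
        return self._network_action(ev, entry)

    def _data_transfer(self, ev, entry):
        if any(secret in ev.payload for secret in self.risk_data):   # S201/S202
            return Decision("prompt", HIGH, "transfers sensitive data")
        if ev.sends_mail and not (entry and entry.post):             # S203
            return Decision("prompt", HIGH, "sends mail but is not a registered mail program")
        return Decision("allow")

    def _network_action(self, ev, entry):
        if entry is None:                                            # S400 to S403
            if ev.has_trojan:
                return Decision("prompt", HIGH, "trojan found by scan")
            if ev.remote in self.risk_address:
                return Decision("prompt", HIGH, "uses a risk address")
            if ev.signature == "valid":
                return Decision("prompt", LOW, "signed and verified")
            if ev.signature == "invalid":
                return Decision("prompt", HIGH, "signature failed verification")
            return Decision("prompt", UNKNOWN, "unsigned")
        if not entry.connection:                                     # registered but denied
            return Decision("block", reason="network access not allowed")
        if ev.md5 != entry.md5:                                      # S301
            return Decision("prompt", HIGH, "MD5 changed since registration")
        if ev.action in SERVER_ACTIONS and not entry.service:        # Service field check
            return Decision("prompt", HIGH, "runs as a server without permission")
        if ev.remote in self.risk_address:                           # S303
            return Decision("prompt", HIGH, "uses a risk address")
        return Decision("allow")

    def record_user_decision(self, ev: Event, allowed: bool) -> None:
        """Updating device (S600): persist the user's choice in ProgramControl."""
        entry = self.program_control.setdefault(
            ev.path, ProgramEntry(ev.path, connection=allowed, md5=ev.md5))
        entry.connection = allowed
        if allowed and ev.sends_mail:
            entry.post = True
        if allowed and ev.action in SERVER_ACTIONS:
            entry.service = True


def build_example_device() -> MatchingDevice:
    """Constructed sample tables: one mail client, one server, one program denied network access."""
    return MatchingDevice(
        risk_data=[b"ACCT-4111"],
        risk_address={"203.0.113.9"},
        program_control={
            "C:\\Apps\\mail.exe": ProgramEntry("C:\\Apps\\mail.exe", True, post=True, md5="m1"),
            "C:\\Apps\\web.exe": ProgramEntry("C:\\Apps\\web.exe", True, service=True, md5="w1"),
            "C:\\Apps\\old.exe": ProgramEntry("C:\\Apps\\old.exe", False, md5="o1"),
        })
```

The point worth noticing is the two-step behaviour the description calls intelligence: the first mail-sending event from an unregistered program prompts as high-risk, and once the user allows it `record_user_decision` writes the program into the table with `post=True`, so the same event is allowed silently next time.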
Preferably, the firewall of the present invention can also provide a user settings module for manually modifying RiskData table 21, risk address table 22 and ProgramControl table 23, so as to improve the firewall's sensitivity. This module can be integrated with the firewall's updating device 6 or provided separately.
Although the above describes a most preferred embodiment of the present invention in detail, it should be understood that the embodiment is not limiting; those skilled in the art can adjust the processing order of the firewall according to actual needs, or add or remove units to decide the firewall's scale and cost. The scope of protection of the present invention is therefore defined by the appended claims.

Claims (28)

1. A firewall comprising:
an interception device for listening for and intercepting an accessing program;
an engine device for outputting, according to the accessing program, information on a risk level indicating the danger of the accessing program, wherein the engine device comprises:
an analysis device for analyzing the characteristics of the intercepted accessing program;
a database comprising a program control table for storing information on program characteristics, made up of the following fields: a Path field defining the program name and/or path; a Connection field defining whether the corresponding program is allowed to access the network; a Post field defining whether the corresponding program is allowed to send mail; a Service field defining whether the corresponding program is a server program; and an MD5 field defining the MD5 value of the corresponding program;
a matching device for matching the analyzed program characteristics against the database; and
an output device for judging, according to the matching result, the risk level of the accessing program for the user's decision.
2. The firewall of claim 1, wherein the database comprises a risk data table for storing sensitive data information, and the matching device further comprises a data protection unit, wherein
when the analysis device indicates that the accessing program is a data-transfer program, the data protection unit judges whether the accessing program has included confidential data stored in the risk data table.
3. The firewall of claim 2, wherein the matching device further comprises a mail matching unit for querying the program control table to confirm whether the accessing program is a mail program registered in the program control table.
4. The firewall of claim 3, wherein when the analysis device indicates that the accessing program is a network-action program, the matching device queries the program control table to confirm whether the accessing program is registered in the program control table.
5. The firewall of claim 4, wherein the matching device further comprises a trojan scanning unit for performing a trojan scan of the accessing program and/or the program modules loaded by the accessing program when the accessing program is not included in the program control table.
6. The firewall of claim 5, wherein the database further comprises a risk address table for storing predetermined address information, and the matching device further comprises a first risk address judging unit for judging, when no trojan is found, whether the accessing program has used the predetermined address information.
7. The firewall of claim 6, wherein the matching device further comprises a verification device for verifying, when the accessing program has not used the predetermined address information, whether the accessing program has a digital signature.
8. The firewall of claim 7, wherein when the accessing program has a digital signature, the verification device further verifies whether the signature passes a predetermined verification algorithm.
9. The firewall of any one of claims 6 to 8, wherein the matching device further comprises an MD5 computing unit for computing, when the accessing program is included in the program control table, the MD5 value of the accessing program and comparing it with the MD5 stored in advance in the program control table to judge the danger of the accessing program.
10. The firewall of claim 9, wherein the matching device further comprises a permission verification unit for verifying whether the accessing program is running as a server program and judging, according to the program control table, whether it is allowed to run as a server program.
11. The firewall of claim 9, wherein the matching device further comprises a second risk address judging unit which, when the accessing program is a program permitted by the program control table, further judges whether the accessing program has used a predetermined address in the risk address table.
12. The firewall of claim 4, wherein if the accessing program is recorded in the program control table and marked as not allowed to run, the accessing program is stopped.
13. The firewall of claim 11, further comprising an updating device for updating the corresponding entry of the program control table according to the user's decision based on the risk indication.
14. The firewall of claim 1, wherein the database also comprises:
a risk data table for storing sensitive data information; and
a risk address table for storing predetermined address information,
wherein the matching device performs the following processing according to the analyzed program characteristics:
◆ when the analysis device indicates that the accessing program is a data-transfer program,
● the matching device judges whether the accessing program has included confidential data stored in the risk data table; if yes, it outputs a high-risk indication to the user; if no, it
● queries the program control table to confirm whether the accessing program is a mail program registered in the program control table; if yes, the accessing program is allowed; if no, a high-risk indication is output to the user for further decision;
◆ when the analysis device indicates that the accessing program is a network-action program, the matching device queries the program control table to confirm whether the accessing program is registered in the program control table, wherein
● if the accessing program is not registered in the program control table, the matching device performs the following processing:
i. a trojan scan is performed on the accessing program and/or the program modules loaded by the accessing program; if a trojan is found, the user is prompted that the program is high-risk; otherwise
ii. the risk address table is searched; if the accessing program has used a risk address from the risk address table, the user is prompted that the program is high-risk; otherwise
iii. it is verified whether the accessing program has a digital signature; if it is signed and the signature verifies, the user is prompted that the program is low-risk; if it is signed but verification fails, the user is prompted that the program is high-risk; if it is unsigned, the user is prompted that the program is of unknown risk level;
● if the accessing program is registered in the program control table and not allowed to access the network, the accessing program is stopped;
● if the accessing program is registered in the program control table and allowed to access the network, the matching device computes the MD5 value of the accessing program and compares it with the MD5 stored in advance in the program control table; if they differ, the user is prompted that the program is high-risk; if they are identical, it is judged whether the accessing program is running as a server program; if the accessing program creates an address, listens on a port or accepts a client connection request, that is, runs as a server program, the corresponding Service field in the program control table is consulted: if the Service field indicates that the accessing program is not a server program, the user is prompted that the program is high-risk; if the Service field indicates that it is a server program but it has used a risk address from the risk address table, the user is likewise prompted that the program is high-risk; if the accessing program makes a network connection request, that is, does not run as a server program, it is checked whether its remote address is a risk address in the risk address table, and if so the user is prompted that the program is high-risk.
15. fire compartment wall as claimed in claim 14 further comprises a updating device, is used for indicating the decision-making of doing according to the user based on the danger of said output device output, upgrades the corresponding entry of said program control table.
16. A method for controlling network access by programs, comprising:
sniffing and intercepting an access program;
analysing the characteristics of the intercepted access program;
matching the analysed program characteristics against a database; and
judging the danger grade of the access program from the matching result, for the user's decision,
wherein the database comprises a program control table that stores information on program characteristics and is made up of the following fields: a Path field defining the program name and/or path; a connection field defining whether the corresponding program is allowed to access the network; a Post field defining whether the corresponding program is allowed to send mail; a service field defining whether the corresponding program is a server program; and an MD5 field defining the MD5 value of the corresponding program.
17. The method of claim 16, wherein, when the access program is a data distributing program, judging whether the access program contains sensitive data stored in a dangerous data table.
18. The method of claim 17, wherein, if the access program does not contain sensitive data stored in the dangerous data table, querying the program control table to confirm whether the access program is a mail program registered in the program control table.
19. The method of claim 18, wherein, when the access program is a network action program, querying the program control table to confirm whether the access program is registered in the program control table, and, when the access program is not contained in the program control table, running a trojan scan over the program module of the access program and/or the modules loaded by the access program.
20. The method of claim 19, wherein, when no trojan is found, judging whether the access program has used a predetermined address stored in a dangerous address table.
21. The method of claim 20, wherein, when the access program has not used the predetermined address, verifying whether the access program carries a digital signature and, when it does, further verifying whether the signature passes a predetermined verification algorithm.
22. The method of any one of claims 20 to 21, wherein, when the access program is contained in the program control table, calculating the MD5 value of the access program and comparing it with the MD5 stored in advance in the program control table to judge the danger of the access program.
23. The method of claim 22, further comprising checking whether the access program is running as a server program, and judging from the program control table whether it is allowed to run as a server program.
24. The method of claim 23, wherein, when the access program is one permitted by the program control table, further judging whether the access program has used a predetermined address in the dangerous address table.
25. The method of claim 24, wherein, if the access program is recorded in the program control table and marked as not allowed to run, stopping the access program.
26. The method of claim 25, further comprising updating the corresponding entry of the program control table according to the user's decision based on the risk indication.
27. The method of claim 16, wherein the database further comprises:
a dangerous data table for storing sensitive data information; and
a dangerous address table for storing predetermined address information,
and wherein the matching comprises:
◆ when the access program is a data distributing program,
● judging whether the access program contains sensitive data stored in the dangerous data table; if so, outputting a high-risk indication to the user; if not,
● querying the program control table to confirm whether the access program is a mail program registered in the program control table; if so, letting the access program pass; if not, outputting a high-risk indication to the user for further decision;
◆ when the access program is a network action program, querying the program control table to confirm whether the access program is registered in the program control table, wherein
● if the access program is not registered in the program control table, processing it as follows:
iv. running a trojan scan over the program module of the access program and/or the modules loaded by the access program; if a trojan is found, prompting the user that it is a high-risk program; otherwise
v. searching the dangerous address table; if the access program comes from a dangerous address in the dangerous address table, prompting the user that it is a high-risk program; otherwise
vi. verifying whether the access program carries a digital signature: if it is signed and the signature verifies, prompting the user that it is a low-risk program; if it is signed but the signature does not verify, prompting the user that it is a high-risk program; if it is unsigned, prompting the user that its danger grade is unknown;
● if the access program is registered in the program control table and is not allowed to access the network, stopping the access program;
● if the access program is registered in the program control table and is allowed to access the network, calculating the MD5 value of the access program and comparing it with the MD5 stored in advance in the program control table: if they differ, prompting the user that it is a high-risk program; if they are identical, judging whether the access program is running as a server program; if the access program creates an address and listening port, or accepts a connection request from a client, that is, it is running as a server program, querying the corresponding service field in the program control table: if the service field indicates that the access program is not a server program, prompting the user that it is a high-risk program; if the service field indicates that it is a server program but it has used a dangerous address from the dangerous address table, likewise prompting the user that it is a high-risk program; if the access program is making a network connection request, that is, it is not running as a server program, checking whether its remote address is a dangerous address in the dangerous address table and, if so, prompting the user that it is a high-risk program.
28. The method of claim 27, further comprising updating the corresponding entry of the program control table according to the user's decision based on the risk indication.
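Claims 16 to 28 describe one decision procedure: the program control table of claim 16 (Path, connection, Post, service, MD5 fields), the two side tables of claim 27, and the branch order that produces a danger grade. The model below is an added example, not code from the patent or from the assignee; it follows the claim text for the table layout, the grade labels and the branch order, while the field and function names, the sample table contents, the representation of the trojan scan as a hash lookup, the signature result as a value supplied by an external verifier, and the "cleared" label for a program that passes every check are all assumptions made here.

```python
import hashlib
from dataclasses import dataclass
from enum import Enum

class Risk(Enum):
    LOW = "low"          # unregistered, signed, signature verified
    HIGH = "high"        # high-risk program, left to the user's decision
    UNKNOWN = "unknown"  # unregistered and unsigned
    BLOCKED = "blocked"  # registered with network access disallowed: stopped outright
    CLEARED = "cleared"  # passed every check (label assumed; the claims do not name this outcome)

@dataclass
class ControlEntry:  # one row of the program control table (Path, connection, Post, service, MD5)
    path: str
    connect: bool  # may access the network
    post: bool     # may send mail
    service: bool  # may run as a server program
    md5: str       # MD5 of the program image recorded at registration

@dataclass
class AccessProgram:  # intercepted program plus what the interceptor observed (field names assumed)
    path: str
    image: bytes               # program bytes, hashed with MD5 as in claim 22
    kind: str                  # "data" = data distributing program, "network" = network action program
    payload: bytes = b""       # outbound data of a data distributing program
    listens: bool = False      # created an address/listening port or accepted a client
    remote_addr: str = ""
    signature: str = "none"    # "valid" | "invalid" | "none", reported by an external verifier (assumed)
    module_hashes: tuple = ()  # MD5 of modules the program loaded

@dataclass
class Database:
    control: dict         # program control table: path -> ControlEntry
    sensitive: set        # dangerous data table
    dangerous_addrs: set  # dangerous address table
    trojans: set          # hashes the trojan scan recognises (representation assumed)

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def match(p: AccessProgram, db: Database) -> Risk:
    """Decision procedure of claim 27: the danger grade shown to the user."""
    entry = db.control.get(p.path)
    if p.kind == "data":
        if any(s in p.payload for s in db.sensitive):
            return Risk.HIGH
        return Risk.CLEARED if entry is not None and entry.post else Risk.HIGH
    if entry is None:  # not registered: trojan scan (modelled as a hash lookup), address table, signature
        if (md5_hex(p.image) in db.trojans or any(h in db.trojans for h in p.module_hashes)
                or p.remote_addr in db.dangerous_addrs):
            return Risk.HIGH
        return {"valid": Risk.LOW, "invalid": Risk.HIGH}.get(p.signature, Risk.UNKNOWN)
    if not entry.connect:
        return Risk.BLOCKED
    if md5_hex(p.image) != entry.md5:  # image changed since registration
        return Risk.HIGH
    if p.listens and not entry.service:  # acts as a server without the service flag
        return Risk.HIGH
    if p.remote_addr in db.dangerous_addrs:  # checked for servers and clients alike
        return Risk.HIGH
    return Risk.CLEARED

def apply_decision(p: AccessProgram, db: Database, allow: bool) -> None:
    """Updating step of claim 28; which fields are written is assumed: current MD5 plus the decided flag."""
    entry = db.control.setdefault(p.path, ControlEntry(p.path, False, False, False, ""))
    entry.md5 = md5_hex(p.image)
    if p.kind == "data":
        entry.post = allow
    else:
        entry.connect = allow
        entry.service = entry.service or (allow and p.listens)

def run_samples() -> dict:
    """Grade constructed access attempts (sample data, not from the patent); name -> grade."""
    row = lambda path, c, po, s, img: ControlEntry(path, c, po, s, md5_hex(img))
    db = Database(
        control={r.path: r for r in (row("C:/apps/client.exe", True, False, False, b"MZ-client"),
                                     row("C:/apps/httpd.exe", True, False, True, b"MZ-httpd"),
                                     row("C:/apps/mailer.exe", True, True, False, b"MZ-mailer"),
                                     row("C:/apps/banned.exe", False, False, False, b"MZ-banned"))},
        sensitive={b"ACCOUNT-NO"}, dangerous_addrs={"203.0.113.9"}, trojans={md5_hex(b"MZ-trojan")})
    cases = {
        "registered_client": AccessProgram("C:/apps/client.exe", b"MZ-client", "network", remote_addr="198.51.100.1"),
        "patched_client": AccessProgram("C:/apps/client.exe", b"MZ-client-v2", "network", remote_addr="198.51.100.1"),
        "client_turned_server": AccessProgram("C:/apps/client.exe", b"MZ-client", "network", listens=True),
        "httpd_listening": AccessProgram("C:/apps/httpd.exe", b"MZ-httpd", "network", listens=True),
        "banned": AccessProgram("C:/apps/banned.exe", b"MZ-banned", "network"),
        "unknown_signed": AccessProgram("C:/apps/new.exe", b"MZ-new", "network", signature="valid"),
        "unknown_unsigned": AccessProgram("C:/apps/new.exe", b"MZ-new", "network"),
        "unknown_loads_trojan": AccessProgram("C:/apps/new.exe", b"MZ-new", "network", signature="valid",
                                              module_hashes=(md5_hex(b"MZ-trojan"),)),
        "mail_with_secret": AccessProgram("C:/apps/mailer.exe", b"MZ-mailer", "data", payload=b"ACCOUNT-NO 42"),
    }
    grades = {name: match(p, db).value for name, p in cases.items()}
    apply_decision(cases["unknown_unsigned"], db, allow=True)  # user allows it; the table is updated
    grades["unknown_unsigned_after_allow"] = match(cases["unknown_unsigned"], db).value
    return grades
```

Two points worth noting when reading the branches. The table is keyed by path, so a replaced binary at a registered path is caught only by the hash comparison, and an unregistered program is never hashed against anything but the trojan list; the signature and address checks are all that stand between it and clearance. The claims specify MD5 for that comparison; MD5 collisions are practical today, so a current implementation of the same field would use SHA-256, which changes nothing else in the procedure.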
CN 200710162441 2007-10-15 2007-10-15 Firewall and method thereof Active CN101414996B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN 200710162441 CN101414996B (en) 2007-10-15 2007-10-15 Firewall and method thereof
HK09107174.4A HK1127454A1 (en) 2007-10-15 2009-08-05 Firewall and method thereof

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN 200710162441 CN101414996B (en) 2007-10-15 2007-10-15 Firewall and method thereof

Publications (2)

Publication Number Publication Date
CN101414996A CN101414996A (en) 2009-04-22
CN101414996B true CN101414996B (en) 2012-12-05

Family

ID=40595310

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 200710162441 Active CN101414996B (en) 2007-10-15 2007-10-15 Firewall and method thereof

Country Status (2)

Country Link
CN (1) CN101414996B (en)
HK (1) HK1127454A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102790758B (en) * 2011-05-18 2017-08-18 海尔集团公司 Firewall system and its processing method

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102263773B (en) * 2010-05-25 2014-06-11 腾讯科技(深圳)有限公司 Real-time protection method and apparatus thereof
CN102457497B (en) * 2010-10-27 2015-04-29 金蝶软件(中国)有限公司 Method and device for network communication
CN102801688B (en) * 2011-05-23 2015-11-25 联想(北京)有限公司 The terminal of a kind of method of data access, device and supported data access
CN102202062B (en) * 2011-06-03 2013-12-25 苏州九州安华信息安全技术有限公司 Method and apparatus for realizing access control
CN102737203B (en) * 2012-07-13 2015-10-21 珠海市君天电子科技有限公司 Virus defense method and system based on program parent-child gene relationship
CN106131078A (en) * 2016-08-29 2016-11-16 联动优势科技有限公司 A kind of method and device processing service request
CN106341400B (en) * 2016-08-29 2019-06-18 联动优势科技有限公司 A kind of method and device of processing business request
CN112583790A (en) * 2020-11-05 2021-03-30 贵州数安汇大数据产业发展有限公司 Intelligent security threat discovery method based on multiple evidence entities

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1489048A (en) * 2002-10-10 2004-04-14 Anti-virus network system and method
CN1588880A (en) * 2004-10-15 2005-03-02 华中科技大学 Network safety warning system based on cluster and relavance
JP2006120024A (en) * 2004-10-25 2006-05-11 Hitachi Ltd Computer virus invasion/spread preventing system
CN1820262A (en) * 2003-06-09 2006-08-16 范拉诺公司 Event monitoring and management

Also Published As

Publication number Publication date
HK1127454A1 (en) 2009-09-25
CN101414996A (en) 2009-04-22

Similar Documents

Publication Publication Date Title
CN101414996B (en) Firewall and method thereof
KR100670826B1 (en) Method for protection of internet privacy and apparatus thereof
US9667657B2 (en) System and method of utilizing a dedicated computer security service
CN102246490B (en) System and method for classification of unwanted or malicious software
US7613918B2 (en) System and method for enforcing a security context on a downloadable
EP2447877B1 (en) System and method for detection of malware and management of malware-related information
KR101607951B1 (en) Dynamic cleaning for malware using cloud technology
US20130081129A1 (en) Outbound Connection Detection and Blocking at a Client Computer
US11671461B1 (en) Apparatus and methods thereof for inspecting events in a computerized environment respective of a unified index for granular access control
US20140317754A1 (en) Detecting Unauthorised Changes to Website Content
US9455994B1 (en) Techniques for intelligently executing a digital signature
US11347847B2 (en) Cloud-based malware detection
WO2018182126A1 (en) System and method for authenticating safe software
CN108415398A (en) Automobile information safety automation tests system and test method
US20140195793A1 (en) Remotely Establishing Device Platform Integrity
EP3935781A1 (en) Network data traffic identification
US20190199740A1 (en) Apparatus and Methods for Network-Based Line-Rate Detection of Unknown Malware
CN105631312A (en) Method and system for processing rogue programs
CN110222510A (en) A kind of leak detection method, device and computer system
US9894045B1 (en) Determining application reputation based on deviations in security rating scores
CN110837646A (en) Risk investigation device of unstructured database
TWI556129B (en) Management server and method and user client device and monitoring method thereof
CN110099041A (en) A kind of Internet of Things means of defence and equipment, system
CN105868632A (en) Method and device for intercepting and releasing DHCP (dynamic host configuration protocol)
CN115396109A (en) Scene-based data dynamic authorization control method and system

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
REG Reference to a national code: ref country code HK; ref legal event code DE; ref document number 1127454; country of ref document HK
ASS Succession or assignment of patent right: owner name BEIJING RISING INTERNATIONAL TECHNOLOGY CO., LTD.; free format text: FORMER OWNER: BEIJING RISING INTERNATIONAL SOFTWARE CO., LTD.; effective date 20100413
C41 Transfer of patent application or patent right or utility model
COR Change of bibliographic data: CORRECT: ADDRESS; FROM: 100080 ROOM 1305, ZHONGKE BUILDING, NO.22, ZHONGGUANCUN AVENUE, BEIJING CITY TO: 100190 ROOM 1301, ZHONGKE BUILDING, NO.22, ZHONGGUANCUN AVENUE, HAIDIAN DISTRICT, BEIJING CITY
TA01 Transfer of patent application right: effective date of registration 20100413; address after: 100190 Beijing City, Haidian District Zhongguancun Street Branch No. 22 building, room 1301; applicant after: Beijing Rising Information Technology Co., Ltd.; address before: 100080, room 1305, Zhongke building, 22 Zhongguancun street, Beijing; applicant before: Beijing Rising International Software Co., Ltd.
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
REG Reference to a national code: ref country code HK; ref legal event code GR; ref document number 1127454; country of ref document HK
C56 Change in the name or address of the patentee
CP01 Change in the name or title of a patent holder: address after: 100190 Beijing City, Haidian District Zhongguancun Street Branch No. 22 building, room 1301; patentee after: Beijing Rising Information Technology Co., Ltd; address before: 100190 Beijing City, Haidian District Zhongguancun Street Branch No. 22 building, room 1301; patentee before: Beijing Rising Information Technology Co., Ltd.
CP01 Change in the name or title of a patent holder
CP01 Change in the name or title of a patent holder: address after: 100190 Beijing City, Haidian District Zhongguancun Street Branch No. 22 building, room 1301; patentee after: Beijing net an Technology Limited by Share Ltd; address before: 100190 Beijing City, Haidian District Zhongguancun Street Branch No. 22 building, room 1301; patentee before: Beijing Rising Information Technology Co., Ltd