CN102868694A - Method, device and system for detecting whether to control client to visit network - Google Patents


Info

Publication number
CN102868694A
Authority
CN
China
Prior art keywords
ftp
address
network object
client
testing result
Prior art date
Legal status
Granted
Application number
CN2012103455067A
Other languages
Chinese (zh)
Other versions
CN102868694B (en)
Inventor
江爱军
谭合力
张波
Current Assignee
Beijing Qihoo Technology Co Ltd
Original Assignee
Beijing Qihoo Technology Co Ltd
Qizhi Software Beijing Co Ltd
Priority date
Filing date
Publication date
Application filed by Beijing Qihoo Technology Co Ltd and Qizhi Software Beijing Co Ltd
Priority to CN201210345506.7A (CN102868694B)
Priority to CN201510415431.9A (CN105100092B)
Publication of CN102868694A
Priority to PCT/CN2013/083629 (WO2014040571A1)
Application granted
Publication of CN102868694B
Current legal status: Expired - Fee Related
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses a method, device and system for detecting and controlling whether a client may access a network. It relates to the field of communication technology and can detect and repair, across multiple dimensions such as the system kernel and the system settings, the damage malicious programs do to a client application's network access. The method provided by the embodiment of the invention comprises the following steps: selecting system-setting detection items according to the system settings of the client; using the system-setting detection items together with the communication information of the network object the client application needs to access, detecting the communication between the client application and the network object; when the detection result indicates the communication is abnormal, repairing the system-setting detection items, and when the detection result indicates the communication is normal, allowing the client application to access the network object; and when repair of the system-setting detection items fails, detecting driver detection items, repairing the driver detection items when the detection result indicates the communication is abnormal, and allowing the client application to access the network object when the detection result indicates the communication is normal.

Description

Method, device and system for detecting and controlling client access to a network
Technical field
The present invention relates to the field of communication technology, and in particular to a method, device and system for detecting and controlling client access to a network.
Background technology
Current security software, in order to reduce resource consumption on the client and at the same time identify and remove new Trojans quickly, improves its Trojan detection and removal function with the help of a network server. For example, under cloud security technology the client security software accesses the server of a cloud security center and passes the features of a suspicious file to it; the cloud security center makes the security determination, and the client security software then reports and handles the Trojan according to the information returned by the cloud security center.
However, Trojans and some other malicious programs, in order to evade detection by the security software, try by every means to disrupt the network communication between the client security software and the network server and prevent the client security software from accessing it. As a result the client cannot update its virus database from the server, cannot identify and remove new Trojans, and the protective capability of the client security software is weakened. To address this problem, some client security software detects and repairs the Hosts file or the DNS (Domain Name System) settings. Such a scheme, which detects only a single point, is relatively poor at removing Trojans, and no effective solution has yet been proposed for ensuring normal communication between the client security software and the network server.
Summary of the invention
In view of the above problems, the present invention is proposed to provide a method, device and system for detecting and controlling client access to a network that overcome, or at least partly solve, the above problems.
According to one aspect of the present invention, a method for detecting and controlling client access to a network is provided, comprising:
selecting system-setting detection items according to the client system;
using the system-setting detection items and the communication information of the network object the client application needs to access, detecting the communication between the client application and the network object;
when the detection result of the system-setting detection items indicates the communication is abnormal, repairing the system-setting detection items, and when the detection result indicates the communication is normal, allowing the client application to access the network object;
when repair of the system-setting detection items fails, detecting the selected driver detection items; when the detection result of the driver detection items indicates the communication is abnormal, repairing the driver detection items, and when it indicates the communication is normal, allowing the client application to access the network object.
The communication information of the network object includes the domain name and IP address of the network object, and the system-setting detection items include one or more of the client system's Internet Protocol Security (IPSec) settings, system firewall settings, local IP addresses, routing table entries, Domain Name System (DNS) settings and Hosts file. Using the system-setting detection items and the communication information of the network object the client application needs to access to detect the communication between the client application and the network object comprises:
detecting whether the block list of the client system's IPSec settings contains the communication information of the network object; if so, the detection result indicates the communication is abnormal, otherwise it indicates the communication is normal;
and/or,
detecting whether the rule entries of the block list of the client system's firewall settings contain the IP address of the network object and the name of the client application; if so, the detection result indicates the communication is abnormal, otherwise it indicates the communication is normal; and/or,
detecting whether the client system has a local IP address on the same network segment as the IP address of the network object; if so, the detection result indicates the communication is abnormal, otherwise it indicates the communication is normal; and/or,
detecting whether the client system's routing table entries contain an IP address on the same network segment as the IP address of the network object; if so, the detection result indicates the communication is abnormal, otherwise it indicates the communication is normal;
and/or,
detecting whether the IP address in the client system's DNS settings is in a forbidden DNS list; if so, the detection result indicates the communication is abnormal, otherwise it indicates the communication is normal; and/or,
detecting whether any entry of the client system's Hosts file contains the domain name of the network object; if so, the detection result indicates the communication is abnormal, otherwise it indicates the communication is normal.
When the detection result indicates the communication is abnormal, repairing the system-setting detection items comprises:
when the communication information of the network object is detected in the block list of the client system's IPSec settings, removing the communication information of the network object from the IPSec block list; and/or,
when the IP address of the network object and the name of the client application are detected in the rule entries of the block list of the client system's firewall settings, removing from the firewall block list the rule entry that contains the IP address of the network object or the name of the client application; and/or,
when the client system is detected to have a local IP address on the same network segment as the IP address of the network object, removing that local IP address from the client system;
and/or,
when an IP address on the same network segment as the IP address of the network object is detected in the client system's routing table entries, removing the routing table entry containing that IP address from the client system; and/or,
when the IP address in the client system's DNS settings is detected to be in the forbidden DNS list, changing the IP address in the DNS settings to the address of a trusted DNS server; and/or,
when the domain name of the network object is detected in an entry of the client system's Hosts file, removing the Hosts file entry that contains the domain name of the network object.
The selected driver detection item is a network filter driver, and detecting the selected driver detection item comprises:
detecting whether the network filter driver is present in a blacklist; if so, the detection result indicates the communication is abnormal; if not, it indicates the communication is normal;
when the detection result indicates the communication is abnormal, repairing the network filter driver so that the detection result indicates normal communication, and when the detection result indicates the communication is normal, allowing the client application to access the network object.
Repairing the network filter driver comprises: backing up the network filter driver that is in the blacklist and then removing it, after which the detection result indicates normal communication and the client application is allowed to access the network object.
After the blacklisted network filter driver has been backed up and removed from the blacklist, the detection result indicates normal communication and the client application has been allowed to access the network object; the method then further comprises:
when the client application fails to access the network object, if the client application cannot successfully access a trusted third-party network object, confirming that the client application cannot access the network; if the client application can successfully access the trusted third-party network object, judging whether the client application has a network filter driver that is present in neither the blacklist nor the whitelist; if not, confirming that the client application cannot access the network; if so, backing up and removing that network filter driver and allowing the client application to access the network object.
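The driver-dimension decision chain just described (blacklist check, back up and remove, then the trusted third-party test and the "neither list" fallback), as an added example that is not the patent's own code. The driver names, the blacklist and whitelist contents, and the two reachability callbacks are constructed placeholders.

```python
# Constructed blacklist / whitelist of network filter driver names; the names are
# hypothetical placeholders, not real driver file names from the page.
DRIVER_BLACKLIST = {"badfilt_placeholder.sys"}
DRIVER_WHITELIST = {"known_good_placeholder.sys"}
BACKUPS = []  # where "backed up" drivers are recorded before removal


def backup_and_remove(drivers: list, name: str) -> None:
    """Back up a driver (recorded here) and only then remove it, as the page requires."""
    BACKUPS.append(name)
    drivers.remove(name)


def repair_filter_drivers(drivers, reach_object, reach_third_party) -> tuple:
    """Driver-dimension decision chain from the page.

    drivers: installed network filter driver names (constructed list, not modified).
    reach_object(drivers): True if the network object is reachable with these drivers loaded.
    reach_third_party(drivers): the same test against a trusted third-party network object.
    Returns (access_allowed, remaining_drivers, removed_drivers).
    """
    remaining = list(drivers)
    removed = []
    # Detection: a blacklisted driver means abnormal communication; repair = back up, remove.
    for name in [d for d in remaining if d in DRIVER_BLACKLIST]:
        backup_and_remove(remaining, name)
        removed.append(name)
    if reach_object(remaining):
        return True, remaining, removed
    # Access still fails. If even a trusted third party is unreachable, the client simply
    # cannot reach the network and no further driver repair is attempted.
    if not reach_third_party(remaining):
        return False, remaining, removed
    # Third party reachable but the object is not: suspect a driver known to neither list.
    unknown = [d for d in remaining if d not in DRIVER_BLACKLIST and d not in DRIVER_WHITELIST]
    if not unknown:
        return False, remaining, removed
    for name in unknown:
        backup_and_remove(remaining, name)
        removed.append(name)
    return True, remaining, removed
```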
According to another aspect of the invention, a detection device for controlling client access to a network is provided, comprising:
a detection item selecting unit, adapted to select system-setting detection items according to the client system;
a detecting unit, adapted to use the system-setting detection items and the communication information of the network object the client application needs to access to detect the communication between the client application and the network object;
an access control unit, adapted to repair the system-setting detection items when their detection result indicates the communication is abnormal, and to allow the client application to access the network object when the detection result indicates the communication is normal;
the detection item selecting unit is further adapted to select driver detection items; the detecting unit is further adapted to detect the selected driver detection items when repair of the system-setting detection items fails;
the access control unit is further adapted to repair the driver detection items when their detection result indicates the communication is abnormal, and to allow the client application to access the network object when it indicates the communication is normal.
The communication information of the network object includes the domain name and IP address of the network object, and the system-setting detection items include one or more of the client system's IPSec settings, system firewall settings, local IP addresses, routing table entries, DNS settings and Hosts file. The detecting unit is specifically adapted to detect whether the block list of the client system's IPSec settings contains the communication information of the network object; if so, the detection result indicates the communication is abnormal, otherwise it indicates the communication is normal; and/or,
to detect whether the rule entries of the block list of the client system's firewall settings contain the IP address of the network object and the name of the client application; if so, the detection result indicates the communication is abnormal, otherwise it indicates the communication is normal; and/or,
to detect whether the client system has a local IP address on the same network segment as the IP address of the network object; if so, the detection result indicates the communication is abnormal, otherwise it indicates the communication is normal; and/or,
to detect whether the client system's routing table entries contain an IP address on the same network segment as the IP address of the network object; if so, the detection result indicates the communication is abnormal, otherwise it indicates the communication is normal;
and/or,
to detect whether the IP address in the client system's DNS settings is in the forbidden DNS list; if so, the detection result indicates the communication is abnormal, otherwise it indicates the communication is normal; and/or,
to detect whether any entry of the client system's Hosts file contains the domain name of the network object; if so, the detection result indicates the communication is abnormal, otherwise it indicates the communication is normal.
The access control unit is adapted to repair the system-setting detection items, when the detection result indicates the communication is abnormal, in the following manner:
when the communication information of the network object is detected in the block list of the client system's IPSec settings, removing the communication information of the network object from the IPSec block list; and/or,
when the IP address of the network object and the name of the client application are detected in the rule entries of the block list of the client system's firewall settings, removing from the firewall block list the rule entry that contains the IP address of the network object and the name of the client application; and/or,
when the client system is detected to have a local IP address on the same network segment as the IP address of the network object, removing that local IP address from the client system;
when an IP address on the same network segment as the IP address of the network object is detected in the client system's routing table entries, removing the routing table entry in the client system whose IP address is identical to the IP address of the network object; and/or,
when the IP address in the client system's DNS settings is detected to be in the forbidden DNS list, changing the IP address in the DNS settings to the address of a trusted DNS server; and/or,
when the domain name of the network object is detected in an entry of the client system's Hosts file, removing the Hosts file entry that contains the domain name of the network object.
The detection item selecting unit is further adapted to select the network filter driver of the client system as a detection item;
the detecting unit is further adapted, after the access control unit has allowed the client application to access the network object and the client application fails to access it, to detect whether the network filter driver is present in the blacklist; if so, the detection result indicates the communication is abnormal; if not, it indicates the communication is normal;
the access control unit is further adapted, when the detection result indicates the communication is abnormal, to repair the network filter driver so that the detection result indicates normal communication, and when the detection result indicates the communication is normal, to allow the client application to access the network object.
The access control unit is adapted to repair the network filter driver in the following manner:
backing up the network filter driver that is in the blacklist and then removing it, after which the detection result indicates normal communication and the client application is allowed to access the network object.
The access control unit is further adapted so that, after the blacklisted network filter driver has been backed up and removed from the blacklist, the detection result indicates normal communication and the client application has been allowed to access the network object, when the client application then fails to access the network object: if the client application cannot successfully access a trusted third-party network object, it confirms that the client application cannot access the network; if the client application can successfully access the trusted third-party network object, it judges whether the client application has a network filter driver that is present in neither the blacklist nor the whitelist; if not, it confirms that the client application cannot access the network; if so, it backs up and removes that network filter driver and allows the client application to access the network object.
A communication system provided by an embodiment of the invention comprises a client device, the client device comprising the above detection device for controlling client access to a network, wherein
the network object that the client application running on the client device needs to access is a cloud security center server;
when the detection device allows the client application to access the cloud security center server, the client application is adapted to send information about a suspicious file to the cloud security center server and to receive the analysis result of that information issued by the cloud security center server.
As described above, by selecting system-setting detection items and driver detection items and using them together with the communication information of the network object to detect and control access, the embodiment of the invention can detect, across multiple dimensions from the system kernel to the system settings, the damage malicious programs do to a client application's network access, effectively repair the damage done to the communication between the client application and the network object, and ensure normal access by the client application to the network object.
The above description is only an overview of the technical solution of the invention. In order that the technical means of the invention may be understood more clearly and implemented according to the content of the specification, and that the above and other objects, features and advantages of the invention may become more apparent, specific embodiments of the invention are set out below.
Description of drawings
By reading the following detailed description of the preferred embodiments, various other advantages and benefits will become clear to those of ordinary skill in the art. The drawings serve only to illustrate the preferred embodiments and are not to be considered limiting. Throughout the drawings, identical parts are denoted by identical reference symbols. In the drawings:
Fig. 1 shows a flow chart of a method for detecting and controlling client access to a network according to an embodiment of the invention;
Fig. 2 shows a flow chart of a method, according to another embodiment of the invention, for repairing damage done by a malicious program to a client application's access to a network object, based on a network filter driver;
Fig. 3 shows a schematic structural diagram of a detection device for controlling client access to a network according to an embodiment of the invention; and
Fig. 4 shows a schematic structural diagram of a communication system provided by an embodiment of the invention.
Embodiment
Exemplary embodiments of the present disclosure are described in more detail below with reference to the drawings. Although exemplary embodiments are shown in the drawings, the disclosure may be realised in various forms and should not be limited by the embodiments set out here; these embodiments are provided so that the disclosure is understood more thoroughly and its scope is fully conveyed to those skilled in the art.
The application can be applied to a computer system/server that operates with numerous other general-purpose or special-purpose computing system environments or configurations. Examples of well-known computing systems, environments and/or configurations suitable for use with the computer system/server include, but are not limited to: personal computer systems, server computer systems, thin clients, thick clients, hand-held or laptop devices, microprocessor-based systems, set-top boxes, programmable consumer electronics, network PCs, minicomputer systems, mainframe computer systems, and distributed cloud computing environments that include any of the above systems.
The computer system/server may be described in the general context of computer-system-executable instructions (such as program modules) executed by a computer system. Generally, program modules may include routines, programs, object programs, components, logic, data structures and so on that perform particular tasks or implement particular abstract data types. The computer system/server may be implemented in a distributed cloud computing environment in which tasks are performed by remote processing devices linked through a communication network; in such an environment program modules may be located on local or remote computing system storage media, including memory devices.
The computer system/server may also communicate with one or more external devices (such as a keyboard, pointing device or display), with one or more devices that enable a user to interact with the computer system/server, and/or with any device (such as a network card or modem) that enables the computer system/server to communicate with one or more other computing devices. Such communication takes place through input/output (I/O) interfaces. The computer system/server may also communicate with one or more networks, such as a local area network (LAN), a wide area network (WAN) and/or a public network (such as the Internet), through a network adapter; as shown in the figure, the network adapter communicates with the other modules of the computer system/server via a bus. It should be understood that other hardware and/or software modules may be used with the computer system/server, including but not limited to microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives and data backup storage systems.
A method for detecting and controlling client access to a network, provided by an embodiment of the invention, is shown in Fig. 1 and comprises:
S100: selecting system-setting detection items according to the client system, the system-setting detection items including one or more of the client system's Internet Protocol Security (IPSec) settings, system firewall settings, local IP addresses, routing table entries, DNS settings and Hosts file.
S102: using the system-setting detection items and the communication information of the network object the client application needs to access, detecting the communication between the client application and the network object.
In this embodiment the system-setting detection items selected in step S100 usually serve as the basic detection items, and this step detects all of them; it will be appreciated that this step may also detect only some of the communication detection items listed above. By detecting the system-setting detection items, the scheme can detect and repair a client application's access to the system network from the dimension of the system settings.
The network object is the network device or system the client application is to access, for example a cloud security center server under a Windows system.
S104: when the detection result of the system-setting detection items indicates the communication is normal, allowing the client application to access the network object.
S106: when the detection result of the system-setting detection items indicates the communication is abnormal, repairing the system-setting detection items so that the detection result indicates normal communication, and when the communication is normal, allowing the client application to access the network object.
S108: when repair of the system-setting detection items fails, detecting the selected driver detection items and proceeding to step S110; when repair of the system-setting detection items succeeds, the communication is normal and the client application is allowed to access the network object. By detecting the driver detection items, the scheme can detect and repair a client application's access to the system network from the dimension of the system kernel.
S110: when the detection result of the driver detection items indicates the communication is abnormal, repairing the driver detection items, and when it indicates the communication is normal, allowing the client application to access the network object.
Another embodiment of the present invention describes as the scene of cloud security central server as example take client application as the network object that client secure is used, client application need to be accessed that be used for to guarantee client network safety.
A cloud computing environment comprises one or more cloud computing nodes with which the local computing devices used by cloud consumers, such as personal digital assistants (PDAs) or mobile phones, desktop computers, notebook computers and/or in-vehicle computer systems, can communicate. The nodes can communicate with one another. They may be grouped physically or virtually (not shown) in one or more networks, such as the private cloud, community cloud, public cloud or hybrid cloud described above, or a combination of them. This allows the cloud computing environment to offer infrastructure as a service, platform as a service and/or software as a service for which the cloud consumer need not maintain resources on a local computing device. It should be understood that the computing nodes and the cloud computing environment can communicate with any type of computing device (for example, using a web browser) over any type of network and/or network-addressable connection.
The cloud security architecture is implemented on top of the cloud computing environment: all cloud security clients stay connected to the cloud security server in real time, the clients continuously collect and report updates, a huge malware database is built on the server side, and the analysis and comparison work of active defense is moved to the server side, so that the whole cloud security network becomes an active defense tool. Program behaviors that carry a threat are collected and kept in the server's database, so that when the server performs malware analysis it can use program behavior directly to judge whether a program is malicious.
In addition, in the embodiment of the invention the client collects program behavior and associates it with program features, so that program features and their corresponding program behavior are recorded in the database. Based on the association between the collected program behavior and program features, samples can be analyzed and summarized in the database, which helps classify software or programs as black or white and allows corresponding removal or repair measures to be formulated for the malware in the blacklist.
However, trojans and some other malware, in order to evade detection by security software, try by every means to break the network communication between the client security software and the network server (for example, the cloud security server), preventing the client security software from reaching the network server, so that the client cannot update its virus database from the server side and cannot identify and remove new trojans.
The communication information of the network object comprises the domain name and the IP address of the network object, for example a domain name list made up of multiple domain names of the cloud security center server and an IP address list made up of multiple IP addresses. The domain name list can be expressed as CloudSecCentre(Domain) = {D1, D2, ..., Dn}, and the IP address list as CloudSecCentre(IP) = {IP1, IP2, ..., IPn}.
The communication between the client application and the network object is then detected using the system settings detection together with the communication information of the network object that the client application needs to access. The detection can include the following:
(1) IPSec settings
Considering that malware (such as a trojan) can add the IP address or domain name of the security vendor's cloud security center server to the block list of the IPSec settings to break network communication, the present embodiment detects whether the block list of the client system's network protocol security (IPSec) settings contains the communication information of the network object. If so, the detection result indicates abnormal communication; if not, the detection result indicates normal communication.
For example, the IPSec settings of the client system are read and the block list of the settings is checked for entries containing the cloud security center domain names CloudSecCentre(Domain) or IP addresses CloudSecCentre(IP). If such entries exist they are removed; if not, the IPSec settings are left unmodified. Optionally, the present embodiment can also check all information in the IPSec settings directly and judge whether the communication information of the network object appears anywhere in the IPSec settings; if so, the communication information of the network object is removed from the IPSec settings, and if not, the IPSec settings are kept unchanged.
(2) System firewall settings
Considering that a trojan can modify the inbound and outbound rules of the system firewall on Vista and later platforms, adding rule entries containing the cloud security center server IP address or the client security application name to the block list to break network communication, the present embodiment detects whether the rule entries of the block list in the client system's firewall settings contain the IP address of the network object or the name of the client application. If so, the detection result indicates abnormal communication; if not, the detection result indicates normal communication.
For example, the system firewall settings of the client system are read and the rule entries in the firewall's block list are checked one by one for the cloud security center IP addresses CloudSecCentre(IP) or the name of the client security application. If present, they are removed, that is, the rule entries containing the IP address of the network object or the client application name are removed from the block list of the system firewall settings; if not present, the original system firewall settings are kept.
(3) Local IP address
Considering that a trojan can add to the client an IP address in the same network segment as the cloud security center server together with an invalid gateway address, so that the client application cannot reach the cloud security center server IP and communication is broken, the present embodiment detects whether the client system has a local IP address in the same network segment as the IP address of the network object. If so, the detection result indicates abnormal communication; if not, the detection result indicates normal communication.
For example, all IP address settings of the client system are read and checked one by one for an IP address in the same network segment as any of the cloud security center server IP addresses CloudSecCentre(IP). If one exists, that IP address entry of the client is removed, that is, the local IP address of the client system that lies in the same network segment as the IP address of the network object is removed; if none exists, the IP address settings of the client system are kept.
(4) Route entries
Considering that a trojan can set up wrong route entries so that the client application cannot reach the cloud security center server IP address and communication is broken, the present embodiment detects whether the route entries of the client system contain an IP address in the same network segment as the IP address of the network object. If so, the detection result indicates abnormal communication; if not, the detection result indicates normal communication.
For example, all route entries of the client system are read and the network address of each route entry is checked one by one against the network address of the cloud security center server IP addresses CloudSecCentre(IP). If they are the same, the route entry is removed, that is, the route entry of the client system that has an IP address in the same network segment as the IP address of the network object is removed; if they differ, the original route entry is kept.
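The local IP address check (3) and the route entry check (4) both come down to one question: does a client-side address or route destination fall into the same network segment as a cloud security center server address? The following Python is an added illustration of that logic and is not code from the patent or its assignee. The server list, the /24 segment size and the client configuration are all constructed for the example (documentation-range addresses, not real infrastructure); the patent itself does not state a segment size.

```python
import ipaddress

# Constructed stand-in for CloudSecCentre(IP); documentation-range addresses.
CLOUD_SEC_CENTRE_IP = ["203.0.113.10", "198.51.100.20"]

# Assumed segment size for the "same network segment" test (not stated on the page).
SEGMENT_PREFIX = 24


def same_segment(server_ip, other_ip, prefixlen=SEGMENT_PREFIX):
    """True when other_ip lies in the /prefixlen segment that contains server_ip."""
    segment = ipaddress.ip_network(f"{server_ip}/{prefixlen}", strict=False)
    return ipaddress.ip_address(other_ip) in segment


def detect_local_ip_conflicts(local_ips, server_ips=CLOUD_SEC_CENTRE_IP):
    """Detection (3): local addresses that share a segment with a server address.
    Such an address makes the client treat the server as on-link, so traffic to it
    never goes through the real gateway and never gets a reply."""
    return [ip for ip in local_ips if any(same_segment(s, ip) for s in server_ips)]


def detect_route_conflicts(routes, server_ips=CLOUD_SEC_CENTRE_IP):
    """Detection (4): route entries whose destination network equals the network a
    server address falls in under that entry's own mask. Each route is a dict with
    'destination', 'mask' and 'gateway'. The default route (mask 0.0.0.0) is skipped
    because every address matches it (an assumption of this example)."""
    conflicts = []
    for route in routes:
        network = ipaddress.ip_network(f"{route['destination']}/{route['mask']}", strict=False)
        if network.prefixlen == 0:
            continue
        for server in server_ips:
            server_net = ipaddress.ip_network(f"{server}/{route['mask']}", strict=False)
            if server_net.network_address == network.network_address:
                conflicts.append(route)
                break
    return conflicts


def repair(local_ips, routes, server_ips=CLOUD_SEC_CENTRE_IP):
    """The page's repair: drop only the conflicting local addresses and route entries.
    Returns (detection result, kept local IPs, kept routes)."""
    bad_ips = set(detect_local_ip_conflicts(local_ips, server_ips))
    bad_routes = detect_route_conflicts(routes, server_ips)
    kept_ips = [ip for ip in local_ips if ip not in bad_ips]
    kept_routes = [r for r in routes if r not in bad_routes]
    result = "abnormal" if (bad_ips or bad_routes) else "normal"
    return result, kept_ips, kept_routes


# Constructed client configuration: one legitimate LAN address plus an injected
# address inside the first server's segment, and a route table with a bogus entry
# that sends the second server's segment to a dead gateway.
SAMPLE_LOCAL_IPS = ["192.168.1.50", "203.0.113.77"]
SAMPLE_ROUTES = [
    {"destination": "0.0.0.0", "mask": "0.0.0.0", "gateway": "192.168.1.1"},
    {"destination": "192.168.1.0", "mask": "255.255.255.0", "gateway": "0.0.0.0"},
    {"destination": "198.51.100.0", "mask": "255.255.255.0", "gateway": "192.168.1.254"},
]

if __name__ == "__main__":
    print(repair(SAMPLE_LOCAL_IPS, SAMPLE_ROUTES))
```

On a real Windows client the inputs would come from the adapter configuration and the routing table rather than from the constructed lists above; the decision logic is the same.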
(5) DNS settings
Considering that a trojan can modify the DNS settings of the client system so that the client points to a rogue DNS server controlled by the trojan author, causing the cloud security center domain name to fail to resolve and communication to fail, the present embodiment, when it detects that an IP address in the client system's DNS settings is in the forbidden DNS list, changes the IP address in the DNS settings to a reliable DNS server address. The forbidden DNS list consists of IP addresses already known to be illegitimate or that the client application is forbidden to access; it may also be called the black DNS list.
For example, the network DNS settings of the client system are read and the DNS IP addresses are checked against the forbidden DNS list. If one is found, the IP address in the DNS settings is changed to a reliable DNS server address, for example by setting the DNS to the preset DNS server addresses 8.8.8.8 and 8.8.4.4; if none is found, the network DNS settings of the client system are kept unchanged.
(6) Hosts file
Considering that a trojan can add the cloud security center server domain name to the Hosts file of the client system and point it at a wrong IP address to break communication, the present embodiment, when it detects that an entry of the client system's Hosts file contains the domain name of the network object, removes from the client system's Hosts file the entries that contain the domain name of the network object. The Hosts file usually consists of multiple lines of information; each line is regarded as an entry, and an entry carries domain name information and so on.
For example, the Hosts file is usually located in the client system under the directory c:\windows\system32\drivers\etc. The Hosts file of the client system is read and the domain name in each entry is checked one by one for whether it contains a cloud security center domain name CloudSecCentre(Domain). If it does, the entries of the client system's Hosts file containing the domain name of the network object are removed; if not, the Hosts file entries are kept unchanged.
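The DNS check (5) and the Hosts file check (6) are both membership tests against a list, but the Hosts file one needs a small parser so that comments and blank lines survive and a domain is matched regardless of what address it was pointed at. The Python below is an added illustration, not code from the patent or its assignee. The domain list, the forbidden DNS list and the sample Hosts file content are constructed for the example; the two preset resolver addresses are the ones the text names.

```python
# Constructed stand-ins for CloudSecCentre(Domain) and the forbidden ("black") DNS list.
CLOUD_SEC_CENTRE_DOMAIN = ["update.example-cloudsec.test", "report.example-cloudsec.test"]
FORBIDDEN_DNS = {"198.51.100.53", "203.0.113.53"}
# Preset reliable resolvers named on the page.
TRUSTED_DNS = ["8.8.8.8", "8.8.4.4"]


def check_dns(dns_servers, forbidden=FORBIDDEN_DNS, trusted=TRUSTED_DNS):
    """Detection (5): if any configured resolver is on the forbidden list, replace the
    resolver list with the trusted preset; otherwise keep the settings unchanged."""
    if any(server in forbidden for server in dns_servers):
        return "abnormal", list(trusted)
    return "normal", list(dns_servers)


def parse_hosts(text):
    """Split Hosts file text into (raw line, ip, [names]) tuples. Comment and blank
    lines yield no names, so later filtering always keeps them."""
    entries = []
    for raw in text.splitlines():
        body = raw.split("#", 1)[0].strip()
        parts = body.split()
        ip, names = (parts[0], parts[1:]) if len(parts) >= 2 else (None, [])
        entries.append((raw, ip, [name.lower() for name in names]))
    return entries


def check_hosts(text, domains=CLOUD_SEC_CENTRE_DOMAIN):
    """Detection (6): remove every entry naming a network object domain, whatever
    address it maps to. Returns (result, cleaned text, removed raw lines)."""
    wanted = {d.lower() for d in domains}
    kept, removed = [], []
    for raw, _ip, names in parse_hosts(text):
        (removed if any(n in wanted for n in names) else kept).append(raw)
    cleaned = "\n".join(kept) + ("\n" if text.endswith("\n") else "")
    return ("abnormal" if removed else "normal"), cleaned, removed


# Constructed Hosts file: two injected lines, one blackholing the update server and one
# redirecting the report server (mixed case, to show matching is case-insensitive).
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0         update.example-cloudsec.test   # injected
127.0.0.1       REPORT.example-cloudsec.test
192.168.1.10    intranet.local
"""

if __name__ == "__main__":
    print(check_dns(["192.168.1.1", "203.0.113.53"]))
    print(check_hosts(SAMPLE_HOSTS))
```

Matching on the host name rather than on the address is what makes the Hosts check robust: a trojan can point the domain at 0.0.0.0, 127.0.0.1 or any attacker-chosen address, and all of them are caught the same way.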
Therefore the repair measures adopted in the present embodiment comprise at least one of the following, or a combination of them:
when the block list of the client system's IPSec settings is detected to contain the communication information of the network object, removing the communication information of the network object from the block list of the IPSec settings;
when a rule entry in the block list of the client system's firewall settings is detected to contain the IP address of the network object or the name of the client application, removing the rule entry containing the IP address of the network object or the client application name from the block list of the system firewall settings;
when the client system is detected to have a local IP address in the same network segment as the IP address of the network object, removing from the client system the local IP address that is in the same network segment as the IP address of the network object;
when a route entry of the client system is detected to contain an IP address in the same network segment as the IP address of the network object, removing from the client system the route entry that has an IP address in the same network segment as the IP address of the network object;
when an IP address in the client system's DNS settings is detected to be in the forbidden DNS list, changing the IP address in the DNS settings to a reliable DNS server address;
when an entry of the client system's Hosts file is detected to contain the domain name of the network object, removing from the client system's Hosts file the entries that contain the domain name of the network object.
The choice of system settings detection in the present embodiment, and the concrete ways of detecting and repairing, were summarized from the practice of fighting trojans (such as the typical "Hurricane trojan"). They can effectively repair the damage trojans cause to communication with the cloud security center network, guarantee normal communication between the client security software and the cloud security center, and provide a reliable network environment for the subsequent trojan scan and removal, so that the security software achieves the best trojan removal effect.
Since in most cases the damage malware has done to the client application's network access can be detected and repaired once the operations of the above points have been performed, the client security application is then allowed to access the cloud security center server, which ensures that the client can promptly report suspicious files to the cloud security center server.
If, after the trojan detection and repair of the above points, the client security application still cannot access the cloud security center server, the present embodiment further comprises choosing the network filter drivers of the client system as the driver detection and performing the trojan scan and removal on the network filter drivers based on NDIS (Network Driver Interface Specification).
(7) Network filter drivers
A network filter driver generally comprises the network filter driver file and its registry information. The present embodiment detects whether a network filter driver is present in the blacklist; if so, the detection result indicates abnormal communication, and if not, the detection result indicates normal communication.
When the detection result indicates abnormal communication, the network filter driver is repaired so that the detection result indicates normal communication; when the detection result indicates normal communication, the client application is allowed to access the network object. Referring to Fig. 2, which shows a flowchart of the method of repairing, based on network filter drivers, the damage malware has done to the client application's access to the network object, the specific processing is as follows:
S200: judge whether the client application can access the network object.
If, after the detection and repair of the above points, the client application can access the network object, communication is normal and the detection ends.
If, after the detection and repair of the above points, the client application cannot access the network object, step S202 is executed.
S202: obtain the identification information of all network filter drivers in the client system.
The identification information of a network filter driver comprises the signature information and/or version information of the network filter driver. All network filter drivers in the system are read by enumerating the registry key HKLM\SYSTEM\CurrentControlSet\Control\Network and the INetCfg network configuration interface.
S204: check whether each network filter driver is in the blacklist or the whitelist.
The whitelist records the identification information of permitted network filter drivers; the blacklist records the identification information of forbidden network filter drivers.
The state of a network filter driver in the blacklist is set to black, where black means untrusted; the state of a network filter driver in the whitelist is set to white, where white means trusted; and the state of a network filter driver in neither the blacklist nor the whitelist is set to grey, where grey means unknown.
If all network filter drivers in the client system are in the whitelist, no further processing is carried out and the detection ends; otherwise, step S206 is executed.
S206: if there are black network filter drivers in the client system, the network filter drivers in the blacklist are backed up and then removed. At this point the detection result indicates normal communication, the client application is allowed to access the network object, and step S208 is executed.
S208: judge whether the client application can now access the network object. If communication is normal, the operation ends; if not, step S210 is executed.
S210: judge whether the client can access a trusted third-party network object under the current user environment. If it can, step S212 is executed; if it cannot, the client's own access is faulty, the client cannot access the network, and the operation ends. By detecting the client application's access to the network object under the user environment in this way, this solution also detects and repairs the client application's access to the system network from the dimension of user mode.
It can be seen from the above that this solution can comprehensively detect malware's damage to the client application's access to the system network across multiple dimensions, from the system kernel to user mode to system settings, guaranteeing a reliable network communication environment before malware scanning and removal is carried out.
S212: judge whether the client application has a network filter driver that is in neither the blacklist nor the whitelist, that is, a grey network filter driver. If there is no grey network filter driver, it is confirmed that the client application cannot access the network; if there is, step S214 is executed.
S214: the grey network filter driver is backed up and then removed, and the client application is allowed to access the network object.
It can be understood that the detection of network filter drivers can also be carried out at the same time as the above points.
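Steps S200 to S214 form one decision procedure over the installed network filter drivers: classify each by signature and version into black, white or grey, remove and back up the black ones first, probe connectivity, and only fall back to removing grey drivers when a trusted third-party site is still reachable (which rules out a fault in the client's own connectivity). The Python below is an added illustration of that procedure, not code from the patent or its assignee. Driver names, signers, versions and the black/white lists are constructed; the two connectivity probes are injected as callables so the flow runs offline, and the registry/INetCfg enumeration the text describes is replaced by the constructed driver list.

```python
# Constructed black/white lists keyed on (signer, version); a version of "*" matches
# any version from that signer. All names are invented for this example.
BLACKLIST = {("NetSpeedBoost Ltd", "3.2.0")}
WHITELIST = {("Microsoft Windows", "*"), ("Example AV Inc", "5.0.1")}


def classify(driver, blacklist=BLACKLIST, whitelist=WHITELIST):
    """S204: black = untrusted, white = trusted, grey = in neither list."""
    keys = {(driver["signer"], driver["version"]), (driver["signer"], "*")}
    if keys & blacklist:
        return "black"
    if keys & whitelist:
        return "white"
    return "grey"


def repair_filter_drivers(drivers, server_reachable, third_party_reachable):
    """Steps S200-S214. server_reachable(drivers) and third_party_reachable() are the
    connectivity probes. Returns (outcome, backed-up drivers, remaining drivers);
    a removed driver is always placed in the backup list first, as the page requires."""
    remaining, backup = list(drivers), []
    if server_reachable(remaining):                                   # S200
        return "normal", backup, remaining
    state = {d["name"]: classify(d) for d in remaining}               # S202 / S204
    if all(s == "white" for s in state.values()):
        return "all_white_no_action", backup, remaining
    black = [d for d in remaining if state[d["name"]] == "black"]
    if black:                                                         # S206
        backup += black
        remaining = [d for d in remaining if state[d["name"]] != "black"]
        if server_reachable(remaining):                               # S208
            return "normal", backup, remaining
    if not third_party_reachable():                                   # S210
        return "client_cannot_access_network", backup, remaining
    grey = [d for d in remaining if state[d["name"]] == "grey"]       # S212
    if not grey:
        return "client_cannot_access_network", backup, remaining
    backup += grey                                                    # S214
    remaining = [d for d in remaining if state[d["name"]] != "grey"]
    return "normal", backup, remaining


# Constructed driver inventory standing in for what the page enumerates from the
# registry and INetCfg. 'blocks_cloud' is hidden ground truth for the simulation; the
# detector never reads it, it only sees signer and version.
SAMPLE_DRIVERS = [
    {"name": "ms_ndis_filter", "signer": "Microsoft Windows", "version": "10.0", "blocks_cloud": False},
    {"name": "nsboost", "signer": "NetSpeedBoost Ltd", "version": "3.2.0", "blocks_cloud": True},
    {"name": "vpnflt", "signer": "Unknown Publisher", "version": "0.9", "blocks_cloud": False},
]


def simulated_server_reachable(drivers):
    """Constructed probe: the cloud server is reachable only while no installed driver
    blocks it."""
    return not any(d["blocks_cloud"] for d in drivers)


if __name__ == "__main__":
    print(repair_filter_drivers(SAMPLE_DRIVERS, simulated_server_reachable, lambda: True))
```

The backup before removal matters operationally: a grey driver is only unknown, not known bad, and a VPN or endpoint agent removed by mistake has to be restorable.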
From the above, the embodiment of the invention, by choosing system settings detection and driver detection, and by the technical means of using the system settings detection, the driver detection and the communication information of the network object to control access, can detect malware's damage to the client application's access to the system network across multiple dimensions from the system kernel to the system settings, effectively repair the damage malware causes to the communication between the client application and the network object, and guarantee the client application's normal access to the network object.
An embodiment of the invention also provides a detection device for controlling client network access. Referring to Fig. 3, the device comprises:
a detection selection unit 300, adapted to select system settings detection according to the client system, where the system settings detection comprises the network protocol security settings, system firewall settings, local IP address, route entries, domain name system (DNS) settings and/or Hosts file of the client system;
a detection unit 302, adapted to detect the communication between the client application and the network object using the system settings detection and the communication information of the network object that the client application needs to access;
an access control unit 304, adapted to repair the system settings detection when the detection result of the system settings detection indicates abnormal communication, and to allow the client application to access the network object when the detection result indicates normal communication;
the detection selection unit 300 being further adapted to select driver detection, and the detection unit 302 being further adapted to perform the selected driver detection when repairing the system settings detection fails;
the access control unit 304 being further adapted to repair the driver detection when the detection result of the driver detection indicates abnormal communication, and to allow the client application to access the network object when the detection result of the driver detection indicates normal communication.
Wherein the communication information comprises the domain name and IP address of the network object, and the detection unit 302 is specifically adapted to detect whether the block list of the client system's network protocol security settings contains the communication information of the network object; if so, the detection result indicates abnormal communication, and if not, normal communication; and/or,
to detect whether a rule entry in the block list of the client system's firewall settings contains the IP address of the network object or the name of the client application; if so, the detection result indicates abnormal communication, and if not, normal communication; and/or,
to detect whether the client system has a local IP address in the same network segment as the IP address of the network object; if so, the detection result indicates abnormal communication, and if not, normal communication; and/or,
to detect whether a route entry of the client system contains an IP address in the same network segment as the IP address of the network object; if so, the detection result indicates abnormal communication, and if not, normal communication; and/or,
to detect whether an IP address in the client system's DNS settings is in the forbidden DNS list; if so, the detection result indicates abnormal communication, and if not, normal communication; and/or,
to detect whether an entry of the client system's Hosts file contains the domain name of the network object; if so, the detection result indicates abnormal communication, and if not, normal communication.
Wherein the access control unit 304 is adapted to repair the system settings detection in the following ways when the detection result indicates abnormal communication:
when the block list of the client system's network protocol security settings is detected to contain the communication information of the network object, removing the communication information of the network object from the block list of the network protocol security settings; and/or,
when a rule entry in the block list of the client system's firewall settings is detected to contain the IP address of the network object or the name of the client application, removing the rule entry containing the IP address of the network object or the client application name from the block list of the system firewall settings; and/or,
when the client system is detected to have a local IP address in the same network segment as the IP address of the network object, removing from the client system the local IP address that is in the same network segment as the IP address of the network object; and/or,
when a route entry of the client system is detected to contain an IP address in the same network segment as the IP address of the network object, removing from the client system the route entry whose IP address is identical to the IP address of the network object; and/or,
when an IP address in the client system's DNS settings is detected to be in the forbidden DNS list, changing the IP address in the DNS settings to a reliable DNS server address; and/or,
when an entry of the client system's Hosts file is detected to contain the domain name of the network object, removing from the client system's Hosts file the entries that contain the domain name of the network object.
Optionally, the detection selection unit 300 is specifically adapted to select the network filter drivers as the driver detection;
the detection unit 302 is further adapted to detect whether a network filter driver is present in the blacklist; if so, the detection result indicates abnormal communication, and if not, normal communication;
the access control unit 304 is further adapted, when the detection result indicates abnormal communication, to repair the network filter driver so that the detection result indicates normal communication, and when the detection result indicates normal communication, to allow the client application to access the network object.
Wherein the detection unit 302 is specifically adapted to detect whether a network filter driver is present in the blacklist in the following way: obtaining the signature information and version information of the network filter driver from the registry and the network configuration interface of the client system; when the signature information and version information of the network filter driver are in the blacklist, confirming that the network filter driver is present in the blacklist, and when they are not in the blacklist, confirming that the network filter driver is not present in the blacklist.
Wherein the access control unit 304 is adapted to repair the network filter driver in the following way: after backing up the network filter driver in the blacklist, removing the network filter driver, so that the detection result indicates normal communication and the client application is allowed to access the network object.
Further, the access control unit 304 is also adapted, after the network filter driver in the blacklist has been backed up and removed from the blacklist, the detection result indicates normal communication and the client application has been allowed to access the network object, to proceed as follows when the client application fails to access the network object: if the client application cannot successfully access a trusted third-party network object, confirming that the client application cannot access the network; if the client application can successfully access a trusted third-party network object, obtaining the signature information and/or version information of the network filter drivers from the registry and the network configuration interface of the client system, judging from the signature information and/or version information whether the client application has a network filter driver that is in neither the blacklist nor the whitelist, and if not, confirming that the client application cannot access the network, and if so, backing up and then removing that network filter driver and allowing the client application to access the network object.
The detection unit 302 is specifically adapted to detect whether a network filter driver is present in the blacklist in the following way: obtaining the signature information and/or version information of the network filter driver from the registry and the network configuration interface of the client system; when the signature information and/or version information of the network filter driver are in the blacklist, confirming that the network filter driver is present in the blacklist, and when they are not in the blacklist, confirming that the network filter driver is not present in the blacklist;
the detection unit 302 is specifically adapted to judge in the following way whether the client application has a network filter driver that is in neither the blacklist nor the whitelist:
when the signature information and/or version information of a network filter driver is present in neither the blacklist nor the whitelist, confirming that the client application has a network filter driver that is in neither the blacklist nor the whitelist; otherwise, confirming that the client application has no network filter driver that is in neither the blacklist nor the whitelist.
The specific working mode of each unit in the device embodiment of the invention can be found in the method embodiment of the invention and is not repeated here.
From the above, the embodiment of the invention, by choosing the network protocol security settings, system firewall settings, local IP address, route entries, DNS settings and Hosts file as the system settings detection, and by the technical means of using the system settings detection and the communication information of the network object to control access, can detect malware's damage to the client application's network access across multiple dimensions from the system kernel to user mode to the system settings, effectively repair the damage malware causes to the communication between the client application and the network object, and guarantee the client application's normal access to the network object.
The embodiment of the invention also provides a communication system. Referring to Fig. 4, the communication system comprises a client device 400, and the client device 400 comprises at least one detection device 402 for controlling client network access as provided in the above embodiment;
the network object that the client application 406 running on the client device 400 needs to access is the cloud security center server 404;
when the detection device 402 for controlling client network access allows the client application to access the cloud security center server 404, the client application 406 is adapted to send information about a suspicious file to the cloud security center server 404 and to receive the analysis result of that suspicious file information issued by the cloud security center server 404.
The algorithms and displays provided herein are not inherently related to any particular computer, virtual system or other equipment. Various general-purpose systems can also be used with the teaching herein. From the above description, the structure required to construct such a system is apparent. In addition, the invention is not directed to any particular programming language. It should be understood that various programming languages can be used to implement the content of the invention described herein, and that the above description of a specific language is given to disclose the best mode of the invention.
A large number of details are described in the specification provided herein. However, it can be understood that embodiments of the invention can be practiced without these details. In some instances, well-known methods, structures and techniques are not shown in detail so as not to obscure the understanding of this description.
Similarly, it should be understood that, in order to simplify the disclosure and help understand one or more of the inventive aspects, in the above description of exemplary embodiments of the invention the features of the invention are sometimes grouped together in a single embodiment, figure or description thereof. However, the disclosed method should not be construed as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in fewer than all features of a single disclosed embodiment. Therefore the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art will understand that the modules in the equipment of an embodiment can be adaptively changed and arranged in one or more pieces of equipment different from that embodiment. The modules, units or assemblies in an embodiment can be combined into one module, unit or assembly, and can additionally be divided into multiple sub-modules, sub-units or sub-assemblies. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or equipment so disclosed can be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) can be replaced by alternative features serving the same, equivalent or similar purpose.
Furthermore, those skilled in the art will understand that although some embodiments described herein include some features included in other embodiments but not other features, combinations of features of different embodiments are meant to be within the scope of the invention and to form different embodiments. For example, in the following claims, any of the claimed embodiments can be used in any combination.
The component embodiments of the invention can be implemented in hardware, in software modules running on one or more processors, or in a combination of them. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) can be used in practice to implement some or all of the functions of some or all of the components in the detection device for controlling client network access according to the embodiment of the invention. The invention can also be implemented as equipment or device programs (for example, computer programs and computer program products) for performing part or all of the method described herein. Such programs implementing the invention can be stored on a computer-readable medium or can take the form of one or more signals. Such signals can be downloaded from an internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the invention, and that those skilled in the art can design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention can be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several devices, several of these devices can be embodied by one and the same item of hardware. The use of the words first, second, third and so on does not indicate any order; these words can be interpreted as names.

Claims (16)

1. A detection method for controlling client access to a network, the method comprising:
selecting system settings detection items according to the client system;
detecting the communication between the client application and a network object that the client application needs to access, using the system settings detection items and the communication information of the network object;
when the detection result for the system settings detection items indicates that communication is abnormal, repairing the system settings detection items, and when the detection result indicates that communication is normal, allowing the client application to access the network object;
when repairing the system settings detection items fails, detecting a selected driver detection item; when the detection result for the driver detection item indicates that communication is abnormal, repairing the driver detection item, and when the detection result for the driver detection item indicates that communication is normal, allowing the client application to access the network object.
2. The method according to claim 1, wherein the system settings detection items comprise the network protocol security settings, the system firewall settings, the local IP address, the routing entries, the domain name system (DNS) settings and/or the Hosts file of the client system.
3. The method according to claim 2, wherein the communication information comprises the domain name and the IP address of the network object, and detecting the communication between the client application and the network object using the system settings detection items and the communication information of the network object comprises:
detecting whether the block list of the network protocol security settings of the client system contains the communication information of the network object; if so, the detection result indicates that communication is abnormal, and if not, the detection result indicates that communication is normal;
and/or,
detecting whether a rule entry of the block list of the system firewall settings of the client system contains the IP address of the network object or the name of the client application; if so, the detection result indicates that communication is abnormal, and if not, the detection result indicates that communication is normal; and/or,
detecting whether the client system has a local IP address in the same network segment as the IP address of the network object; if so, the detection result indicates that communication is abnormal, and if not, the detection result indicates that communication is normal; and/or,
detecting whether the routing entries of the client system contain an IP address in the same network segment as the IP address of the network object; if so, the detection result indicates that communication is abnormal, and if not, the detection result indicates that communication is normal;
and/or,
detecting whether the IP address in the DNS settings of the client system is in a banned DNS list; if so, the detection result indicates that communication is abnormal, and if not, the detection result indicates that communication is normal; and/or,
detecting whether any entry of the Hosts file of the client system contains the domain name of the network object; if so, the detection result indicates that communication is abnormal, and if not, the detection result indicates that communication is normal.
4. The method according to claim 3, wherein repairing the system settings detection items when the detection result indicates that communication is abnormal comprises:
when the block list of the network protocol security settings of the client system is detected to contain the communication information of the network object, removing the communication information of the network object from the block list of the network protocol security settings; and/or,
when a rule entry of the block list of the system firewall settings of the client system is detected to contain the IP address of the network object or the name of the client application, removing that rule entry from the block list of the system firewall settings; and/or,
when the client system is detected to have a local IP address in the same network segment as the IP address of the network object, removing from the client system the local IP address that is in the same network segment as the IP address of the network object;
and/or,
when the routing entries of the client system are detected to contain an IP address in the same network segment as the IP address of the network object, removing from the client system the routing entry whose IP address is in the same network segment as the IP address of the network object; and/or,
when the IP address in the DNS settings of the client system is detected to be in the banned DNS list, changing the IP address in the DNS settings to a trusted DNS server address; and/or,
when an entry of the Hosts file of the client system is detected to contain the domain name of the network object, removing from the client system the Hosts file entries that contain the domain name of the network object.
5. The method according to any one of claims 1 to 4, wherein the selected driver detection item is a network filter driver, and detecting the selected driver detection item comprises:
detecting whether the network filter driver is present in a blacklist; if so, the detection result for the network filter driver indicates that communication is abnormal; if not, the detection result for the network filter driver indicates that communication is normal.
6. The method according to claim 5, wherein repairing the network filter driver comprises:
backing up the network filter driver that is in the blacklist and then removing it; when the detection result indicates that communication is normal, allowing the client application to access the network object.
7. The method according to claim 6, wherein, after the network filter driver in the blacklist has been backed up and removed, the detection result indicates that communication is normal and the client application has been allowed to access the network object, the method further comprises:
when the client application fails to access the network object, if the client application cannot successfully access a trusted third-party network object, confirming that the client application cannot access the network; if the client application can successfully access the trusted third-party network object, determining whether the client application has a network filter driver that is present in neither the blacklist nor the whitelist; if not, confirming that the client application cannot access the network; if so, backing up that network filter driver, removing it, and allowing the client application to access the network object.
8. The method according to claim 7, characterized in that
detecting whether the network filter driver is present in the blacklist comprises:
obtaining the signature information and/or version information of the network filter driver from the registry and the network configuration interface of the client system;
when the signature information and/or version information of the network filter driver is in the blacklist, confirming that the network filter driver is present in the blacklist, and when the signature information and/or version information of the network filter driver is not in the blacklist, confirming that the network filter driver is not present in the blacklist;
and determining whether the client application has a network filter driver that is present in neither the blacklist nor the whitelist comprises:
when the signature information and/or version information of the network filter driver is present in neither the blacklist nor the whitelist, confirming that the client application has a network filter driver that is present in neither the blacklist nor the whitelist; otherwise, confirming that the client application does not have a network filter driver that is present in neither the blacklist nor the whitelist.
9. A detection device for controlling client access to a network, the device comprising:
a detection item selection unit, adapted to select system settings detection items according to the client system;
a detection unit, adapted to detect the communication between the client application and a network object that the client application needs to access, using the system settings detection items and the communication information of the network object;
an access control unit, adapted to repair the system settings detection items when the detection result for the system settings detection items indicates that communication is abnormal, and to allow the client application to access the network object when the detection result indicates that communication is normal;
the detection item selection unit being further adapted to select a driver detection item, and the detection unit being further adapted to detect the selected driver detection item when repairing the system settings detection items fails;
the access control unit being further adapted to repair the driver detection item when the detection result for the driver detection item indicates that communication is abnormal, and to allow the client application to access the network object when the detection result for the driver detection item indicates that communication is normal.
10. The device according to claim 9, wherein the system settings detection items comprise the network protocol security settings, the system firewall settings, the local IP address, the routing entries, the domain name system (DNS) settings and/or the Hosts file of the client system, and the communication information comprises the domain name and the IP address of the network object,
the detection unit being specifically adapted to detect whether the block list of the network protocol security settings of the client system contains the communication information of the network object; if so, the detection result indicates that communication is abnormal, and if not, the detection result indicates that communication is normal; and/or,
to detect whether a rule entry in the block list of the system firewall settings of the client system contains the IP address of the network object or the name of the client application; if so, the detection result indicates that communication is abnormal, and if not, the detection result indicates that communication is normal; and/or,
to detect whether the client system has a local IP address in the same network segment as the IP address of the network object; if so, the detection result indicates that communication is abnormal, and if not, the detection result indicates that communication is normal; and/or,
to detect whether the routing entries of the client system contain an IP address in the same network segment as the IP address of the network object; if so, the detection result indicates that communication is abnormal, and if not, the detection result indicates that communication is normal;
and/or,
to detect whether the IP address in the DNS settings of the client system is in a banned DNS list; if so, the detection result indicates that communication is abnormal, and if not, the detection result indicates that communication is normal; and/or,
to detect whether any entry of the Hosts file of the client system contains the domain name of the network object; if so, the detection result indicates that communication is abnormal, and if not, the detection result indicates that communication is normal.
11. The device according to claim 9, wherein the access control unit is adapted to repair the system settings detection items, when the detection result indicates that communication is abnormal, in the following manner:
when the block list of the network protocol security settings of the client system is detected to contain the communication information of the network object, removing the communication information of the network object from the block list of the network protocol security settings; and/or,
when a rule entry in the block list of the system firewall settings of the client system is detected to contain the IP address of the network object or the name of the client application, removing that rule entry from the block list of the system firewall settings; and/or,
when the client system is detected to have a local IP address in the same network segment as the IP address of the network object, removing from the client system the local IP address that is in the same network segment as the IP address of the network object;
and/or,
when the routing entries of the client system are detected to contain an IP address in the same network segment as the IP address of the network object, removing from the client system the routing entry whose IP address is in the same network segment as the IP address of the network object; and/or,
when the IP address in the DNS settings of the client system is detected to be in the banned DNS list, changing the IP address in the DNS settings to a trusted DNS server address; and/or,
when an entry of the Hosts file of the client system is detected to contain the domain name of the network object, removing from the client system the Hosts file entries that contain the domain name of the network object.
12. The device according to claim 9, wherein
the detection item selection unit is specifically adapted to select a network filter driver as the driver detection item;
and the detection unit is further adapted to detect whether the network filter driver is present in a blacklist; if so, the detection result for the network filter driver indicates that communication is abnormal; if not, the detection result for the network filter driver indicates that communication is normal.
13. The device according to claim 12, wherein
the access control unit is adapted to repair the network filter driver in the following manner: backing up the network filter driver that is in the blacklist and then removing it; and when the detection result indicates that communication is normal, allowing the client application to access the network object.
14. The device according to claim 13, wherein the access control unit is further adapted, after the network filter driver in the blacklist has been backed up and removed, the detection result indicates that communication is normal and the client application has been allowed to access the network object, to act as follows when the client application fails to access the network object: if the client application cannot successfully access a trusted third-party network object, confirming that the client application cannot access the network; if the client application can successfully access the trusted third-party network object, determining whether the client application has a network filter driver that is present in neither the blacklist nor the whitelist; if not, confirming that the client application cannot access the network; if so, backing up that network filter driver, removing it, and allowing the client application to access the network object.
15. The device according to claim 14, wherein
the detection unit is specifically adapted to detect whether the network filter driver is present in the blacklist in the following manner: obtaining the signature information and/or version information of the network filter driver from the registry and the network configuration interface of the client system; when the signature information and/or version information of the network filter driver is in the blacklist, confirming that the network filter driver is present in the blacklist, and when the signature information and/or version information of the network filter driver is not in the blacklist, confirming that the network filter driver is not present in the blacklist;
and the detection unit is specifically adapted to determine whether the client application has a network filter driver that is present in neither the blacklist nor the whitelist in the following manner:
when the signature information and/or version information of the network filter driver is present in neither the blacklist nor the whitelist, confirming that the client application has a network filter driver that is present in neither the blacklist nor the whitelist; otherwise, confirming that the client application does not have a network filter driver that is present in neither the blacklist nor the whitelist.
16. A communication system, the system comprising a client device, the client device comprising the detection device for controlling client access to a network according to any one of claims 9 to 15,
wherein the network object that the client application running on the client device needs to access is a cloud security center server;
and when the detection device for controlling client access to the network allows the client application to access the cloud security center server, the client application is adapted to send information on a suspicious file to the cloud security center server and to receive the analysis result for the information on the suspicious file returned by the cloud security center server.
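The detection and repair logic of claims 3 and 4, together with the repair-then-decide flow of claim 1, as an added example that is not code from the patent: the ClientSettings snapshot, the sample addresses, the banned DNS list and the trusted DNS server address are all constructed, and a repair that leaves an item still abnormal is taken to be the "repair fails" case.

```python
"""Added example (not the patent's own code): a model of the system settings
detection items of claims 3 and 4 and the repair-then-decide flow of claim 1."""
import ipaddress
from dataclasses import dataclass, field

# Constructed values: the network object's communication information (domain name
# and IP address, claim 3), the client application name, a banned DNS list and a
# trusted DNS server address (the claims name the last two but do not define them).
NETWORK_OBJECT = {"domain": "update.example.test", "ip": "203.0.113.10"}
APP_NAME = "client_app.exe"
BANNED_DNS = {"198.51.100.66"}
TRUSTED_DNS = "203.0.113.53"

@dataclass
class ClientSettings:
    """Hypothetical snapshot of the client system settings listed in claim 2."""
    protocol_block_list: set = field(default_factory=set)     # protocol security block list
    firewall_block_rules: list = field(default_factory=list)  # {"ip": ...} or {"app": ...}
    local_ips: list = field(default_factory=list)             # local addresses, "ip/prefix"
    routes: list = field(default_factory=list)                # routing entries, "net/prefix"
    dns_servers: list = field(default_factory=list)
    hosts_entries: list = field(default_factory=list)         # raw Hosts file lines

def same_segment(cidr: str, ip: str) -> bool:
    """True when ip lies in the segment of cidr; a default route is not a segment."""
    net = ipaddress.ip_network(cidr, strict=False)
    return net.prefixlen > 0 and ipaddress.ip_address(ip) in net

def hosts_entry_names_domain(line: str, domain: str) -> bool:
    """True when a Hosts line maps the domain; text after '#' is a comment."""
    tokens = line.split("#", 1)[0].split()
    return len(tokens) > 1 and domain.lower() in (t.lower() for t in tokens[1:])

def detect(s: ClientSettings, obj: dict = NETWORK_OBJECT) -> dict:
    """Claim 3: one flag per detection item; True means communication is abnormal."""
    ip, domain = obj["ip"], obj["domain"]
    return {
        "protocol_security": bool({ip, domain} & s.protocol_block_list),
        "firewall": any(r.get("ip") == ip or r.get("app") == APP_NAME for r in s.firewall_block_rules),
        "local_ip": any(same_segment(c, ip) for c in s.local_ips),
        "route": any(same_segment(c, ip) for c in s.routes),
        "dns": any(d in BANNED_DNS for d in s.dns_servers),
        "hosts": any(hosts_entry_names_domain(h, domain) for h in s.hosts_entries),
    }

def repair(s: ClientSettings, result: dict, obj: dict = NETWORK_OBJECT) -> list:
    """Claim 4: undo each abnormal item in place and return the actions taken."""
    ip, domain = obj["ip"], obj["domain"]
    actions = []
    if result["protocol_security"]:
        s.protocol_block_list -= {ip, domain}
        actions.append("removed network object from protocol security block list")
    if result["firewall"]:
        s.firewall_block_rules = [r for r in s.firewall_block_rules
                                  if r.get("ip") != ip and r.get("app") != APP_NAME]
        actions.append("removed blocking firewall rule entry")
    if result["local_ip"]:
        s.local_ips = [c for c in s.local_ips if not same_segment(c, ip)]
        actions.append("removed local IP address in the network object's segment")
    if result["route"]:
        s.routes = [c for c in s.routes if not same_segment(c, ip)]
        actions.append("removed routing entry for the network object's segment")
    if result["dns"]:
        s.dns_servers = [TRUSTED_DNS if d in BANNED_DNS else d for d in s.dns_servers]
        actions.append("replaced banned DNS server with the trusted DNS server")
    if result["hosts"]:
        s.hosts_entries = [h for h in s.hosts_entries if not hosts_entry_names_domain(h, domain)]
        actions.append("removed Hosts entries naming the network object")
    return actions

def check_and_repair(s: ClientSettings) -> str:
    """Claim 1 flow: allow access, or escalate to the driver detection item."""
    result = detect(s)
    if any(result.values()):
        repair(s, result)
        if any(detect(s).values()):  # assumption: still abnormal means repair failed
            return "repair_failed_try_driver_detection"
    return "allow"

def tampered_snapshot() -> ClientSettings:
    """Constructed snapshot in which every one of the six detection items fires."""
    return ClientSettings(
        protocol_block_list={"203.0.113.10"},
        firewall_block_rules=[{"ip": "203.0.113.10"}, {"app": "other.exe"}],
        local_ips=["192.0.2.15/24", "203.0.113.200/24"],
        routes=["0.0.0.0/0", "203.0.113.0/24"],
        dns_servers=["198.51.100.66"],
        hosts_entries=["127.0.0.1 localhost", "127.0.0.1 UPDATE.example.test # hijack"],
    )

if __name__ == "__main__":
    snap = tampered_snapshot()
    print(detect(snap), repair(snap, detect(snap)))
    print(check_and_repair(tampered_snapshot()))  # allow
```

On a real client the snapshot would be read from the firewall, routing table, DNS configuration and Hosts file, and a repair step that is denied by the operating system is what turns the flow toward the driver detection item of claim 5.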
Application CN201210345506.7A (priority date 2012-09-17, filing date 2012-09-17): Detection method, device and system for controlling client access to a network. Status: Expired - Fee Related. Granted publication: CN102868694B (en).
Publications (2)

Publication Number Publication Date
CN102868694A true CN102868694A (en) 2013-01-09
CN102868694B CN102868694B (en) 2015-08-19
Legal Events

Code Title / Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
TR01 Transfer of patent right (effective date of registration: 20220711; patentee after: BEIJING QIHOO TECHNOLOGY Co.,Ltd., Room 801, 8th floor, No. 104, floors 1-19, building 2, yard 6, Jiuxianqiao Road, Chaoyang District, Beijing 100015; patentees before: BEIJING QIHOO TECHNOLOGY Co.,Ltd., 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park), and Qizhi software (Beijing) Co.,Ltd.)
CF01 Termination of patent right due to non-payment of annual fee (granted publication date: 20150819)