Embodiments
Exemplary embodiments of the present disclosure are described below in more detail with reference to the accompanying drawings. Although exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the disclosure may be implemented in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the disclosure will be understood more thoroughly and so that its scope can be fully conveyed to those skilled in the art.
A program is an ordinary file, a set of machine-code instructions and data, and is a static concept. A process is one execution of a program on a computer and is a dynamic concept. The same program can run over several data sets at the same time, that is, one program can correspond to several processes. Network access behaviour is initiated by a running program (that is, by a process), and the current network access behaviour of a program is the network access behaviour initiated by the processes belonging to that program. Network access behaviour takes many forms, including HTTP access (commonly downloading a file or uploading information), SMTP requests (for example sending e-mail) and DNS requests (resolving the IP address that corresponds to a domain name, among other information).
Fig. 1 shows a flow chart of a method 100 for protecting against network access behaviour according to a first embodiment of the invention. As shown in Fig. 1, method 100 starts at step S101, in which the driver layer (ring0) intercepts the packets of a network access request initiated by a program. The packets intercepted by the driver layer are the packets of the program's request to send data (socket send) and of its request to receive data (socket receive).
When an ordinary program needs to connect to the network, it issues a network access request through the API (Application Programming Interface) provided by the operating system (such as Windows). After the operating system receives the program's network access request, it receives the packet the program wants to send, encapsulates it and passes the encapsulated packet to the physical device (such as the network interface card), and the hardware finally puts the packet on the wire. Because the normal network access flow follows this chain, intercepting the relevant network behaviour information at any link in the chain achieves the purpose of monitoring the program's current network behaviour. Optionally, the driver layer may intercept the packets of a program's network access request in any of the following ways:
(1) Register a protocol driver or create a filter driver on the client, and use it to intercept the packets of the network access request initiated by the program.
In the normal network access flow the operating system, while processing the related data, obtains the data of the network access behaviour through certain protocol drivers or filter drivers, so the packets of a program's network access request can be intercepted by registering a protocol driver on the client, or by creating a filter driver similar to the operating system's own. Specifically, a protocol driver can be registered with NDIS (Network Driver Interface Specification), or a filter driver similar to the operating system's own can be created on the device stack of Afd.sys (Ancillary Function Driver for Winsock), Tdi.sys (Transport Driver Interface) or Tcpip.sys (Transmission Control Protocol/Internet Protocol), and the packets of the network access request initiated by the program are intercepted there.
Taking a filter driver created on the Afd.sys device stack as an example: when the packet of a network access request is sent, the dispatch routine of Afd.sys that the system would originally call is preceded by a call to the dispatch routine of the newly created filter driver, and the packet is intercepted in that way. A filter at this level sees the buffer the program handed to the socket, before the operating system encapsulates it, which is the form the parsing in the following steps works on; a protocol driver registered with NDIS sees the encapsulated frames instead.
(2) Use the application programming interface functions provided by the operating system to intercept the packets of the network access request initiated by the program.
Taking hook functions as an example of such interface functions, the hook functions provided by the operating system are used to intercept the interface functions provided by the Windows SSDT (System Service Descriptor Table) (such as the NtDeviceIoControlFile function), the service functions provided by the Tcpip.sys driver, or the functions exported by NDIS.sys, and so obtain the packets of the network access request initiated by the program.
(3) Take over the program's calls to the network programming interface functions (Winsock), and intercept the packets of the network access request initiated by the program.
(4) Register a firewall callback, and intercept the packets of the network access request initiated by the program in the callback.
Method 100 then proceeds to step S102, in which the driver layer parses the intercepted packets, obtains at least one item of field information from them, and sends the packets together with the at least one item of field information to the application layer. Field information here means the value of a field of the request that identifies its target, such as a host name, a URL or an e-mail address. In this method the driver layer (ring0) has the capability of parsing the packets in socket send and socket receive, obtaining one or more items of field information they contain, and sending the packets and their field information to the application-layer (ring3) process.
Method 100 then proceeds to step S103, in which the application layer queries the local database for whether any of the at least one item of field information is stored there; if so, step S104 is executed, otherwise step S106. The client's local database stores a large number of field values together with a flag marking whether each value belongs to the blacklist or the whitelist. Optionally, the storage format of the local database may be the MD5 (Message Digest Algorithm 5) value of the field value followed by an extension byte, with the flag for blacklist or whitelist written in the extension byte. Because only the digest is stored, a field value has to be canonicalised before hashing (for example lower-cased, with any trailing dot removed from a host name), or the same host written two ways will miss its record.
In step S104, the application layer judges whether any of the at least one item of field information belongs to the blacklist of the local database; if so, step S105 is executed, otherwise step S106. The application layer makes this judgement from the flag marking whether the field value belongs to the blacklist or the whitelist.
In step S105, the program's network access request is blocked. If any of the at least one item of field information in the packets of a program's network access request belongs to the blacklist of the local database, the program is shown to be a malicious program, and its network access request is blocked, that is, its network access behaviour is blocked.
In step S106, the program's network access request is allowed. If none of the at least one item of field information in the packets of a program's network access request belongs to the blacklist of the local database but any of it belongs to the whitelist of the local database, the program is shown to be a normal program, and its network access request is allowed, that is, its network access behaviour is allowed. If the application layer finds that the local database stores none of the at least one item of field information, the program is shown to be an unknown program, and its network access request may be allowed. As an alternative implementation, if the program is an unknown program, the user may be prompted to choose, and the program's network access request is blocked or allowed according to the user's choice.
According to the method provided by this embodiment, the driver layer intercepts the packets of a network access request initiated by a program and parses them to obtain the field information they contain, and the application layer queries the local database with that field information to decide whether to block or allow the program's network access request. For the upper-layer protocols used by the program that are implemented over TCP/IP or UDP, the field information in the packets of a network access request reflects the target of the request, so this method judges whether a network access request is safe directly from the target of these upper-layer protocols and can intercept the network access behaviour of malicious programs more effectively. Moreover, the field information in the packets of network access requests does not change often, so the local database does not need frequent updating, and the network access behaviour of malicious programs can be intercepted in a more timely manner.
Fig. 2 shows a flow chart of a method 200 for protecting against network access behaviour according to a second embodiment of the invention. As shown in Fig. 2, method 200 starts at step S201, in which the driver layer (ring0) intercepts the packets of a network access request initiated by a program. The packets intercepted by the driver layer are the packets of the program's request to send data (socket send) and of its request to receive data (socket receive). For the way in which the driver layer intercepts the packets, refer to the description of method 100; it is not repeated here.
Method 200 then proceeds to step S202, in which the driver layer parses the intercepted packets, obtains at least one item of field information from them, and sends the packets together with the at least one item of field information to the application layer. In this method the driver layer (ring0) has the capability of parsing the packets in socket send and socket receive, obtaining one or more items of field information they contain, and sending the packets and their field information to the application-layer (ring3) process.
Method 200 then proceeds to step S203, in which the application layer queries the local database for whether any of the at least one item of field information is stored there; if so, step S204 is executed, otherwise step S205. The client's local database stores a large number of field values together with a flag marking whether each belongs to the blacklist or the whitelist. Optionally, the storage format of the local database may be the MD5 value of the field value followed by an extension byte, with the flag for blacklist or whitelist written in the extension byte.
In step S204, the application layer judges whether any of the at least one item of field information belongs to the blacklist of the local database; if so, step S209 is executed, otherwise step S210. The application layer makes this judgement from the flag marking whether the field value belongs to the blacklist or the whitelist.
In step S205, the application layer sends the at least one item of field information to the network-side server. The cloud database on the network-side server likewise stores a large number of field values and flags marking whether each belongs to the blacklist or the whitelist. The network-side server judges whether any of the at least one item of field information is in the cloud database; if so, it further judges from the flag whether that field value belongs to the blacklist or the whitelist of the cloud database, thereby obtains a query result, and returns it to the client.
After step S205, method 200 proceeds to step S206, in which the application layer receives the result of the network-side server's query of the cloud database for whether any of the at least one item of field information is stored there.
After step S206, method 200 proceeds to step S207, in which the application layer judges whether the query result shows that the cloud database stores any of the at least one item of field information; if so, step S208 is executed, otherwise step S210.
In step S208, the application layer judges whether the query result shows that the cloud database stores any of the at least one item of field information and that it belongs to the blacklist; if so, step S209 is executed, otherwise step S210.
In step S209, the program's network access request is blocked. If any of the at least one item of field information in the packets of a program's network access request belongs to the blacklist of the local database or of the cloud database, the program is shown to be a malicious program, and its network access request is blocked, that is, its network access behaviour is blocked.
In step S210, the program's network access request is allowed. If none of the at least one item of field information in the packets of a program's network access request belongs to the blacklist of the local database but any of it belongs to the whitelist of the local database, or none belongs to the blacklist of the cloud database but any of it belongs to the whitelist of the cloud database, the program is shown to be a normal program, and its network access request is allowed, that is, its network access behaviour is allowed. If the application layer finds that neither the local database nor the cloud database stores any of the at least one item of field information, the program is shown to be an unknown program, and its network access request may be allowed. As an alternative implementation, if the program is an unknown program, the user may be prompted to choose, and the program's network access request is blocked or allowed according to the user's choice.
According to the method provided by this embodiment, the driver layer intercepts the packets of a network access request initiated by a program and parses them to obtain the field information they contain; the application layer first queries the local database with that field information to decide whether to block or allow the program's network access request, and if the local database does not store the field information contained in the packets it goes on to have the network side query the cloud database to make that decision. For the upper-layer protocols used by the program that are implemented over TCP/IP or UDP, the field information in the packets of a network access request reflects the target of the request, so this method judges whether a network access request is safe directly from the target of these upper-layer protocols and can intercept the network access behaviour of malicious programs more effectively. Moreover, the field information in the packets of network access requests does not change often, so the local database does not need frequent updating and the network access behaviour of malicious programs can still be intercepted in a timely manner. By combining the local database and the cloud database to judge whether a network access request is safe, this method further improves the efficiency of intercepting the network access behaviour of malicious programs.
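The following Python is an added example of the application-layer decision described for methods 100 and 200; it is not code from the patent or from the product it describes. It packs the local database in the optional format given above (MD5 digest plus one extension byte), stands in for the cloud database with a constructed table queried by a local call instead of a network request, and shows the precedence the steps imply: a blacklist hit anywhere in the request's field information blocks it, a whitelist hit allows it, and the cloud database is consulted only when the local database stores none of the values. The flag byte values, the `.invalid` names and the canonicalisation step are assumptions of the example.

```python
import hashlib

# Flag values written in the "extension byte" that follows each MD5 digest.
# The text only says the byte marks blacklist or whitelist; these values are
# an assumption of this example.
FLAG_WHITELIST = 0x01
FLAG_BLACKLIST = 0x02

BLOCK, ALLOW, UNKNOWN = "block", "allow", "unknown"


def canonical(value: str) -> str:
    """Canonicalise a field value before hashing so that 'WWW.360.CN.' and
    'www.360.cn' hit the same record (only the digest is stored)."""
    return value.strip().rstrip(".").lower()


def md5_key(value: str) -> bytes:
    return hashlib.md5(canonical(value).encode("utf-8")).digest()


class LocalDatabase:
    """Client-side database: fixed-width records of a 16-byte MD5 digest
    followed by one flag byte, as described for steps S103/S104."""

    RECORD_LEN = 17

    def __init__(self, entries):
        # entries: iterable of (field value, flag); pack them into the record blob
        self.blob = b"".join(md5_key(v) + bytes([f]) for v, f in entries)
        # Index the blob for lookup (a deployed store would keep it sorted).
        self.index = {}
        for off in range(0, len(self.blob), self.RECORD_LEN):
            rec = self.blob[off:off + self.RECORD_LEN]
            self.index[rec[:16]] = rec[16]

    def lookup(self, value: str):
        """Flag byte for the value, or None when the value is not stored."""
        return self.index.get(md5_key(value))


class CloudDatabase:
    """Stand-in for the network-side server's cloud database (S205/S206).
    A real client sends the values over the network; here the query is a
    local call on a constructed table."""

    def __init__(self, entries):
        self.table = {canonical(v): f for v, f in entries}

    def query(self, values):
        """Query result: mapping of each stored value to its flag."""
        return {v: self.table[canonical(v)] for v in values if canonical(v) in self.table}


def verdict_from_flags(flags):
    """Blacklist wins over whitelist (the blacklist check precedes the allow step)."""
    if FLAG_BLACKLIST in flags:
        return BLOCK
    if FLAG_WHITELIST in flags:
        return ALLOW
    return UNKNOWN


def decide(fields, local: LocalDatabase, cloud: CloudDatabase = None):
    """Application-layer decision for one request's field values.

    Method 100: local database only. Method 200: the cloud database is
    consulted only when the local database stores none of the values.
    UNKNOWN is returned rather than ALLOW so the caller can either allow
    the request or prompt the user, as the text permits."""
    local_flags = [f for f in (local.lookup(v) for v in fields) if f is not None]
    if local_flags:
        return verdict_from_flags(local_flags)
    if cloud is not None:
        cloud_flags = list(cloud.query(fields).values())
        if cloud_flags:
            return verdict_from_flags(cloud_flags)
    return UNKNOWN


# Constructed sample data; the names are illustrative, not real verdicts.
LOCAL_DB = LocalDatabase([("www.360.cn", FLAG_WHITELIST),
                          ("evil.invalid", FLAG_BLACKLIST)])
CLOUD_DB = CloudDatabase([("good.invalid", FLAG_WHITELIST),
                          ("bad.invalid", FLAG_BLACKLIST)])

if __name__ == "__main__":
    for fields in (["www.360.cn"], ["WWW.360.CN."], ["www.360.cn", "evil.invalid"],
                   ["bad.invalid"], ["nobody.invalid"]):
        print(fields, "->", decide(fields, LOCAL_DB, CLOUD_DB))
```

Because the record holds only a digest and a flag, the database cannot express wildcards or subdomain matches; each host name, URL or address to be matched needs its own record, which is why the canonicalisation step has to be applied identically when the database is built and when it is queried.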
Fig. 3 shows a flow chart of a method 300 for protecting against network access behaviour according to a third embodiment of the invention. Method 300 is described taking an HTTP access request as the example of a network access request. As shown in Fig. 3, method 300 starts at step S301, in which the driver layer (ring0) intercepts the packets of an HTTP access request initiated by a program. The packets intercepted by the driver layer are the packets of the program's request to send data (socket send) and of its request to receive data (socket receive). For the way in which the driver layer intercepts the packets, refer to the description of method 100; it is not repeated here.
Method 300 then proceeds to step S302, in which the driver layer parses the intercepted packets and obtains the host name (Host) from them. Before or while parsing the intercepted socket send and socket receive packets, the driver layer can also obtain the IP address and port from the socket connect request.
Method 300 then proceeds to step S303, in which the driver layer judges whether the driver-layer memory (ring0 cache) holds a record of the program's process state information from the last HTTP access request of the program that had the same IP address, port and host name as the current one; if so, step S304 is executed, otherwise step S306. In this method, after an HTTP access request has been handled, the ring0 cache records the IP address, port and host name of that request together with the program's process state information for it. Process state information here means that the host name of the program's current HTTP access request belongs to the blacklist or to the whitelist, or that the program was identified as an unknown program in the current HTTP access request. Based on these records in the ring0 cache, in step S303 the driver layer can first check whether the ring0 cache holds the process state information from the program's last HTTP access request with the same IP address, port and host name as the current one.
In step S304, the driver layer judges whether the program's last process state information is that the program is an unknown program; if so, step S306 is executed, otherwise step S305.
In step S305, the driver layer judges whether the program's last process state information is that the host name of the program's last HTTP access request belongs to the blacklist; if so, step S314 is executed, otherwise step S315.
In step S306, the driver layer sends the packets together with the host name, IP address and port to the application layer.
After step S306, method 300 proceeds to step S307, in which the application layer parses the packets further to obtain more field information, including the URL, the agent identifier (User-Agent) and the referring-page information (Referer).
An example of the packet of an HTTP access request is as follows:
GET /index.html HTTP/1.1\r\n
Host: www.360.cn\r\n
User-Agent: IE\r\n
Referer: http://www.qihoo.net/\r\n
For this example, the driver layer parses the packet and obtains the host name www.360.cn; the application layer parses the packet further and obtains the URL http://www.360.cn/index.html, the User-Agent IE and the Referer http://www.qihoo.net/.
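As an added example that is not part of the patent text, the following Python parses a socket send buffer into the field information listed above (host name, URL, User-Agent, Referer). It also covers cases a driver-layer parser meets on port 80 that the example does not show: a buffer that is not HTTP at all (returned as None so the request falls back to IP-and-port handling), an HTTP/1.0 request without a Host header, a Host value carrying a port, and an absolute-form request line as sent to a proxy. The sample buffers are constructed from the example above.

```python
from urllib.parse import urlsplit


def _strip_port(host: str) -> str:
    """Drop an explicit ':port' from a Host value (IPv6 literals keep their brackets)."""
    if host.startswith("["):
        end = host.find("]")
        return host[:end + 1] if end != -1 else host
    name, sep, port = host.rpartition(":")
    return name if sep and port.isdigit() else host


def parse_http_request(data: bytes):
    """Field information of one HTTP request taken from a socket send buffer:
    method, host, url, user_agent, referer. Returns None when the buffer is
    not an HTTP request (for example TLS or a binary protocol on port 80),
    so the caller can fall back to handling by IP address and port only."""
    head = data.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    method, target, _version = (p.decode("latin-1") for p in parts)
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:  # "Host:www.360.cn" without a space is accepted as well
            headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    host = headers.get("host")
    if target.lower().startswith(("http://", "https://")):
        # absolute-form request line (as sent to a proxy) carries the host itself
        url = target
        host = host or urlsplit(target).hostname
    elif host:
        url = "http://" + host + target
    else:
        url = None  # HTTP/1.0 request without Host: only IP and port are available
    return {
        "method": method,
        "host": _strip_port(host) if host else None,
        "url": url,
        "user_agent": headers.get("user-agent"),
        "referer": headers.get("referer"),
    }


# Constructed request buffers; the first reproduces the example above.
SAMPLE = (b"GET /index.html HTTP/1.1\r\n"
          b"Host: www.360.cn\r\n"
          b"User-Agent: IE\r\n"
          b"Referer: http://www.qihoo.net/\r\n\r\n")
NO_HOST = b"GET /index.html HTTP/1.0\r\nUser-Agent: IE\r\n\r\n"
PROXY_FORM = b"GET http://www.360.cn:8080/a HTTP/1.1\r\n\r\n"
TLS_HELLO = b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"  # first bytes of a ClientHello

if __name__ == "__main__":
    for buf in (SAMPLE, NO_HOST, PROXY_FORM, TLS_HELLO):
        print(parse_http_request(buf))
```

The URL is rebuilt from the Host header and the request target, which is why a request without a Host header yields no URL; the IP address and port from the socket connect request remain available for the lookup in that case.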
After step S307, method 300 proceeds to step S308, in which the application layer queries the local database for whether any of the field information, namely the host name, IP address, port, URL, User-Agent and Referer, is stored there; if so, step S309 is executed, otherwise step S310.
In step S309, the application layer judges whether any of the host name, IP address, port, URL, User-Agent, Referer or other field information belongs to the blacklist of the local database; if so, step S314 is executed, otherwise step S315.
In step S310, the application layer sends the host name, IP address, port, URL, User-Agent, Referer and other field information to the network-side server. The cloud database on the network-side server likewise stores a large number of field values and flags marking whether each belongs to the blacklist or the whitelist. The network-side server judges whether any of the above field information is in the cloud database; if so, it further judges from the flag whether that field value belongs to the blacklist or the whitelist of the cloud database, thereby obtains a query result, and returns it to the client.
After step S310, method 300 proceeds to step S311, in which the application layer receives the result of the network-side server's query of the cloud database.
After step S311, method 300 proceeds to step S312, in which the application layer judges whether the query result shows that the cloud database stores any of the host name, IP address, port, URL, User-Agent, Referer or other field information; if so, step S313 is executed, otherwise step S315.
In step S313, the application layer judges whether the query result shows that the cloud database stores any of the host name, IP address, port, URL, User-Agent, Referer or other field information and that it belongs to the blacklist; if so, step S314 is executed, otherwise step S315.
In step S314, the program's HTTP access request is blocked.
In step S315, the program's HTTP access request is allowed.
After step S314 or step S315, method 300 proceeds to step S316, in which the IP address, port and host name of the program's current HTTP access request are recorded in the ring0 cache (for the example above, the recorded content is IP: 220.181.24.100, port: 80, Host: www.360.cn), together with the program's process state information for the current request, namely that one of the items of field information of the current HTTP access request belongs to the blacklist or the whitelist, or that the program is an unknown program for the current request.
In this method, before the driver layer sends the packets and field information to the application layer, it first checks whether the ring0 cache holds the process state information from the same program's last HTTP access request, the last HTTP access request being the most recent one whose host name, IP address and port are the same as those of the current HTTP access request. If such a record exists and the process state information is that the field information belongs to the blacklist or the whitelist, the same handling as last time is applied directly, and the packets and field information need not be sent again to the application layer for the local database and cloud database queries. This greatly reduces the number of queries, reduces the load on the back end and improves the efficiency of network access. Moreover, what the ring0 cache records in this method is the host name, IP address and port of the HTTP access request, not the URL, so HTTP access requests with the same host name, IP address and port but different URLs are all handled according to the last process state information, which reduces the number of database queries for unknown URLs and further improves the efficiency of network access.
To improve the processing efficiency of this method further, on the basis of the embodiment above the ring0 cache can also record the cumulative number of times the same program has been confirmed to be an unknown program. In step S304, if the driver layer judges that the program's last process state information is that the program is an unknown program, the driver layer further judges whether the cumulative number of times the program has been confirmed to be an unknown program is greater than or equal to a preset value, preferably 4; if the cumulative number is greater than or equal to the preset value, the program's network access request is allowed, otherwise step S306 is executed. Correspondingly, in step S316, if the process state information for the current request is that the program is an unknown program, the ring0 cache also updates the cumulative number of times the program has been confirmed to be an unknown program, that is, adds 1 to the previous cumulative number. With this handling, once a program has been confirmed to be an unknown program repeatedly, its network access behaviour is allowed directly, which improves the efficiency of network access.
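The ring0 cache behaviour of steps S303 to S305 and S316, together with the unknown-program counter, as an added Python model that is not the patent's own code. The application layer is replaced by a constructed verdict table (the list states of a few field values), since the point here is the cache: an entry is keyed by program, IP address, port and host name without the URL, so a second request to another URL on the same host is settled from the cache, and a program confirmed unknown four times (the preferred preset value) is allowed from the cache on its next request. The same key without the URL also means a blacklist entry that names only a URL is not consulted once the host already has a whitelist entry in the cache; the third request in the usage run shows this. The program names and addresses are illustrative.

```python
from collections import defaultdict

STATE_BLACKLIST, STATE_WHITELIST, STATE_UNKNOWN = "blacklist", "whitelist", "unknown"
UNKNOWN_THRESHOLD = 4  # the preset value the text prefers


class Ring0Cache:
    """Model of the driver-layer cache: one process-state entry per
    (program, IP, port, host) and a per-program count of 'unknown' verdicts."""

    def __init__(self, threshold=UNKNOWN_THRESHOLD):
        self.states = {}
        self.unknown_count = defaultdict(int)
        self.threshold = threshold

    def lookup(self, program, ip, port, host):
        """Steps S303-S305: the verdict when the cache settles the request,
        or None when the packet must go up to the application layer (S306)."""
        state = self.states.get((program, ip, port, host))
        if state is None:
            return None
        if state == STATE_UNKNOWN:
            # S304 with the cumulative counter: allow directly once the
            # program has been confirmed unknown 'threshold' times
            return "allow" if self.unknown_count[program] >= self.threshold else None
        return "block" if state == STATE_BLACKLIST else "allow"

    def record(self, program, ip, port, host, state):
        """Step S316: remember the verdict and bump the unknown counter."""
        self.states[(program, ip, port, host)] = state
        if state == STATE_UNKNOWN:
            self.unknown_count[program] += 1


def application_layer_state(fields, verdicts):
    """Stand-in for steps S308-S313: 'verdicts' is a constructed table of
    field value -> list state that replaces the local and cloud databases."""
    found = [verdicts[v] for v in fields if v in verdicts]
    if STATE_BLACKLIST in found:
        return STATE_BLACKLIST
    if STATE_WHITELIST in found:
        return STATE_WHITELIST
    return STATE_UNKNOWN


def handle_http_request(cache, program, ip, port, host, url, verdicts):
    """Full path for one request: (verdict, where it was decided)."""
    cached = cache.lookup(program, ip, port, host)
    if cached is not None:
        return cached, "ring0 cache"
    state = application_layer_state([host, url], verdicts)
    cache.record(program, ip, port, host, state)
    # S314 for a blacklist hit; whitelist and unknown both reach S315 (allow)
    return ("block" if state == STATE_BLACKLIST else "allow"), "application layer"


# Constructed verdict table; names and addresses are illustrative only.
VERDICTS = {"www.360.cn": STATE_WHITELIST,
            "http://www.360.cn/marked-bad": STATE_BLACKLIST,
            "bad.invalid": STATE_BLACKLIST}

if __name__ == "__main__":
    cache = Ring0Cache()
    args = ("browser.exe", "220.181.24.100", 80, "www.360.cn")
    print(handle_http_request(cache, *args, "http://www.360.cn/index.html", VERDICTS))
    print(handle_http_request(cache, *args, "http://www.360.cn/other.html", VERDICTS))
    print(handle_http_request(cache, *args, "http://www.360.cn/marked-bad", VERDICTS))
    for _ in range(5):
        print(handle_http_request(cache, "tool.exe", "192.0.2.10", 80, "nobody.invalid",
                                  "http://nobody.invalid/", VERDICTS))
```

A deployment that wants URL-level blacklist entries to take effect on an already cached host has to either include the URL in the cache key for those hosts or invalidate the cache when the database is updated; the text describes neither, so the model does neither.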
In this method, after the application layer receives the packets it parses them further to obtain more field information. In the subsequent queries of the local database and the cloud database, as soon as any one item of field information belongs to the blacklist or the whitelist the program can be determined to be a malicious program or a normal program accordingly, so the more items of field information there are, the higher the interception efficiency for network access behaviour.
It should be understood, however, that step S307 is optional. That is, the application layer may refrain from parsing the packets further when it receives them, in which case the field information handled by the application layer in the subsequent steps comprises the host name, IP address and port and does not include the URL, User-Agent, Referer or other field information.
The method provided by the third embodiment above is described taking an HTTP access request as the example, but the method is not limited to HTTP access requests; other network access requests similar to HTTP access requests can also adopt the protection method provided by the third embodiment.
Fig. 4 shows a flow chart of a method 400 for protecting against network access behaviour according to a fourth embodiment of the invention. Method 400 is described taking a DNS access request as the example of a network access request. As shown in Fig. 4, method 400 starts at step S401, in which the driver layer (ring0) intercepts the packets of a DNS access request initiated by a program. The packets intercepted by the driver layer are the packets of the program's request to send data (socket send) and of its request to receive data (socket receive). For the way in which the driver layer intercepts the packets, refer to the description of method 100; it is not repeated here.
Method 400 then proceeds to step S402, in which the driver layer parses the intercepted packets and obtains the DNS domain name (the queried name) from them.
An example of the packet of a DNS access request, shown as a protocol dissector displays it, is as follows:
Domain Name System (query)
Transaction ID: 0x276b
Questions: 1
Answer RRs: 0
Authority RRs: 0
Additional RRs: 0
Queries: www.360.cn: type A, class IN
For this example, the driver layer parses the packet and obtains the DNS domain name www.360.cn.
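The DNS packet above is shown as a dissector displays it; on the wire it is a 12-byte header followed by the question. The Python below is an added example, not the patent's code, of the driver-layer parsing of step S402 from the raw bytes: it decodes the header, walks the question names, and rejects malformed input (truncated messages and compression-pointer loops) instead of spinning, since the driver is parsing bytes that a possibly malicious program chose. A helper builds the example query (transaction ID 0x276b, www.360.cn, type A, class IN) and a hostile looping message as constructed inputs.

```python
import struct

MAX_POINTER_JUMPS = 8  # guard against compression-pointer loops in hostile input


def _read_name(msg: bytes, off: int):
    """Decode a DNS name at 'off'; returns (name, offset just after the name)."""
    labels, jumps, after = [], 0, None
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        length = msg[off]
        if length == 0:
            off += 1
            break
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 section 4.1.4)
            if off + 1 >= len(msg):
                raise ValueError("truncated pointer")
            jumps += 1
            if jumps > MAX_POINTER_JUMPS:
                raise ValueError("pointer loop")
            if after is None:
                after = off + 2  # the name ends after the first pointer
            off = ((length & 0x3F) << 8) | msg[off + 1]
            continue
        if length > 63 or off + 1 + length > len(msg):
            raise ValueError("bad label")
        labels.append(msg[off + 1:off + 1 + length].decode("ascii", "replace").lower())
        off += 1 + length
    return ".".join(labels), (after if after is not None else off)


def parse_dns_query(msg: bytes):
    """Parse a DNS message from a UDP socket send buffer (for TCP strip the
    2-byte length prefix first). Returns {'id', 'questions': [(name, qtype,
    qclass), ...]}, or None when the message is a response, not a query."""
    if len(msg) < 12:
        raise ValueError("short header")
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", msg[:12])
    if flags & 0x8000:  # QR bit set: a response
        return None
    off, questions = 12, []
    for _ in range(qdcount):
        name, off = _read_name(msg, off)
        if off + 4 > len(msg):
            raise ValueError("truncated question")
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype, qclass))
    return {"id": txid, "questions": questions}


def build_query(name: str, txid: int, qtype: int = 1) -> bytes:
    """Constructed input: a standard query with one question, i.e. the
    dissector listing above encoded on the wire."""
    header = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT 1
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


SAMPLE_QUERY = build_query("www.360.cn", 0x276b)
# Constructed response header (QR bit set) and a hostile message whose
# question name is a pointer to itself.
SAMPLE_RESPONSE = struct.pack("!6H", 0x276b, 0x8180, 0, 0, 0, 0)
POINTER_LOOP = struct.pack("!6H", 1, 0x0100, 1, 0, 0, 0) + b"\xc0\x0c" + b"\x00\x01\x00\x01"

if __name__ == "__main__":
    print(parse_dns_query(SAMPLE_QUERY))
    try:
        parse_dns_query(POINTER_LOOP)
    except ValueError as e:
        print("rejected:", e)
```

Only the question section is needed for the lookup in steps S407 onwards, so the parser stops after it; the names are lower-cased because DNS names are case-insensitive and the database stores a digest of the canonical form.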
Method 400 then proceeds to step S403, in which the driver layer judges whether the driver-layer memory (ring0 cache) holds a record of the program's process state information from the last DNS access request of the program that had the same DNS domain name as the current one; if so, step S404 is executed, otherwise step S406. In this method, after a DNS access request has been handled, the ring0 cache records the DNS domain name of that request together with the program's process state information for it. Process state information here means that the DNS domain name of the program's current DNS access request belongs to the blacklist or to the whitelist, or that the program was identified as an unknown program in the current DNS access request. Based on these records in the ring0 cache, in step S403 the driver layer can first check whether the ring0 cache holds the process state information from the program's last DNS access request with the same DNS domain name as the current one.
In step S404, the driver layer judges whether the program's last process state information is that the program is an unknown program; if so, step S414 is executed, otherwise step S405.
In step S405, the driver layer judges whether the program's last process state information is that the DNS domain name of the program's last DNS access request belongs to the blacklist; if so, step S413 is executed, otherwise step S414.
In step S406, the driver layer sends the packets and the DNS domain name to the application layer.
After step S406, method 400 proceeds to step S407, in which the application layer queries the local database for whether the DNS domain name is stored there; if so, step S408 is executed, otherwise step S409.
In step S408, the application layer judges whether the DNS domain name belongs to the blacklist of the local database; if so, step S413 is executed, otherwise step S414.
In step S409, the application layer sends the DNS domain name to the network-side server. The cloud database on the network-side server likewise stores a large number of DNS domain names and flags marking whether each belongs to the blacklist or the whitelist. The network-side server judges whether the DNS domain name is in the cloud database; if so, it further judges from the flag whether the DNS domain name belongs to the blacklist or the whitelist of the cloud database, thereby obtains a query result, and returns it to the client.
After step S409, method 400 proceeds to step S410, in which the application layer receives the result of the network-side server's query of the cloud database.
After step S410, method 400 proceeds to step S411, in which the application layer judges whether the query result shows that the cloud database stores the DNS domain name; if so, step S412 is executed, otherwise step S414.
In step S412, the application layer judges whether the query result shows that the cloud database stores the DNS domain name and that it belongs to the blacklist; if so, step S413 is executed, otherwise step S414.
In step S413, the program's DNS access request is blocked.
In step S414, the program's DNS access request is allowed.
After step S413 or step S414, method 400 proceeds to step S415, in which the DNS domain name of the program's current DNS access request is recorded in the ring0 cache (for the example above, the recorded content is www.360.cn), together with the program's process state information for the current request, namely that the DNS domain name of the current DNS access request belongs to the blacklist or the whitelist, or that the program is an unknown program for the current request.
In this method, before the driver layer sends the packets and the DNS domain name to the application layer, it first checks whether the ring0 cache holds the process state information from the same program's last DNS access request, the last DNS access request being the most recent one whose DNS domain name is the same as that of the current DNS access request. If such a record exists and the process state information is that the DNS domain name belongs to the blacklist or the whitelist, the same handling as last time is applied directly, and if the process state information is that the program is an unknown program, the program's network access request is allowed directly; in either case the packets and field information need not be sent again to the application layer for the local database and cloud database queries. This greatly reduces the number of queries, reduces the load on the back end and improves the efficiency of network access.
The method provided by the fourth embodiment above is described taking a DNS access request as the example, but the method is not limited to DNS access requests; other network access requests can also adopt the protection method provided by the fourth embodiment.
Fig. 5 shows a flow chart of a method 500 for protecting against network access behaviour according to a fifth embodiment of the invention. Method 500 is described taking an SMTP access request as the example of a network access request. As shown in Fig. 5, method 500 starts at step S501, in which the driver layer (ring0) intercepts the packets of an SMTP access request initiated by a program. The packets intercepted by the driver layer are the packets of the program's request to send data (socket send) and of its request to receive data (socket receive). For the way in which the driver layer intercepts the packets, refer to the description of method 100; it is not repeated here.
Method 500 then proceeds to step S502, in which the driver layer parses the intercepted packets and obtains the sender's and/or the recipients' e-mail addresses from them.
The example of the packet of SMTP access request is as follows:
"220 smtp.example.com ESMTP Postfix\r\n"
"HELO relay.example.org\r\n"
"250 Hello relay.example.org, I am glad to meet you\r\n"
"MAIL FROM:<bob@example.org> SIZE\r\n"
"250 Ok\r\n"
"RCPT TO:<alice@example.com>\r\n"
"250 Ok\r\n"
"RCPT TO:<theboss@example.com>\r\n"
"250 Ok\r\n"
"DATA\r\n"
"354 End data with <CR><LF>.<CR><LF>\r\n"
"From: \"Bob Example\" <bob@example.org>\r\n"
"To: \"Alice Example\" <alice@example.com>\r\n"
"Cc: theboss@example.com\r\n"
"Date: Tue, 15 Jan 2008 16:02:43 -0500\r\n"
"Subject: Test message\r\n"
"\r\n"
"Hello Alice.\r\n"
"This is a test message with 5 header fields and 4 lines in the message body.\r\n"
"Your friend,\r\n"
"Bob\r\n"
".\r\n"
"250 Ok: queued as 12345\r\n"
"QUIT\r\n"
"221 Bye\r\n"
For this example, the sender's e-mail address obtained by the driver layer when parsing the packets is bob@example.org, and the recipients' e-mail addresses are alice@example.com and theboss@example.com.
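The following Python is an added example, not code from the patent, of the parsing step S502: it takes the SMTP exchange quoted above as a single byte stream (both directions interleaved, as a driver-layer interceptor would see it on the socket) and extracts the sender and recipient addresses from the envelope commands. The names parse_smtp_envelope and SAMPLE_SMTP_SESSION are this example's own. It reads only the MAIL FROM and RCPT TO commands, because the From, To and Cc header lines inside DATA are written by the client and need not match the envelope; it also stops matching commands inside the DATA section, so an address-like line in the message body cannot be mistaken for a recipient.

```python
import re
from typing import List, Tuple

# Constructed sample: the SMTP exchange quoted above, reassembled as the raw
# bytes a driver-layer interceptor would see (both directions interleaved).
SAMPLE_SMTP_SESSION = (
    b"220 smtp.example.com ESMTP Postfix\r\n"
    b"HELO relay.example.org\r\n"
    b"250 Hello relay.example.org, I am glad to meet you\r\n"
    b"MAIL FROM:<bob@example.org> SIZE\r\n"
    b"250 Ok\r\n"
    b"RCPT TO:<alice@example.com>\r\n"
    b"250 Ok\r\n"
    b"RCPT TO:<theboss@example.com>\r\n"
    b"250 Ok\r\n"
    b"DATA\r\n"
    b"354 End data with <CR><LF>.<CR><LF>\r\n"
    b"From: \"Bob Example\" <bob@example.org>\r\n"
    b"To: \"Alice Example\" <alice@example.com>\r\n"
    b"Cc: theboss@example.com\r\n"
    b"Date: Tue, 15 Jan 2008 16:02:43 -0500\r\n"
    b"Subject: Test message\r\n"
    b"\r\n"
    b"Hello Alice.\r\n"
    b"This is a test message with 5 header fields and 4 lines in the message body.\r\n"
    b"Your friend,\r\n"
    b"Bob\r\n"
    b".\r\n"
    b"250 Ok: queued as 12345\r\n"
    b"QUIT\r\n"
    b"221 Bye\r\n"
)

# Envelope commands are case-insensitive; whitespace before "<" and ESMTP
# parameters after ">" (such as SIZE) are tolerated.
_MAIL_FROM = re.compile(rb"^MAIL\s+FROM:\s*<([^>]*)>", re.IGNORECASE)
_RCPT_TO = re.compile(rb"^RCPT\s+TO:\s*<([^>]*)>", re.IGNORECASE)


def parse_smtp_envelope(session: bytes) -> Tuple[str, List[str]]:
    """Return (sender, recipients) taken from the SMTP envelope commands.

    Header lines inside DATA (From:, To:, Cc:) are deliberately ignored:
    the client controls them, so only the envelope reflects where the
    message is actually going. Command matching is suspended between DATA
    and the terminating "." line so body text cannot inject a recipient.
    """
    sender = ""
    recipients: List[str] = []
    in_data = False
    for raw in session.split(b"\r\n"):
        if in_data:
            if raw == b".":          # end of message body, back to commands
                in_data = False
            continue
        if raw.upper() == b"DATA":
            in_data = True
            continue
        m = _MAIL_FROM.match(raw)
        if m:
            sender = m.group(1).decode("ascii", "replace").strip().lower()
            continue
        m = _RCPT_TO.match(raw)
        if m:
            addr = m.group(1).decode("ascii", "replace").strip().lower()
            if addr and addr not in recipients:
                recipients.append(addr)
    return sender, recipients


if __name__ == "__main__":
    print(parse_smtp_envelope(SAMPLE_SMTP_SESSION))
```

For the quoted session the function returns the sender bob@example.org and the recipients alice@example.com and theboss@example.com, the same values the text gives for step S502.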
Subsequently, method 500 proceeds to step S503, in which the driver layer determines whether the driver-layer memory (ring0 cache) records process state information for this program's previous SMTP access request having the same sender and/or recipient e-mail addresses as the current SMTP access request; if so, step S504 is executed; otherwise, step S506 is executed. In this method, after an SMTP access request has been processed, the ring0 cache records the sender's and/or recipients' e-mail addresses of that SMTP access request along with the program's process state information for it. The process state information here indicates that the sender's and/or recipients' e-mail addresses of the program's current SMTP access request belong to the blacklist or the white list, or that the program was identified as an unknown program for the current SMTP access request. Based on these records, the driver layer can first check in step S503 whether the ring0 cache records process state information for the program's previous SMTP access request with the same sender and/or recipient e-mail addresses.
In step S504, the driver layer determines whether the process state information of the program's previous request indicates that the program is an unknown program; if so, step S514 is executed; otherwise, step S505 is executed.
In step S505, the driver layer determines whether the process state information of the program's previous request indicates that the sender's and/or recipients' e-mail addresses of that previous SMTP access request belong to the blacklist; if so, step S513 is executed; otherwise, step S514 is executed.
In step S506, the driver layer sends the packet and the sender's and/or recipients' e-mail addresses to the application layer.
After step S506, method 500 proceeds to step S507, in which the application layer queries whether the local database stores the sender's and/or recipients' e-mail addresses; if so, step S508 is executed; otherwise, step S509 is executed.
In step S508, the application layer determines whether the sender's and/or recipients' e-mail addresses belong to the blacklist of the local database; if so, step S513 is executed; otherwise, step S514 is executed.
In step S509, the application layer sends the sender's and/or recipients' e-mail addresses to the network-side device. The cloud database of the network-side device stores a large number of sender and/or recipient e-mail addresses, each marked as belonging to the blacklist or the white list. The network-side device determines whether the sender's and/or recipients' e-mail addresses are stored in the cloud database; if they are, it further determines from the mark whether these addresses belong to the blacklist or the white list of the cloud database, thereby obtaining a query result, which it returns to the client.
After step S509, method 500 proceeds to step S510, in which the application layer receives the result of the network-side device's query of the cloud database.
After step S510, method 500 proceeds to step S511, in which the application layer determines whether the query result shows that the cloud database stores the sender's and/or recipients' e-mail addresses; if so, step S512 is executed; otherwise, step S514 is executed.
In step S512, the application layer determines whether the query result shows that the cloud database stores the sender's and/or recipients' e-mail addresses and that these addresses belong to the blacklist; if so, step S513 is executed; otherwise, step S514 is executed.
In step S513, the SMTP access request of the program is blocked.
In step S514, the SMTP access request of the program is allowed.
After step S513 or step S514, method 500 proceeds to step S515, in which the sender's and/or recipients' e-mail addresses of the program's current SMTP access request are recorded in the ring0 cache (for the example above, the recorded content is bob@example.org, alice@example.com and theboss@example.com) together with the program's process state information for this request. The process state information indicates that the sender's and/or recipients' e-mail addresses of this SMTP access request belong to the blacklist or the white list, or that the program is an unknown program.
In this method, before the driver layer sends the packet and the sender's and/or recipients' e-mail addresses to the application layer, it first checks whether the ring0 cache records process state information for the same program's previous SMTP access request, where the previous SMTP access request is the most recent SMTP access request whose sender and/or recipient e-mail addresses are identical to those of the current request. If such a record exists and the process state information indicates that the addresses belong to the blacklist or the white list, the same handling as last time is applied directly; if the process state information indicates that the program is an unknown program, the program's network access request is allowed directly. In neither case do the packet and the addresses have to be sent to the application layer again for the local database and cloud database queries, which greatly reduces the number of queries, lightens the load on the back end and improves the efficiency of network access.
The fifth embodiment above is described using an SMTP access request as an example, but the method is not limited to SMTP access requests; other network access requests can also adopt the protection method provided by the fifth embodiment.
It should be noted that in the several method embodiments above, the cloud database query may be omitted; an embodiment that relies only on the local database query to block or allow the network access behavior is also an optional embodiment.
Fig. 6 shows a schematic structural diagram of an apparatus for protecting against network access behavior according to a sixth embodiment of the invention. As shown in Fig. 6, the network protection apparatus 600 comprises a driver layer module 610 and an application layer module 620. The driver layer module 610 comprises an interception module 611, a driver layer parsing module 612 and a first sending module 613. The interception module 611 is adapted to intercept a packet of a network access request initiated by a program; the driver layer parsing module 612 is adapted to parse the packet and obtain at least one kind of domain information contained in it; the first sending module 613 is adapted to send the packet and its at least one kind of domain information to the application layer module 620. The application layer module 620 comprises a first receiving module 621, a query module 622, a blocking module 623 and an allowing module 624. The first receiving module 621 is adapted to receive the packet and its at least one kind of domain information sent by the first sending module 613; the query module 622 is adapted to query whether the local database stores any of the at least one kind of domain information; the blocking module 623 is adapted to block the program's network access request when the query module 622 finds that any of the domain information belongs to the blacklist of the local database; the allowing module 624 is adapted to allow the program's network access request when the query module 622 finds that none of the domain information belongs to the blacklist of the local database but any of it belongs to the white list of the local database.
Optionally, the allowing module 624 is further adapted to allow the program's network access request when the query module 622 finds that the local database stores none of the at least one kind of domain information, which indicates that the program is an unknown program.
Optionally, the interception module 611 is specifically adapted to intercept the packet of the network access request initiated by the program by registering a protocol driver or creating a filter driver in the client; or by using an application programming interface function provided by the operating system; or by taking over the program's calls to network programming interface functions; or by registering a firewall callback. More specifically, the interception module 611 may be adapted to intercept the packet by registering a protocol driver with NDIS, or by creating a filter driver on the device stack of the winsock auxiliary function driver, of the Transport Driver Interface (TDI) or of the TCP/IP driver. The interception module 611 may also be adapted to obtain the packet by using hook functions provided by the operating system to intercept the interface functions of the system service descriptor table (SSDT), the service functions provided by TCP/IP, or the export functions provided by NDIS.
With the apparatus of this embodiment, the driver layer intercepts the packet of a network access request initiated by a program and parses it to obtain the domain information it contains, and the application layer queries the local database with this domain information to decide whether to block or allow the program's network access request. For the upper-layer protocols that programs use on top of TCP/IP or UDP, the domain information in the packet of a network access request reflects the target of that request; because the apparatus judges whether a network access request is safe directly from the target of these upper-layer protocols, it can intercept the network access behavior of malicious programs more effectively. Moreover, since the domain information in the packets of network access requests does not change often, the local database does not need frequent updates, so the network access behavior of malicious programs can be intercepted in a more timely manner.
Fig. 7 shows a schematic structural diagram of an apparatus for protecting against network access behavior according to a seventh embodiment of the invention. As shown in Fig. 7, the network protection apparatus 700 comprises a driver layer module 710 and an application layer module 720.
The driver layer module 710 comprises an interception module 711, a driver layer parsing module 712 and a first sending module 713. The interception module 711 is adapted to intercept a packet of a network access request initiated by a program; the driver layer parsing module 712 is adapted to parse the packet and obtain at least one kind of domain information contained in it; the first sending module 713 is adapted to send the packet and its at least one kind of domain information to the application layer module 720.
The application layer module 720 comprises a first receiving module 721, a query module 722, a blocking module 723, an allowing module 724, a second sending module 725 and a second receiving module 726. The first receiving module 721 is adapted to receive the packet and its at least one kind of domain information sent by the first sending module 713; the query module 722 is adapted to query whether the local database stores any of the at least one kind of domain information; the blocking module 723 is adapted to block the program's network access request when the query module 722 finds that any of the domain information belongs to the blacklist of the local database; the allowing module 724 is adapted to allow the program's network access request when the query module 722 finds that none of the domain information belongs to the blacklist of the local database but any of it belongs to the white list of the local database. The second sending module 725 is adapted to send the at least one kind of domain information to the network-side device when the query module 722 finds that the local database stores none of it; the second receiving module 726 is adapted to receive the result of the network-side device's query of whether the cloud database stores any of the at least one kind of domain information; the blocking module 723 is further adapted to block the program's network access request when the query result received by the second receiving module 726 shows that the cloud database stores any of the domain information and that it belongs to the blacklist; the allowing module 724 is further adapted to allow the program's network access request when the query result received by the second receiving module 726 shows that the cloud database stores any of the domain information and that it does not belong to the blacklist but belongs to the white list.
Optionally, the allowing module 724 is further adapted to allow the program's network access request when it is found that neither the local database nor the cloud database stores any of the at least one kind of domain information, which indicates that the program is an unknown program.
Optionally, for the details of the interception module 711, refer to the description of the sixth embodiment; they are not repeated here.
With the apparatus of this embodiment, the driver layer intercepts the packet of a network access request initiated by a program and parses it to obtain the domain information it contains; the application layer first queries the local database with this domain information to decide whether to block or allow the program's network access request and, if the local database does not store the domain information contained in the packet, goes on to query the cloud database on the network side to decide whether to block or allow the request. For the upper-layer protocols that programs use on top of TCP/IP or UDP, the domain information in the packet of a network access request reflects the target of that request; because the apparatus judges whether a network access request is safe directly from the target of these upper-layer protocols, it can intercept the network access behavior of malicious programs more effectively. Moreover, since the domain information in the packets of network access requests does not change often, the local database does not need frequent updates, and the network access behavior of malicious programs can still be intercepted in a timely manner. By combining the local database and the cloud database to judge whether a network access request is safe, the apparatus further improves the efficiency with which the network access behavior of malicious programs is intercepted.
Fig. 8 shows a schematic structural diagram of an apparatus for protecting against network access behavior according to an eighth embodiment of the invention. As shown in Fig. 8, the network protection apparatus 800 comprises a driver layer module 810 and an application layer module 820.
The driver layer module 810 comprises an interception module 811, a driver layer parsing module 812, an acquisition module 813, a driver layer memory 814, a first determination module 815 and a first sending module 816. The application layer module 820 comprises a first receiving module 821, an application layer parsing module 822, a query module 823, a blocking module 824 and an allowing module 825.
The interception module 811 is adapted to intercept a packet of an HTTP access request initiated by a program (optionally, for the details of the interception module 811, refer to the description of the sixth embodiment; they are not repeated here); the driver layer parsing module 812 is adapted to parse the packet and obtain the domain name (host) contained in it; the acquisition module 813 is adapted to obtain the IP address and port of the HTTP access request; the first determination module 815 is adapted to determine whether the driver layer memory 814 records process state information for the program's previous HTTP access request having the same IP address, port and domain name as the current HTTP access request; the first sending module 816 is adapted to send the packet and the domain name to the first receiving module 821 of the application layer module 820 when the first determination module 815 determines no, or when it determines yes and the process state information of the previous request indicates that the program was an unknown program.
The first receiving module 821 is adapted to receive the packet and the domain name sent by the first sending module 816; the application layer parsing module 822 is adapted to parse the packet further and obtain one or more of the following as part of the at least one kind of domain information: the web address, the user-agent identifier and the referring (parent) page information. The application layer parsing module 822 is an optional module. The query module 823 is adapted to query whether the local database stores any of the at least one kind of domain information. The blocking module 824 is adapted to block the program's network access request when the query module 823 finds that any of the domain information belongs to the blacklist of the local database, or when the first determination module 815 determines yes and the process state information of the previous request indicates that any of the domain information of the previous HTTP access request belongs to the blacklist; the allowing module 825 is adapted to allow the program's network access request when the query module 823 finds that none of the domain information belongs to the blacklist of the local database but any of it belongs to the white list of the local database, or when the first determination module 815 determines yes and the process state information of the previous request indicates that any of the domain information of the previous HTTP access request belongs to the white list.
As an optional implementation, the allowing module 825 is further adapted to allow the program's network access request when the query module 823 finds that the local database stores none of the at least one kind of domain information, which indicates that the program is an unknown program.
As another optional implementation, the application layer module 820 further comprises a second sending module and a second receiving module. The second sending module is adapted to send the at least one kind of domain information to the network-side device when the query module finds that the local database stores none of it; the second receiving module is adapted to receive the result of the network-side device's query of whether the cloud database stores any of the at least one kind of domain information; the blocking module is further adapted to block the program's network access request when the query result received by the second receiving module shows that the cloud database stores any of the domain information and that it belongs to the blacklist; the allowing module is further adapted to allow the program's network access request when the query result received by the second receiving module shows that the cloud database stores any of the domain information and that it does not belong to the blacklist but belongs to the white list. Optionally, the allowing module is further adapted to allow the program's network access request when neither the local database nor the cloud database stores any of the at least one kind of domain information, which indicates that the program is an unknown program.
Optionally, the driver layer memory is adapted to record the IP address, port and domain name of the program's HTTP access request together with the program's process state information, which indicates that any of the domain information of the program's HTTP access request belongs to the blacklist or the white list, or that the program is an unknown program.
Optionally, when the program's process state information indicates that the program is an unknown program, the driver layer memory is further adapted to record the cumulative number of times the program has been confirmed to be an unknown program.
On the basis of the above embodiment, an alternative embodiment replaces the first determination module with a second determination module and a third determination module, with corresponding changes to the functions of the first sending module, the blocking module and the allowing module. Specifically, the second determination module is adapted to determine whether the driver layer memory records process state information for the program's previous HTTP access request having the same IP address, port and domain name as the current HTTP access request; the third determination module is adapted, when the second determination module determines yes and the process state information of the previous request indicates that the program was an unknown program, to determine whether the cumulative number of times the program has been confirmed to be an unknown program is greater than or equal to a preset value; the first sending module is specifically adapted to send the packet and its at least one kind of domain information to the application layer module when the second determination module determines no, or when the third determination module determines no; the blocking module is further adapted to block the program's network access request when the second determination module determines yes and the process state information of the previous request indicates that any of the domain information of the previous HTTP access request belongs to the blacklist; the allowing module is further adapted to allow the program's network access request when the second determination module determines yes and the process state information of the previous request indicates that any of the domain information of the previous HTTP access request belongs to the white list.
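The following Python is an added example, not code from the patent, that models the driver-layer cache in front of the application-layer queries as described for methods 400 and 500 (steps S503 to S505 and S507 to S515 of the fifth embodiment) together with the unknown-program counter of the eighth embodiment's alternative above. The names ListDatabase, NetworkAccessGuard, unknown_recheck_limit and the sample list entries are this example's own assumptions. It generalises the text in one respect: the same class serves DNS domain names, e-mail address sets and HTTP host names as "domain information", whereas a real driver would also key the HTTP entry on IP address and port. The behaviour once the counter reaches the preset value (allow without re-querying) is an assumption that follows the handling of unknown programs in methods 400 and 500.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Sequence, Tuple

# Decisions returned to the interception point, and process state values
# kept in the ring0 cache (the names are this example's own).
BLOCK, ALLOW = "block", "allow"
BLACK, WHITE, UNKNOWN = "blacklist", "whitelist", "unknown"


class ListDatabase:
    """A local or cloud database: domain-information values marked black or white."""

    def __init__(self, black: Iterable[str] = (), white: Iterable[str] = ()) -> None:
        self._marks: Dict[str, str] = {v.lower(): BLACK for v in black}
        self._marks.update({v.lower(): WHITE for v in white})
        self.queries = 0  # counts lookups so the caching effect is measurable

    def lookup(self, values: Sequence[str]) -> Optional[str]:
        """BLACK if any value is blacklisted, else WHITE if any is whitelisted,
        else None when none of the values is stored (blacklist wins ties)."""
        self.queries += 1
        marks = {self._marks[v.lower()] for v in values if v.lower() in self._marks}
        if BLACK in marks:
            return BLACK
        if WHITE in marks:
            return WHITE
        return None


@dataclass
class CacheEntry:
    state: str              # process state information for the last identical request
    unknown_count: int = 0  # cumulative times the program was confirmed unknown


class NetworkAccessGuard:
    """Driver-layer cache (ring0 cache) in front of the application-layer queries."""

    def __init__(self, local_db: ListDatabase, cloud_db: Optional[ListDatabase] = None,
                 unknown_recheck_limit: int = 0) -> None:
        self.local_db = local_db
        self.cloud_db = cloud_db  # None models the local-database-only embodiment
        # Preset value of the eighth embodiment's third determination module;
        # 0 reproduces methods 400/500, where an unknown verdict is reused at once.
        self.unknown_recheck_limit = unknown_recheck_limit
        self.ring0_cache: Dict[Tuple[str, Tuple[str, ...]], CacheEntry] = {}

    @staticmethod
    def _key(program: str, domain_info: Sequence[str]) -> Tuple[str, Tuple[str, ...]]:
        # Same program and identical domain information (order-insensitive).
        return program, tuple(sorted(v.lower() for v in domain_info))

    def application_layer(self, domain_info: Sequence[str]) -> str:
        """Steps S507 to S512: query the local database, then the cloud database."""
        mark = self.local_db.lookup(domain_info)
        if mark is None and self.cloud_db is not None:
            mark = self.cloud_db.lookup(domain_info)
        return mark if mark is not None else UNKNOWN

    def driver_layer(self, program: str, domain_info: Sequence[str]) -> str:
        """Steps S503 to S505 and S515: reuse the cached verdict where possible."""
        key = self._key(program, domain_info)
        entry = self.ring0_cache.get(key)
        if entry is None:
            state = self.application_layer(domain_info)        # no record: S506
        elif entry.state in (BLACK, WHITE):
            state = entry.state                                # S505: same handling as last time
        elif entry.unknown_count >= self.unknown_recheck_limit:
            state = UNKNOWN                                    # S504: allow directly
        else:
            state = self.application_layer(domain_info)        # third determination: re-send
        if entry is None:
            entry = self.ring0_cache[key] = CacheEntry(state)  # S515: record this request
        entry.state = state
        entry.unknown_count = entry.unknown_count + 1 if state == UNKNOWN else 0
        return BLOCK if state == BLACK else ALLOW


if __name__ == "__main__":
    # Constructed sample lists; the domain name www.360.cn is the one used in the text.
    guard = NetworkAccessGuard(ListDatabase(black=["evil.example"], white=["www.360.cn"]),
                               ListDatabase(black=["spam@example.net"]), unknown_recheck_limit=2)
    print(guard.driver_layer("app.exe", ["www.360.cn"]))
    print(guard.driver_layer("mail.exe", ["bob@example.org", "spam@example.net"]))
```

The query counters make the point of the embodiments visible: a second identical request from the same program is answered from the ring0 cache without touching either database, and an unknown program is re-checked only until its unknown count reaches the preset value, after which the cached verdict is reused as well.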
Fig. 9 shows a schematic structural diagram of an apparatus for protecting against network access behavior according to a ninth embodiment of the invention. As shown in Fig. 9, the network protection apparatus 900 comprises a driver layer module 910 and an application layer module 920.
The driver layer module 910 comprises an interception module 911, a driver layer parsing module 912, a driver layer memory 913, a determination module 914 and a first sending module 915. The application layer module 920 comprises a first receiving module 921, a query module 922, a blocking module 923 and an allowing module 924.
The interception module 911 is adapted to intercept a packet of a network access request initiated by a program (optionally, for the details of the interception module 911, refer to the description of the sixth embodiment; they are not repeated here); the driver layer parsing module 912 is adapted to parse the packet and obtain at least one kind of domain information contained in it; the determination module 914 is adapted to determine whether the driver layer memory 913 records process state information for the program's previous network access request having the same at least one kind of domain information as the current network access request; the first sending module 915 is adapted to send the packet and its at least one kind of domain information to the first receiving module 921 of the application layer module 920 when the determination module 914 determines no.
The first receiving module 921 is adapted to receive the packet and its at least one kind of domain information sent by the first sending module 915; the query module 922 is adapted to query whether the local database stores any of the at least one kind of domain information; the blocking module 923 is adapted to block the program's network access request when the query module 922 finds that any of the domain information belongs to the blacklist of the local database, or when the determination module 914 determines yes and the process state information of the previous request indicates that any of the domain information of the previous network access request belongs to the blacklist; the allowing module 924 is adapted to allow the program's network access request when the query module 922 finds that none of the domain information belongs to the blacklist of the local database but any of it belongs to the white list of the local database, or when the determination module 914 determines yes and the process state information of the previous request indicates either that any of the domain information of the previous network access request belongs to the white list or that the program was an unknown program.
As an optional implementation, the allowing module 924 is further adapted to allow the program's network access request when the query module 922 finds that the local database stores none of the at least one kind of domain information, which indicates that the program is an unknown program.
As another optional implementation, the application layer module 920 further comprises a second sending module and a second receiving module. The second sending module is adapted to send the at least one kind of domain information to the network-side device when the query module finds that the local database stores none of it; the second receiving module is adapted to receive the result of the network-side device's query of whether the cloud database stores any of the at least one kind of domain information; the blocking module is further adapted to block the program's network access request when the query result received by the second receiving module shows that the cloud database stores any of the domain information and that it belongs to the blacklist; the allowing module is further adapted to allow the program's network access request when the query result received by the second receiving module shows that the cloud database stores any of the domain information and that it does not belong to the blacklist but belongs to the white list. Optionally, the allowing module is further adapted to allow the program's network access request when neither the local database nor the cloud database stores any of the at least one kind of domain information, which indicates that the program is an unknown program.
Optionally, the driver layer memory is adapted to record the at least one kind of domain information of the program's network access request together with the program's process state information, which indicates that any of the domain information of the program's network access request belongs to the blacklist or the white list, or that the program is an unknown program.
Optionally, in this embodiment the network access request may be a DNS access request, in which case the at least one kind of domain information comprises the DNS domain name, or an SMTP access request, in which case the at least one kind of domain information comprises the sender's and/or recipients' e-mail addresses.
Fig. 10 shows a schematic structural diagram of a system for protecting against network access behavior according to a tenth embodiment of the invention. As shown in Fig. 10, the network protection system 1000 comprises a client device 1010 and a network-side device 1020. The client device 1010 may comprise the apparatus for protecting against network access behavior of any of the seventh, eighth and ninth embodiments above. The network-side device 1020 comprises a cloud database 1021, a network-side receiving module 1022, a network-side query module 1023 and a network-side sending module 1024. The network-side receiving module 1022 is connected to the second sending module in the client device and is adapted to receive the at least one kind of domain information sent by the client device; the network-side query module 1023 is adapted to query whether the cloud database 1021 stores any of the at least one kind of domain information and to obtain the query result; the network-side sending module 1024 is connected to the second receiving module in the client device and is adapted to send the query result to the client device.
The algorithms and displays provided herein are not inherently related to any particular computer, virtual system or other apparatus. Various general-purpose systems may also be used with the teachings herein. From the description above, the structure required to construct such systems is apparent. Moreover, the present invention is not directed to any particular programming language. It should be understood that various programming languages may be used to implement the content of the invention described here, and that the above description of a specific language is given in order to disclose the best mode of the invention.
Numerous details are set forth in the specification provided here. It will be understood, however, that embodiments of the invention may be practiced without these details. In some instances, well-known methods, structures and techniques are not shown in detail so as not to obscure the understanding of this description.
Similarly, it should be understood that, in order to simplify the disclosure and aid the understanding of one or more of the various inventive aspects, features of the invention are sometimes grouped together in a single embodiment, figure or description thereof in the above description of exemplary embodiments. This method of disclosure, however, is not to be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, the inventive aspects lie in less than all features of a single disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art will appreciate that the modules in the apparatus of an embodiment may be adaptively changed and arranged in one or more apparatuses different from that embodiment. The modules, units or components of an embodiment may be combined into one module, unit or component, and may additionally be divided into a plurality of sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or apparatus so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose.
Furthermore, those skilled in the art will understand that although some embodiments described herein include some but not other features included in other embodiments, combinations of features of different embodiments are meant to be within the scope of the invention and form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
All parts embodiment of the present invention can realize with hardware, perhaps realizes with the software module of moving at one or more processor, and perhaps the combination with them realizes.It will be understood by those of skill in the art that and to use in practice microprocessor or digital signal processor (DSP) to realize according to some or all some or repertoire of parts in the guard system of the access to netwoks behavior of the embodiment of the invention.The present invention can also be embodied as be used to part or all equipment or the device program (for example, computer program and computer program) of carrying out method as described herein.Such realization program of the present invention can be stored on the computer-readable medium, perhaps can have the form of one or more signal.Such signal can be downloaded from internet website and obtain, and perhaps provides at carrier signal, perhaps provides with any other form.
It should be noted above-described embodiment the present invention will be described rather than limit the invention, and those skilled in the art can design alternative embodiment in the situation of the scope that does not break away from claims.In the claims, any reference symbol between bracket should be configured to limitations on claims.Word " comprises " not to be got rid of existence and is not listed in element or step in the claim.Being positioned at word " " before the element or " one " does not get rid of and has a plurality of such elements.The present invention can realize by means of the hardware that includes some different elements and by means of the computer of suitably programming.In having enumerated the unit claim of some devices, several in these devices can be to come imbody by same hardware branch.The use of word first, second and C grade does not represent any order.Can be title with these word explanations.