CN102916983A - Protection system for network access behavior - Google Patents

Protection system for network access behavior

Info

Publication number
CN102916983A
Authority
CN
China
Prior art keywords
program
module
access request
domain information
network access
Prior art date
Legal status
Granted
Application number
CN2012104784254A
Other languages
Chinese (zh)
Other versions
CN102916983B (en)
Inventor
熊昱之
张聪
刘海粟
Current Assignee
Beijing Qizhi Business Consulting Co ltd
Beijing Qihoo Technology Co Ltd
360 Digital Security Technology Group Co Ltd
Original Assignee
Beijing Qihoo Technology Co Ltd
Qizhi Software Beijing Co Ltd
Priority date
Filing date
Publication date
Application filed by Beijing Qihoo Technology Co Ltd, Qizhi Software Beijing Co Ltd
Priority to CN201210478425.4A
Publication of CN102916983A
Application granted
Publication of CN102916983B
Legal status: Active
Anticipated expiration

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a protection system for network access behavior. The system comprises a client device and a network side device; the client device comprises a protection apparatus for network access behavior; the network side device comprises a cloud database, a network side receiving module suitable for receiving at least one kind of domain information transmitted by the client device, a network side inquiry module suitable for inquiring whether the cloud database stores any type of the at least one type of domain information, and obtaining the inquiry result, and a network side transmitting module suitable for transmitting the inquiry result to the client device; and the protection apparatus for network access behavior comprises a driver layer module and an application layer module. The system provided by the invention directly uses the targets of these high layer protocols to judge whether the network access request is safe, thereby intercepting the network access behavior of rogue programs more effectively.

Description

Protection system for network access behavior
Technical field
The present invention relates to the technical field of network communication security, and specifically to a protection system for network access behavior.
Background art
With the rapid development of Internet technology and the general reduction in the cost of going online, the Internet has become an indispensable and important part of the daily life of most of the general public. However, some programmers, in order to show off or prove their abilities, or to satisfy demands in other areas (such as politics, the military, religion, nationality, patents and so on), tend to write malicious programs that affect the normal operation of computers, so that users invaded by these malicious programs cannot achieve their own purpose of going online, and in some cases the whole system is paralysed. Network security has therefore become a focus of current attention.
Existing network protection methods all allow or block the network access behavior of a program based on the IP address and port of TCP (Transmission Control Protocol)/IP (Internet Protocol) or UDP (User Datagram Protocol). Specifically, when a program initiates a network access request, it first initiates a connection request (socket connect); in the socket connect the IP address and port of the target to be accessed can be obtained, and the locally saved database is queried by the IP address and port of the target to decide whether to allow or block the program's network access behavior. For an unknown program, the user may be prompted to choose whether to allow it.
However, most of the network protocols used by existing programs are upper-layer protocols implemented on top of TCP/IP or UDP, for example HTTP (Hypertext Transport Protocol), SMTP (Simple Mail Transfer Protocol), DNS (Domain Name System) and FTP (File Transfer Protocol). When a program uses these upper-layer protocols to make a network access request, the purpose of the request cannot be determined from the IP address and port alone. Moreover, IP addresses and ports change very frequently in a network (for example, the IP address changes when the network provider changes), whereas updating the local database takes a certain amount of time, so the existing network protection methods cannot intercept the network access behavior of malicious programs promptly and effectively.
Summary of the invention
In view of the above problems, the present invention is proposed in order to provide a protection system for network access behavior that overcomes, or at least partially solves, the above problems.
According to the present invention, a protection system for network access behavior is provided, comprising a client device and a network side device. The client device comprises a protection apparatus for network access behavior. The network side device comprises: a cloud database; a network side receiving module, adapted to receive at least one kind of domain information sent by the client device; a network side query module, adapted to query whether the cloud database stores any of the at least one kind of domain information and to obtain a query result; and a network side sending module, adapted to send the query result to the client device. The protection apparatus for network access behavior comprises a driver layer module and an application layer module. The driver layer module comprises: an interception module, adapted to intercept the data packets of a network access request initiated by a program; a driver layer parsing module, adapted to parse the data packets and obtain at least one kind of domain information in them; and a first sending module, adapted to send the data packets and their at least one kind of domain information to the application layer module. The application layer module comprises: a first receiving module, adapted to receive the data packets and their at least one kind of domain information sent by the first sending module; a query module, adapted to query whether the local database stores any of the at least one kind of domain information; a blocking module, adapted to block the network access request of the program when the query module finds that any of the at least one kind of domain information belongs to the blacklist of the local database; and an allowing module, adapted to allow the network access request of the program when the query module finds that none of the at least one kind of domain information belongs to the blacklist of the local database but any of it belongs to the whitelist of the local database.
According to the solution provided by the invention, the driver layer intercepts the data packets of a network access request initiated by a program and parses them to obtain the domain information they contain, and the application layer queries the local database with this domain information to decide whether to block or allow the program's network access request. For the upper-layer protocols used by programs, which are implemented on top of TCP/IP or UDP, the domain information in the packets of a network access request reflects the target of the request; the invention directly uses the targets of these upper-layer protocols to judge whether the network access request is safe, and so intercepts the network access behavior of malicious programs more effectively. Moreover, the domain information in the packets of network access requests does not change often, so the local database does not need frequent updating, and the network access behavior of malicious programs can be intercepted more promptly.
The above description is only an overview of the technical solution of the present invention. In order that the technical means of the present invention may be understood more clearly and implemented according to the content of the specification, and in order that the above and other objects, features and advantages of the present invention may become more apparent, specific embodiments of the present invention are set out below.
Description of drawings
Various other advantages and benefits will become clear to those of ordinary skill in the art by reading the following detailed description of the preferred embodiments. The drawings are only for the purpose of showing the preferred embodiments and are not to be considered a limitation of the invention. Throughout the drawings, the same reference symbols denote the same components. In the drawings:
Fig. 1 shows a flow chart of a protection method for network access behavior according to a first embodiment of the invention;
Fig. 2 shows a flow chart of a protection method for network access behavior according to a second embodiment of the invention;
Fig. 3 shows a flow chart of a protection method for network access behavior according to a third embodiment of the invention;
Fig. 4 shows a flow chart of a protection method for network access behavior according to a fourth embodiment of the invention;
Fig. 5 shows a flow chart of a protection method for network access behavior according to a fifth embodiment of the invention;
Fig. 6 shows a structural diagram of a protection apparatus for network access behavior according to a sixth embodiment of the invention;
Fig. 7 shows a structural diagram of a protection apparatus for network access behavior according to a seventh embodiment of the invention;
Fig. 8 shows a structural diagram of a protection apparatus for network access behavior according to an eighth embodiment of the invention;
Fig. 9 shows a structural diagram of a protection apparatus for network access behavior according to a ninth embodiment of the invention;
Figure 10 shows a structural diagram of a protection system for network access behavior according to a tenth embodiment of the invention.
Embodiments
Exemplary embodiments of the present disclosure are described below in more detail with reference to the drawings. Although exemplary embodiments of the disclosure are shown in the drawings, it should be understood that the disclosure may be implemented in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the disclosure may be understood more thoroughly and its scope may be conveyed completely to those skilled in the art.
A program is an ordinary file, a set of machine code instructions and data; it is a static concept. A process is an execution of a program on a computer; it is a dynamic concept. The same program can run on several data sets at the same time, that is, one program can correspond to several processes. Network access behavior is initiated by a running program (that is, by a process). The current network access behavior of a program is the network access behavior initiated by the processes that belong to that program. Network access behaviors are varied and include HTTP access (commonly downloading files or uploading information), SMTP requests (for example sending and receiving e-mail), DNS requests (resolving a domain name to information such as its IP address), and so on.
Fig. 1 shows a flow chart of a protection method 100 for network access behavior according to a first embodiment of the invention. As shown in Fig. 1, method 100 starts at step S101, in which the driver layer (ring0) intercepts the data packets of a network access request initiated by a program. The data packets intercepted by the driver layer are those in the program's requests to send data (socket send) and requests to receive data (socket receive).
When an ordinary program needs to connect to the network, it sends a network access request through the API (Application Program Interface) provided by the operating system (such as Windows). After the operating system receives the program's network access request, it receives the data packets that the program wants to send, encapsulates them, sends the encapsulated packets to the physical device (such as the network interface card), and finally the hardware device transmits the packets. Based on this conventional flow of network access, intercepting the relevant information of the network behavior at any link of the flow achieves the purpose of monitoring the program's current network behavior. Alternatively, the driver layer may intercept the packets of a program's network access request in any of the following ways:
(1) Intercept the packets of the network access request initiated by the program by registering a protocol driver on the client or by creating a filter driver.
In the conventional network access flow, when the operating system processes the relevant data, it obtains the data of the network access behavior through certain protocol drivers or filter drivers, so the packets of a program's network access request can be intercepted by registering a protocol driver on the client or by creating a filter driver similar to the operating system's own. Specifically, a protocol driver can be registered with NDIS (Network Driver Interface Specification), or a filter driver similar to the operating system's own can be created on the Afd.sys (Ancillary Function Driver for Winsock) driver device stack, the Tdi.sys (Transport Dispatch Interface) driver device stack or the Tcpip.sys (Transmission Control Protocol/Internet Protocol) driver device stack, to intercept the packets of the network access request initiated by the program.
Taking the creation of a filter driver on the Afd.sys driver device stack as an example: when the packet of a network access request is sent, the driver dispatch function of Afd.sys that the system would originally call first calls the dispatch function of the created filter driver, and this is how the packet is intercepted.
(2) Intercept the packets of the network access request initiated by the program using the application programming interface functions provided by the operating system.
Taking a hook function as the example of an application programming interface function: the hook function provided by the operating system is used to intercept the interface functions provided by the Windows SSDT (System Services Descriptor Table) (such as the NtDeviceIoControl function), the service functions provided by the Tcpip.sys driver, or the functions exported by NDIS.sys, so as to obtain the packets of the network access request initiated by the program.
(3) Intercept the packets of the network access request initiated by the program by taking over the program's calls to the network programming interface functions (Winsock).
(4) Intercept the packets of the network access request initiated by the program by registering a firewall callback.
Subsequently, method 100 proceeds to step S102, in which the driver layer parses the intercepted packets, obtains at least one kind of domain information in the packets, and sends the packets and their at least one kind of domain information to the application layer. In this method, the driver layer (ring0) has the function of parsing the packets in socket send and socket receive, obtaining one or more pieces of domain information contained in a packet, and sending the packet and its domain information to the application layer (ring3) process.
Subsequently, method 100 proceeds to step S103, in which the application layer queries whether the local database stores any of the at least one kind of domain information; if so, step S104 is executed; otherwise step S106 is executed. The local database of the client stores a large number of domain information entries together with flags indicating whether each entry belongs to the blacklist or the whitelist. Alternatively, the storage format of the local database may be the MD5 (Message Digest Algorithm 5) value of the domain information plus an extension byte, with the flag indicating blacklist or whitelist written in the extension byte.
In step S104, the application layer judges whether any of the at least one kind of domain information belongs to the blacklist of the local database; if so, step S105 is executed; otherwise step S106 is executed. The application layer uses the flag indicating whether the domain information belongs to the blacklist or the whitelist to judge whether any of the at least one kind of domain information belongs to the blacklist of the local database.
In step S105, the network access request of the program is blocked. If any of the at least one kind of domain information in the packets of the network access request initiated by a program belongs to the blacklist of the local database, this shows that the program is a malicious program, and blocking the program's network access request thus blocks the program's network access behavior.
In step S106, the network access request of the program is allowed. If none of the at least one kind of domain information in the packets of the network access request initiated by a program belongs to the blacklist of the local database, but any of it belongs to the whitelist of the local database, this shows that the program is a normal program, and its network access request is allowed, that is, its network access behavior is allowed. If the application layer finds that the local database stores none of the at least one kind of domain information, this shows that the program is an unknown program, and its network access request may be allowed. In another implementation, if the program is an unknown program, the user may be prompted to choose, and the program's network access request is blocked or allowed according to the user's choice.
According to the method provided by this embodiment, the driver layer intercepts the data packets of a network access request initiated by a program and parses them to obtain the domain information they contain, and the application layer queries the local database with this domain information to decide whether to block or allow the program's network access request. For the upper-layer protocols used by programs, which are implemented on top of TCP/IP or UDP, the domain information in the packets of a network access request reflects the target of the request; this method directly uses the targets of these upper-layer protocols to judge whether the network access request is safe, and so intercepts the network access behavior of malicious programs more effectively. Moreover, the domain information in the packets of network access requests does not change often, so the local database does not need frequent updating, and the network access behavior of malicious programs can be intercepted more promptly.
Fig. 2 shows a flow chart of a protection method 200 for network access behavior according to a second embodiment of the invention. As shown in Fig. 2, method 200 starts at step S201, in which the driver layer (ring0) intercepts the data packets of a network access request initiated by a program. The data packets intercepted by the driver layer are those in the program's requests to send data (socket send) and requests to receive data (socket receive). For the way in which the driver layer intercepts packets, refer to the corresponding description of method 100, which is not repeated here.
Subsequently, method 200 proceeds to step S202, in which the driver layer parses the intercepted packets, obtains at least one kind of domain information in the packets, and sends the packets and their at least one kind of domain information to the application layer. In this method, the driver layer (ring0) has the function of parsing the packets in socket send and socket receive, obtaining one or more pieces of domain information contained in a packet, and sending the packet and its domain information to the application layer (ring3) process.
Subsequently, method 200 proceeds to step S203, in which the application layer queries whether the local database stores any of the at least one kind of domain information; if so, step S204 is executed; otherwise step S205 is executed. The local database of the client stores a large number of domain information entries together with flags indicating whether each entry belongs to the blacklist or the whitelist. Alternatively, the storage format of the local database may be the MD5 value of the domain information plus an extension byte, with the flag indicating blacklist or whitelist written in the extension byte.
In step S204, the application layer judges whether any of the at least one kind of domain information belongs to the blacklist of the local database; if so, step S209 is executed; otherwise step S210 is executed. The application layer uses the flag indicating whether the domain information belongs to the blacklist or the whitelist to judge whether any of the at least one kind of domain information belongs to the blacklist of the local database.
In step S205, the application layer sends the at least one kind of domain information to the network side device. The cloud database of the network side device also stores a large number of domain information entries together with flags indicating whether each entry belongs to the blacklist or the whitelist. The network side device judges whether any of the at least one kind of domain information is in the cloud database; if it is, the network side device further judges, from the flag, whether that domain information belongs to the blacklist or the whitelist of the cloud database, obtains the query result and returns it to the client.
After step S205, method 200 proceeds to step S206, in which the application layer receives the query result of the network side device's query of whether the cloud database stores any of the at least one kind of domain information.
After step S206, method 200 proceeds to step S207, in which the application layer judges whether the query result shows that the cloud database stores any of the at least one kind of domain information; if so, step S208 is executed; otherwise step S210 is executed.
In step S208, the application layer judges whether the query result shows that the cloud database stores any of the at least one kind of domain information and that it belongs to the blacklist; if so, step S209 is executed; otherwise step S210 is executed.
In step S209, the network access request of the program is blocked. If any of the at least one kind of domain information in the packets of the network access request initiated by a program belongs to the blacklist of the local database or of the cloud database, this shows that the program is a malicious program, and blocking the program's network access request thus blocks the program's network access behavior.
In step S210, the network access request of the program is allowed. If none of the at least one kind of domain information in the packets of the network access request initiated by a program belongs to the blacklist of the local database but any of it belongs to the whitelist of the local database, or none of it belongs to the blacklist of the cloud database but any of it belongs to the whitelist of the cloud database, this shows that the program is a normal program, and its network access request is allowed, that is, its network access behavior is allowed. If the application layer finds that neither the local database nor the cloud database stores any of the at least one kind of domain information, this shows that the program is an unknown program, and its network access request may be allowed. In another implementation, if the program is an unknown program, the user may be prompted to choose, and the program's network access request is blocked or allowed according to the user's choice.
According to the method provided by this embodiment, the driver layer intercepts the data packets of a network access request initiated by a program and parses them to obtain the domain information they contain; the application layer first queries the local database with this domain information to decide whether to block or allow the program's network access request, and if the local database does not store the domain information contained in the packets, it goes on to have the network side query the cloud database to decide whether to block or allow the program's network access request. For the upper-layer protocols used by programs, which are implemented on top of TCP/IP or UDP, the domain information in the packets of a network access request reflects the target of the request; this method directly uses the targets of these upper-layer protocols to judge whether the network access request is safe, and so intercepts the network access behavior of malicious programs more effectively. Moreover, the domain information in the packets of network access requests does not change often, so the local database does not need frequent updating, and the network access behavior of malicious programs can still be intercepted promptly. This method judges whether a network access request is safe using the local database together with the cloud database, which further improves the efficiency of intercepting the network access behavior of malicious programs.
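The decision flow of methods 100 and 200 above, written out as an added Python example (this is not code from the patent or from its assignees): each database stores the MD5 of a piece of domain information next to an extension byte carrying the blacklist/whitelist flag, the local database is consulted first, the cloud database only when the local one stores none of the domain information, and any blacklist hit blocks the request. The flag values, the FlagDatabase class, the decide function and the sample entries are all constructed for the example.

```python
import hashlib

# Flag values for the "extension byte" stored beside the MD5 of each domain
# information entry. The patent only says the byte marks blacklist or
# whitelist; these two values are constructed for the example.
FLAG_BLACK = 1
FLAG_WHITE = 2


def md5_key(domain_info: str) -> bytes:
    """Storage key of one piece of domain information (host, URL, Referer, ...)."""
    return hashlib.md5(domain_info.encode("utf-8")).digest()


class FlagDatabase:
    """md5(domain information) -> extension byte, the storage format described
    for the local database (S103/S203) and the cloud database (S205).
    This class is constructed for the example."""

    def __init__(self, blacklist=(), whitelist=()):
        self._entries = {}
        for item in blacklist:
            self._entries[md5_key(item)] = FLAG_BLACK
        for item in whitelist:
            self._entries[md5_key(item)] = FLAG_WHITE

    def lookup(self, domain_infos):
        """Return FLAG_BLACK if any item is blacklisted, FLAG_WHITE if any item
        is whitelisted and none is blacklisted, None if no item is stored.
        A blacklist hit outranks a whitelist hit, as in S204/S208 where
        'any' blacklisted item blocks the request."""
        flags = [self._entries.get(md5_key(d)) for d in domain_infos]
        if FLAG_BLACK in flags:
            return FLAG_BLACK
        if FLAG_WHITE in flags:
            return FLAG_WHITE
        return None


def decide(domain_infos, local_db, cloud_db):
    """Decision of method 200 for one intercepted request.

    Returns (verdict, source): verdict is "block", "allow" or "unknown",
    source names the database that answered ("local" or "cloud")."""
    # S203/S204: the local database is consulted first ...
    flag = local_db.lookup(domain_infos)
    source = "local"
    if flag is None:
        # S205-S208: ... and the cloud database only when the local one
        # stores none of the domain information.
        flag = cloud_db.lookup(domain_infos)
        source = "cloud"
    if flag == FLAG_BLACK:
        return "block", source      # S209
    if flag == FLAG_WHITE:
        return "allow", source      # S210, whitelisted
    return "unknown", None          # S210: unknown program (allow, or prompt the user)


# Constructed sample contents; real databases hold far more entries.
LOCAL_DB = FlagDatabase(blacklist=["bad.example"], whitelist=["www.360.cn"])
CLOUD_DB = FlagDatabase(blacklist=["evil.example"], whitelist=["www.qihoo.net"])

if __name__ == "__main__":
    for infos in (["www.360.cn"], ["evil.example"], ["nobody.example"],
                  ["www.360.cn", "evil.example"]):
        print(infos, "->", decide(infos, LOCAL_DB, CLOUD_DB))
```

The last sample case makes one property of the flow chart visible: once the local database stores any of the domain information (S203 yes), the request is decided at S204 and the cloud database is never asked, so an item that only the cloud database blacklists is not seen when another item in the same packet is whitelisted locally. Anyone deploying this flow should keep that in mind when deciding what goes into the local whitelist.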
Fig. 3 shows the flow chart according to the means of defence 300 of the access to netwoks behavior of third embodiment of the invention.In this method 300, describe as the HTTP access request as example take network access request.As shown in Figure 3, method 300 starts from step S301, wherein drives the packet of the HTTP access request of layer (ring0) intercepting and capturing program initiation.Drive packet that layer intercepts and captures and be the packet in the request (socket receive) of the request (socket send) of the transmission data that program initiates and receive data.The method that drives layer intercepted data bag can referring to the associated description of method 100, not repeat them here.
Subsequently, method 300 enters step S302, wherein drives layer and resolves the packet of intercepting and capturing, and obtains the domain name (host) in the packet.Drive layer before resolving the socket send that intercepts and captures and the packet among the socket receive or simultaneously, also can obtain IP address and port among the socket connect.
Subsequently, method 300 enters step S303, wherein drive layer and judge to drive in the layer internal memory (ring0 cache) whether record the process state information that has this program of last time of identical ip addresses and port and domain name with the HTTP access request of this secondary program, if, execution in step S304; Otherwise execution in step S306.In the method, after handling a HTTP access request, ring0 cache can record IP address and port and the domain name of current HTTP access request, and record this program pin to the process state information of current HTTP access request, the process state information here refers to that the domain name of the current HTTP access request of this program belongs to blacklist or white list, and perhaps this program is identified as unknown program in current HTTP access request.Record based on ring0 cache does in step S303, drives layer and can judge first whether ring0 cache records the process state information that has this program of last time of identical ip addresses and port and domain name with the HTTP access request of this secondary program.
In step S304, drive layer and judge whether the process state information of last this program is that this program is unknown program, if, execution in step S306; Otherwise execution in step S305.
In step S305, drive process state information that layer judges last this program and whether belong to blacklist for the domain name of the HTTP access request of last this program, if, execution in step S314 then; Otherwise execution in step S315.
In step S306, drive layer packet and domain name, IP address and port are sent to application layer.
After step S306, method 300 enters step S307, and the further resolution data bag of application layer obtains more domain information, comprises network address (URL), Agent sign (User-Agent) and parent page information (Referer).
The example of the packet of HTTP access request is as follows:
GET/index.html?HTTP/1.1\r\n
Host:www.360.cn\r\n
User-Agent:IE\r\n
Referer:http://www.qihoo.net/\r\n
For this example, a driving layer resolution data bag obtains a domain name and is: www.360.cn; The further resolution data bag of application layer obtains URL:http: //www.360.cn/index.html, User-Agent:IE r n, and Referer:http: //www.qihoo.net/ r n.
After step S307, method 300 proceeds to step S308, in which the application layer queries the local database for whether any item of the domain information (the domain name, IP address, port, URL, User-Agent and Referer) is stored in it; if so, step S309 is executed; otherwise step S310 is executed.
In step S309, the application layer judges whether any item of the domain information (domain name, IP address, port, URL, User-Agent or Referer) belongs to the blacklist of the local database; if so, step S314 is executed; otherwise step S315 is executed.
In step S310, the application layer sends the domain information (domain name, IP address, port, URL, User-Agent and Referer) to the network-side device. The cloud database of the network-side device also stores a large amount of domain information together with a flag for each item indicating whether it belongs to the blacklist or the whitelist. The network-side device judges whether any item of the domain information is present in the cloud database; if so, it further uses the flag to determine whether that item belongs to the blacklist or the whitelist of the cloud database, thereby obtaining a query result that it returns to the client.
After step S310, method 300 proceeds to step S311, in which the application layer receives the query result of the network-side device's lookup in the cloud database.
After step S311, method 300 proceeds to step S312, in which the application layer judges whether the query result shows that the cloud database holds any item of the domain information (domain name, IP address, port, URL, User-Agent or Referer); if so, step S313 is executed; otherwise step S315 is executed.
In step S313, the application layer judges whether the query result shows that the cloud database holds an item of the domain information and that this item belongs to the blacklist; if so, step S314 is executed; otherwise step S315 is executed.
In step S314, the program's HTTP access request is blocked.
In step S315, the program's HTTP access request is allowed.
After step S314 or step S315, method 300 proceeds to step S316, in which the ring0 cache records the IP address, port and domain name of this HTTP access request of the program (for the example above, the recorded content is IP 220.181.24.100, port 80, Host www.360.cn) together with the program's process state information for this request, which is either that at least one item of the domain information of this HTTP access request belongs to the blacklist or the whitelist, or that the program is an unknown program.
In this method, before the driver layer sends the packet and its domain information to the application layer, it first checks whether the ring0 cache holds the process state information recorded for the same program's previous HTTP access request, where the previous request means the most recent HTTP access request whose domain name, IP address and port are identical to those of the current request. If such a record exists and its process state information says the domain information belongs to the blacklist or the whitelist, the current request is handled directly in the same way as the previous one, and the packet and domain information need not be sent to the application layer again for the local database and cloud database lookups. This greatly reduces the number of queries, lowers the load on the backend and improves the efficiency of network access. Furthermore, the ring0 cache records only the domain name, IP address and port of the HTTP access request, not the URL, so HTTP access requests with the same domain name, IP address and port but different URLs are all handled according to the previous process state information; this reduces the number of database lookups for unknown URLs and improves the efficiency of network access further.
To improve the processing efficiency of this method further, on the basis of the embodiment above the ring0 cache may additionally record the cumulative number of times the same program has been confirmed to be an unknown program. In step S304, if the driver layer finds that the previous process state information of this program is that it is an unknown program, the driver layer further judges whether the cumulative count for this program is greater than or equal to a preset value, which is preferably 4; if the cumulative count is greater than or equal to the preset value, the program's network access request is allowed; otherwise step S306 is executed. Correspondingly, in step S316, if the process state information for this request is that the program is an unknown program, the ring0 cache also updates the cumulative count for the program by adding 1 to the previous count. With this processing, a program that has repeatedly been confirmed to be an unknown program has its network access behaviour allowed directly, which improves the efficiency of network access.
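The decision flow of steps S303 to S316, including the ring0 cache that deliberately leaves the URL out of its key and the unknown-program counter with the preset value 4, as an added example. This is illustrative code for this page, not the patent's implementation: the local database and the cloud database are modelled as in-memory lookups returning "blacklist", "whitelist" or nothing, the class and method names are assumed, and the cloud_queries counter is bookkeeping added so the saving in lookups can be seen. It goes slightly beyond the HTTP case: the same engine serves methods 400 and 500 by using a DNS domain name or the e-mail addresses as the cache key.

```python
"""Added example: ring0 cache -> local database -> cloud database decision
flow of method 300, with the unknown-program counter of steps S304/S316.
Not the patent's code; databases are modelled as in-memory lookups."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Hashable, Optional, Sequence, Tuple

BLACK, WHITE, UNKNOWN = "blacklist", "whitelist", "unknown"  # process state information
BLOCK, ALLOW = "block", "allow"                              # verdicts
UNKNOWN_PRESET = 4  # preset value for the unknown-program counter (text: preferably 4)


@dataclass
class Ring0Cache:
    """Stands in for the driver-layer memory. `state` maps (program, key) to
    the last process state; `unknown_hits` counts confirmations as unknown."""
    state: Dict[Tuple[str, Hashable], str] = field(default_factory=dict)
    unknown_hits: Dict[str, int] = field(default_factory=dict)


@dataclass
class Protector:
    local_db: Dict[str, str]                      # domain information -> BLACK / WHITE
    cloud_query: Callable[[str], Optional[str]]   # domain information -> BLACK / WHITE / None
    cache: Ring0Cache = field(default_factory=Ring0Cache)
    cloud_queries: int = 0                        # bookkeeping for the example only

    @staticmethod
    def _classify(infos: Sequence[str], lookup: Callable[[str], Optional[str]]) -> Optional[str]:
        """S308/S309 and S312/S313: a blacklisted item decides first, then a
        whitelisted one; None means the database knows none of the items."""
        hits = [lookup(item) for item in infos]
        if BLACK in hits:
            return BLACK
        if WHITE in hits:
            return WHITE
        return None

    def decide(self, program: str, key: Hashable, infos: Sequence[str]) -> Tuple[str, str]:
        """Return (verdict, where it was decided) for one network access request."""
        cache_key = (program, key)
        # S303/S304: the driver layer consults the ring0 cache before the application layer.
        prev = self.cache.state.get(cache_key)
        if prev == BLACK:
            return BLOCK, "cache"
        if prev == WHITE:
            return ALLOW, "cache"
        if prev == UNKNOWN and self.cache.unknown_hits.get(program, 0) >= UNKNOWN_PRESET:
            return ALLOW, "unknown-threshold"  # repeatedly confirmed unknown: allowed directly
        # S306-S313: application layer queries the local database, then the cloud database.
        state = self._classify(infos, self.local_db.get)
        source = "local"
        if state is None:
            self.cloud_queries += 1
            state = self._classify(infos, self.cloud_query)
            source = "cloud"
        if state is None:
            state, source = UNKNOWN, "unknown"
            self.cache.unknown_hits[program] = self.cache.unknown_hits.get(program, 0) + 1
        # S316: record key and process state information for the next request.
        self.cache.state[cache_key] = state
        return (BLOCK if state == BLACK else ALLOW), source

    def handle_http(self, program: str, ip: str, port: int, host: str,
                    extra: Sequence[str] = ()) -> Tuple[str, str]:
        """Method 300: key is (ip, port, host) without the URL; URL, User-Agent
        and Referer (passed in `extra`) only take part in the lookups."""
        return self.decide(program, (ip, port, host), [host, ip, str(port), *extra])

    def handle_dns(self, program: str, name: str) -> Tuple[str, str]:
        """Method 400: the DNS domain name is both the key and the lookup item."""
        return self.decide(program, name, [name])

    def handle_smtp(self, program: str, sender: str, recipients: Sequence[str]) -> Tuple[str, str]:
        """Method 500: sender and recipient e-mail addresses."""
        addrs = [sender, *recipients]
        return self.decide(program, tuple(addrs), addrs)


if __name__ == "__main__":
    # Constructed sample databases (not real reputation data).
    p = Protector(local_db={"www.360.cn": WHITE, "bad.example": BLACK},
                  cloud_query={"cloud-bad.example": BLACK}.get)
    print(p.handle_http("browser.exe", "220.181.24.100", 80, "www.360.cn",
                        ["http://www.360.cn/index.html", "IE", "http://www.qihoo.net/"]))
    print(p.handle_http("browser.exe", "220.181.24.100", 80, "www.360.cn",
                        ["http://www.360.cn/other.html"]))  # served from the cache
```

The second request in the usage block has a different URL but the same host, IP and port, so it never reaches the application layer; that is exactly the saving the text describes for unknown URLs.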
In this method, after the application layer receives the packet, it parses it further to obtain more domain information. During the subsequent lookups in the local database and the cloud database, the program can be judged to be a malicious program or a normal program as soon as any item of this domain information belongs to the blacklist or the whitelist, so the more domain information is available, the higher the interception efficiency for network access behaviour.
It should be understood, however, that step S307 is optional. That is, the application layer may refrain from parsing the packet again when it receives it, in which case the domain information processed by the application layer in the subsequent steps comprises the domain name, IP address and port but not the URL, User-Agent or Referer.
The method provided by the third embodiment above is described using the HTTP access request as an example, but the method is not limited to the HTTP access request; other network access requests similar to the HTTP access request may also use the protection method provided by the third embodiment.
Fig. 4 shows a flowchart of a protection method 400 for network access behaviour according to a fourth embodiment of the invention. Method 400 is described taking a DNS access request as the example of a network access request. As shown in Fig. 4, method 400 starts at step S401, in which the driver layer (ring0) intercepts the packet of a DNS access request initiated by a program. The packets intercepted by the driver layer are those carried in the program's requests to send data (socket send) and to receive data (socket receive). The way the driver layer intercepts packets is described for method 100 and is not repeated here.
Subsequently, method 400 proceeds to step S402, in which the driver layer parses the intercepted packet and obtains the DNS domain name it contains.
An example DNS access request packet is as follows:
Domain Name System (query)
Transaction ID: 0x276b
Questions: 1
Answer RRs: 0
Authority RRs: 0
Additional RRs: 0
Queries: www.360.cn: type A, class IN
For this example, the driver layer parses the packet and obtains the DNS domain name www.360.cn.
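The DNS parse of step S402 carried out on the wire format rather than on the decoded listing above, as an added example. This is illustrative code for this page, not the patent's code; build_dns_query constructs the sample packet (transaction ID 0x276b and name www.360.cn are the page's values), and the parser rejects truncated packets, responses and compression pointers in the question name instead of returning a partial domain name.

```python
"""Added example: decoding the question of a DNS query packet (step S402).
Not the patent's code. Only the question section is read, which is all the
driver layer needs for the domain-name lookup."""
import struct
from typing import Any, Dict, List, Tuple

QTYPE_NAMES = {1: "A", 5: "CNAME", 15: "MX", 16: "TXT", 28: "AAAA"}
QCLASS_NAMES = {1: "IN"}


def build_dns_query(name: str, txid: int, qtype: int = 1) -> bytes:
    """Construct a standard query (RD=1, one question) as a client would send it."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def _read_name(pkt: bytes, off: int) -> Tuple[str, int]:
    """Read a label sequence starting at `off`; return (name, offset after it)."""
    labels: List[str] = []
    while True:
        if off >= len(pkt):
            raise ValueError("truncated name")
        n = pkt[off]
        off += 1
        if n == 0:
            break
        if n >= 64:  # 0xC0 marks a compression pointer, 0x40/0x80 are reserved
            raise ValueError("compression pointer or bad label length in question")
        label = pkt[off:off + n]
        if len(label) != n:
            raise ValueError("truncated label")
        labels.append(label.decode("ascii"))
        off += n
    return ".".join(labels), off


def parse_dns_query(pkt: bytes) -> Dict[str, Any]:
    """Return the header counts and the single question of a DNS query."""
    if len(pkt) < 12:
        raise ValueError("short DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    if flags & 0x8000:
        raise ValueError("packet is a response, not a query")
    if qd != 1:
        raise ValueError("expected exactly one question")
    name, off = _read_name(pkt, 12)
    if off + 4 > len(pkt):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
    return {
        "transaction_id": txid,
        "questions": qd, "answer_rrs": an, "authority_rrs": ns, "additional_rrs": ar,
        "name": name,                                  # the DNS domain name the driver layer records
        "qtype": QTYPE_NAMES.get(qtype, str(qtype)),
        "qclass": QCLASS_NAMES.get(qclass, str(qclass)),
    }


if __name__ == "__main__":
    sample = build_dns_query("www.360.cn", 0x276b)  # constructed sample packet
    for key, value in parse_dns_query(sample).items():
        print(f"{key}: {value}")
```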
Subsequently, method 400 proceeds to step S403, in which the driver layer judges whether the driver-layer memory (ring0 cache) records the process state information of this program's previous DNS access request having the same DNS domain name as the current one; if so, step S404 is executed; otherwise step S406 is executed. In this method, after a DNS access request has been handled, the ring0 cache records the DNS domain name of that request together with the program's process state information for it, which means either that the DNS domain name of the program's current DNS access request belongs to the blacklist or the whitelist, or that the program was identified as an unknown program in that request. Based on this record, in step S403 the driver layer can first check whether the ring0 cache holds the process state information of the program's previous DNS access request with the same DNS domain name.
In step S404, the driver layer judges whether the previous process state information of this program is that the program is an unknown program; if so, step S414 is executed; otherwise step S405 is executed.
In step S405, the driver layer judges whether the previous process state information of this program is that the DNS domain name of the previous DNS access request belongs to the blacklist; if so, step S413 is executed; otherwise step S414 is executed.
In step S406, the driver layer sends the packet and the DNS domain name to the application layer.
After step S406, method 400 proceeds to step S407, in which the application layer queries whether the DNS domain name is stored in the local database; if so, step S408 is executed; otherwise step S409 is executed.
In step S408, the application layer judges whether the DNS domain name belongs to the blacklist of the local database; if so, step S413 is executed; otherwise step S414 is executed.
In step S409, the application layer sends the DNS domain name to the network-side device. The cloud database of the network-side device also stores a large number of DNS domain names together with a flag for each indicating whether it belongs to the blacklist or the whitelist. The network-side device judges whether the DNS domain name is present in the cloud database; if so, it further uses the flag to determine whether the name belongs to the blacklist or the whitelist of the cloud database, thereby obtaining a query result that it returns to the client.
After step S409, method 400 proceeds to step S410, in which the application layer receives the query result of the network-side device's lookup in the cloud database.
After step S410, method 400 proceeds to step S411, in which the application layer judges whether the query result shows that the cloud database holds the DNS domain name; if so, step S412 is executed; otherwise step S414 is executed.
In step S412, the application layer judges whether the query result shows that the cloud database holds the DNS domain name and that this name belongs to the blacklist; if so, step S413 is executed; otherwise step S414 is executed.
In step S413, the program's DNS access request is blocked.
In step S414, the program's DNS access request is allowed.
After step S413 or step S414, method 400 proceeds to step S415, in which the ring0 cache records the DNS domain name of this DNS access request of the program (for the example above, the recorded content is www.360.cn) together with the program's process state information for this request, which is either that the DNS domain name of this DNS access request belongs to the blacklist or the whitelist, or that the program is an unknown program.
In this method, before the driver layer sends the packet and the DNS domain name to the application layer, it first checks whether the ring0 cache records the process state information of the same program's previous DNS access request, where the previous request means the most recent DNS access request whose DNS domain name is identical to that of the current one. If such a record exists and its process state information says the DNS domain name belongs to the blacklist or the whitelist, the current request is handled directly in the same way as the previous one; if the process state information says the program is an unknown program, the program's network access request is allowed directly. In either case the packet and domain information need not be sent to the application layer again for the local database and cloud database lookups, which greatly reduces the number of queries, lowers the load on the backend and improves the efficiency of network access.
The method provided by the fourth embodiment above is described using the DNS access request as an example, but the method is not limited to the DNS access request; other network access requests may also use the protection method provided by the fourth embodiment.
Fig. 5 shows a flowchart of a protection method 500 for network access behaviour according to a fifth embodiment of the invention. Method 500 is described taking an SMTP access request as the example of a network access request. As shown in Fig. 5, method 500 starts at step S501, in which the driver layer (ring0) intercepts the packet of an SMTP access request initiated by a program. The packets intercepted by the driver layer are those carried in the program's requests to send data (socket send) and to receive data (socket receive). The way the driver layer intercepts packets is described for method 100 and is not repeated here.
Subsequently, method 500 proceeds to step S502, in which the driver layer parses the intercepted packet and obtains the sender's and/or the recipients' e-mail addresses it contains.
An example SMTP access request packet is as follows:
"220 smtp.example.com ESMTP Postfix\r\n"
"HELO relay.example.org\r\n"
"250 Hello relay.example.org, I am glad to meet you\r\n"
"MAIL FROM:<bob@example.org> SIZE\r\n"
"250 Ok\r\n"
"RCPT TO:<alice@example.com>\r\n"
"250 Ok\r\n"
"RCPT TO:<theboss@example.com>\r\n"
"250 Ok\r\n"
"DATA\r\n"
"354 End data with <CR><LF>.<CR><LF>\r\n"
"From: \"Bob Example\" <bob@example.org>\r\n"
"To: \"Alice Example\" <alice@example.com>\r\n"
"Cc: theboss@example.com\r\n"
"Date: Tue, 15 Jan 2008 16:02:43 -0500\r\n"
"Subject: Test message\r\n"
"\r\n"
"Hello Alice.\r\n"
"This is a test message with 5 header fields and 4 lines in the message body.\r\n"
"Your friend,\r\n"
"Bob\r\n"
".\r\n"
"250 Ok: queued as 12345\r\n"
"QUIT\r\n"
"221 Bye\r\n"
For this example, the driver layer parses the packet and obtains the sender's e-mail address bob@example.org and the recipients' e-mail addresses alice@example.com and theboss@example.com.
Subsequently, method 500 proceeds to step S503, in which the driver layer judges whether the driver-layer memory (ring0 cache) records the process state information of this program's previous SMTP access request having the same sender's and/or recipients' e-mail addresses as the current one; if so, step S504 is executed; otherwise step S506 is executed. In this method, after an SMTP access request has been handled, the ring0 cache records the sender's and/or recipients' e-mail addresses of that request together with the program's process state information for it, which means either that the sender's and/or recipients' e-mail addresses of the program's current SMTP access request belong to the blacklist or the whitelist, or that the program was identified as an unknown program in that request. Based on this record, in step S503 the driver layer can first check whether the ring0 cache holds the process state information of the program's previous SMTP access request with the same sender's and/or recipients' e-mail addresses.
In step S504, the driver layer judges whether the previous process state information of this program is that the program is an unknown program; if so, step S514 is executed; otherwise step S505 is executed.
In step S505, the driver layer judges whether the previous process state information of this program is that the sender's and/or recipients' e-mail addresses of the previous SMTP access request belong to the blacklist; if so, step S513 is executed; otherwise step S514 is executed.
In step S506, the driver layer sends the packet and the sender's and/or recipients' e-mail addresses to the application layer.
After step S506, method 500 proceeds to step S507, in which the application layer queries whether the sender's and/or recipients' e-mail addresses are stored in the local database; if so, step S508 is executed; otherwise step S509 is executed.
In step S508, the application layer judges whether the sender's and/or recipients' e-mail addresses belong to the blacklist of the local database; if so, step S513 is executed; otherwise step S514 is executed.
In step S509, the application layer sends the sender's and/or recipients' e-mail addresses to the network-side device. The cloud database of the network-side device also stores a large number of senders' and/or recipients' e-mail addresses together with a flag for each indicating whether it belongs to the blacklist or the whitelist. The network-side device judges whether the sender's and/or recipients' e-mail addresses are present in the cloud database; if so, it further uses the flag to determine whether these addresses belong to the blacklist or the whitelist of the cloud database, thereby obtaining a query result that it returns to the client.
After step S509, method 500 proceeds to step S510, in which the application layer receives the query result of the network-side device's lookup in the cloud database.
After step S510, method 500 proceeds to step S511, in which the application layer judges whether the query result shows that the cloud database holds the sender's and/or recipients' e-mail addresses; if so, step S512 is executed; otherwise step S514 is executed.
In step S512, the application layer judges whether the query result shows that the cloud database holds the sender's and/or recipients' e-mail addresses and that these addresses belong to the blacklist; if so, step S513 is executed; otherwise step S514 is executed.
In step S513, the program's SMTP access request is blocked.
In step S514, the program's SMTP access request is allowed.
After step S513 or step S514, method 500 proceeds to step S515, in which the ring0 cache records the sender's and/or recipients' e-mail addresses of this SMTP access request of the program (for the example above, the recorded content is bob@example.org, alice@example.com and theboss@example.com) together with the program's process state information for this request, which is either that the sender's and/or recipients' e-mail addresses of this SMTP access request belong to the blacklist or the whitelist, or that the program is an unknown program.
In this method, before the driver layer sends the packet and the sender's and/or recipients' e-mail addresses to the application layer, it first checks whether the ring0 cache records the process state information of the same program's previous SMTP access request, where the previous request means the most recent SMTP access request whose sender's and/or recipients' e-mail addresses are identical to those of the current one. If such a record exists and its process state information says the e-mail addresses belong to the blacklist or the whitelist, the current request is handled directly in the same way as the previous one; if the process state information says the program is an unknown program, the program's network access request is allowed directly. In either case the packet and e-mail addresses need not be sent to the application layer again for the local database and cloud database lookups, which greatly reduces the number of queries, lowers the load on the backend and improves the efficiency of network access.
The method provided by the fifth embodiment above is described using the SMTP access request as an example, but the method is not limited to the SMTP access request; other network access requests may also use the protection method provided by the fifth embodiment.
It should be noted that, in the several method embodiments above, an embodiment that does not query the cloud database and relies only on the local database lookup to block or allow the network access behaviour is also an optional embodiment.
Fig. 6 shows a schematic structural diagram of a protection apparatus for network access behaviour according to a sixth embodiment of the invention. As shown in Fig. 6, the network protection apparatus 600 comprises a driver layer module 610 and an application layer module 620. The driver layer module 610 comprises an interception module 611, a driver layer parsing module 612 and a first sending module 613. The interception module 611 is adapted to intercept the packet of a network access request initiated by a program; the driver layer parsing module 612 is adapted to parse the packet and obtain at least one item of domain information contained in it; the first sending module 613 is adapted to send the packet and its at least one item of domain information to the application layer module 620. The application layer module 620 comprises a first receiving module 621, a query module 622, a blocking module 623 and an allowing module 624. The first receiving module 621 is adapted to receive the packet and its at least one item of domain information sent by the first sending module 613; the query module 622 is adapted to query whether any of the at least one item of domain information is stored in the local database; the blocking module 623 is adapted to block the program's network access request when the query module 622 finds that any of the at least one item of domain information belongs to the blacklist of the local database; the allowing module 624 is adapted to allow the program's network access request when the query module 622 finds that none of the at least one item of domain information belongs to the blacklist of the local database but any of it belongs to the whitelist of the local database.
Optionally, the allowing module 624 is further adapted to allow the program's network access request when the query module 622 finds that the local database stores none of the at least one item of domain information, which indicates that the program is an unknown program.
Optionally, the interception module 611 is specifically adapted to intercept the packet of the program's network access request by registering a protocol driver or creating a filter driver in the client; or by using application programming interface functions provided by the operating system; or by taking over the program's calls to network programming interface functions; or by registering a firewall callback. More specifically, the interception module 611 may be adapted to intercept the packet of the program's network access request by registering a protocol driver with NDIS, or by creating a filter driver in the device stack of the Winsock auxiliary function driver, of the transport driver interface (TDI) or of the TCP/IP protocol driver. The interception module 611 may also be adapted to obtain the packet of the program's network access request by using hook functions provided by the operating system to intercept the service functions of the system service descriptor table, the interface functions provided by TCP/IP, or the export functions provided by NDIS.
In the apparatus provided by this embodiment, the driver layer intercepts the packet of the network access request initiated by a program and parses it to obtain the domain information it contains, and the application layer queries the local database with this domain information to decide whether to block or allow the program's network access request. For the upper-layer protocols that programs use on top of TCP/IP or UDP, the domain information in the packet of a network access request reflects the target of that request; by judging the safety of a network access request directly from the target of these upper-layer protocols, the apparatus intercepts the network access behaviour of malicious programs more effectively. Moreover, since the domain information in the packets of network access requests does not change often, the local database need not be updated frequently, so the network access behaviour of malicious programs can be intercepted in a more timely manner.
Fig. 7 shows a schematic structural diagram of a protection apparatus for network access behaviour according to a seventh embodiment of the invention. As shown in Fig. 7, the network protection apparatus 700 comprises a driver layer module 710 and an application layer module 720.
The driver layer module 710 comprises an interception module 711, a driver layer parsing module 712 and a first sending module 713. The interception module 711 is adapted to intercept the packet of a network access request initiated by a program; the driver layer parsing module 712 is adapted to parse the packet and obtain at least one item of domain information contained in it; the first sending module 713 is adapted to send the packet and its at least one item of domain information to the application layer module 720.
The application layer module 720 comprises a first receiving module 721, a query module 722, a blocking module 723, an allowing module 724, a second sending module 725 and a second receiving module 726. The first receiving module 721 is adapted to receive the packet and its at least one item of domain information sent by the first sending module 713; the query module 722 is adapted to query whether any of the at least one item of domain information is stored in the local database; the blocking module 723 is adapted to block the program's network access request when the query module 722 finds that any of the at least one item of domain information belongs to the blacklist of the local database; the allowing module 724 is adapted to allow the program's network access request when the query module 722 finds that none of the at least one item of domain information belongs to the blacklist of the local database but any of it belongs to the whitelist of the local database. The second sending module 725 is adapted to send the at least one item of domain information to the network-side device when the query module 722 finds that the local database stores none of it; the second receiving module 726 is adapted to receive the query result of the network-side device's lookup of whether any of the at least one item of domain information is stored in the cloud database; the blocking module 723 is further adapted to block the program's network access request when the query result received by the second receiving module 726 shows that the cloud database holds any of the at least one item of domain information and that it belongs to the blacklist; the allowing module 724 is further adapted to allow the program's network access request when the query result received by the second receiving module 726 shows that the cloud database holds any of the at least one item of domain information and that it does not belong to the blacklist but belongs to the whitelist.
Optionally, the allowing module 724 is further adapted to allow the program's network access request when neither the local database nor the cloud database stores any of the at least one item of domain information, which indicates that the program is an unknown program.
Optionally, for the details of the interception module 711, reference may be made to the description of the sixth embodiment, which is not repeated here.
In the apparatus provided by this embodiment, the driver layer intercepts the packet of the network access request initiated by a program and parses it to obtain the domain information it contains; the application layer first queries the local database with this domain information to decide whether to block or allow the program's network access request and, if the local database does not store the domain information contained in the packet, continues by querying the cloud database on the network side to decide whether to block or allow the request. For the upper-layer protocols that programs use on top of TCP/IP or UDP, the domain information in the packet of a network access request reflects the target of that request; by judging the safety of a network access request directly from the target of these upper-layer protocols, the apparatus intercepts the network access behaviour of malicious programs more effectively. Moreover, since the domain information in the packets of network access requests does not change often, the local database need not be updated frequently, and the network access behaviour of malicious programs can still be intercepted in a timely manner. By combining the local database with the cloud database to judge the safety of network access requests, the apparatus further improves the efficiency of intercepting the network access behaviour of malicious programs.
Fig. 8 shows a schematic structural diagram of a protection apparatus for network access behaviour according to an eighth embodiment of the invention. As shown in Fig. 8, the network protection apparatus 800 comprises a driver layer module 810 and an application layer module 820.
The driver layer module 810 comprises an interception module 811, a driver layer parsing module 812, an acquisition module 813, a driver layer memory 814, a first judging module 815 and a first sending module 816. The application layer module 820 comprises a first receiving module 821, an application layer parsing module 822, a query module 823, a blocking module 824 and an allowing module 825.
The interception module 811 is adapted to intercept the packet of an HTTP access request initiated by a program; optionally, for the details of the interception module 811, reference may be made to the description of the sixth embodiment, which is not repeated here. The driver layer parsing module 812 is adapted to parse the packet and obtain the domain name (host) contained in it; the acquisition module 813 is adapted to obtain the IP address and port of the HTTP access request; the first judging module 815 is adapted to judge whether the driver layer memory 814 records the process state information of the program's previous HTTP access request having the same IP address, port and domain name as the current one; the first sending module 816 is adapted to send the packet and the domain name to the first receiving module 821 of the application layer module 820 when the first judging module 815 judges no, or when it judges yes and the previous process state information is that the program is an unknown program.
The first receiving module 821 is adapted to receive the packet and the domain name sent by the first sending module 816; the application layer parsing module 822 is adapted to parse the packet further and obtain one or more of the URL (network address), the User-Agent identifier and the Referer (parent page) information as part of the at least one item of domain information. The application layer parsing module 822 is optional. The query module 823 is adapted to query whether any of the at least one item of domain information is stored in the local database. The blocking module 824 is adapted to block the program's network access request when the query module 823 finds that any of the at least one item of domain information belongs to the blacklist of the local database, or when the first judging module 815 judges yes and the previous process state information is that any of the at least one item of domain information of the previous HTTP access request belongs to the blacklist; the allowing module 825 is adapted to allow the program's network access request when the query module 823 finds that none of the at least one item of domain information belongs to the blacklist of the local database but any of it belongs to the whitelist of the local database, or when the first judging module 815 judges yes and the previous process state information is that any of the at least one item of domain information of the previous HTTP access request belongs to the whitelist.
As one optional implementation, the allowing module 825 is further adapted to allow the program's network access request when the query module 823 finds that the local database stores none of the at least one item of domain information, which indicates that the program is an unknown program.
As another optional implementation, the application layer module 820 further comprises a second sending module and a second receiving module. The second sending module is adapted to send the at least one item of domain information to the network-side device when the query module finds that the local database stores none of it; the second receiving module is adapted to receive the query result of the network-side device's lookup of whether any of the at least one item of domain information is stored in the cloud database; the blocking module is further adapted to block the program's network access request when the query result received by the second receiving module shows that the cloud database holds any of the at least one item of domain information and that it belongs to the blacklist; the allowing module is further adapted to allow the program's network access request when the query result received by the second receiving module shows that the cloud database holds any of the at least one item of domain information and that it does not belong to the blacklist but belongs to the whitelist. Optionally, the allowing module is further adapted to allow the program's network access request when neither the local database nor the cloud database stores any of the at least one item of domain information, which indicates that the program is an unknown program.
Optionally, the driver layer memory is adapted to record the IP address, port and domain name of the program's HTTP access request together with the program's process state information, which is either that any of the at least one item of domain information of the program's HTTP access request belongs to the blacklist or the whitelist, or that the program is an unknown program.
Alternatively, the process state information that driving layer internal memory also is suitable in program is that program is in the situation of unknown program, and logging program is confirmed to be the cumulative number of unknown program.
On the basis of above-described embodiment, the another kind of embodiment that replaces is: the first judge module is replaced by the second judge module and the 3rd judge module, corresponding, the function of the first sending module, prevention module and clearance module also changes to some extent.Particularly, the second judge module is suitable for judging in driving layer internal memory whether record the process state information that has the upper once program of identical ip addresses and port and domain name with the HTTP access request of this secondary program; The 3rd judge module be suitable for the second judge module be judged as be and on once the process state information of program be on once program be in the situation of unknown program, whether determining program is confirmed to be the cumulative number of unknown program more than or equal to preset value; The first sending module specifically is suitable for being judged as in the no situation at the second judge module, perhaps, is judged as in the no situation at the 3rd judge module, and packet and at least a domain information thereof are sent to application layer module; Stop module also to be suitable for being judged as at the second judge module to be, and the process state information of last program is that at least a domain information of HTTP access request of last program any belongs in the situation of blacklist, stops the network access request of program; The clearance module also is suitable for being judged as at the second judge module, and once any at least a domain information of the HTTP access request of program belongs in the situation of white list the network access request of clearance program on the process state information of upper once program is.
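The decision flow of the eighth embodiment, its counter-based variant and the cloud lookup of the tenth embodiment, as an added worked example that is not the patent's own code. The driver-layer memory is modelled as a dictionary keyed by (program, IP, port, domain), the local and cloud databases as in-process sets, and the preset value as a constructor argument; all of these, and the choice to release a request once the unknown counter reaches the preset value, are assumptions made for the example.

```python
"""Two-tier allow/block decision for a program's outbound request.

Added example of the design described above; it is not the patent's own
code. Everything below is constructed: the cache key (program, IP, port,
domain), the local and cloud lists, and the unknown-count threshold.
"""
from dataclasses import dataclass

BLACKLIST, WHITELIST, UNKNOWN = "blacklist", "whitelist", "unknown"
BLOCK, ALLOW = "block", "allow"


@dataclass
class ProcessState:
    """Entry kept in driver-layer memory for one program and endpoint."""
    state: str              # BLACKLIST, WHITELIST or UNKNOWN
    unknown_count: int = 0  # times this entry was confirmed unknown


class ApplicationLayer:
    """Query module, blocking module and release module in one class.

    Looks each item of domain information up in the local database and,
    if nothing is found there, in the cloud database (the network-side
    query of the tenth embodiment, modelled here as a set lookup).
    """

    def __init__(self, local_black=(), local_white=(),
                 cloud_black=(), cloud_white=(), use_cloud=True):
        self.local_black, self.local_white = set(local_black), set(local_white)
        self.cloud_black, self.cloud_white = set(cloud_black), set(cloud_white)
        self.use_cloud = use_cloud

    def query_cloud(self, domain_info):
        """Network-side query result: BLACKLIST, WHITELIST or None."""
        if any(d in self.cloud_black for d in domain_info):
            return BLACKLIST
        if any(d in self.cloud_white for d in domain_info):
            return WHITELIST
        return None

    def decide(self, domain_info):
        """Return (verdict, state) for a tuple of domain-information items."""
        # Blacklist is checked before whitelist at both tiers: one listed
        # item (host, URL, User-Agent or parent page) is enough to block.
        if any(d in self.local_black for d in domain_info):
            return BLOCK, BLACKLIST
        if any(d in self.local_white for d in domain_info):
            return ALLOW, WHITELIST
        if self.use_cloud:
            cloud = self.query_cloud(domain_info)
            if cloud == BLACKLIST:
                return BLOCK, BLACKLIST
            if cloud == WHITELIST:
                return ALLOW, WHITELIST
        # Stored nowhere: the program is treated as unknown and released.
        return ALLOW, UNKNOWN


class DriverLayer:
    """Judging module plus driver-layer memory.

    unknown_threshold=None gives the base embodiment (an UNKNOWN entry is
    re-sent to the application layer on every request); a number gives the
    variant with the second and third judging modules; recheck_unknown=False
    gives the ninth embodiment, where a previous UNKNOWN verdict is reused.
    """

    def __init__(self, app_layer, unknown_threshold=None, recheck_unknown=True):
        self.app = app_layer
        self.memory = {}  # (program, ip, port, domain) -> ProcessState
        self.threshold = unknown_threshold
        self.recheck_unknown = recheck_unknown

    def handle(self, program, ip, port, domain, extra_info=()):
        """extra_info: items the application-layer parser adds (URL, UA...)."""
        key = (program, ip, port, domain)
        rec = self.memory.get(key)
        if rec is not None:
            if rec.state == BLACKLIST:
                return BLOCK
            if rec.state == WHITELIST:
                return ALLOW
            # rec.state == UNKNOWN from here on.
            if not self.recheck_unknown:
                return ALLOW
            if self.threshold is not None and rec.unknown_count >= self.threshold:
                # Confirmed unknown often enough: the driver layer stops
                # forwarding to the application layer. The page does not say
                # what happens to the request itself; releasing it is an
                # assumption consistent with how unknown programs are treated.
                return ALLOW
        verdict, state = self.app.decide((domain,) + tuple(extra_info))
        if rec is None:
            rec = self.memory[key] = ProcessState(state)
        rec.state = state
        if state == UNKNOWN:
            rec.unknown_count += 1
        return verdict
```

The counter variant trades freshness for cost: once an entry has been confirmed unknown `unknown_threshold` times, a later blacklist update in the local or cloud database is not seen for that entry until it is evicted from driver-layer memory, so a deployment would pair the preset value with an expiry on the memory entries.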
Fig. 9 shows the structure of the protection device for network access behaviour according to the ninth embodiment of the invention. As shown in Fig. 9, the network protection device 900 comprises a driver-layer module 910 and an application-layer module 920.
The driver-layer module 910 comprises an intercepting module 911, a driver-layer parsing module 912, a driver-layer memory 913, a judging module 914 and a first sending module 915. The application-layer module 920 comprises a first receiving module 921, a query module 922, a blocking module 923 and a release module 924.
The intercepting module 911 is adapted to intercept the packet of the network access request initiated by a program; optionally, the details of the intercepting module 911 are as described in the sixth embodiment and are not repeated here. The driver-layer parsing module 912 is adapted to parse the packet and obtain the at least one item of domain information it contains. The judging module 914 is adapted to judge whether the driver-layer memory 913 records process state information for a previous request of this program that has the same at least one item of domain information as the program's current network access request. The first sending module 915 is adapted to send the packet and its at least one item of domain information to the first receiving module 921 of the application-layer module 920 when the judging module 914 judges no.
The first receiving module 921 is adapted to receive the packet and its at least one item of domain information sent by the first sending module 915. The query module 922 is adapted to query whether any of the at least one item of domain information is stored in the local database. The blocking module 923 is adapted to block the program's network access request when the query module 922 finds that any of the at least one item of domain information belongs to the blacklist of the local database, or when the judging module 914 judges yes and the process state information of the previous request is that any item of domain information of the previous network access request belongs to the blacklist. The release module 924 is adapted to release the program's network access request when the query module 922 finds that the at least one item of domain information does not belong to the blacklist of the local database but any of it belongs to the whitelist of the local database, or when the judging module 914 judges yes and the process state information of the previous request is either that any item of domain information of the previous network access request belongs to the whitelist or that the program was an unknown program.
As an optional implementation, the release module 924 is further adapted to release the program's network access request when the query module 922 finds that none of the at least one item of domain information is stored in the local database, which indicates that the program is an unknown program.
As another optional implementation, the application-layer module 920 further comprises a second sending module and a second receiving module. The second sending module is adapted to send the at least one item of domain information to the network-side device when the query module finds that none of it is stored in the local database. The second receiving module is adapted to receive the query result in which the network-side device reports whether any of the at least one item of domain information is stored in the cloud database. The blocking module is further adapted to block the program's network access request when the query result received by the second receiving module shows that the cloud database stores any of the at least one item of domain information and that item belongs to the blacklist. The release module is further adapted to release the program's network access request when the query result received by the second receiving module shows that the cloud database stores any of the at least one item of domain information and that item does not belong to the blacklist but belongs to the whitelist. Optionally, the release module is further adapted to release the program's network access request when neither the local database nor the cloud database stores any of the at least one item of domain information, which indicates that the program is an unknown program.
Optionally, the driver-layer memory is adapted to record the at least one item of domain information of the program's network access request together with the program's process state information, the process state information being that any item of domain information of the program's network access request belongs to the blacklist or to the whitelist, or that the program is an unknown program.
Optionally, in this embodiment the network access request may be a DNS access request, in which case the at least one item of domain information comprises the DNS domain name; or the network access request may be an SMTP access request, in which case the at least one item of domain information comprises the sender's and/or recipient's e-mail address.
Fig. 10 shows the structure of the protection system for network access behaviour according to the tenth embodiment of the invention. As shown in Fig. 10, the network protection system 1000 comprises a client device 1010 and a network-side device 1020. The client device 1010 may comprise the protection device for network access behaviour of any of the seventh, eighth and ninth embodiments above. The network-side device 1020 comprises a cloud database 1021, a network-side receiving module 1022, a network-side query module 1023 and a network-side sending module 1024. The network-side receiving module 1022 is connected to the second sending module in the client device and is adapted to receive the at least one item of domain information sent by the client device; the network-side query module 1023 is adapted to query whether any of the at least one item of domain information is stored in the cloud database 1021 and obtain a query result; the network-side sending module 1024 is connected to the second receiving module in the client device and is adapted to send the query result to the client device.
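What the driver-layer and application-layer parsing modules would extract as domain information from the three request types the page names: host, URL, User-Agent and parent page from an HTTP request (eighth embodiment), the queried name from a DNS query and the sender and recipient addresses from an SMTP session (this embodiment). This is an added example and not the patent's code; the sample packets are constructed for it, and the `domain_info` helper that flattens the result into lookup items is an assumption about how the lists would be keyed.

```python
"""Extract 'domain information' from captured request bytes.

Added example, not the patent's code: what the driver-layer and
application-layer parsing modules would pull out of an HTTP request (host,
URL, User-Agent, parent page), a DNS query (queried name) and an SMTP
session (sender and recipient addresses). All sample packets below are
constructed for the example.
"""
import re
import struct


def parse_http(payload: bytes) -> dict:
    """Host, URL, User-Agent and parent page (Referer) of an HTTP request head."""
    head = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    _method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    host = headers.get("host", "")
    # A proxy-style request already carries an absolute URL.
    url = target if target.lower().startswith("http") else "http://" + host + target
    return {
        "host": host,
        "url": url,
        "user_agent": headers.get("user-agent", ""),
        "referer": headers.get("referer", ""),
    }


def parse_dns_qname(payload: bytes) -> str:
    """First question name of a DNS query in RFC 1035 wire format."""
    if len(payload) < 12:
        raise ValueError("truncated DNS header")
    qdcount = struct.unpack("!H", payload[4:6])[0]
    if qdcount == 0:
        raise ValueError("no question section")
    pos, labels = 12, []
    while True:
        length = payload[pos]
        if length == 0:
            break
        if length & 0xC0:
            # Compression pointers are not valid in a question name.
            raise ValueError("compressed label in question name")
        labels.append(payload[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels)


def parse_smtp(payload: bytes) -> dict:
    """Sender and recipients from the client side of an SMTP session."""
    text = payload.decode("latin-1")
    sender = re.search(r"(?im)^MAIL FROM:\s*<([^>]*)>", text)
    recipients = re.findall(r"(?im)^RCPT TO:\s*<([^>]*)>", text)
    return {"sender": sender.group(1) if sender else "", "recipients": recipients}


def domain_info(kind: str, payload: bytes) -> tuple:
    """Items to look up in the blacklist/whitelist, one tuple per request (assumed layout)."""
    if kind == "http":
        h = parse_http(payload)
        return tuple(v for v in (h["host"], h["url"], h["user_agent"], h["referer"]) if v)
    if kind == "dns":
        return (parse_dns_qname(payload),)
    if kind == "smtp":
        s = parse_smtp(payload)
        return tuple(a for a in [s["sender"]] + s["recipients"] if a)
    raise ValueError(f"unsupported request kind: {kind}")


# Constructed samples (not captured traffic).
HTTP_SAMPLE = (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
               b"User-Agent: Demo/1.0\r\nReferer: http://ref.example/page\r\n\r\n")
DNS_SAMPLE = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"   # header, QDCOUNT=1
              b"\x03www\x07example\x03com\x00\x00\x01\x00\x01")     # www.example.com, A, IN
SMTP_SAMPLE = (b"EHLO client.example\r\nMAIL FROM:<alice@example.com>\r\n"
               b"RCPT TO:<bob@example.org>\r\nRCPT TO:<carol@example.org>\r\nDATA\r\n")
```

The parsers reject malformed input rather than guessing: a DNS packet with a compression pointer in its question name, or with no question at all, raises instead of returning an empty name that would then be looked up and treated as unknown.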
The algorithms and displays provided here are not inherently related to any particular computer, virtual system or other apparatus. Various general-purpose systems may also be used with the teaching herein, and the structure required to construct such systems is apparent from the description above. Moreover, the invention is not directed to any particular programming language. It should be understood that various programming languages may be used to implement the content of the invention described here, and that the description above of a specific language is given in order to disclose the best mode of the invention.
Many details are described in the specification provided here. It is understood, however, that embodiments of the invention may be practised without these details. In some instances, well-known methods, structures and techniques are not shown in detail so as not to obscure the understanding of this description.
Similarly, it should be understood that, in order to streamline the disclosure and aid understanding of one or more of the inventive aspects, features of the invention are sometimes grouped together in a single embodiment, figure or description thereof in the description of exemplary embodiments above. This method of disclosure is not to be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single disclosed embodiment. Thus the claims following the detailed description are hereby expressly incorporated into it, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art will appreciate that the modules in a device of an embodiment may be adaptively changed and arranged in one or more devices different from that embodiment. Modules, units or components of an embodiment may be combined into one module, unit or component, and may also be divided into a plurality of sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or apparatus so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose.
Furthermore, those skilled in the art will understand that although some embodiments described herein include certain features included in other embodiments but not others, combinations of features of different embodiments are meant to be within the scope of the invention and to form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
The component embodiments of the invention may be implemented in hardware, in software modules running on one or more processors, or in a combination of them. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all components of the protection system for network access behaviour according to embodiments of the invention. The invention may also be implemented as apparatus or device programs (for example, computer programs and computer program products) for performing part or all of the methods described herein. Such programs implementing the invention may be stored on computer-readable media or may take the form of one or more signals. Such signals may be downloaded from Internet websites, provided on carrier signals, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the invention, and that those skilled in the art may design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a device claim enumerating several means, several of these means may be embodied by one and the same item of hardware. The use of the words first, second, third, etc. does not indicate any order; these words may be interpreted as names.

Claims (16)

1. A protection system for network access behaviour, comprising a client device and a network-side device;
the client device comprises a protection device for network access behaviour;
the network-side device comprises:
a cloud database;
a network-side receiving module adapted to receive at least one item of domain information sent by the client device;
a network-side query module adapted to query whether any of the at least one item of domain information is stored in the cloud database and obtain a query result;
a network-side sending module adapted to send the query result to the client device;
the protection device for network access behaviour comprises a driver-layer module and an application-layer module;
the driver-layer module comprises:
an intercepting module adapted to intercept the packet of a network access request initiated by a program;
a driver-layer parsing module adapted to parse the packet and obtain at least one item of domain information in the packet;
a first sending module adapted to send the packet and its at least one item of domain information to the application-layer module;
the application-layer module comprises:
a first receiving module adapted to receive the packet and its at least one item of domain information sent by the first sending module;
a query module adapted to query whether any of the at least one item of domain information is stored in a local database;
a blocking module adapted to block the network access request of the program when the query module finds that any of the at least one item of domain information belongs to the blacklist of the local database;
a release module adapted to release the network access request of the program when the query module finds that the at least one item of domain information does not belong to the blacklist of the local database but any of it belongs to the whitelist of the local database.
2. The protection system according to claim 1, wherein the release module is further adapted to release the network access request of the program when the query module finds that none of the at least one item of domain information is stored in the local database, which indicates that the program is an unknown program.
3. The protection system according to claim 1, wherein the application-layer module further comprises:
a second sending module adapted to send the at least one item of domain information to the network-side device when the query module finds that none of the at least one item of domain information is stored in the local database;
a second receiving module adapted to receive the query result in which the network-side device reports whether any of the at least one item of domain information is stored in the cloud database;
the blocking module being further adapted to block the network access request of the program when the query result received by the second receiving module shows that the cloud database stores any of the at least one item of domain information and that item belongs to the blacklist;
the release module being further adapted to release the network access request of the program when the query result received by the second receiving module shows that the cloud database stores any of the at least one item of domain information and that item does not belong to the blacklist but belongs to the whitelist.
4. The protection system according to claim 3, wherein the release module is further adapted to release the network access request of the program when neither the local database nor the cloud database stores any of the at least one item of domain information, which indicates that the program is an unknown program.
5. The protection system according to claim 2 or 4, wherein the intercepting module is specifically adapted to intercept the packet of an HTTP access request initiated by the program; the at least one item of domain information comprises a domain name;
the driver-layer module further comprises an acquisition module adapted to obtain the IP address and port of the HTTP access request.
6. The protection system according to claim 5, wherein the application-layer module further comprises an application-layer parsing module adapted to parse the packet further and obtain one or more of the following as part of the at least one item of domain information: the URL (network address), the User-Agent identifier and the parent-page (referring page) information.
7. The protection system according to claim 5 or 6, wherein the driver-layer module further comprises:
a driver-layer memory;
a first judging module adapted to judge whether the driver-layer memory records process state information for a previous request of the program that has the same IP address, port and domain name as the program's current HTTP access request;
the first sending module being specifically adapted to send the packet and its at least one item of domain information to the application-layer module when the first judging module judges no, or when the first judging module judges yes and the process state information of the previous request is that the program is an unknown program;
the blocking module being further adapted to block the network access request of the program when the first judging module judges yes and the process state information of the previous request is that any item of domain information of the previous HTTP access request belongs to the blacklist;
the release module being further adapted to release the network access request of the program when the first judging module judges yes and the process state information of the previous request is that any item of domain information of the previous HTTP access request belongs to the whitelist.
8. The protection system according to claim 5 or 6, wherein the driver-layer module further comprises:
a driver-layer memory;
a second judging module adapted to judge whether the driver-layer memory records process state information for a previous request of the program that has the same IP address, port and domain name as the program's current HTTP access request;
a third judging module adapted, when the second judging module judges yes and the process state information of the previous request is that the program is an unknown program, to judge whether the cumulative number of times the program has been confirmed to be an unknown program is greater than or equal to a preset value;
the first sending module being specifically adapted to send the packet and its at least one item of domain information to the application-layer module when the second judging module judges no, or when the third judging module judges no;
the blocking module being further adapted to block the network access request of the program when the second judging module judges yes and the process state information of the previous request is that any item of domain information of the previous HTTP access request belongs to the blacklist;
the release module being further adapted to release the network access request of the program when the second judging module judges yes and the process state information of the previous request is that any item of domain information of the previous HTTP access request belongs to the whitelist.
9. The protection system according to any of claims 5 to 8, wherein the driver-layer memory is adapted to record the IP address, port and domain name of the program's HTTP access request and to record the process state information of the program, the process state information being that any item of domain information of the program's HTTP access request belongs to the blacklist or to the whitelist, or that the program is an unknown program.
10. The protection system according to claim 9, wherein, when the process state information of the program is that the program is an unknown program, the driver-layer memory is further adapted to record the cumulative number of times the program has been confirmed to be an unknown program.
11. The protection system according to claim 2 or 4, wherein the driver-layer module comprises:
a driver-layer memory;
a judging module adapted to judge whether the driver-layer memory records process state information for a previous request of the program that has the same at least one item of domain information as the program's current network access request;
the first sending module being specifically adapted to send the packet and its at least one item of domain information to the application-layer module when the judging module judges no;
the blocking module being further adapted to block the network access request of the program when the judging module judges yes and the process state information of the previous request is that any item of domain information of the previous network access request belongs to the blacklist;
the release module being further adapted to release the network access request of the program when the judging module judges yes and the process state information of the previous request is either that any item of domain information of the previous network access request belongs to the whitelist or that the program was an unknown program.
12. The protection system according to claim 11, wherein the driver-layer memory is adapted to record the at least one item of domain information of the program's network access request and to record the process state information of the program, the process state information being that any item of domain information of the program's network access request belongs to the blacklist or to the whitelist, or that the program is an unknown program.
13. The protection system according to claim 11 or 12, wherein
the network access request is a DNS access request and the at least one item of domain information comprises the DNS domain name;
or the network access request is an SMTP access request and the at least one item of domain information comprises the sender's and/or recipient's e-mail address.
14. The protection system according to any of claims 1 to 13, wherein the intercepting module is specifically adapted to:
intercept the packet of the network access request initiated by the program by registering a protocol driver or creating a filter driver at the client;
or intercept the packet of the network access request initiated by the program by using an application programming interface function provided by the operating system;
or intercept the packet of the network access request initiated by the program by taking over the program's calls to network programming interface functions;
or intercept the packet of the network access request initiated by the program by registering a firewall callback.
15. The protection system according to any of claims 1 to 13, wherein the intercepting module is specifically adapted to intercept the packet of the network access request initiated by the program by registering a protocol driver with NDIS, or by creating a filter driver in the driver device stack of the winsock helper functions, of the Transport Driver Interface (TDI) or of the TCP/IP protocol.
16. The protection system according to any of claims 1 to 13, wherein the intercepting module is specifically adapted to obtain the packet of the network access request initiated by the program by using hook functions provided by the operating system to intercept the interface functions provided by the system service descriptor table, the transport service functions provided by TCP/IP, or the export functions provided by NDIS.
CN201210478425.4A 2012-11-22 2012-11-22 The guard system of access to netwoks behavior Active CN102916983B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201210478425.4A CN102916983B (en) 2012-11-22 2012-11-22 The guard system of access to netwoks behavior


Publications (2)

Publication Number Publication Date
CN102916983A true CN102916983A (en) 2013-02-06
CN102916983B CN102916983B (en) 2015-08-05

Family

ID=47615217

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201210478425.4A Active CN102916983B (en) 2012-11-22 2012-11-22 The guard system of access to netwoks behavior

Country Status (1)

Country Link
CN (1) CN102916983B (en)

Cited By (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103929418A (en) * 2014-03-28 2014-07-16 汉柏科技有限公司 Wireless Internet access method and system based on network safety equipment
CN104104666A (en) * 2013-04-15 2014-10-15 腾讯科技(深圳)有限公司 Method of detecting abnormal cloud service and device
CN104348850A (en) * 2013-07-25 2015-02-11 凌群电脑股份有限公司 System utilizing transparent technology to access data of cloud database
CN105376222A (en) * 2015-10-30 2016-03-02 四川九洲电器集团有限责任公司 Intelligent defense system based on cloud computing platform
CN105518663A (en) * 2013-08-12 2016-04-20 沃尔玛连锁商店公司 Automatic blocking of bad actors
CN105561580A (en) * 2015-12-24 2016-05-11 北京奇虎科技有限公司 Network protecting method and device based on game platform
CN106131090A (en) * 2016-08-31 2016-11-16 北京力鼎创软科技有限公司 A kind of method and system of the customer access network under web authentication
CN107342999A (en) * 2017-07-04 2017-11-10 郑州云海信息技术有限公司 A kind of system and method based on agent protection certificate is strengthened
CN107528861A (en) * 2017-10-12 2017-12-29 山东浪潮云服务信息科技有限公司 A kind of method and device for determining IP user's access rights
CN107821284A (en) * 2017-11-07 2018-03-23 河北工业大学 A kind of intelligent fish breeding system based on cloud database
CN108632280A (en) * 2018-05-08 2018-10-09 国家计算机网络与信息安全管理中心 Flow processing method, apparatus and system, fire wall and server
CN109379404A (en) * 2018-09-14 2019-02-22 厦门天锐科技股份有限公司 The method for effectively acting on behalf of forwarding data based on TDI driving and proxy server
CN105142130B (en) * 2015-06-12 2019-05-31 联想(北京)有限公司 A kind of information processing method and electronic equipment
CN111552539A (en) * 2014-07-14 2020-08-18 甲骨文国际公司 Variable handle
US20230379340A1 (en) * 2016-08-22 2023-11-23 Paubox, Inc. Method for securely communicating email content between a sender and a recipient

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101378395A (en) * 2008-10-10 2009-03-04 福建星网锐捷网络有限公司 Method and apparatus for preventing reject access aggression
CN101404654A (en) * 2008-10-30 2009-04-08 中兴通讯股份有限公司 Apparatus and method for preventing frequent accesses to electronic program menu server by suspicious users
CN101527721A (en) * 2009-04-22 2009-09-09 中兴通讯股份有限公司 Anti-virus method on the basis of household gateway and device thereof
CN101834866A (en) * 2010-05-05 2010-09-15 北京来安科技有限公司 CC (Communication Center) attack protective method and system thereof
CN102025713A (en) * 2010-02-09 2011-04-20 中国移动通信集团北京有限公司 Access control method, system and DNS (Domain Name Server) server
CN102413142A (en) * 2011-11-30 2012-04-11 华中科技大学 Active defense method based on cloud platform

Cited By (22)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104104666A (en) * 2013-04-15 2014-10-15 腾讯科技(深圳)有限公司 Method of detecting abnormal cloud service and device
CN104104666B (en) * 2013-04-15 2015-06-24 腾讯科技(深圳)有限公司 Method of detecting abnormal cloud service and device
CN104348850B (en) * 2013-07-25 2017-10-20 凌群电脑股份有限公司 The system for accessing cloud database data using saturating logical technology
CN104348850A (en) * 2013-07-25 2015-02-11 凌群电脑股份有限公司 System utilizing transparent technology to access data of cloud database
CN105518663B (en) * 2013-08-12 2019-03-01 沃尔玛阿波罗有限责任公司 The automatic blocking of bad behavior people
CN105518663A (en) * 2013-08-12 2016-04-20 沃尔玛连锁商店公司 Automatic blocking of bad actors
CN103929418A (en) * 2014-03-28 2014-07-16 汉柏科技有限公司 Wireless Internet access method and system based on network safety equipment
CN111552539B (en) * 2014-07-14 2023-07-07 甲骨文国际公司 Variable handle
CN111552539A (en) * 2014-07-14 2020-08-18 甲骨文国际公司 Variable handle
CN105142130B (en) * 2015-06-12 2019-05-31 联想(北京)有限公司 A kind of information processing method and electronic equipment
WO2017071148A1 (en) * 2015-10-30 2017-05-04 四川九洲电器集团有限责任公司 Cloud computing platform-based intelligent defense system
CN105376222A (en) * 2015-10-30 2016-03-02 四川九洲电器集团有限责任公司 Intelligent defense system based on cloud computing platform
CN105561580A (en) * 2015-12-24 2016-05-11 北京奇虎科技有限公司 Network protecting method and device based on game platform
US20230379340A1 (en) * 2016-08-22 2023-11-23 Paubox, Inc. Method for securely communicating email content between a sender and a recipient
CN106131090A (en) * 2016-08-31 2016-11-16 北京力鼎创软科技有限公司 A kind of method and system of the customer access network under web authentication
CN107342999A (en) * 2017-07-04 2017-11-10 郑州云海信息技术有限公司 A kind of system and method based on agent protection certificate is strengthened
CN107528861B (en) * 2017-10-12 2019-11-12 浪潮云信息技术有限公司 A kind of method and device of determining IP user's access authority
CN107528861A (en) * 2017-10-12 2017-12-29 山东浪潮云服务信息科技有限公司 A kind of method and device for determining IP user's access rights
CN107821284A (en) * 2017-11-07 2018-03-23 河北工业大学 A kind of intelligent fish breeding system based on cloud database
CN108632280A (en) * 2018-05-08 2018-10-09 国家计算机网络与信息安全管理中心 Flow processing method, apparatus and system, fire wall and server
CN109379404A (en) * 2018-09-14 2019-02-22 厦门天锐科技股份有限公司 The method for effectively acting on behalf of forwarding data based on TDI driving and proxy server
CN109379404B (en) * 2018-09-14 2022-04-01 厦门天锐科技股份有限公司 Method for forwarding data based on TDI drive and effective proxy of proxy server

Also Published As

Publication number Publication date
CN102916983B (en) 2015-08-05

Similar Documents

Publication Publication Date Title
CN102916983B (en) The guard system of access to networks behavior
CN102932375B (en) The means of defence of access to networks behavior and device
US8484377B1 (en) Systems and methods for prepending nonce labels to DNS queries to enhance security
EP2532136B1 (en) System and method for risk rating and detecting redirection activities
US9071974B2 (en) Mobile telephone firewall and compliance enforcement system and method
US20060080444A1 (en) System and method for controlling access to a network resource
KR101907392B1 (en) Method and system for inspecting malicious link addree listed on email
CN103051617A (en) Method, device and system for identifying network behaviors of program
WO2006014804A2 (en) Messaging spam detection
CN103368941A (en) User network access scenario-based protection method and device
CN102783119A (en) Access control method and system, and access terminal
US9264440B1 (en) Parallel detection of updates to a domain name system record system using a common filter
US10659335B1 (en) Contextual analyses of network traffic
CA2911989C (en) Method, system and apparatus for detecting instant message spam
EP3332533B1 (en) Parallel detection of updates to a domain name system record system using a common filter
CN102752411A (en) Redirection method and device
JP2010171471A (en) E-mail filtering system
Alani et al. Tcp/ip model
CN103747005A (en) DNS (domain name system) cache poisoning protection method and device
CN101668045B (en) Information processing method and information processing server
US8001243B2 (en) Distributed denial of service deterrence using outbound packet rewriting
CN103067360A (en) Method and system for procedure network behavior identification
CN101674311B (en) Address inquiring method, gateway or user device, and server
CN105119774A (en) Harassment information identification method, device and system
CN103618777A (en) Method and device for calling client side

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CP01 Change in the name or title of a patent holder

Address after: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)

Patentee after: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Patentee after: Beijing Qizhi Business Consulting Co.,Ltd.

Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)

Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Patentee before: Qizhi software (Beijing) Co.,Ltd.

CP01 Change in the name or title of a patent holder
TR01 Transfer of patent right

Effective date of registration: 20220325

Address after: 100016 1773, 15 / F, 17 / F, building 3, No.10, Jiuxianqiao Road, Chaoyang District, Beijing

Patentee after: Sanliu0 Digital Security Technology Group Co.,Ltd.

Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)

Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Patentee before: Beijing Qizhi Business Consulting Co.,Ltd.

TR01 Transfer of patent right