CN102916983B - Protection system for network access behavior - Google Patents


Info

Publication number
CN102916983B
Authority
CN
China
Prior art keywords
program
module
access request
domain information
network access
Legal status
Active
Application number
CN201210478425.4A
Other languages
Chinese (zh)
Other versions
CN102916983A
Inventor
熊昱之
张聪
刘海粟
Current Assignee
Beijing Qizhi Business Consulting Co ltd
Beijing Qihoo Technology Co Ltd
360 Digital Security Technology Group Co Ltd
Original Assignee
Beijing Qihoo Technology Co Ltd
Qizhi Software Beijing Co Ltd
Events
Application filed by Beijing Qihoo Technology Co Ltd, Qizhi Software Beijing Co Ltd
Priority to CN201210478425.4A
Publication of CN102916983A
Application granted
Publication of CN102916983B


Abstract

The invention discloses a protection system for network access behavior. The system comprises a client device and a network device. The client device comprises a protection apparatus for network access behavior. The network device comprises: a cloud database; a network-side receiving module adapted to receive at least one item of domain information sent by the client device; a network-side query module adapted to query the cloud database for whether any of the at least one item of domain information is stored there and to obtain a query result; and a network-side sending module adapted to send the query result to the client device. The protection apparatus comprises a driver-layer module and an application-layer module. The invention judges whether a network access request is safe directly from the target of the upper-layer protocol being used, and can therefore intercept the network access behavior of malicious programs more effectively.

Description

Protection system for network access behavior
Technical field
The present invention relates to the technical field of network communication security, and in particular to a protection system for network access behavior.
Background art
With the rapid development of Internet technology and the general fall in the cost of going online, the Internet has become an indispensable part of most people's daily lives. However, some programmers, in order to show off or prove their own ability, or out of other motives (political, military, religious, national, patent-related and so on), often write malicious programs that affect the normal running of a computer, so that users invaded by these programs cannot achieve what they went online to do, and the whole system may even be paralysed. Network security has therefore become a focus of attention.
Existing network protection methods all allow or block the network access behavior of a given program on the basis of the IP address and port of TCP (Transmission Control Protocol)/IP (Internet Protocol) or UDP (User Datagram Protocol). Specifically, when a program initiates a network access request it first issues a connection request (socket connect); the IP address and port of the target to be visited can be obtained from the socket connect, and the locally stored database is queried by that IP address and port to decide whether the program's network access behavior is allowed or blocked. For an unknown program, the user may be prompted to choose whether to allow it.
However, most of the network protocols used by existing programs are upper-layer protocols implemented on top of TCP/IP or UDP, such as HTTP (Hypertext Transport Protocol), SMTP (Simple Mail Transfer Protocol), DNS (Domain Name System) and FTP (File Transfer Protocol). When a program makes a network access request with one of these upper-layer protocols, the purpose of the request cannot be determined simply from the IP address and port. Moreover, IP addresses and ports change very frequently on a network (for example, the IP address changes whenever the network provider changes), while updating the local database takes a certain amount of time, so existing network protection methods cannot intercept the network access behavior of malicious programs promptly and effectively.
Summary of the invention
In view of the above problems, the present invention is proposed in order to provide a protection system for network access behavior that overcomes, or at least partly solves, the problems described above.
According to the present invention, a protection system for network access behavior is provided, comprising a client device and a network device. The client device comprises a protection apparatus for network access behavior. The network device comprises: a cloud database; a network-side receiving module adapted to receive at least one item of domain information sent by the client device; a network-side query module adapted to query the cloud database for whether any of the at least one item of domain information is stored there and to obtain a query result; and a network-side sending module adapted to send the query result to the client device. The protection apparatus comprises a driver-layer module and an application-layer module. The driver-layer module comprises: an interception module adapted to capture the data packet of a network access request initiated by a program; a driver-layer parsing module adapted to parse the data packet and obtain at least one item of domain information in it; and a first sending module adapted to send the data packet and its at least one item of domain information to the application-layer module. The application-layer module comprises: a first receiving module adapted to receive the data packet and its at least one item of domain information sent by the first sending module; a query module adapted to query a local database for whether any of the at least one item of domain information is stored there; a blocking module adapted to block the program's network access request when the query module finds that any of the at least one item of domain information belongs to the blacklist of the local database; and a release module adapted to allow the program's network access request when the query module finds that none of the at least one item of domain information belongs to the blacklist of the local database but any of it belongs to the whitelist of the local database.
According to the scheme provided by the invention, the driver layer captures the data packet of the network access request initiated by a program and parses it to obtain the domain information it contains, and the application layer queries the local database with that domain information to decide whether to block or allow the program's network access request. For the upper-layer protocols implemented over TCP/IP or UDP that programs use, the domain information in the data packet of a network access request reflects the target of the request; the invention judges whether the request is safe directly from the target of these upper-layer protocols, and so can intercept the network access behavior of malicious programs more effectively. Furthermore, the domain information in the data packet of a network access request changes infrequently, so the local database does not need frequent updating, and the network access behavior of malicious programs can be intercepted more promptly.
The above description is only an overview of the technical solution of the present invention. In order that the technical means of the present invention can be better understood and implemented according to the contents of the specification, and that the above and other objects, features and advantages of the present invention can be made more apparent, specific embodiments of the present invention are set out below.
Brief description of the drawings
By reading the following detailed description of the preferred embodiments, various other advantages and benefits will become clear to those of ordinary skill in the art. The drawings are only for the purpose of illustrating the preferred embodiments and are not to be considered as limiting the invention. Throughout the drawings the same reference symbols denote the same parts. In the drawings:
Fig. 1 shows a flow chart of a protection method for network access behavior according to a first embodiment of the invention;
Fig. 2 shows a flow chart of a protection method for network access behavior according to a second embodiment of the invention;
Fig. 3 shows a flow chart of a protection method for network access behavior according to a third embodiment of the invention;
Fig. 4 shows a flow chart of a protection method for network access behavior according to a fourth embodiment of the invention;
Fig. 5 shows a flow chart of a protection method for network access behavior according to a fifth embodiment of the invention;
Fig. 6 shows a schematic structural diagram of a protection apparatus for network access behavior according to a sixth embodiment of the invention;
Fig. 7 shows a schematic structural diagram of a protection apparatus for network access behavior according to a seventh embodiment of the invention;
Fig. 8 shows a schematic structural diagram of a protection apparatus for network access behavior according to an eighth embodiment of the invention;
Fig. 9 shows a schematic structural diagram of a protection apparatus for network access behavior according to a ninth embodiment of the invention;
Figure 10 shows a schematic structural diagram of a protection system for network access behavior according to a tenth embodiment of the invention.
Detailed description of the embodiments
Exemplary embodiments of the present disclosure are described in more detail below with reference to the accompanying drawings. Although exemplary embodiments of the disclosure are shown in the drawings, it should be understood that the disclosure may be realised in various forms and should not be limited by the embodiments set out here. Rather, these embodiments are provided so that the disclosure can be understood more thoroughly and its scope conveyed completely to those skilled in the art.
A program is an ordinary file, a set of machine code instructions and data; it is a static concept. A process is one execution of a program on a computer; it is a dynamic concept. The same program can run on several data sets at the same time, that is, one program can correspond to several processes. Network access behavior is initiated by a running program, that is, by a process; the current network access behavior of a program is the network access behavior initiated by the process belonging to that program. Network access behavior takes many forms, including HTTP access (commonly downloading files or uploading information), SMTP requests (for example sending and receiving e-mail) and DNS requests (for example resolving the IP address corresponding to a domain name).
Fig. 1 shows a flow chart of a protection method 100 for network access behavior according to a first embodiment of the invention. As shown in Fig. 1, method 100 starts at step S101, in which the driver layer (ring0) captures the data packet of a network access request initiated by a program. The data packet captured by the driver layer is the packet carried in the send-data request (socket send) and the receive-data request (socket receive) initiated by the program.
Normally, if a program needs to connect to the network, it sends its network access request through the API (Application Programming Interface) provided by the operating system (such as Windows). After the operating system receives the program's network access request it accepts the data packet the program wants to send, encapsulates it, passes the encapsulated packet to a physical device (such as a network interface card), and finally the hardware device transmits the packet. Given this conventional flow of network access, capturing the relevant information about the network behavior at any link of the flow achieves the goal of monitoring the program's current network behavior. Optionally, the driver layer can capture the data packet of the network access request initiated by a program in any of the following ways:
(1) Registering a protocol driver or creating a filter driver on the client to capture the data packet of the network access request initiated by the program.
In the conventional flow of network access, when the operating system processes the related data it uses certain protocol drivers or filter drivers to obtain the data of the network access behavior, so registering a protocol driver on the client, or creating a filter driver similar to the operating system's own, can capture the data packet of the network access request initiated by the program. Specifically, the packet can be captured by registering a protocol driver with NDIS (Network Driver Interface Specification), or by creating a filter driver similar to the operating system's own on the driver device stack of Afd.sys (Ancillary Function Driver for Winsock), Tdi.sys (Transport Dispatch Interface) or Tcpip.sys (Transmission Control Protocol/Internet Protocol).
Taking the creation of a filter driver on the Afd.sys device stack as an example, when the data packet of a network access request is sent, the driver dispatch function of Afd.sys that the system originally calls first calls the dispatch function of the newly created filter driver, and the packet is intercepted in this way.
(2) Using an application programming interface function provided by the operating system to capture the data packet of the network access request initiated by the program.
Taking a hook function as the example of such an interface function, the hook function provided by the operating system is used to hook the interface functions provided by the Windows SSDT (System Services Descriptor Table), such as the NtDeviceIoControl function, the service functions provided by the Tcpip.sys driver, or the exported functions provided by NDIS.sys, so as to obtain the data packet of the network access request initiated by the program.
(3) Taking over the process's calls to the network programming interface functions (Winsock) to capture the data packet of the network access request initiated by the program.
(4) Registering a firewall callback to capture the data packet of the network access request initiated by the program.
Method 100 then proceeds to step S102, in which the driver layer parses the captured data packet, obtains at least one item of domain information in it, and sends the packet together with its at least one item of domain information to the application layer. In this method the driver layer (ring0) is able to parse the packet in socket send and socket receive, obtain one or more items of domain information contained in the packet, and hand the packet and its domain information to the application layer (ring3) for processing.
Method 100 then proceeds to step S103, in which the application layer queries the local database for whether any of the at least one item of domain information is stored there; if so, step S104 is performed, otherwise step S106. The client's local database stores a large number of items of domain information together with a flag recording whether each belongs to the blacklist or the whitelist. Optionally, the storage format in the local database is the md5 (Message Digest Algorithm 5) value of the domain information plus an extension byte in which the blacklist or whitelist flag of the domain information is written.
In step S104 the application layer judges whether any of the at least one item of domain information belongs to the blacklist of the local database; if so, step S105 is performed, otherwise step S106. The application layer makes this judgment from the flag that marks the domain information as belonging to the blacklist or the whitelist.
In step S105 the program's network access request is blocked. If any item of domain information in the data packet of the network access request initiated by a program belongs to the blacklist of the local database, the program is shown to be a malicious program, so its network access request is blocked, that is, its network access behavior is blocked.
In step S106 the program's network access request is allowed. If none of the domain information in the data packet of the program's network access request belongs to the blacklist of the local database but any of it belongs to the whitelist, the program is shown to be a normal program, so its network access request is allowed, that is, its network access behavior is allowed. If the application layer finds that the local database stores none of the at least one item of domain information, the network access request is shown to come from an unknown program and may be allowed. As another implementation, if the program is unknown the user may be prompted to choose, and the program's network access request is blocked or allowed according to the user's choice.
According to the method provided by this embodiment, the driver layer captures the data packet of the network access request initiated by a program and parses it to obtain the domain information it contains, and the application layer queries the local database with that domain information to decide whether to block or allow the program's network access request. For the upper-layer protocols implemented over TCP/IP or UDP that programs use, the domain information in the data packet of a network access request reflects the target of the request; this method judges whether the request is safe directly from the target of these upper-layer protocols, and so can intercept the network access behavior of malicious programs more effectively. Furthermore, the domain information in the data packet of a network access request changes infrequently, so the local database does not need frequent updating, and the network access behavior of malicious programs can be intercepted more promptly.
Fig. 2 shows a flow chart of a protection method 200 for network access behavior according to a second embodiment of the invention. As shown in Fig. 2, method 200 starts at step S201, in which the driver layer (ring0) captures the data packet of a network access request initiated by a program. The data packet captured by the driver layer is the packet carried in the send-data request (socket send) and the receive-data request (socket receive) initiated by the program. The way in which the driver layer captures the packet is as described for method 100 and is not repeated here.
Method 200 then proceeds to step S202, in which the driver layer parses the captured data packet, obtains at least one item of domain information in it, and sends the packet together with its at least one item of domain information to the application layer. In this method the driver layer (ring0) is able to parse the packet in socket send and socket receive, obtain one or more items of domain information contained in the packet, and hand the packet and its domain information to the application layer (ring3) for processing.
Method 200 then proceeds to step S203, in which the application layer queries the local database for whether any of the at least one item of domain information is stored there; if so, step S204 is performed, otherwise step S205. The client's local database stores a large number of items of domain information together with a flag recording whether each belongs to the blacklist or the whitelist. Optionally, the storage format in the local database is the md5 value of the domain information plus an extension byte in which the blacklist or whitelist flag of the domain information is written.
In step S204 the application layer judges whether any of the at least one item of domain information belongs to the blacklist of the local database; if so, step S209 is performed, otherwise step S210. The application layer makes this judgment from the flag that marks the domain information as belonging to the blacklist or the whitelist.
In step S205 the application layer sends the at least one item of domain information to the network device. The cloud database of the network device also stores a large number of items of domain information together with flags marking whether each belongs to the blacklist or the whitelist. The network device judges whether any of the at least one item of domain information is in the cloud database and, if so, further judges from the flag whether that item belongs to the blacklist or the whitelist of the cloud database, thereby obtaining a query result that it returns to the client.
After step S205, method 200 proceeds to step S206, in which the application layer receives the query result of the network device's query of the cloud database as to whether any of the at least one item of domain information is stored there.
After step S206, method 200 proceeds to step S207, in which the application layer judges whether the query result shows that the cloud database stores any of the at least one item of domain information; if so, step S208 is performed, otherwise step S210.
In step S208 the application layer judges whether the query result shows that the item of domain information stored in the cloud database belongs to the blacklist; if so, step S209 is performed, otherwise step S210.
In step S209 the program's network access request is blocked. If any item of domain information in the data packet of the network access request initiated by a program belongs to the blacklist of the local database or of the cloud database, the program is shown to be a malicious program, so its network access request is blocked, that is, its network access behavior is blocked.
In step S210 the program's network access request is allowed. If the domain information in the data packet of the program's network access request does not belong to the blacklist of the local database but any of it belongs to the whitelist of the local database, or does not belong to the blacklist of the cloud database but any of it belongs to the whitelist of the cloud database, the program is shown to be a normal program, so its network access request is allowed, that is, its network access behavior is allowed. If the application layer finds that neither the local database nor the cloud database stores any of the at least one item of domain information, the network access request is shown to come from an unknown program and may be allowed. As another implementation, if the program is unknown the user may be prompted to choose, and the program's network access request is blocked or allowed according to the user's choice.
According to the method provided by this embodiment, the driver layer captures the data packet of the network access request initiated by a program and parses it to obtain the domain information it contains; the application layer first queries the local database with that domain information to decide whether to block or allow the program's network access request, and if the local database does not hold the domain information contained in the packet, it goes on to have the network side query the cloud database to decide whether to block or allow the request. For the upper-layer protocols implemented over TCP/IP or UDP that programs use, the domain information in the data packet of a network access request reflects the target of the request; this method judges whether the request is safe directly from the target of these upper-layer protocols, and so can intercept the network access behavior of malicious programs more effectively. Furthermore, the domain information in the data packet of a network access request changes infrequently, so the local database does not need frequent updating, and the network access behavior of malicious programs can be intercepted promptly. By combining the local database and the cloud database to judge whether a network access request is safe, this method further improves the efficiency of intercepting the network access behavior of malicious programs.
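As an added illustration (not code from the patent or its assignee), the following Python models the application-layer decision of methods 100 and 200: a local database in the md5-plus-extension-byte format described above, the blacklist-first rule, and the fall-through to the cloud database on a local miss. The flag values, the .example names and the cloud stand-in function are assumptions.

```python
import hashlib
from enum import Enum
from typing import Callable, Dict, Iterable, Tuple

# Flag values written in the extension byte after the md5 digest. Constructed values:
# the patent only says the byte marks blacklist or whitelist membership.
FLAG_BLACK = 0x01
FLAG_WHITE = 0x02


class Verdict(Enum):
    BLOCK = "block"      # a domain info hit the blacklist (S105 / S209)
    ALLOW = "allow"      # no blacklist hit, a whitelist hit (S106 / S210)
    UNKNOWN = "unknown"  # no database knows any of the infos; S210 lets it through or prompts


def digest_key(info: str) -> bytes:
    """Storage and lookup key: md5 of the domain info, as the patent proposes.
    Lower-casing makes Host/URL comparison case-insensitive."""
    return hashlib.md5(info.strip().lower().encode("utf-8")).digest()


def build_database(entries: Dict[str, int]) -> Dict[bytes, bytes]:
    """Build a database in the patent's storage format: each record is
    md5(domain info) followed by one extension byte holding the list flag."""
    return {digest_key(info): bytes([flag]) for info, flag in entries.items()}


def query_database(db: Dict[bytes, bytes], infos: Iterable[str]) -> Tuple[bool, Verdict]:
    """Steps S203/S204 (the network side applies the same logic to the cloud database):
    report whether the database holds any of the infos and, if so, the verdict.
    One blacklist hit blocks even when other infos of the same packet are whitelisted."""
    flags = []
    for info in infos:
        record = db.get(digest_key(info))
        if record is not None:
            flags.append(record[0])
    if not flags:
        return False, Verdict.UNKNOWN
    if FLAG_BLACK in flags:
        return True, Verdict.BLOCK
    return True, Verdict.ALLOW


def decide(infos: Iterable[str], local_db: Dict[bytes, bytes],
           cloud_query: Callable[[Iterable[str]], Tuple[bool, Verdict]]) -> Tuple[Verdict, str]:
    """Method 200 as seen from the application layer: local database first,
    cloud database only on a local miss. Returns the verdict and its source."""
    infos = list(infos)
    found, verdict = query_database(local_db, infos)   # S203 / S204
    if found:
        return verdict, "local"
    found, verdict = cloud_query(infos)                # S205-S208 via the network side
    if found:
        return verdict, "cloud"
    return Verdict.UNKNOWN, "none"                     # S210: unknown program


# Constructed sample data: www.360.cn is the host from the patent's own packet example,
# the .example names are placeholders.
LOCAL_DB = build_database({"www.360.cn": FLAG_WHITE, "bad.example": FLAG_BLACK})
CLOUD_DB = build_database({"cloud-bad.example": FLAG_BLACK, "cloud-ok.example": FLAG_WHITE})


def cloud_lookup(infos: Iterable[str]) -> Tuple[bool, Verdict]:
    """Stand-in for the network-side receiving, query and sending modules (assumption)."""
    return query_database(CLOUD_DB, infos)


if __name__ == "__main__":
    for sample in (["www.360.cn"], ["www.360.cn", "bad.example"],
                   ["cloud-bad.example"], ["nobody.example"]):
        print(sample, decide(sample, LOCAL_DB, cloud_lookup))
```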
Fig. 3 shows a flow chart of a protection method 300 for network access behavior according to a third embodiment of the invention. In method 300 the network access request is an HTTP access request, by way of example. As shown in Fig. 3, method 300 starts at step S301, in which the driver layer (ring0) captures the data packet of an HTTP access request initiated by a program. The data packet captured by the driver layer is the packet carried in the send-data request (socket send) and the receive-data request (socket receive) initiated by the program. The way in which the driver layer captures the packet is as described for method 100 and is not repeated here.
Method 300 then proceeds to step S302, in which the driver layer parses the captured data packet and obtains the domain name (host) in it. Before or while parsing the packet in the captured socket send and socket receive, the driver layer can also obtain the IP address and port from the socket connect.
Method 300 then proceeds to step S303, in which the driver layer judges whether its driver-layer memory (ring0 cache) records the process state information from the last time this program made an HTTP access request with the same IP address, port and domain name as the present request; if so, step S304 is performed, otherwise step S306. In this method, after an HTTP access request has been processed, the ring0 cache records the IP address, port and domain name of the current HTTP access request, together with the program's process state information for the current request; here process state information means that the domain name of the program's current HTTP access request belongs to the blacklist or the whitelist, or that the program was identified as an unknown program in the current request. On the basis of these records, in step S303 the driver layer can first judge whether the ring0 cache records the process state information from the last time this program made an HTTP access request with the same IP address, port and domain name as the present request.
In step S304 the driver layer judges whether the program's last process state information says that the program is an unknown program; if so, step S306 is performed, otherwise step S305.
In step S305 the driver layer judges whether the program's last process state information says that the domain name of the program's last HTTP access request belongs to the blacklist; if so, step S314 is performed, otherwise step S315.
In step S306 the driver layer sends the data packet together with the domain name, IP address and port to the application layer.
After step S306, method 300 proceeds to step S307, in which the application layer parses the packet further and obtains more domain information, including the network address (URL), the agent identifier (User-Agent) and the parent page information (Referer).
An example of the data packet of an HTTP access request is as follows:
GET /index.html HTTP/1.1\r\n
Host: www.360.cn\r\n
User-Agent: IE\r\n
Referer: http://www.qihoo.net/\r\n
For this example, the driver layer parses the packet and obtains the domain name www.360.cn; the application layer parses the packet further and obtains the URL http://www.360.cn/index.html, the User-Agent IE and the Referer http://www.qihoo.net/.
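An added example, not part of the patent, of the two-stage parsing in steps S302 and S307 over the packet shown above: the driver layer takes only the Host, the application layer rebuilds the URL and pulls User-Agent and Referer. The function names and the handling of a packet that is not a complete HTTP request (raw TLS bytes, or a socket send carrying only part of the header block) are my own assumptions.

```python
from typing import Dict, List, Optional

# Constructed sample packet: the HTTP request from the patent's own example, with the
# blank line that terminates the header block.
SAMPLE_PACKET = (b"GET /index.html HTTP/1.1\r\n"
                 b"Host: www.360.cn\r\n"
                 b"User-Agent: IE\r\n"
                 b"Referer: http://www.qihoo.net/\r\n"
                 b"\r\n")


def parse_http_request(packet: bytes) -> Optional[Dict[str, str]]:
    """Split a request packet into request-line fields and lower-cased headers.
    Returns None when the bytes are not a complete HTTP request, so the caller
    falls back to IP/port handling instead of mis-parsing arbitrary data."""
    head, sep, _body = packet.partition(b"\r\n\r\n")
    if not sep:
        return None                                   # header block not complete
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None                                   # not an HTTP request line
    fields = {"method": parts[0].decode("ascii", "replace"),
              "target": parts[1].decode("ascii", "replace")}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if colon:                                     # first occurrence of a header wins
            fields.setdefault(name.strip().lower().decode("ascii", "replace"),
                              value.strip().decode("latin-1"))
    return fields


def driver_layer_parse(packet: bytes) -> Optional[str]:
    """Step S302: the driver layer only needs the domain name (Host)."""
    fields = parse_http_request(packet)
    return fields.get("host") if fields else None


def application_layer_parse(packet: bytes) -> Dict[str, Optional[str]]:
    """Step S307: the application layer additionally derives the URL from Host plus
    the request target (an absolute-form target is kept as is) and pulls
    User-Agent and Referer. Missing items come back as None."""
    fields = parse_http_request(packet) or {}
    host = fields.get("host")
    target = fields.get("target", "")
    if target.startswith(("http://", "https://")):
        url = target
    elif host:
        url = "http://" + host + target
    else:
        url = None
    return {"host": host, "url": url,
            "user_agent": fields.get("user-agent"),
            "referer": fields.get("referer")}


def domain_infos(parsed: Dict[str, Optional[str]]) -> List[str]:
    """Collect the non-empty domain infos that step S308 looks up in the database."""
    items = (parsed["host"], parsed["url"], parsed["user_agent"], parsed["referer"])
    return [item for item in items if item]


if __name__ == "__main__":
    print(driver_layer_parse(SAMPLE_PACKET))
    print(domain_infos(application_layer_parse(SAMPLE_PACKET)))
```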
After step S307, method 300 proceeds to step S308, in which the application layer queries the local database for whether any of the domain information, namely the domain name, IP address and port, URL, User-Agent and Referer, is stored there; if so, step S309 is performed, otherwise step S310.
In step S309 the application layer judges whether any of the domain name, IP address and port, URL, User-Agent and Referer belongs to the blacklist of the local database; if so, step S314 is performed, otherwise step S315.
In step S310 the application layer sends the domain name, IP address and port, URL, User-Agent and Referer to the network device. The cloud database of the network device also stores a large number of items of domain information together with flags marking whether each belongs to the blacklist or the whitelist. The network device judges whether any of the above domain information is in the cloud database and, if so, further judges from the flag whether that item belongs to the blacklist or the whitelist of the cloud database, thereby obtaining a query result that it returns to the client.
After step S310, method 300 proceeds to step S311, in which the application layer receives the query result of the network device's query of the cloud database.
After step S311, method 300 proceeds to step S312, in which the application layer judges whether the query result shows that the cloud database stores any of the domain name, IP address and port, URL, User-Agent and Referer; if so, step S313 is performed, otherwise step S315.
In step S313 the application layer judges whether the query result shows that the item of domain information stored in the cloud database belongs to the blacklist; if so, step S314 is performed, otherwise step S315.
In step S314 the program's HTTP access request is blocked.
In step S315 the program's HTTP access request is allowed.
After step S314 or step S315, method 300 proceeds to step S316, in which the ring0 cache records the IP address, port and domain name of this program's HTTP access request (for the example above the recorded content is IP: 220.181.24.100, port: 80, Host: www.360.cn) together with the program's process state information, namely that any of the domain information of this HTTP access request belongs to the blacklist or the whitelist, or that the program is an unknown program.
In this method, before the driver layer sends the packet and domain information to the application layer, it first judges whether the ring0 cache records the process state information of the same program's last HTTP access request, where the last HTTP access request means the most recent HTTP access request with the same domain name, IP address and port as the present one. If there is such a record and the process state information says that the domain information belongs to the blacklist or the whitelist, the same handling is applied directly according to the last process state information, without sending the packet and domain information to the application layer again to query the local database and the cloud database. This greatly reduces the number of queries, lightens the load on the back end and improves the efficiency of network access. Moreover, the ring0 cache in this method records the domain name, IP address and port of the HTTP access request but not the URL, so HTTP access requests with the same domain name, IP address and port but different URLs are all handled according to the last process state information, which reduces the number of database queries for unknown URLs and further improves the efficiency of network access.
To improve the processing efficiency of the method further, on the basis of the above embodiment the ring0 cache can also record the cumulative number of times the same program has been confirmed to be an unknown program. In step S304, if the driver layer finds that the program's last process state information says it is an unknown program, the driver layer further judges whether the cumulative number of times the program has been confirmed unknown is greater than or equal to a preset value, preferably 4; if the cumulative number is greater than or equal to the preset value, the program's network access request is allowed, otherwise step S306 is performed. Correspondingly, in step S316, if the process state information of this request says the program is an unknown program, the ring0 cache also updates the cumulative number of times the program has been confirmed unknown, that is, adds 1 to the previous count. With this handling, a program that has repeatedly been confirmed to be unknown has its network access behavior allowed directly, improving the efficiency of network access.
In this method, after application layer receives packet, further resolution data bag, obtains more domain information.Due in the process of subsequent query local data base and cloud database, if any one in these domain informations belongs to blacklist or white list, just can determine that program is rogue program or normal procedure accordingly, therefore domain information is more, and the intercepting efficiency of access to netwoks behavior is also higher.
But also should be understandable that, step S307 is optional step.That is, application layer is when receiving packet, can no longer resolve packet, and in subsequent step, the domain information of application layer process comprises domain name, IP address and port, does not comprise the domain informations such as URL, User-Agent and Referer.
The method that above-mentioned 3rd embodiment provides is described for HTTP access request, but the method is only for being applied to HTTP access request, the means of defence that the network access request that other and HTTP access request are similar also can adopt the 3rd embodiment to provide.
Fig. 4 shows a flow chart of a protection method 400 for network access behaviour according to a fourth embodiment of the invention. Method 400 is described using a DNS access request as the example of a network access request. As shown in Fig. 4, method 400 starts at step S401, in which the driver layer (ring0) intercepts a packet of a DNS access request initiated by a program. The packets intercepted by the driver layer are those of the send-data requests (socket send) and receive-data requests (socket receive) initiated by the program. The method by which the driver layer intercepts packets is described for method 100 and is not repeated here.
Method 400 then proceeds to step S402, in which the driver layer parses the intercepted packet to obtain the DNS domain name it contains.
An example of the packet of a DNS access request is as follows:
Domain Name System (query)
Transaction ID: 0x276b
Questions: 1
Answer RRs: 0
Authority RRs: 0
Additional RRs: 0
Queries: www.360.cn: type A, class IN
For this example, the driver layer parses the packet and obtains the DNS domain name www.360.cn.
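The parsing performed in step S402 can be modelled in user mode as follows. This is an added example for this page, not code from the patent: the driver layer described in the patent runs in kernel mode, and the function and constant names here are assumptions. The sample packet is constructed to match the dissection above (transaction ID 0x276b, one question for www.360.cn, type A, class IN). Because the driver layer also sees the receive direction (socket receive), the name decoder follows compression pointers with a hop limit, and it raises on truncated input rather than reading past the end of the packet.

```python
"""DNS query parser modelling step S402 of method 400 (added example, not
code from the patent; names are assumptions, sample input is constructed)."""
import struct

DNS_HEADER = struct.Struct("!HHHHHH")   # id, flags, qdcount, ancount, nscount, arcount
MAX_POINTER_HOPS = 8                    # guard against compression-pointer loops


def build_query(txid: int, name: str, qtype: int = 1, qclass: int = 1) -> bytes:
    """Build a standard recursive query; used here only to construct sample input."""
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    header = DNS_HEADER.pack(txid, 0x0100, 1, 0, 0, 0)   # RD set, one question
    return header + qname + struct.pack("!HH", qtype, qclass)


def _read_name(packet: bytes, offset: int) -> tuple:
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels, hops, end = [], 0, None
    while True:
        if offset >= len(packet):
            raise ValueError("truncated name")
        length = packet[offset]
        if length == 0:
            offset += 1
            break
        if length & 0xC0 == 0xC0:                        # compression pointer
            hops += 1
            if hops > MAX_POINTER_HOPS or offset + 1 >= len(packet):
                raise ValueError("bad compression pointer")
            if end is None:
                end = offset + 2                         # name ends after the first pointer
            offset = struct.unpack_from("!H", packet, offset)[0] & 0x3FFF
            continue
        if length > 63:
            raise ValueError("label too long")
        offset += 1
        if offset + length > len(packet):
            raise ValueError("truncated label")
        labels.append(packet[offset:offset + length].decode("ascii", "replace"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def parse_dns_query(packet: bytes) -> dict:
    """Parse the header and question section of a DNS message (UDP payload)."""
    if len(packet) < DNS_HEADER.size:
        raise ValueError("short DNS header")
    txid, flags, qdcount, ancount, nscount, arcount = DNS_HEADER.unpack_from(packet)
    questions, offset = [], DNS_HEADER.size
    for _ in range(qdcount):
        name, offset = _read_name(packet, offset)
        if offset + 4 > len(packet):
            raise ValueError("truncated question")
        qtype, qclass = struct.unpack_from("!HH", packet, offset)
        offset += 4
        questions.append({"name": name, "type": qtype, "class": qclass})
    return {"id": txid, "is_query": not (flags & 0x8000), "questions": questions,
            "answer_rrs": ancount, "authority_rrs": nscount, "additional_rrs": arcount}


def query_domain(packet: bytes) -> str:
    """The one value the driver layer needs: the name in the first question."""
    msg = parse_dns_query(packet)
    if not msg["is_query"] or not msg["questions"]:
        raise ValueError("not a DNS query carrying a question")
    return msg["questions"][0]["name"]


# Constructed sample packet matching the dissection shown in the text.
SAMPLE_QUERY = build_query(0x276B, "www.360.cn")
```

This parses the UDP payload; DNS over TCP prefixes each message with a two-byte length that must be stripped first, and the driver layer sees nothing usable for DNS carried inside TLS, which is a limit of inspecting cleartext at this layer.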
Method 400 then proceeds to step S403, in which the driver layer checks whether the driver-layer memory (ring0 cache) holds the processing state of this program's previous DNS access request with the same DNS domain name as the current request. If so, step S404 is performed; otherwise step S406 is performed. In this method, after a DNS access request has been processed, the ring0 cache records the DNS domain name of that request and the program's processing state for it, where the processing state is that the DNS domain name belongs to the blacklist, that it belongs to the whitelist, or that the program was identified as an unknown program for that request. Using these records, in step S403 the driver layer can first check whether the ring0 cache holds the processing state of the program's previous DNS access request with the same DNS domain name as the current one.
In step S404, the driver layer checks whether the program's previous processing state is "unknown program". If so, step S414 is performed; otherwise step S405 is performed.
In step S405, the driver layer checks whether the program's previous processing state is that the DNS domain name of the previous DNS access request belongs to the blacklist. If so, step S413 is performed; otherwise step S414 is performed.
In step S406, the driver layer sends the packet and the DNS domain name to the application layer.
After step S406, method 400 proceeds to step S407, in which the application layer queries the local database for the DNS domain name. If the local database contains it, step S408 is performed; otherwise step S409 is performed.
In step S408, the application layer checks whether the DNS domain name belongs to the blacklist of the local database. If so, step S413 is performed; otherwise step S414 is performed.
In step S409, the application layer sends the DNS domain name to the network-side device. The cloud database on the network-side device stores a large number of DNS domain names together with a flag recording whether each belongs to the blacklist or the whitelist. The network-side device checks whether the DNS domain name is present in the cloud database; if it is, the device further reads the flag to determine whether the domain name belongs to the blacklist or the whitelist, and returns the resulting query result to the client.
After step S409, method 400 proceeds to step S410, in which the application layer receives the result of the network-side device's query of the cloud database.
After step S410, method 400 proceeds to step S411, in which the application layer checks whether the query result indicates that the cloud database contains the DNS domain name. If so, step S412 is performed; otherwise step S414 is performed.
In step S412, the application layer checks whether the query result indicates that the DNS domain name found in the cloud database belongs to the blacklist. If so, step S413 is performed; otherwise step S414 is performed.
In step S413, the program's DNS access request is blocked.
In step S414, the program's DNS access request is allowed.
After step S413 or step S414, method 400 proceeds to step S415, in which the DNS domain name of the program's current DNS access request is recorded in the ring0 cache (for the example above the recorded content is www.360.cn), together with the program's processing state for this request, namely that the DNS domain name belongs to the blacklist, that it belongs to the whitelist, or that the program is an unknown program.
In this method, before the driver layer passes the packet and the DNS domain name up to the application layer, it first checks whether the ring0 cache holds the processing state of the same program's previous DNS access request, meaning the most recent DNS access request with the same DNS domain name as the current one. If such a record exists and its processing state is that the DNS domain name belongs to the blacklist or the whitelist, the current request is handled directly according to that state; if the processing state is that the program is an unknown program, the program's network access request is allowed directly. In neither case are the packet and domain information sent to the application layer again for the local-database and cloud-database lookups, which greatly reduces the number of queries, lightens the load on the back end and improves the efficiency of network access.
The method of the fourth embodiment above is described using a DNS access request as the example, but the method is not limited to DNS access requests: other network access requests may also use the protection method provided by the fourth embodiment.
Fig. 5 shows a flow chart of a protection method 500 for network access behaviour according to a fifth embodiment of the invention. Method 500 is described using an SMTP access request as the example of a network access request. As shown in Fig. 5, method 500 starts at step S501, in which the driver layer (ring0) intercepts a packet of an SMTP access request initiated by a program. The packets intercepted by the driver layer are those of the send-data requests (socket send) and receive-data requests (socket receive) initiated by the program. The method by which the driver layer intercepts packets is described for method 100 and is not repeated here.
Method 500 then proceeds to step S502, in which the driver layer parses the intercepted packet to obtain the email addresses of the sender and/or recipients it contains.
An example of the packets of an SMTP access request is as follows:
"220 smtp.example.com ESMTP Postfix\r\n"
"HELO relay.example.org\r\n"
"250 Hello relay.example.org, I am glad to meet you\r\n"
"MAIL FROM:<bob@example.org> SIZE\r\n"
"250 Ok\r\n"
"RCPT TO:<alice@example.com>\r\n"
"250 Ok\r\n"
"RCPT TO:<theboss@example.com>\r\n"
"250 Ok\r\n"
"DATA\r\n"
"354 End data with <CR><LF>.<CR><LF>\r\n"
"From: \"Bob Example\" <bob@example.org>\r\n"
"To: \"Alice Example\" <alice@example.com>\r\n"
"Cc: theboss@example.com\r\n"
"Date: Tue, 15 Jan 2008 16:02:43 -0500\r\n"
"Subject: Test message\r\n"
"\r\n"
"Hello Alice.\r\n"
"This is a test message with 5 header fields and 4 lines in the message body.\r\n"
"Your friend,\r\n"
"Bob\r\n"
".\r\n"
"250 Ok: queued as 12345\r\n"
"QUIT\r\n"
"221 Bye\r\n"
For this example, the driver layer parses the packets and obtains the sender's email address bob@example.org and the recipients' email addresses alice@example.com and theboss@example.com.
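Extracting the envelope addresses in step S502 can be modelled as follows. This is an added example for this page, not code from the patent; SESSION is a constructed transcript modelled on the exchange above (the SIZE parameter is given a value and reply lines are spaced as in RFC 5321), and the function names are assumptions. Because the driver layer captures both directions (socket send and socket receive), the parser skips server reply lines, and once it sees DATA it skips everything up to the terminating "." line so that the From:, To: and Cc: header fields of the message are not mistaken for the envelope addresses that the method matches against.

```python
"""SMTP envelope parser modelling step S502 of method 500 (added example, not
code from the patent; SESSION is a constructed transcript)."""
import re
from typing import List, Optional, Tuple

_ADDR = re.compile(r"<([^<>\s]*)>")            # reverse-path / forward-path in angle brackets
_REPLY = re.compile(r"^\d{3}(?:[ -]|$)")        # server reply: three-digit code

SESSION = (                                      # constructed, modelled on the page's example
    "220 smtp.example.com ESMTP Postfix\r\n"
    "HELO relay.example.org\r\n"
    "250 Hello relay.example.org, I am glad to meet you\r\n"
    "MAIL FROM:<bob@example.org> SIZE=1024\r\n"
    "250 Ok\r\n"
    "RCPT TO:<alice@example.com>\r\n"
    "250 Ok\r\n"
    "RCPT TO:<theboss@example.com>\r\n"
    "250 Ok\r\n"
    "DATA\r\n"
    "354 End data with <CR><LF>.<CR><LF>\r\n"
    "From: \"Bob Example\" <bob@example.org>\r\n"
    "To: \"Alice Example\" <alice@example.com>\r\n"
    "Cc: theboss@example.com\r\n"
    "Subject: Test message\r\n"
    "\r\n"
    "Hello Alice.\r\n"
    ".\r\n"
    "250 Ok: queued as 12345\r\n"
    "QUIT\r\n"
    "221 Bye\r\n"
)


def parse_smtp_envelope(session: str) -> Tuple[Optional[str], List[str]]:
    """Return (sender, recipients) taken from MAIL FROM / RCPT TO only."""
    sender: Optional[str] = None
    recipients: List[str] = []
    in_data = False
    for line in session.split("\r\n"):
        if in_data:                      # message content: header fields are not the envelope
            if line == ".":
                in_data = False
            continue
        if _REPLY.match(line):           # the server's side of the conversation
            continue
        verb = line.upper()
        if verb.startswith("MAIL FROM:"):
            m = _ADDR.search(line)       # parameters such as SIZE follow the path
            sender = m.group(1) if m else None
            recipients = []              # a new mail transaction starts here
        elif verb.startswith("RCPT TO:"):
            m = _ADDR.search(line)
            if m:
                recipients.append(m.group(1))
        elif verb == "DATA":
            in_data = True
        elif verb == "RSET":
            sender, recipients = None, []
    return sender, recipients


def envelope_domain_information(session: str) -> List[str]:
    """The domain information the method looks up: every envelope address."""
    sender, recipients = parse_smtp_envelope(session)
    return ([sender] if sender else []) + recipients
```

The envelope, not the header, is what the receiving server acts on, so it is the right thing to match: a program that wants to defeat a header-based check can write any From: line it likes. The parser only sees cleartext, so a client that issues STARTTLS before MAIL FROM yields no addresses to the driver layer.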
Method 500 then proceeds to step S503, in which the driver layer checks whether the driver-layer memory (ring0 cache) holds the processing state of this program's previous SMTP access request with the same sender and/or recipient email addresses as the current request. If so, step S504 is performed; otherwise step S506 is performed. In this method, after an SMTP access request has been processed, the ring0 cache records the sender and/or recipient email addresses of that request and the program's processing state for it, where the processing state is that the sender and/or recipient email addresses belong to the blacklist, that they belong to the whitelist, or that the program was identified as an unknown program for that request. Using these records, in step S503 the driver layer can first check whether the ring0 cache holds the processing state of the program's previous SMTP access request with the same sender and/or recipient email addresses as the current one.
In step S504, the driver layer checks whether the program's previous processing state is "unknown program". If so, step S514 is performed; otherwise step S505 is performed.
In step S505, the driver layer checks whether the program's previous processing state is that the sender and/or recipient email addresses of the previous SMTP access request belong to the blacklist. If so, step S513 is performed; otherwise step S514 is performed.
In step S506, the driver layer sends the packet and the sender and/or recipient email addresses to the application layer.
After step S506, method 500 proceeds to step S507, in which the application layer queries the local database for the sender and/or recipient email addresses. If the local database contains them, step S508 is performed; otherwise step S509 is performed.
In step S508, the application layer checks whether the sender and/or recipient email addresses belong to the blacklist of the local database. If so, step S513 is performed; otherwise step S514 is performed.
In step S509, the application layer sends the sender and/or recipient email addresses to the network-side device. The cloud database on the network-side device stores a large number of sender and/or recipient email addresses together with a flag recording whether each belongs to the blacklist or the whitelist. The network-side device checks whether the sender and/or recipient email addresses are present in the cloud database; if they are, the device further reads the flag to determine whether they belong to the blacklist or the whitelist, and returns the resulting query result to the client.
After step S509, method 500 proceeds to step S510, in which the application layer receives the result of the network-side device's query of the cloud database.
After step S510, method 500 proceeds to step S511, in which the application layer checks whether the query result indicates that the cloud database contains the sender and/or recipient email addresses. If so, step S512 is performed; otherwise step S514 is performed.
In step S512, the application layer checks whether the query result indicates that the sender and/or recipient email addresses found in the cloud database belong to the blacklist. If so, step S513 is performed; otherwise step S514 is performed.
In step S513, the program's SMTP access request is blocked.
In step S514, the program's SMTP access request is allowed.
After step S513 or step S514, method 500 proceeds to step S515, in which the sender and/or recipient email addresses of the program's current SMTP access request are recorded in the ring0 cache (for the example above the recorded content is bob@example.org, alice@example.com and theboss@example.com), together with the program's processing state for this request, namely that the sender and/or recipient email addresses belong to the blacklist, that they belong to the whitelist, or that the program is an unknown program.
In this method, before the driver layer passes the packet and the sender and/or recipient email addresses up to the application layer, it first checks whether the ring0 cache holds the processing state of the same program's previous SMTP access request, meaning the most recent SMTP access request with the same sender and/or recipient email addresses as the current one. If such a record exists and its processing state is that the sender and/or recipient email addresses belong to the blacklist or the whitelist, the current request is handled directly according to that state; if the processing state is that the program is an unknown program, the program's network access request is allowed directly. In neither case are the packet and the sender and/or recipient email addresses sent to the application layer again for the local-database and cloud-database lookups, which greatly reduces the number of queries, lightens the load on the back end and improves the efficiency of network access.
The method of the fifth embodiment above is described using an SMTP access request as the example, but the method is not limited to SMTP access requests: other network access requests may also use the protection method provided by the fifth embodiment.
It should be noted that, in each of the method embodiments above, the cloud-database query may be omitted: blocking or allowing network access behaviour solely on the basis of the local-database lookup is also an optional embodiment.
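The decision flow shared by methods 300, 400 and 500, including the local-only variant just mentioned, can be modelled as follows. This is an added example for this page, not code from the patent. The class, the sample lists, the program names and the IP addresses are assumptions made for the demonstration; the three processing states, the order of lookups (ring0 cache, then local database, then cloud database) and the preset value 4 follow the text. The ring0 cache is modelled as a dictionary keyed by program and by a protocol-specific key (IP address, port and domain name for HTTP; the DNS domain name for DNS; the envelope addresses for SMTP), and the cloud database is a local set with a counter so that the round trips saved by the cache are visible. For DNS and SMTP a cached "unknown program" state allows the request directly, which corresponds to unknown_pass_threshold=1; for HTTP the text's preset value 4 applies.

```python
"""Three-tier verdict engine modelling methods 300, 400 and 500 (added example,
not code from the patent; names, lists and addresses are assumptions)."""
from collections import Counter
from typing import Dict, Iterable, Tuple

BLOCK, ALLOW = "block", "allow"
BLACK, WHITE, UNKNOWN = "black", "white", "unknown"   # processing states


class VerdictEngine:
    def __init__(self, local_black: Iterable, local_white: Iterable,
                 cloud_black: Iterable, cloud_white: Iterable,
                 unknown_pass_threshold: int = 4, use_cloud: bool = True):
        self.local_black, self.local_white = set(local_black), set(local_white)
        self.cloud_black, self.cloud_white = set(cloud_black), set(cloud_white)
        self.unknown_pass_threshold = unknown_pass_threshold
        self.use_cloud = use_cloud                     # False models the local-only variant
        self.cache: Dict[Tuple[str, tuple], str] = {}  # "ring0 cache": (program, key) -> state
        self.unknown_count: Counter = Counter()         # program -> times judged unknown
        self.cloud_queries = 0                          # round trips to the network device

    def _application_layer_lookup(self, infos) -> str:
        """Local database first, then (optionally) the cloud database."""
        if any(i in self.local_black for i in infos):
            return BLACK
        if any(i in self.local_white for i in infos):
            return WHITE
        if self.use_cloud:
            self.cloud_queries += 1
            if any(i in self.cloud_black for i in infos):
                return BLACK
            if any(i in self.cloud_white for i in infos):
                return WHITE
        return UNKNOWN

    def decide(self, program: str, key: tuple, infos) -> str:
        """Driver-layer entry: key indexes the cache, infos is the full domain
        information handed to the application layer when a lookup is needed."""
        state = self.cache.get((program, key))
        if state == BLACK:
            return BLOCK
        if state == WHITE:
            return ALLOW
        if state == UNKNOWN and self.unknown_count[program] >= self.unknown_pass_threshold:
            return ALLOW                               # repeatedly unknown: pass without a query
        state = self._application_layer_lookup(infos)
        self.cache[(program, key)] = state             # steps S316 / S415 / S515
        if state == UNKNOWN:
            self.unknown_count[program] += 1
        return BLOCK if state == BLACK else ALLOW


def http_request(ip: str, port: int, host: str, url: str = "",
                 user_agent: str = "", referer: str = "") -> Tuple[tuple, list]:
    """HTTP: the cache key excludes the URL; the lookup information includes it."""
    key = (ip, port, host)
    infos = [x for x in (host, ip, port, url, user_agent, referer) if x]
    return key, infos


def run_http_demo() -> tuple:
    """Walk the HTTP variant over constructed lists and requests."""
    eng = VerdictEngine(local_black={"evil.example"}, local_white={"www.360.cn"},
                        cloud_black={"198.51.100.7"}, cloud_white=set())
    k, i = http_request("220.181.24.100", 80, "www.360.cn", "http://www.360.cn/")
    first = eng.decide("browser.exe", k, i)                     # local whitelist
    k, i = http_request("220.181.24.100", 80, "www.360.cn", "http://www.360.cn/about.html")
    same_host_other_url = eng.decide("browser.exe", k, i)       # served from the cache
    k, i = http_request("203.0.113.9", 80, "cdn.unknown.example", "http://cdn.unknown.example/u")
    unknown_verdicts = [eng.decide("updater.exe", k, i) for _ in range(5)]  # 4 queries, then cached
    k, i = http_request("198.51.100.7", 80, "x.example", "http://x.example/x")
    cloud_hit = eng.decide("dropper.exe", k, i)                 # cloud blacklist
    return first, same_host_other_url, unknown_verdicts, eng.cloud_queries, cloud_hit
```

Two properties of the design are easy to see with this model. First, because the HTTP cache key omits the URL, a blacklisted URL reached on a host that was previously judged white is allowed from the cache without any lookup; that is the trade-off the text accepts in exchange for fewer queries. Second, an unknown program is allowed by default and, once its unknown count reaches the preset value, every request whose cached state is "unknown program" is allowed without being re-queried, so the blacklists have to be complete for the protection to take effect; the cache is an efficiency measure, not a second line of defence.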
Fig. 6 shows a schematic structural diagram of a protection device for network access behaviour according to a sixth embodiment of the invention. As shown in Fig. 6, the network protection device 600 comprises a driver-layer module 610 and an application-layer module 620. The driver-layer module 610 comprises an interception module 611, a driver-layer parsing module 612 and a first sending module 613. The interception module 611 is adapted to intercept packets of network access requests initiated by a program; the driver-layer parsing module 612 is adapted to parse a packet and obtain at least one item of domain information from it; the first sending module 613 is adapted to send the packet and its at least one item of domain information to the application-layer module 620. The application-layer module 620 comprises a first receiving module 621, a query module 622, a blocking module 623 and an allowing module 624. The first receiving module 621 is adapted to receive the packet and its at least one item of domain information sent by the first sending module 613; the query module 622 is adapted to query the local database for any of the at least one item of domain information; the blocking module 623 is adapted to block the program's network access request when the query module 622 finds that any of the at least one item of domain information belongs to the blacklist of the local database; the allowing module 624 is adapted to allow the program's network access request when the query module 622 finds that none of the at least one item of domain information belongs to the blacklist of the local database but any of it belongs to the whitelist of the local database.
Optionally, the allowing module 624 is further adapted to allow the program's network access request when the query module 622 finds that the local database contains none of the at least one item of domain information, which indicates that the program is an unknown program.
Optionally, the interception module 611 is specifically adapted to intercept the packets of the network access requests initiated by the program by registering a protocol driver or creating a filter driver on the client; or by using an application programming interface function provided by the operating system; or by taking over the process's calls to the network programming interface functions; or by registering a firewall callback. More specifically, the interception module 611 may be adapted to intercept the packets of the program's network access requests by registering a protocol driver with NDIS, or by creating a filter driver on the device stack of the Winsock Ancillary Function Driver (AFD), the device stack of the Transport Driver Interface (TDI) or the device stack of the TCP/IP protocol driver. The interception module 611 may also be adapted to obtain the packets of the program's network access requests by using hook functions provided by the operating system to intercept the interface functions provided through the system service descriptor table (SSDT), the transport service functions provided by the TCP/IP protocol driver, or the functions exported by NDIS.
According to the device provided by this embodiment, the driver layer intercepts the packets of the network access requests initiated by a program and parses them to obtain the domain information they contain, and the application layer queries the local database with that domain information to decide whether to block or allow the program's network access request. For the upper-layer protocols implemented over TCP/IP or UDP that programs use, the domain information in the packet of a network access request reflects the target of the request, so the device judges whether a network access request is safe directly from the target named by those upper-layer protocols and can intercept the network access behaviour of malicious programs more effectively. Because the domain information in the packets of network access requests changes infrequently, the local database does not need frequent updates, so the network access behaviour of malicious programs can be intercepted in a more timely manner.
Fig. 7 shows a schematic structural diagram of a protection device for network access behaviour according to a seventh embodiment of the invention. As shown in Fig. 7, the network protection device 700 comprises a driver-layer module 710 and an application-layer module 720.
The driver-layer module 710 comprises an interception module 711, a driver-layer parsing module 712 and a first sending module 713. The interception module 711 is adapted to intercept packets of network access requests initiated by a program; the driver-layer parsing module 712 is adapted to parse a packet and obtain at least one item of domain information from it; the first sending module 713 is adapted to send the packet and its at least one item of domain information to the application-layer module 720.
The application-layer module 720 comprises a first receiving module 721, a query module 722, a blocking module 723, an allowing module 724, a second sending module 725 and a second receiving module 726. The first receiving module 721 is adapted to receive the packet and its at least one item of domain information sent by the first sending module 713; the query module 722 is adapted to query the local database for any of the at least one item of domain information; the blocking module 723 is adapted to block the program's network access request when the query module 722 finds that any of the at least one item of domain information belongs to the blacklist of the local database; the allowing module 724 is adapted to allow the program's network access request when the query module 722 finds that none of the at least one item of domain information belongs to the blacklist of the local database but any of it belongs to the whitelist of the local database. The second sending module 725 is adapted to send the at least one item of domain information to the network-side device when the query module 722 finds that the local database contains none of it; the second receiving module 726 is adapted to receive the result of the network-side device's query of the cloud database for any of the at least one item of domain information; the blocking module 723 is further adapted to block the program's network access request when the query result received by the second receiving module 726 indicates that the item of domain information held in the cloud database belongs to the blacklist; the allowing module 724 is further adapted to allow the program's network access request when the query result received by the second receiving module 726 indicates that the item of domain information held in the cloud database does not belong to the blacklist but belongs to the whitelist.
Optionally, the allowing module 724 is further adapted to allow the program's network access request when neither the local database nor the cloud database contains any of the at least one item of domain information, which indicates that the program is an unknown program.
Optionally, for the details of the interception module 711 see the description of the sixth embodiment, which is not repeated here.
According to the device provided by this embodiment, the driver layer intercepts the packets of the network access requests initiated by a program and parses them to obtain the domain information they contain; the application layer first queries the local database with that domain information to decide whether to block or allow the program's network access request and, if the local database does not contain the domain information from the packet, goes on to have the network side query the cloud database to decide whether to block or allow the request. For the upper-layer protocols implemented over TCP/IP or UDP that programs use, the domain information in the packet of a network access request reflects the target of the request, so the device judges whether a network access request is safe directly from the target named by those upper-layer protocols and can intercept the network access behaviour of malicious programs more effectively. Because the domain information in the packets of network access requests changes infrequently, the local database does not need frequent updates, and the network access behaviour of malicious programs can still be intercepted in a timely manner. By combining the local database and the cloud database in judging whether a network access request is safe, the device further improves the effectiveness of intercepting the network access behaviour of malicious programs.
Fig. 8 shows a schematic structural diagram of a protection device for network access behaviour according to an eighth embodiment of the invention. As shown in Fig. 8, the network protection device 800 comprises a driver-layer module 810 and an application-layer module 820.
The driver-layer module 810 comprises an interception module 811, a driver-layer parsing module 812, an acquisition module 813, a driver-layer memory 814, a first judging module 815 and a first sending module 816. The application-layer module 820 comprises a first receiving module 821, an application-layer parsing module 822, a query module 823, a blocking module 824 and an allowing module 825.
The interception module 811 is adapted to intercept packets of HTTP access requests initiated by a program (optionally, see the description of the sixth embodiment for the details of the interception module 811, which are not repeated here); the driver-layer parsing module 812 is adapted to parse a packet and obtain the domain name (Host) it contains; the acquisition module 813 is adapted to obtain the IP address and port of the HTTP access request; the first judging module 815 is adapted to check whether the driver-layer memory 814 holds the processing state of the program's previous HTTP access request with the same IP address, port and domain name as the current one; the first sending module 816 is adapted to send the packet and the domain name to the first receiving module 821 of the application-layer module 820 when the first judging module 815 judges no, or when the first judging module 815 judges yes and the program's previous processing state is "unknown program".
The first receiving module 821 is adapted to receive the packet and domain name sent by the first sending module 816; the application-layer parsing module 822 is adapted to parse the packet further and obtain one or more of the following as part of the at least one item of domain information: the URL, the User-Agent (agent identifier) and the Referer (parent page information). The application-layer parsing module 822 is optional. The query module 823 is adapted to query the local database for any of the at least one item of domain information. The blocking module 824 is adapted to block the program's network access request when the query module 823 finds that any of the at least one item of domain information belongs to the blacklist of the local database, or when the first judging module 815 judges yes and the program's previous processing state is that any of the domain information of the previous HTTP access request belongs to the blacklist; the allowing module 825 is adapted to allow the program's network access request when the query module 823 finds that none of the at least one item of domain information belongs to the blacklist of the local database but any of it belongs to the whitelist of the local database, or when the first judging module 815 judges yes and the program's previous processing state is that any of the domain information of the previous HTTP access request belongs to the whitelist.
As an optional implementation, the allowing module 825 is further adapted to allow the program's network access request when the query module 823 finds that the local database contains none of the at least one item of domain information, which indicates that the program is an unknown program.
As another optional implementation, the application-layer module 820 further comprises a second sending module and a second receiving module. The second sending module is adapted to send the at least one item of domain information to the network-side device when the query module finds that the local database contains none of it; the second receiving module is adapted to receive the result of the network-side device's query of the cloud database for any of the at least one item of domain information; the blocking module is further adapted to block the program's network access request when the query result received by the second receiving module indicates that the item of domain information held in the cloud database belongs to the blacklist; the allowing module is further adapted to allow the program's network access request when the query result received by the second receiving module indicates that the item of domain information held in the cloud database does not belong to the blacklist but belongs to the whitelist. Optionally, the allowing module is further adapted to allow the program's network access request when neither the local database nor the cloud database contains any of the at least one item of domain information, which indicates that the program is an unknown program.
Optionally, the driver-layer memory is adapted to record the IP address, port and domain name of the program's HTTP access request together with the program's processing state, namely that any of the at least one item of domain information of the program's HTTP access request belongs to the blacklist, that any of it belongs to the whitelist, or that the program is an unknown program.
Optionally, the driver-layer memory is further adapted to record, when the program's processing state is "unknown program", the cumulative number of times the program has been confirmed to be an unknown program.
On the basis of the embodiment above, in another alternative embodiment the first judging module is replaced by a second judging module and a third judging module, and the functions of the first sending module, the blocking module and the allowing module change correspondingly. Specifically, the second judging module is adapted to check whether the driver-layer memory holds the processing state of the program's previous HTTP access request with the same IP address, port and domain name as the current one; the third judging module is adapted to check, when the second judging module judges yes and the program's previous processing state is "unknown program", whether the cumulative number of times the program has been confirmed to be an unknown program is greater than or equal to the preset value (when it is, the request is allowed directly, as in step S304 of the third embodiment); the first sending module is adapted to send the packet and its at least one item of domain information to the application-layer module when the second judging module judges no or when the third judging module judges no; the blocking module is further adapted to block the program's network access request when the second judging module judges yes and the program's previous processing state is that any of the domain information of the previous HTTP access request belongs to the blacklist; the allowing module is further adapted to allow the program's network access request when the second judging module judges yes and the program's previous processing state is that any of the domain information of the previous HTTP access request belongs to the whitelist.
Fig. 9 is a structural schematic diagram of a protection device for network access behavior according to a ninth embodiment of the invention. As shown in Fig. 9, the network protection device 900 comprises a driver-layer module 910 and an application-layer module 920.
The driver-layer module 910 comprises an interception module 911, a driver-layer parsing module 912, a driver-layer memory 913, a judging module 914 and a first sending module 915. The application-layer module 920 comprises a first receiving module 921, a query module 922, a blocking module 923 and a release module 924.
The interception module 911 intercepts the packets of a network access request initiated by a program; for details of the interception module 911 see the description of the sixth embodiment, which is not repeated here. The driver-layer parsing module 912 parses the packet and obtains the domain information it contains. The judging module 914 judges whether the driver-layer memory 913 records process state information for a previous instance of the program whose network access request carried the same domain information as the current one. When the judging module 914 answers NO, the first sending module 915 sends the packet and its domain information to the first receiving module 921 of the application-layer module 920.
The first receiving module 921 receives the packet and its domain information from the first sending module 915. The query module 922 queries the local database for whether any item of the domain information is stored there. The blocking module 923 blocks the program's network access request when the query module 922 finds that any item of the domain information belongs to the blacklist of the local database, or when the judging module 914 answers YES and the recorded process state information says that an item of domain information in the previous network access request belonged to the blacklist. The release module 924 lets the program's network access request through when the query module 922 finds that none of the domain information belongs to the blacklist of the local database but any item of it belongs to the whitelist, or when the judging module 914 answers YES and the recorded process state information says either that an item of domain information in the previous network access request belonged to the whitelist or that the program was an unknown program.
As an optional implementation, the release module 924 is also configured so that, when the query module 922 finds that the local database stores none of the domain information, the program is deemed an unknown program and its network access request is let through.
As another optional implementation, the application-layer module 920 further comprises a second sending module and a second receiving module. When the query module finds that the local database stores none of the domain information, the second sending module sends the domain information to the network device. The second receiving module receives the query result obtained by the network device from its cloud database as to whether any item of the domain information is stored there. When the query result received by the second receiving module shows that the cloud database stores an item of the domain information and that it belongs to the blacklist, the blocking module blocks the program's network access request; when the result shows that the stored item does not belong to the blacklist but belongs to the whitelist, the release module lets the request through. Optionally, when neither the local database nor the cloud database stores any item of the domain information, the release module deems the program an unknown program and lets its network access request through.
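The decision flow of the driver-layer cache embodiments above (the keyed memory with an unknown-program counter described before Fig. 9, and the application-layer lookup that falls back from the local database to the cloud database described for Fig. 9) can be shown end to end. The following Python is an added illustration, not code from the patent or its assignee: the class and function names, the (IP, port, domain) cache key, the preset threshold of 2, and the decision that a repeated unknown program whose counter has reached the threshold is let through without another query are all assumptions, since the text does not state what happens once the counter reaches the preset value.

```python
"""Driver-layer memory plus application-layer blacklist/whitelist lookup.

Added illustration of the decision flow; names and the behaviour at the
unknown-program threshold are assumptions, not the patent's implementation.
"""
from dataclasses import dataclass, field

BLACK, WHITE, UNKNOWN = "blacklist", "whitelist", "unknown"
BLOCK, ALLOW = "block", "allow"


@dataclass
class DriverMemory:
    """Driver-layer memory keyed by (ip, port, domain) of an HTTP request."""
    unknown_threshold: int = 2  # the "preset value" of the third judging module (assumed)
    state: dict = field(default_factory=dict)         # key -> last verdict
    unknown_count: dict = field(default_factory=dict)  # key -> times judged unknown

    def previous_state(self, key):
        return self.state.get(key)

    def record(self, key, verdict):
        self.state[key] = verdict
        if verdict == UNKNOWN:
            self.unknown_count[key] = self.unknown_count.get(key, 0) + 1
        else:
            self.unknown_count.pop(key, None)


class ApplicationLayer:
    """Query module: local database first, cloud database on a local miss."""

    def __init__(self, local_black, local_white, cloud_black, cloud_white):
        self.local = (frozenset(local_black), frozenset(local_white))
        self.cloud = (frozenset(cloud_black), frozenset(cloud_white))
        self.local_queries = 0
        self.cloud_queries = 0

    @staticmethod
    def _classify(domain_info, black, white):
        # blacklist takes precedence when items hit both lists
        if any(d in black for d in domain_info):
            return BLACK
        if any(d in white for d in domain_info):
            return WHITE
        return None  # none of the items is stored

    def verdict(self, domain_info):
        self.local_queries += 1
        result = self._classify(domain_info, *self.local)
        if result is None:  # not stored locally: second sending module asks the cloud
            self.cloud_queries += 1
            result = self._classify(domain_info, *self.cloud)
        return result if result is not None else UNKNOWN


class Protector:
    """Driver-layer judging modules in front of the application layer."""

    def __init__(self, memory, app):
        self.memory, self.app = memory, app

    def handle(self, ip, port, domain, extra_domain_info=()):
        key = (ip, port, domain.lower())
        prev = self.memory.previous_state(key)
        if prev == BLACK:   # judged YES, previous verdict blacklist
            return BLOCK
        if prev == WHITE:   # judged YES, previous verdict whitelist
            return ALLOW
        if prev == UNKNOWN and self.memory.unknown_count.get(key, 0) >= self.memory.unknown_threshold:
            # third judging module YES: repeated unknown; assumed to pass without re-query
            self.memory.record(key, UNKNOWN)
            return ALLOW
        # judged NO (or unknown below threshold): hand the packet to the application layer
        verdict = self.app.verdict((domain.lower(), *extra_domain_info))
        self.memory.record(key, verdict)
        return BLOCK if verdict == BLACK else ALLOW


def run_demo():
    """Six requests from three programs against constructed sample lists."""
    app = ApplicationLayer(local_black={"evil.example"}, local_white={"good.example"},
                           cloud_black={"cloud-bad.example"}, cloud_white={"cloud-good.example"})
    guard = Protector(DriverMemory(unknown_threshold=2), app)
    results = [
        guard.handle("198.51.100.1", 80, "evil.example"),        # local blacklist -> block
        guard.handle("198.51.100.1", 80, "evil.example"),        # cache hit -> block, no lookup
        guard.handle("198.51.100.2", 80, "cloud-good.example"),  # local miss, cloud whitelist
        guard.handle("198.51.100.3", 80, "nobody.example"),      # unknown (1st) -> allow
        guard.handle("198.51.100.3", 80, "nobody.example"),      # unknown (2nd) -> re-queried
        guard.handle("198.51.100.3", 80, "nobody.example"),      # threshold reached -> no query
    ]
    return results, app.local_queries, app.cloud_queries


if __name__ == "__main__":
    print(run_demo())
```

With `unknown_threshold=1` the memory behaves as in the ninth embodiment, where a previously recorded unknown verdict is let through without re-querying. Both variants are fail-open for unknown domains, and once a key is cached its verdict is reused without consulting either database again, so a domain that is blacklisted in the cloud after the first lookup is not re-checked until the cache entry disappears.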
Optionally, the driver-layer memory records the domain information of the program's network access request together with the program's process state information, the process state information being either that an item of domain information in the program's network access request belongs to the blacklist or to the whitelist, or that the program is an unknown program.
Optionally, in this embodiment the network access request may be a DNS access request, in which case the domain information includes the DNS domain name; or it may be an SMTP access request, in which case the domain information includes the e-mail address of the sender and/or the recipient.
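Before any list lookup can happen, the driver-layer parsing module has to pull the domain information out of the raw request: the Host and URL (plus User-Agent and Referer, as in claim 4) of an HTTP request, the query name of a DNS message, and the envelope addresses of an SMTP session. The following Python is an added example and not the patent's implementation; the sample HTTP request, SMTP session and DNS query bytes are constructed for the demonstration, and the function names are the editor's own.

```python
"""Extract 'domain information' from intercepted HTTP, DNS and SMTP requests.

Added example; the sample inputs below are constructed, not captured traffic.
"""
import struct


def parse_http_request(payload: bytes) -> dict:
    """Return host, full URL, User-Agent and Referer from an HTTP request head."""
    head = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    host = headers.get("host", "")
    return {
        "method": method,
        "host": host.split(":")[0].lower(),          # drop an explicit port
        "url": f"http://{host}{target}" if host else target,
        "user_agent": headers.get("user-agent", ""),
        "referer": headers.get("referer", ""),        # the "parent page"
    }


def _read_name(packet: bytes, offset: int):
    """Read an RFC 1035 name at offset; follows compression pointers safely."""
    labels, jumps, end = [], 0, None
    while True:
        if offset >= len(packet):
            raise ValueError("truncated DNS name")
        length = packet[offset]
        if length & 0xC0 == 0xC0:                     # 11xxxxxx: compression pointer
            if end is None:
                end = offset + 2                      # caller resumes after the pointer
            offset = struct.unpack("!H", packet[offset:offset + 2])[0] & 0x3FFF
            jumps += 1
            if jumps > 16:
                raise ValueError("DNS pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(packet[offset:offset + length].decode("ascii").lower())
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def parse_dns_qnames(packet: bytes) -> list:
    """Return the query names in the question section of a DNS message."""
    if len(packet) < 12:
        raise ValueError("short DNS header")
    qdcount = struct.unpack("!H", packet[4:6])[0]
    names, offset = [], 12
    for _ in range(qdcount):
        name, offset = _read_name(packet, offset)
        offset += 4                                   # skip QTYPE and QCLASS
        names.append(name)
    return names


def _strip_angle(text: str) -> str:
    text = text.strip()
    if text.startswith("<") and ">" in text:
        text = text[1:text.index(">")]
    return text.lower()


def parse_smtp_envelope(session: bytes) -> dict:
    """Return sender, recipients and their domains from MAIL FROM / RCPT TO lines."""
    sender, recipients = "", []
    for line in session.decode("latin-1").split("\r\n"):
        upper = line.upper()
        if upper.startswith("MAIL FROM:"):
            sender = _strip_angle(line[len("MAIL FROM:"):])
        elif upper.startswith("RCPT TO:"):
            recipients.append(_strip_angle(line[len("RCPT TO:"):]))
    domains = sorted({a.rsplit("@", 1)[1] for a in [sender, *recipients] if "@" in a})
    return {"sender": sender, "recipients": recipients, "domains": domains}


def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Constructed sample: a standard A query for `name`."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)


# Constructed samples (not captured traffic).
SAMPLE_HTTP = (b"GET /update/check.php?v=2 HTTP/1.1\r\nHost: www.example.com\r\n"
               b"User-Agent: Mozilla/5.0\r\nReferer: http://portal.example.net/start\r\n\r\n")
SAMPLE_SMTP = (b"EHLO client.example\r\nMAIL FROM:<alice@sender.example>\r\n"
               b"RCPT TO:<bob@rcpt.example>\r\nRCPT TO:<carol@Rcpt.Example>\r\nDATA\r\n")
# Two questions; the second is a compression pointer (0xC00C) back to the first name.
SAMPLE_DNS_WITH_POINTER = (struct.pack("!HHHHHH", 1, 0x0100, 2, 0, 0, 0)
                           + b"\x01a\x07example\x00" + struct.pack("!HH", 1, 1)
                           + b"\xc0\x0c" + struct.pack("!HH", 1, 1))

if __name__ == "__main__":
    print(parse_http_request(SAMPLE_HTTP))
    print(parse_dns_qnames(build_dns_query("www.example.com")))
    print(parse_smtp_envelope(SAMPLE_SMTP))
```

The names are lower-cased before they reach a list lookup, since a case difference in a Host header or RCPT TO address would otherwise bypass an exact-match blacklist; the DNS reader bounds pointer following so a crafted packet cannot spin the driver in a loop.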
Fig. 10 is a structural schematic diagram of a protection system for network access behavior according to a tenth embodiment of the invention. As shown in Fig. 10, the network protection system 1000 comprises a client device 1010 and a network device 1020. The client device 1010 may comprise the protection device for network access behavior described in any of the seventh, eighth and ninth embodiments above. The network device 1020 comprises a cloud database 1021, a network-side receiving module 1022, a network-side query module 1023 and a network-side sending module 1024. The network-side receiving module 1022 is connected to the second sending module in the client device and receives the domain information sent by the client device; the network-side query module 1023 queries the cloud database 1021 for whether any item of the domain information is stored there and obtains a query result; the network-side sending module 1024 is connected to the second receiving module in the client device and sends the query result to the client device.
The algorithms and displays presented herein are not inherently related to any particular computer, virtual system or other apparatus. Various general-purpose systems may also be used with the teaching herein. From the description above, the structure required to construct such systems is apparent. Moreover, the invention is not directed to any particular programming language. It should be understood that a variety of programming languages may be used to implement the content of the invention described herein, and that the above description of a specific language is given to disclose the preferred embodiment of the invention.
The specification provided herein describes a large number of specific details. It will be understood, however, that embodiments of the invention may be practised without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail so as not to obscure the understanding of this description.
Similarly, it should be understood that, in order to streamline the disclosure and aid understanding of one or more of the inventive aspects, features of the invention are sometimes grouped together in a single embodiment, figure or description thereof in the above description of exemplary embodiments. This method of disclosure is not, however, to be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art will appreciate that the modules in the devices of an embodiment may be adaptively changed and arranged in one or more devices different from that embodiment. Modules, units or components of an embodiment may be combined into a single module, unit or component, and may also be divided into a plurality of sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or apparatus so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose.
Furthermore, those skilled in the art will understand that, although some embodiments described herein include some features included in other embodiments and not others, combinations of features of different embodiments are meant to be within the scope of the invention and to form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
The component embodiments of the invention may be implemented in hardware, in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the protection system for network access behavior according to embodiments of the invention. The invention may also be embodied as a device or apparatus program (for example, a computer program and a computer program product) for performing part or all of the method described herein. Such a program implementing the invention may be stored on a computer-readable medium, or may take the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the invention, and that those skilled in the art can design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several means, several of these means may be embodied by one and the same item of hardware. The use of the words first, second, third and so on does not indicate any ordering; these words may be interpreted as names.

Claims (14)

1. A protection system for network access behavior, comprising a client device and a network device;
the client device comprising a protection device for network access behavior;
the network device comprising:
a cloud database;
a network-side receiving module, configured to receive at least one item of domain information sent by the client device;
a network-side query module, configured to query the cloud database for whether any of the at least one item of domain information is stored therein and to obtain a query result;
a network-side sending module, configured to send the query result to the client device;
the protection device for network access behavior comprising a driver-layer module and an application-layer module;
the driver-layer module comprising:
an interception module, configured to intercept a packet of a network access request initiated by a program;
a driver-layer parsing module, configured to parse the packet and obtain the at least one item of domain information in the packet;
a first sending module, configured to send the packet and its at least one item of domain information to the application-layer module;
the application-layer module comprising:
a first receiving module, configured to receive the packet and its at least one item of domain information sent by the first sending module;
a query module, configured to query a local database for whether any of the at least one item of domain information is stored therein;
a blocking module, configured to block the network access request of the program when the query module finds that any of the at least one item of domain information belongs to a blacklist of the local database;
a release module, configured to let the network access request of the program through when the query module finds that the at least one item of domain information does not belong to the blacklist of the local database but any of it belongs to a whitelist of the local database;
a second sending module, configured to send the at least one item of domain information to the network device when the query module finds that none of the at least one item of domain information is stored in the local database;
a second receiving module, configured to receive the query result, obtained by the network device from the cloud database, as to whether any of the at least one item of domain information is stored therein;
the blocking module being further configured to block the network access request of the program when the query result received by the second receiving module shows that the cloud database stores any of the at least one item of domain information and that it belongs to a blacklist;
the release module being further configured to let the network access request of the program through when the query result received by the second receiving module shows that the item of domain information stored in the cloud database does not belong to the blacklist but belongs to a whitelist.
2. The protection system according to claim 1, wherein the release module is further configured to deem the program an unknown program and let its network access request through when neither the local database nor the cloud database is found to store any of the at least one item of domain information.
3. The protection system according to claim 2, wherein the interception module is specifically configured to intercept a packet of an HTTP access request initiated by the program, and the at least one item of domain information comprises a domain name;
the driver-layer module further comprising an acquisition module configured to obtain the IP address and port of the HTTP access request.
4. The protection system according to claim 3, wherein the application-layer module further comprises an application-layer parsing module configured to parse the packet further and obtain one or more of the following as part of the at least one item of domain information: the URL, the user-agent identifier and the parent-page (referrer) information.
5. The protection system according to claim 3 or 4, wherein the driver-layer module further comprises:
a driver-layer memory;
a first judging module, configured to judge whether the driver-layer memory records process state information of a previous instance of the program whose HTTP access request had the same IP address, port and domain name as the current HTTP access request of the program;
the first sending module being specifically configured to send the packet and its at least one item of domain information to the application-layer module when the first judging module answers NO, or when the first judging module answers YES and the process state information of the previous instance is that the program was an unknown program;
the blocking module being further configured to block the network access request of the program when the first judging module answers YES and the process state information of the previous instance is that any of the at least one item of domain information in the previous HTTP access request belonged to the blacklist;
the release module being further configured to let the network access request of the program through when the first judging module answers YES and the process state information of the previous instance is that any of the at least one item of domain information in the previous HTTP access request belonged to the whitelist.
6. The protection system according to claim 3 or 4, wherein the driver-layer module further comprises:
a driver-layer memory;
a second judging module, configured to judge whether the driver-layer memory records process state information of a previous instance of the program whose HTTP access request had the same IP address, port and domain name as the current HTTP access request of the program;
a third judging module, configured, when the second judging module answers YES and the process state information of the previous instance is that the program was an unknown program, to judge whether the cumulative number of times the program has been determined to be an unknown program is greater than or equal to a preset value;
the first sending module being specifically configured to send the packet and its at least one item of domain information to the application-layer module when the second judging module answers NO, or when the third judging module answers NO;
the blocking module being further configured to block the network access request of the program when the second judging module answers YES and the process state information of the previous instance is that any of the at least one item of domain information in the previous HTTP access request belonged to the blacklist;
the release module being further configured to let the network access request of the program through when the second judging module answers YES and the process state information of the previous instance is that any of the at least one item of domain information in the previous HTTP access request belonged to the whitelist.
7. The protection system according to claim 3, wherein the driver-layer memory is configured to record the IP address, port and domain name of the HTTP access request of the program and the process state information of the program, the process state information being that any of the at least one item of domain information in the HTTP access request of the program belongs to the blacklist or to the whitelist, or that the program is an unknown program.
8. The protection system according to claim 7, wherein the driver-layer memory is further configured, when the process state information of the program is that the program is an unknown program, to record the cumulative number of times the program has been determined to be an unknown program.
9. The protection system according to claim 2, wherein the driver-layer module comprises:
a driver-layer memory;
a judging module, configured to judge whether the driver-layer memory records process state information of a previous instance of the program whose network access request carried the same at least one item of domain information as the current network access request of the program;
the first sending module being specifically configured to send the packet and its at least one item of domain information to the application-layer module when the judging module answers NO;
the blocking module being further configured to block the network access request of the program when the judging module answers YES and the process state information of the previous instance is that any of the at least one item of domain information in the previous network access request belonged to the blacklist;
the release module being further configured to let the network access request of the program through when the judging module answers YES and the process state information of the previous instance is either that any of the at least one item of domain information in the previous network access request belonged to the whitelist or that the program was an unknown program.
10. The protection system according to claim 9, wherein the driver-layer memory is configured to record the at least one item of domain information of the network access request of the program and the process state information of the program, the process state information being that any of the at least one item of domain information in the network access request of the program belongs to the blacklist or to the whitelist, or that the program is an unknown program.
11. The protection system according to claim 9 or 10, wherein
the network access request is a DNS access request and the at least one item of domain information comprises a DNS domain name;
or the network access request is an SMTP access request and the at least one item of domain information comprises the e-mail address of the sender and/or the recipient.
12. The protection system according to claim 1, wherein the interception module is specifically configured to intercept the packet of the network access request initiated by the program by:
registering a protocol driver or creating a filter driver on the client;
or using an application programming interface function provided by the operating system;
or taking over the process's calls to network programming interface functions;
or registering a firewall callback.
13. The protection system according to claim 1, wherein the interception module is specifically configured to intercept the packet of the network access request initiated by the program by registering a protocol driver with NDIS, or by creating a filter driver on the device stack of the Winsock ancillary function driver (AFD), the device stack of the transport driver interface (TDI) or the device stack of the TCP/IP protocol driver.
14. The protection system according to claim 1, wherein the interception module is specifically configured to use a hook function provided by the operating system to intercept the interface functions provided through the system service descriptor table (SSDT), the transport service functions provided by TCP/IP, or the functions exported by NDIS, and thereby obtain the packet of the network access request initiated by the program.
CN201210478425.4A 2012-11-22 2012-11-22 The guard system of access to netwoks behavior Active CN102916983B (en)

Publications (2)

Publication Number Publication Date
CN102916983A CN102916983A (en) 2013-02-06
CN102916983B true CN102916983B (en) 2015-08-05

Family

ID=47615217

Families Citing this family (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104104666B (en) * 2013-04-15 2015-06-24 腾讯科技(深圳)有限公司 Method of detecting abnormal cloud service and device
CN104348850B (en) * 2013-07-25 2017-10-20 凌群电脑股份有限公司 The system for accessing cloud database data using saturating logical technology
US9450970B2 (en) * 2013-08-12 2016-09-20 Wal-Mart Stores, Inc. Automatic blocking of bad actors across a network
CN103929418A (en) * 2014-03-28 2014-07-16 汉柏科技有限公司 Wireless Internet access method and system based on network safety equipment
US11030105B2 (en) * 2014-07-14 2021-06-08 Oracle International Corporation Variable handles
CN105142130B (en) * 2015-06-12 2019-05-31 联想(北京)有限公司 A kind of information processing method and electronic equipment
CN105376222A (en) * 2015-10-30 2016-03-02 四川九洲电器集团有限责任公司 Intelligent defense system based on cloud computing platform
CN105561580A (en) * 2015-12-24 2016-05-11 北京奇虎科技有限公司 Network protecting method and device based on game platform
US11323458B1 (en) * 2016-08-22 2022-05-03 Paubox, Inc. Method for securely communicating email content between a sender and a recipient
CN106131090B (en) * 2016-08-31 2021-11-09 北京力鼎创软科技有限公司 Method and system for user to access network under web authentication
CN107342999A (en) * 2017-07-04 2017-11-10 郑州云海信息技术有限公司 A kind of system and method based on agent protection certificate is strengthened
CN107528861B (en) * 2017-10-12 2019-11-12 浪潮云信息技术有限公司 A kind of method and device of determining IP user's access authority
CN107821284A (en) * 2017-11-07 2018-03-23 河北工业大学 A kind of intelligent fish breeding system based on cloud database
CN108632280A (en) * 2018-05-08 2018-10-09 国家计算机网络与信息安全管理中心 Flow processing method, apparatus and system, fire wall and server
CN109379404B (en) * 2018-09-14 2022-04-01 厦门天锐科技股份有限公司 Method for forwarding data based on TDI drive and effective proxy of proxy server

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101378395A (en) * 2008-10-10 2009-03-04 福建星网锐捷网络有限公司 Method and apparatus for preventing reject access aggression
CN101404654A (en) * 2008-10-30 2009-04-08 中兴通讯股份有限公司 Apparatus and method for preventing frequent accesses to electronic program menu server by suspicious users
CN101527721A (en) * 2009-04-22 2009-09-09 中兴通讯股份有限公司 Anti-virus method on the basis of household gateway and device thereof
CN101834866A (en) * 2010-05-05 2010-09-15 北京来安科技有限公司 CC (Communication Center) attack protective method and system thereof
CN102025713A (en) * 2010-02-09 2011-04-20 中国移动通信集团北京有限公司 Access control method, system and DNS (Domain Name Server) server
CN102413142A (en) * 2011-11-30 2012-04-11 华中科技大学 Active defense method based on cloud platform

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CP01 Change in the name or title of a patent holder
Address after: 100088 Room 112, Block D, 28 Xinjiekouwai Street, Xicheng District, Beijing (Desheng Park)
Patentee after: BEIJING QIHOO TECHNOLOGY Co.,Ltd.; Beijing Qizhi Business Consulting Co.,Ltd.
Address before: 100088 Room 112, Block D, 28 Xinjiekouwai Street, Xicheng District, Beijing (Desheng Park)
Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.; Qizhi software (Beijing) Co.,Ltd.
TR01 Transfer of patent right
Effective date of registration: 20220325
Address after: 100016 1773, 15/F, 17/F, Building 3, No. 10 Jiuxianqiao Road, Chaoyang District, Beijing
Patentee after: Sanliu0 Digital Security Technology Group Co.,Ltd.
Address before: 100088 Room 112, Block D, 28 Xinjiekouwai Street, Xicheng District, Beijing (Desheng Park)
Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.; Beijing Qizhi Business Consulting Co.,Ltd.