CN102932375A - Protection method and device for network access behavior - Google Patents

Protection method and device for network access behavior

Info

Publication number
CN102932375A
Authority
CN
China
Prior art keywords
program
access request
network access
domain information
packet
Legal status
Granted
Application number
CN2012104792617A
Other languages
Chinese (zh)
Other versions
CN102932375B (en)
Inventor
熊昱之
张聪
刘海粟
Current Assignee
Beijing Qizhi Business Consulting Co ltd
Beijing Qihoo Technology Co Ltd
360 Digital Security Technology Group Co Ltd
Original Assignee
Beijing Qihoo Technology Co Ltd
Qizhi Software Beijing Co Ltd
Application filed by Beijing Qihoo Technology Co Ltd, Qizhi Software Beijing Co Ltd
Priority to CN201210479261.7A
Publication of CN102932375A
Application granted
Publication of CN102932375B
Legal status: Active

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a protection method and device for network access behavior. The method comprises the following steps: a driver layer intercepts a network access request packet initiated by a program, parses the packet, obtains at least one kind of domain information from it, and sends the packet together with that domain information to an application layer; the application layer queries whether any item of the domain information is stored in a local database. If so, and that item belongs to the blacklist of the local database, the program's network access request is blocked; if none of the domain information belongs to the blacklist but some item belongs to the whitelist of the local database, the program's network access request is allowed. The method uses the targets of the upper-layer protocols directly to determine whether a network access request is safe, so that the network access behavior of a malicious program is intercepted effectively.

Description

Protection method and device for network access behavior
Technical field
The present invention relates to the technical field of network communication security, and specifically to a protection method and device for network access behavior.
Background technology
With the rapid development of Internet technology and the general fall in the cost of going online, the Internet has become an indispensable part of most people's daily lives. However, some programmers, in order to show off or prove their ability, or for other reasons (political, military, religious, national, patent-related and so on), tend to write malicious programs that interfere with the normal operation of computers, so that users invaded by these programs cannot achieve what they went online for, and the whole system may even be paralysed. Network security has therefore become a focus of attention.
Existing network protection methods all allow or block a program's network access behavior on the basis of the TCP (Transmission Control Protocol)/IP (Internet Protocol) or UDP (User Datagram Protocol) address and port. Specifically, when a program initiates a network access request, it first issues a connection request (socket connect); from the socket connect the IP address and port of the target to be accessed can be obtained, and the local database is queried by the IP address and port of the target to decide whether to allow or block the program's network access behavior. For an unknown program, the user may be prompted to choose whether to allow it.
However, most of the network protocols used by existing programs are upper-layer protocols implemented on top of TCP/IP or UDP, such as HTTP (Hypertext Transfer Protocol), SMTP (Simple Mail Transfer Protocol), DNS (Domain Name System) and FTP (File Transfer Protocol). When a program issues a network access request over one of these upper-layer protocols, the IP address and port alone cannot determine the purpose of the request. Moreover, IP addresses and ports change very frequently on the network (the IP address changes, for example, when the network provider changes), whereas updating the local database takes a certain amount of time, so existing network protection methods cannot intercept the network access behavior of malicious programs in a timely and effective manner.
Summary of the invention
In view of the above problems, the present invention is proposed in order to provide a protection method for network access behavior, and a corresponding protection device, that overcome or at least partly solve the problems described above.
According to one aspect of the present invention, a protection method for network access behavior is provided, comprising:
A driver layer intercepts the packet of a network access request initiated by a program, parses the packet to obtain at least one kind of domain information in the packet, and then sends the packet and its domain information to an application layer;
The application layer queries whether any item of the domain information is stored in a local database; if so, and that item belongs to the blacklist of the local database, the program's network access request is blocked; if none of the domain information belongs to the blacklist but some item belongs to the whitelist of the local database, the program's network access request is allowed.
According to another aspect of the present invention, a protection device for network access behavior is provided, comprising a driver layer module and an application layer module;
The driver layer module comprises: an interception module, adapted to intercept the packet of a network access request initiated by a program; a driver layer parsing module, adapted to parse the packet and obtain at least one kind of domain information in it; and a first sending module, adapted to send the packet and its domain information to the application layer module;
The application layer module comprises: a first receiving module, adapted to receive the packet and its domain information sent by the first sending module; a query module, adapted to query whether any item of the domain information is stored in the local database; a blocking module, adapted to block the program's network access request when the query module finds that an item of the domain information belongs to the blacklist of the local database; and an allowing module, adapted to allow the program's network access request when the query module finds that none of the domain information belongs to the blacklist but some item belongs to the whitelist of the local database.
According to the scheme provided by the invention, the driver layer intercepts the packet of the network access request initiated by the program and parses it to obtain the domain information it contains, and the application layer queries the local database by that domain information to decide whether to block or allow the program's network access request. For the upper-layer protocols that programs use on top of TCP/IP or UDP, the domain information in the packet of a network access request reflects the target of the request, so the invention uses the targets of these upper-layer protocols directly to judge whether the request is safe and can intercept the network access behavior of malicious programs more effectively. Furthermore, the domain information in the packet of a network access request does not change often, so the local database does not need frequent updating, and the network access behavior of malicious programs can be intercepted in a more timely manner.
The above is only an overview of the technical solution of the present invention. So that the technical means of the present invention may be understood more clearly and implemented according to the contents of the specification, and so that the above and other objects, features and advantages of the present invention may become more apparent, specific embodiments of the present invention are set out below.
Description of the drawings
Various other advantages and benefits will become clear to those of ordinary skill in the art from reading the following detailed description of the preferred embodiments. The drawings serve only to illustrate the preferred embodiments and are not to be taken as limiting the invention. Throughout the drawings, the same reference symbols denote the same parts. In the drawings:
Fig. 1 shows a flow chart of a protection method for network access behavior according to a first embodiment of the invention;
Fig. 2 shows a flow chart of a protection method for network access behavior according to a second embodiment of the invention;
Fig. 3 shows a flow chart of a protection method for network access behavior according to a third embodiment of the invention;
Fig. 4 shows a flow chart of a protection method for network access behavior according to a fourth embodiment of the invention;
Fig. 5 shows a flow chart of a protection method for network access behavior according to a fifth embodiment of the invention;
Fig. 6 shows a structural diagram of a protection device for network access behavior according to a sixth embodiment of the invention;
Fig. 7 shows a structural diagram of a protection device for network access behavior according to a seventh embodiment of the invention;
Fig. 8 shows a structural diagram of a protection device for network access behavior according to an eighth embodiment of the invention;
Fig. 9 shows a structural diagram of a protection device for network access behavior according to a ninth embodiment of the invention;
Fig. 10 shows a structural diagram of a protection system for network access behavior according to a tenth embodiment of the invention.
Detailed description of the embodiments
Exemplary embodiments of the present disclosure are described below in more detail with reference to the drawings. Although the drawings show exemplary embodiments of the present disclosure, it should be understood that the disclosure can be realised in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the disclosure is understood more thoroughly and its scope is conveyed completely to those skilled in the art.
A program is an ordinary file, a set of machine code instructions and data, and a static concept. A process is the execution of a program on a computer, a dynamic concept. The same program can run on several data sets at the same time, that is, one program may correspond to several processes. Network access behavior is initiated by a running program (that is, a process). The current network access behavior of a program is the network access behavior initiated by the processes that belong to that program. Network access behavior comes in many kinds, including HTTP access (commonly downloading a file or uploading information), SMTP requests (for example sending and receiving e-mail), DNS requests (resolving the IP address and other information corresponding to a domain name), and so on.
Fig. 1 shows a flow chart of a protection method 100 for network access behavior according to the first embodiment of the invention. As shown in Fig. 1, method 100 starts at step S101, in which the driver layer (ring0) intercepts the packet of a network access request initiated by a program. The packet intercepted by the driver layer is the packet in the program's request to send data (socket send) or request to receive data (socket receive).
When an ordinary program needs to connect to the network, it sends the network access request through the API (Application Programming Interface) provided by the operating system (such as Windows). After the operating system receives the program's network access request, it receives the packet the program wants to send, encapsulates it, and then passes the encapsulated packet to a physical device (such as the network card), which finally sends it out. Given this ordinary network access flow, the relevant information about network behavior can be intercepted at any link of the flow in order to monitor the program's current network behavior. Optionally, the driver layer may intercept the packet of a program's network access request in any of the following ways:
(1) Registering a protocol driver or creating a filter driver on the client, and intercepting the packet of the program's network access request there.
In the ordinary network access flow, the operating system uses certain protocol drivers or filter drivers to obtain the data of network access behavior when it handles the relevant data, so the packet of the program's network access request can be intercepted by registering a protocol driver on the client or creating a filter driver similar to the operating system's own. Specifically, a protocol driver can be registered with NDIS (Network Driver Interface Specification), or a filter driver similar to the operating system's own can be created on the device stack of Afd.sys (Ancillary Function Driver for Winsock), Tdi.sys (Transport Dispatch Interface) or Tcpip.sys (Transmission Control Protocol/Internet Protocol), and the packet of the program's network access request intercepted there.
Taking the creation of a filter driver on the Afd.sys device stack as an example: when the packet of a network access request is sent, the dispatch function of Afd.sys that the system would originally call first calls the dispatch function of the created filter driver, and the packet is intercepted in this way.
(2) Intercepting the packet of the program's network access request with an application programming interface function provided by the operating system.
Taking a hook function as the example of such an interface function: the hook function provided by the operating system intercepts the interface functions provided by the Windows SSDT (System Services Descriptor Table), such as the NtDeviceIoControl function, the service functions provided by the Tcpip.sys driver, or the exported functions provided by NDIS.sys, and thereby obtains the packet of the program's network access request.
(3) Taking over the program's calls to the network programming interface functions (Winsock), and intercepting the packet of the program's network access request there.
(4) Registering a firewall callback, and intercepting the packet of the program's network access request in it.
Method 100 then proceeds to step S102, in which the driver layer parses the intercepted packet, obtains at least one kind of domain information in it, and sends the packet and its domain information to the application layer. In this method the driver layer (ring0) has the function of parsing the packets in socket send and socket receive, obtaining the one or more items of domain information the packet contains, and sending the packet and its domain information to the application layer (ring3) process.
Method 100 then proceeds to step S103, in which the application layer queries whether any item of the domain information is stored in the local database; if so, step S104 is executed, otherwise step S106. The client's local database stores a large number of domain information entries together with a mark stating whether each entry belongs to the blacklist or the whitelist. Optionally, the storage format of the local database can be the md5 (Message Digest Algorithm 5) value of the domain information plus an extension byte, the mark of whether the domain information belongs to the blacklist or the whitelist being written in the extension byte.
In step S104, the application layer judges whether any item of the domain information belongs to the blacklist of the local database; if so, step S105 is executed, otherwise step S106. The application layer judges this by the mark stating whether the domain information belongs to the blacklist or the whitelist.
In step S105, the program's network access request is blocked. If any item of the domain information in the packet of a program's network access request belongs to the blacklist of the local database, the program is a malicious program, so its network access request is blocked, that is, its network access behavior is blocked.
In step S106, the program's network access request is allowed. If none of the domain information in the packet of a program's network access request belongs to the blacklist of the local database, but some item belongs to the whitelist, the program is a normal program, so its network access request is allowed, that is, its network access behavior is allowed. If the application layer finds that the local database stores none of the domain information, the program is an unknown program, and its network access request may be allowed. In another embodiment, if the program is an unknown program, the user may be prompted to choose, and the program's network access request is blocked or allowed according to the user's choice.
According to the method provided by this embodiment, the driver layer intercepts the packet of the network access request initiated by the program and parses it to obtain the domain information it contains, and the application layer queries the local database by that domain information to decide whether to block or allow the program's network access request. For the upper-layer protocols that programs use on top of TCP/IP or UDP, the domain information in the packet of a network access request reflects the target of the request, so this method uses the targets of these upper-layer protocols directly to judge whether the request is safe and can intercept the network access behavior of malicious programs more effectively. Furthermore, the domain information in the packet of a network access request does not change often, so the local database does not need frequent updating, and the network access behavior of malicious programs can be intercepted in a more timely manner.
Fig. 2 shows a flow chart of a protection method 200 for network access behavior according to the second embodiment of the invention. As shown in Fig. 2, method 200 starts at step S201, in which the driver layer (ring0) intercepts the packet of a network access request initiated by a program. The packet intercepted by the driver layer is the packet in the program's request to send data (socket send) or request to receive data (socket receive). For the ways in which the driver layer intercepts the packet, see the description of method 100; they are not repeated here.
Method 200 then proceeds to step S202, in which the driver layer parses the intercepted packet, obtains at least one kind of domain information in it, and sends the packet and its domain information to the application layer. In this method the driver layer (ring0) has the function of parsing the packets in socket send and socket receive, obtaining the one or more items of domain information the packet contains, and sending the packet and its domain information to the application layer (ring3) process.
Method 200 then proceeds to step S203, in which the application layer queries whether any item of the domain information is stored in the local database; if so, step S204 is executed, otherwise step S205. The client's local database stores a large number of domain information entries together with a mark stating whether each entry belongs to the blacklist or the whitelist. Optionally, the storage format of the local database can be the md5 value of the domain information plus an extension byte, the mark of whether the domain information belongs to the blacklist or the whitelist being written in the extension byte.
In step S204, the application layer judges whether any item of the domain information belongs to the blacklist of the local database; if so, step S209 is executed, otherwise step S210. The application layer judges this by the mark stating whether the domain information belongs to the blacklist or the whitelist.
In step S205, the application layer sends the domain information to a network-side device. The cloud database of the network-side device also stores a large number of domain information entries together with a mark stating whether each entry belongs to the blacklist or the whitelist. The network-side device judges whether any item of the domain information is in the cloud database; if so, it further judges from the mark whether that item belongs to the blacklist or the whitelist of the cloud database, and returns the resulting query result to the client.
After step S205, method 200 proceeds to step S206, in which the application layer receives the query result of the network-side device as to whether any item of the domain information is stored in the cloud database.
After step S206, method 200 proceeds to step S207, in which the application layer judges whether the query result shows that some item of the domain information is stored in the cloud database; if so, step S208 is executed, otherwise step S210.
In step S208, the application layer judges whether the query result shows that the cloud database stores some item of the domain information and that it belongs to the blacklist; if so, step S209 is executed, otherwise step S210.
In step S209, the program's network access request is blocked. If any item of the domain information in the packet of a program's network access request belongs to the blacklist of the local database or of the cloud database, the program is a malicious program, so its network access request is blocked, that is, its network access behavior is blocked.
In step S210, the program's network access request is allowed. If none of the domain information in the packet of a program's network access request belongs to the blacklist of the local database but some item belongs to its whitelist, or none belongs to the blacklist of the cloud database but some item belongs to its whitelist, the program is a normal program, so its network access request is allowed, that is, its network access behavior is allowed. If the application layer finds that neither the local database nor the cloud database stores any of the domain information, the program is an unknown program, and its network access request may be allowed. In another embodiment, if the program is an unknown program, the user may be prompted to choose, and the program's network access request is blocked or allowed according to the user's choice.
According to the method provided by this embodiment, the driver layer intercepts the packet of the network access request initiated by the program and parses it to obtain the domain information it contains; the application layer first queries the local database by that domain information to decide whether to block or allow the program's network access request, and if the local database stores none of the domain information contained in the packet, it goes on to query the cloud database on the network side to decide whether to block or allow the request. For the upper-layer protocols that programs use on top of TCP/IP or UDP, the domain information in the packet of a network access request reflects the target of the request, so this method uses the targets of these upper-layer protocols directly to judge whether the request is safe and can intercept the network access behavior of malicious programs more effectively. Furthermore, the domain information in the packet of a network access request does not change often, so the local database does not need frequent updating, and the network access behavior of malicious programs can be intercepted in a timely manner. By combining the local database and the cloud database to judge whether a network access request is safe, this method further improves the efficiency of intercepting the network access behavior of malicious programs.
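The decision logic of methods 100 and 200 (a local blacklist/whitelist lookup keyed by the md5 of each item of domain information with a flag byte beside it, then a cloud lookup only when the local database stores none of the items), as an added example that is not code from the patent. The flag values 1 and 2, the domain names, and the in-memory dictionaries standing in for the local and cloud databases are constructed assumptions.

```python
import hashlib
from enum import Enum
from typing import Callable, Dict, Iterable, Optional, Tuple

# Flag stored in the "extension byte" beside each md5 key. The patent only says
# the byte marks blacklist or whitelist; the values 1 and 2 are assumed here.
FLAG_BLACKLIST = 1
FLAG_WHITELIST = 2

# Result of one lookup: (any item found, any item blacklisted, any item whitelisted)
LookupResult = Tuple[bool, bool, bool]


class Verdict(Enum):
    BLOCK = "block"      # step S105 / S209
    ALLOW = "allow"      # step S106 / S210
    UNKNOWN = "unknown"  # no database knows the program: allow, or prompt the user


def domain_key(item: str) -> str:
    """Database key: md5 of the normalised domain information string."""
    return hashlib.md5(item.strip().lower().encode("utf-8")).hexdigest()


def build_database(blacklist: Iterable[str], whitelist: Iterable[str]) -> Dict[str, int]:
    """Constructed stand-in for the local or cloud database: {md5 hex: flag byte}."""
    db: Dict[str, int] = {}
    for item in blacklist:
        db[domain_key(item)] = FLAG_BLACKLIST
    for item in whitelist:
        db[domain_key(item)] = FLAG_WHITELIST
    return db


def lookup(db: Dict[str, int], items: Iterable[str]) -> LookupResult:
    """Steps S103/S104 (or the cloud side of S205): scan every item of domain information."""
    found = black = white = False
    for item in items:
        flag = db.get(domain_key(item))
        if flag is None:
            continue
        found = True
        black = black or flag == FLAG_BLACKLIST
        white = white or flag == FLAG_WHITELIST
    return found, black, white


def verdict_from(result: LookupResult) -> Verdict:
    """Any blacklisted item blocks; otherwise a whitelisted item allows; otherwise unknown."""
    found, black, white = result
    if found and black:
        return Verdict.BLOCK
    if found and white:
        return Verdict.ALLOW
    return Verdict.UNKNOWN


def decide_local(local_db: Dict[str, int], items: Iterable[str]) -> Verdict:
    """Method 100: the application layer consults only the local database."""
    return verdict_from(lookup(local_db, list(items)))


def decide(local_db: Dict[str, int], items: Iterable[str],
           cloud_query: Optional[Callable[[list], LookupResult]] = None) -> Verdict:
    """Method 200: local database first; the cloud is asked only when the local
    database stores none of the domain information (S203 -> S205..S208)."""
    items = list(items)
    verdict = decide_local(local_db, items)
    if verdict is not Verdict.UNKNOWN or cloud_query is None:
        return verdict
    return verdict_from(cloud_query(items))


if __name__ == "__main__":
    # Constructed sample data; www.360.cn is the host from the patent's own example.
    local = build_database(blacklist=["evil.example"], whitelist=["www.360.cn"])
    cloud = build_database(blacklist=["bad.example"], whitelist=["good.example"])
    ask_cloud = lambda items: lookup(cloud, items)
    for request in (["www.360.cn"], ["www.360.cn", "evil.example"],
                    ["bad.example"], ["nowhere.example"]):
        print(request, "->", decide(local, request, ask_cloud).value)
```

A request is blocked as soon as any one item is blacklisted, even when another item of the same packet is whitelisted; this is the ordering the patent's steps S104/S204 impose.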
Fig. 3 shows a flow chart of a protection method 300 for network access behavior according to the third embodiment of the invention. Method 300 is described taking an HTTP access request as the example of a network access request. As shown in Fig. 3, method 300 starts at step S301, in which the driver layer (ring0) intercepts the packet of an HTTP access request initiated by a program. The packet intercepted by the driver layer is the packet in the program's request to send data (socket send) or request to receive data (socket receive). For the ways in which the driver layer intercepts the packet, see the description of method 100; they are not repeated here.
Method 300 then proceeds to step S302, in which the driver layer parses the intercepted packet and obtains the domain name (host) in it. Before or while parsing the intercepted socket send and socket receive packets, the driver layer can also obtain the IP address and port from the socket connect.
Method 300 then proceeds to step S303, in which the driver layer judges whether the driver-layer memory (ring0 cache) records process state information for the previous HTTP access request of this program that had the same IP address, port and domain name as the program's current HTTP access request; if so, step S304 is executed, otherwise step S306. In this method, after an HTTP access request has been handled, the ring0 cache records the IP address, port and domain name of that request together with the program's process state information for it; the process state information means that the domain name of the program's current HTTP access request belongs to the blacklist or the whitelist, or that the program was identified as an unknown program in the current HTTP access request. Based on the records in the ring0 cache, in step S303 the driver layer can first judge whether the cache records process state information for the program's previous HTTP access request with the same IP address, port and domain name as the current one.
In step S304, the driver layer judges whether the process state information of the program's previous request is that the program was an unknown program; if so, step S306 is executed, otherwise step S305.
In step S305, the driver layer judges whether the process state information of the program's previous request is that the domain name of that HTTP access request belonged to the blacklist; if so, step S314 is executed, otherwise step S315.
In step S306, the driver layer sends the packet together with the domain name, IP address and port to the application layer.
After step S306, method 300 proceeds to step S307, in which the application layer parses the packet further to obtain more domain information, including the web address (URL), the agent identifier (User-Agent) and the parent page information (Referer).
An example of the packet of an HTTP access request is as follows:
GET /index.html HTTP/1.1\r\n
Host: www.360.cn\r\n
User-Agent: IE\r\n
Referer: http://www.qihoo.net/\r\n
For this example, the driver layer parses the packet and obtains the domain name www.360.cn; the application layer parses the packet further and obtains URL: http://www.360.cn/index.html, User-Agent: IE, and Referer: http://www.qihoo.net/.
After step S307, method 300 proceeds to step S308, in which the application layer queries the local database for whether any of the domain information items (domain name, IP address, port, URL, User-Agent and Referer) is stored there; if so, step S309 is executed; otherwise step S310 is executed.
In step S309, the application layer determines whether any of the domain information items (domain name, IP address, port, URL, User-Agent and Referer) belongs to the blacklist of the local database; if so, step S314 is executed; otherwise step S315 is executed.
In step S310, the application layer sends the domain information (domain name, IP address, port, URL, User-Agent and Referer) to the network-side device. The cloud database of the network-side device also stores a large number of domain information items together with flags indicating whether each item belongs to the blacklist or the whitelist. The network-side device determines whether any of the above domain information items is present in the cloud database; if so, it further determines from the flag whether that item belongs to the blacklist or the whitelist of the cloud database, obtains the query result accordingly and returns it to the client.
After step S310, method 300 proceeds to step S311, in which the application layer receives the result of the network-side device's query of the cloud database.
After step S311, method 300 proceeds to step S312, in which the application layer determines whether the query result indicates that any of the domain information items (domain name, IP address, port, URL, User-Agent and Referer) is stored in the cloud database; if so, step S313 is executed; otherwise step S315 is executed.
In step S313, the application layer determines whether the query result indicates that the cloud database stores any of the domain information items (domain name, IP address, port, URL, User-Agent and Referer) and that the item belongs to the blacklist; if so, step S314 is executed; otherwise step S315 is executed.
In step S314, the HTTP access request of the program is blocked.
In step S315, the HTTP access request of the program is allowed.
After step S314 and step S315, method 300 proceeds to step S316, in which the IP address, port and domain name of the program's current HTTP access request are recorded in the ring0 cache (for the above example, the recorded content is: IP: 220.181.24.100, port: 80, Host: www.360.cn), together with the processing state information of the program's current request. This processing state information is that any of the domain information items of the program's current HTTP access request belongs to the blacklist or the whitelist, or that the program is an unknown program.
In this method, before the driver layer sends the packet and domain information to the application layer, it first determines whether the ring0 cache records the processing state information of the same program's previous HTTP access request. The previous HTTP access request refers to the most recent HTTP access request whose domain name, IP address and port are identical to those of the current HTTP access request. If such a record exists and its processing state information is that the domain information belongs to the blacklist or the whitelist, the same handling is applied directly according to the previous processing state information, without sending the packet and domain information to the application layer again for the local database and cloud database queries. This greatly reduces the number of queries, lightens the load on the back end and improves the efficiency of network access. Moreover, in this method the ring0 cache records the domain name, IP address and port of the HTTP access request but not the URL, so HTTP access requests with the same domain name, IP address and port but different URLs are all handled according to the previous processing state information, which reduces the number of database queries for unknown URLs and further improves the efficiency of network access.
To further improve the processing efficiency of this method, on the basis of the above embodiment the ring0 cache may also record the cumulative number of times the same program has been confirmed to be an unknown program. In step S304, if the driver layer determines that the previous processing state information of this program is that the program is an unknown program, the driver layer further determines whether the cumulative number of times this program has been confirmed to be an unknown program is greater than or equal to a preset value, preferably 4; if the cumulative number is greater than or equal to the preset value, the network access request of this program is allowed; otherwise step S306 is executed. Correspondingly, in step S316, if the processing state information of the program's current request is that the program is an unknown program, the ring0 cache also updates the cumulative number of times the program has been confirmed to be an unknown program, namely by adding 1 to the previous cumulative number. With this handling, if a program has repeatedly been confirmed to be an unknown program, its network access behavior is allowed directly, which improves the efficiency of network access.
In this method, after the application layer receives the packet, it further parses the packet to obtain more domain information. Because, in the subsequent queries of the local database and the cloud database, the program can be determined to be a malicious program or a normal program as soon as any one of these domain information items belongs to the blacklist or the whitelist, the more domain information there is, the higher the interception efficiency for network access behavior.
It should also be understood, however, that step S307 is optional. That is, the application layer may not parse the packet further upon receiving it; in that case, in the subsequent steps the domain information processed by the application layer comprises the domain name, IP address and port, and does not include the URL, User-Agent, Referer or similar domain information.
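The HTTP flow of steps S304 to S316 described above, modelled in Python as an added example (this is not code from the patent): a ring0 cache keyed by program, IP address, port and Host, the optional step S307 parsing, local-then-cloud lookups, and the unknown-program counter with its preset value of 4. The list contents, program names and the addresses other than those in the example packet are constructed for the demonstration.

```python
# Added example, not code from the patent: a model of method 300's HTTP flow.
# Driver layer (ring0) cache keyed by program + IP + port + Host, the
# unknown-program counter with preset value 4, then local and cloud lookups.
from typing import Dict, List, Optional, Tuple

BLACK, WHITE, UNKNOWN = "blacklist", "whitelist", "unknown"
PRESET_UNKNOWN_LIMIT = 4   # the preferred preset value named in the text


def parse_http_request(raw: bytes) -> Dict[str, str]:
    """Host is what the driver layer extracts; URL, User-Agent and Referer
    are the extra domain information the application layer adds (step S307)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    _method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in filter(None, header_lines):
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    info = {"host": headers.get("host", "")}
    info["url"] = "http://" + info["host"] + path
    for name in ("user-agent", "referer"):
        if name in headers:
            info[name] = headers[name]
    return info


def classify(db: Dict[str, str], items: List[str]) -> Optional[str]:
    """Steps S308/S309 (or S312/S313): blacklist if any item is blacklisted,
    else whitelist if any item is stored, else None (nothing stored)."""
    states = [db[item] for item in items if item in db]
    if BLACK in states:
        return BLACK
    return WHITE if states else None


class Ring0Cache:
    """Step S316 record: processing state per (program, ip, port, host), plus
    the per-program cumulative count of 'confirmed unknown' outcomes."""
    def __init__(self) -> None:
        self.states: Dict[Tuple[str, str, int, str], str] = {}
        self.unknown_counts: Dict[str, int] = {}

    def record(self, program: str, key: Tuple[str, str, int, str], state: str) -> None:
        self.states[key] = state
        if state == UNKNOWN:
            self.unknown_counts[program] = self.unknown_counts.get(program, 0) + 1


class HttpProtector:
    def __init__(self, local_db: Dict[str, str], cloud_db: Dict[str, str],
                 preset: int = PRESET_UNKNOWN_LIMIT, parse_more: bool = True) -> None:
        self.local_db, self.cloud_db = local_db, cloud_db
        self.preset, self.parse_more = preset, parse_more
        self.cache = Ring0Cache()
        self.app_layer_queries = 0   # trips past S306; the cache should keep this low

    def handle(self, program: str, ip: str, port: int, raw: bytes) -> Tuple[str, str]:
        """Returns (decision, source); decision is 'block' or 'allow'."""
        host = parse_http_request(raw)["host"]   # driver-layer parse: Host only
        key = (program, ip, port, host)
        prev = self.cache.states.get(key)        # same program/IP/port/host seen before?
        if prev == BLACK:
            return "block", "ring0 cache"        # previous state blacklist -> S314
        if prev == WHITE:
            return "allow", "ring0 cache"        # previous state whitelist -> S315
        if prev == UNKNOWN and self.cache.unknown_counts.get(program, 0) >= self.preset:
            return "allow", "ring0 cache (unknown threshold)"   # S304 shortcut
        self.app_layer_queries += 1              # S306: hand over to the application layer
        items = [host, ip, str(port)]
        if self.parse_more:                      # S307 is optional
            info = parse_http_request(raw)
            items += [info["url"], info.get("user-agent", ""), info.get("referer", "")]
        state = classify(self.local_db, items)   # S308/S309: local database first
        if state is None:
            state = classify(self.cloud_db, items)   # S310-S313: then the cloud database
        if state is None:
            state = UNKNOWN                      # stored nowhere: unknown program
        self.cache.record(program, key, state)   # S316
        return ("block" if state == BLACK else "allow"), state


# Constructed sample data: the request from the text plus invented list entries.
EXAMPLE_REQUEST = (b"GET /index.html HTTP/1.1\r\nHost:www.360.cn\r\n"
                   b"User-Agent:IE\r\nReferer:http://www.qihoo.net/\r\n")
LOCAL_DB = {"malware.invalid": BLACK}             # constructed
CLOUD_DB = {"http://www.qihoo.net/": WHITE}       # constructed


def demo() -> Dict[str, object]:
    p = HttpProtector(LOCAL_DB, CLOUD_DB)
    first = p.handle("browser.exe", "220.181.24.100", 80, EXAMPLE_REQUEST)
    # Same host, IP and port but a different URL: answered from the ring0 cache.
    second = p.handle("browser.exe", "220.181.24.100", 80,
                      EXAMPLE_REQUEST.replace(b"/index.html", b"/about.html"))
    blocked = p.handle("dropper.exe", "198.51.100.7", 80,
                       b"GET / HTTP/1.1\r\nHost:malware.invalid\r\n")
    # A host stored nowhere is 'unknown'; once the count reaches the preset value
    # the driver layer allows it without another trip to the application layer.
    before = p.app_layer_queries
    unknowns = [p.handle("tool.exe", "203.0.113.9", 8080,
                         b"GET / HTTP/1.1\r\nHost:unknown.test\r\n") for _ in range(5)]
    return {"first": first, "second": second, "blocked": blocked,
            "unknowns": unknowns, "unknown_queries": p.app_layer_queries - before}
```

Running `demo()` shows four application-layer round trips for the unknown host and then a driver-layer allow, and a single round trip for the two www.360.cn URLs.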
The method provided by the above third embodiment is described using the HTTP access request as an example, but the method is not limited to the HTTP access request; other network access requests similar to the HTTP access request may also adopt the protection method provided by the third embodiment.
Fig. 4 shows a flow chart of a protection method 400 for network access behavior according to a fourth embodiment of the invention. In method 400, the network access request is described taking a DNS access request as an example. As shown in Fig. 4, method 400 starts at step S401, in which the driver layer (ring0) intercepts the packet of a DNS access request initiated by a program. The packet intercepted by the driver layer is the packet in the program's request to send data (socket send) or request to receive data (socket receive). For the method by which the driver layer intercepts the packet, refer to the related description of method 100; it is not repeated here.
Subsequently, method 400 proceeds to step S402, in which the driver layer parses the intercepted packet and obtains the DNS domain name in the packet.
An example of the packet of a DNS access request is as follows:
Domain Name System (query)
Transaction ID: 0x276b
Questions: 1
Answer RRs: 0
Authority RRs: 0
Additional RRs: 0
Queries www.360.cn: type A, class IN
For this example, the driver layer parses the packet and obtains the DNS domain name www.360.cn.
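The DNS dissection above rebuilt as wire bytes and parsed back the way the driver layer must in step S402, as an added example (not code from the patent). The header flags value 0x0100 is an assumption, since the dissection does not show the flags field.

```python
# Added example, not code from the patent: build the DNS query shown in the text
# (transaction ID 0x276b, 1 question, www.360.cn type A class IN) and parse the
# question name back out of the wire format, as the driver layer does in S402.
import struct
from typing import Any, Dict, List


def encode_qname(name: str) -> bytes:
    """Wire-format name: length-prefixed labels terminated by a zero byte."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def build_dns_query(txid: int, name: str, qtype: int = 1, qclass: int = 1) -> bytes:
    # Header: ID, flags (0x0100 = recursion desired, assumed), QDCOUNT=1, AN/NS/AR=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", qtype, qclass)


def parse_dns_query(packet: bytes) -> Dict[str, Any]:
    """Return the header counts and (name, type, class) of every question.
    Truncated packets raise ValueError; compression pointers (RFC 1035 4.1.4)
    are not expected in a query name and are rejected rather than followed."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", packet[:12])
    pos = 12
    questions = []
    for _ in range(qdcount):
        labels = []
        while True:
            if pos >= len(packet):
                raise ValueError("truncated question name")
            length = packet[pos]
            pos += 1
            if length == 0:
                break
            if length & 0xC0:
                raise ValueError("compression pointer in question name")
            if pos + length > len(packet):
                raise ValueError("label runs past end of packet")
            labels.append(packet[pos:pos + length].decode("ascii"))
            pos += length
        if pos + 4 > len(packet):
            raise ValueError("truncated question type/class")
        qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
        pos += 4
        questions.append((".".join(labels), qtype, qclass))
    return {"id": txid, "flags": flags, "questions_count": qdcount,
            "answer_rrs": ancount, "authority_rrs": nscount,
            "additional_rrs": arcount, "questions": questions}


def dns_domain_names(packet: bytes) -> List[str]:
    """Step S402: the DNS domain names the driver layer records and looks up."""
    return [name for name, _qtype, _qclass in parse_dns_query(packet)["questions"]]


EXAMPLE_QUERY = build_dns_query(0x276b, "www.360.cn")   # reconstructed from the text
```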
Subsequently, method 400 proceeds to step S403, in which the driver layer determines whether the driver-layer memory (ring0 cache) records the processing state information of this program's previous request having the same DNS domain name as the program's current DNS access request; if so, step S404 is executed; otherwise step S406 is executed. In this method, after a DNS access request has been handled, the ring0 cache records the DNS domain name of that DNS access request and the processing state information of the program for that request; the processing state information here means that the DNS domain name of the program's DNS access request belongs to the blacklist or the whitelist, or that the program was identified as an unknown program in that DNS access request. Based on the records of the ring0 cache, in step S403 the driver layer can first determine whether the ring0 cache records the processing state information of this program's previous request having the same DNS domain name as the current DNS access request.
In step S404, the driver layer determines whether the previous processing state information of this program is that the program is an unknown program; if so, step S414 is executed; otherwise step S405 is executed.
In step S405, the driver layer determines whether the previous processing state information of this program is that the DNS domain name of the program's previous DNS access request belongs to the blacklist; if so, step S413 is executed; otherwise step S414 is executed.
In step S406, the driver layer sends the packet and the DNS domain name to the application layer.
After step S406, method 400 proceeds to step S407, in which the application layer queries the local database for whether the DNS domain name is stored there; if so, step S408 is executed; otherwise step S409 is executed.
In step S408, the application layer determines whether the DNS domain name belongs to the blacklist of the local database; if so, step S413 is executed; otherwise step S414 is executed.
In step S409, the application layer sends the DNS domain name to the network-side device. The cloud database of the network-side device also stores a large number of DNS domain names together with flags indicating whether each belongs to the blacklist or the whitelist. The network-side device determines whether the DNS domain name is present in the cloud database; if so, it further determines from the flag whether the DNS domain name belongs to the blacklist or the whitelist of the cloud database, obtains the query result accordingly and returns it to the client.
After step S409, method 400 proceeds to step S410, in which the application layer receives the result of the network-side device's query of the cloud database.
After step S410, method 400 proceeds to step S411, in which the application layer determines whether the query result indicates that the DNS domain name is stored in the cloud database; if so, step S412 is executed; otherwise step S414 is executed.
In step S412, the application layer determines whether the query result indicates that the cloud database stores the DNS domain name and that it belongs to the blacklist; if so, step S413 is executed; otherwise step S414 is executed.
In step S413, the DNS access request of the program is blocked.
In step S414, the DNS access request of the program is allowed.
After step S413 and step S414, method 400 proceeds to step S415, in which the DNS domain name of the program's current DNS access request is recorded in the ring0 cache (for the above example, the recorded content is: www.360.cn), together with the processing state information of the program's current request. This processing state information is that the DNS domain name of the program's current DNS access request belongs to the blacklist or the whitelist, or that the program is an unknown program.
In this method, before the driver layer sends the packet and DNS domain name to the application layer, it first determines whether the ring0 cache records the processing state information of the same program's previous DNS access request. The previous DNS access request refers to the most recent DNS access request whose DNS domain name is identical to that of the current DNS access request. If such a record exists and its processing state information is that the DNS domain name belongs to the blacklist or the whitelist, the same handling is applied directly according to the previous processing state information; if the processing state information is that the program is an unknown program, the program's network access request is allowed directly. The packet and domain information thus need not be sent to the application layer again for the local database and cloud database queries, which greatly reduces the number of queries, lightens the load on the back end and improves the efficiency of network access.
The method provided by the above fourth embodiment is described using the DNS access request as an example, but the method is not limited to the DNS access request; other network access requests may also adopt the protection method provided by the fourth embodiment.
Fig. 5 shows a flow chart of a protection method 500 for network access behavior according to a fifth embodiment of the invention. In method 500, the network access request is described taking an SMTP access request as an example. As shown in Fig. 5, method 500 starts at step S501, in which the driver layer (ring0) intercepts the packet of an SMTP access request initiated by a program. The packet intercepted by the driver layer is the packet in the program's request to send data (socket send) or request to receive data (socket receive). For the method by which the driver layer intercepts the packet, refer to the related description of method 100; it is not repeated here.
Subsequently, method 500 proceeds to step S502, in which the driver layer parses the intercepted packet and obtains the sender's and/or recipients' email addresses in the packet.
An example of the packet of an SMTP access request is as follows:
[Figure BDA00002449633100111: the example SMTP packet, shown as an image in the original]
For this example, the driver layer parses the packet and obtains the sender's email address bob@example.org and the recipients' email addresses alice@example.com and theboss@example.com.
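Extracting the envelope sender and recipients from the client side of an SMTP session, as the driver layer does in step S502, written here as an added example (not code from the patent). The session is constructed around the three addresses named above; only those addresses come from the text.

```python
# Added example, not code from the patent: extract the envelope sender and
# recipients from a client's SMTP command stream (step S502). Only MAIL FROM
# and RCPT TO are trusted; headers inside DATA are message content chosen by
# the program and are deliberately ignored.
import re
from typing import Dict, List

_ADDR = re.compile(r"^(MAIL FROM|RCPT TO):\s*<([^>]*)>", re.IGNORECASE)


def smtp_envelope(client_stream: bytes) -> Dict[str, List[str]]:
    """Return {'sender': [...], 'recipients': [...]} from the commands a client
    sent. Parsing stops at DATA so that From:/To: lines in the message body are
    never mistaken for envelope addresses; RSET discards the envelope so far."""
    sender: List[str] = []
    recipients: List[str] = []
    for raw_line in client_stream.split(b"\r\n"):
        line = raw_line.decode("ascii", "replace").strip()
        upper = line.upper()
        if upper == "DATA":
            break
        if upper == "RSET":
            sender, recipients = [], []
            continue
        m = _ADDR.match(line)
        if not m:
            continue
        addr = m.group(2).strip().lower()
        if not addr:              # MAIL FROM:<> is the null sender; nothing to record
            continue
        if m.group(1).upper() == "MAIL FROM":
            sender = [addr]
        else:
            recipients.append(addr)
    return {"sender": sender, "recipients": recipients}


# Constructed client side of a session; the addresses are those named in the text.
EXAMPLE_SESSION = (
    b"EHLO client.example\r\n"
    b"MAIL FROM:<bob@example.org> SIZE=1024\r\n"
    b"RCPT TO:<alice@example.com>\r\n"
    b"rcpt to:<TheBoss@example.com>\r\n"
    b"DATA\r\n"
    b"From: <header-only@example.net>\r\n"
    b"To: <header-only@example.net>\r\n"
    b"\r\n.\r\n"
)


def example_addresses() -> List[str]:
    """All envelope addresses the driver layer would record for the example."""
    env = smtp_envelope(EXAMPLE_SESSION)
    return env["sender"] + env["recipients"]
```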
Subsequently, method 500 proceeds to step S503, in which the driver layer determines whether the driver-layer memory (ring0 cache) records the processing state information of this program's previous request having the same sender and/or recipient email addresses as the program's current SMTP access request; if so, step S504 is executed; otherwise step S506 is executed. In this method, after an SMTP access request has been handled, the ring0 cache records the sender's and/or recipients' email addresses of that SMTP access request and the processing state information of the program for that request; the processing state information here means that the sender's and/or recipients' email addresses of the program's SMTP access request belong to the blacklist or the whitelist, or that the program was identified as an unknown program in that SMTP access request. Based on the records of the ring0 cache, in step S503 the driver layer can first determine whether the ring0 cache records the processing state information of this program's previous request having the same sender and/or recipient email addresses as the current SMTP access request.
In step S504, the driver layer determines whether the previous processing state information of this program is that the program is an unknown program; if so, step S514 is executed; otherwise step S505 is executed.
In step S505, the driver layer determines whether the previous processing state information of this program is that the sender's and/or recipients' email addresses of the program's previous SMTP access request belong to the blacklist; if so, step S513 is executed; otherwise step S514 is executed.
In step S506, the driver layer sends the packet and the sender's and/or recipients' email addresses to the application layer.
After step S506, method 500 proceeds to step S507, in which the application layer queries the local database for whether the sender's and/or recipients' email addresses are stored there; if so, step S508 is executed; otherwise step S509 is executed.
In step S508, the application layer determines whether the sender's and/or recipients' email addresses belong to the blacklist of the local database; if so, step S513 is executed; otherwise step S514 is executed.
In step S509, the application layer sends the sender's and/or recipients' email addresses to the network-side device. The cloud database of the network-side device also stores a large number of sender and/or recipient email addresses together with flags indicating whether each belongs to the blacklist or the whitelist. The network-side device determines whether the sender's and/or recipients' email addresses are present in the cloud database; if so, it further determines from the flag whether they belong to the blacklist or the whitelist of the cloud database, obtains the query result accordingly and returns it to the client.
After step S509, method 500 proceeds to step S510, in which the application layer receives the result of the network-side device's query of the cloud database.
After step S510, method 500 proceeds to step S511, in which the application layer determines whether the query result indicates that the sender's and/or recipients' email addresses are stored in the cloud database; if so, step S512 is executed; otherwise step S514 is executed.
In step S512, the application layer determines whether the query result indicates that the cloud database stores the sender's and/or recipients' email addresses and that they belong to the blacklist; if so, step S513 is executed; otherwise step S514 is executed.
In step S513, the SMTP access request of the program is blocked.
In step S514, the SMTP access request of the program is allowed.
After step S513 and step S514, method 500 proceeds to step S515, in which the sender's and/or recipients' email addresses of the program's current SMTP access request are recorded in the ring0 cache (for the above example, the recorded content is: bob@example.org, alice@example.com, theboss@example.com), together with the processing state information of the program's current request. This processing state information is that the sender's and/or recipients' email addresses of the program's current SMTP access request belong to the blacklist or the whitelist, or that the program is an unknown program.
In this method, before the driver layer sends the packet and the sender's and/or recipients' email addresses to the application layer, it first determines whether the ring0 cache records the processing state information of the same program's previous SMTP access request. The previous SMTP access request refers to the most recent SMTP access request whose sender and/or recipient email addresses are identical to those of the current SMTP access request. If such a record exists and its processing state information is that the sender's and/or recipients' email addresses belong to the blacklist or the whitelist, the same handling is applied directly according to the previous processing state information; if the processing state information is that the program is an unknown program, the program's network access request is allowed directly. The packet and email addresses thus need not be sent to the application layer again for the local database and cloud database queries, which greatly reduces the number of queries, lightens the load on the back end and improves the efficiency of network access.
The method provided by the above fifth embodiment is described using the SMTP access request as an example, but the method is not limited to the SMTP access request; other network access requests may also adopt the protection method provided by the fifth embodiment.
It should be noted that, in the above method embodiments, it is also an optional embodiment not to query the cloud database at all and to rely solely on the local database query to block or allow the network access behavior.
Fig. 6 shows a schematic structural diagram of a protection device for network access behavior according to a sixth embodiment of the invention. As shown in Fig. 6, the network protection device 600 comprises a driver layer module 610 and an application layer module 620. The driver layer module 610 comprises an interception module 611, a driver layer parsing module 612 and a first sending module 613. The interception module 611 is adapted to intercept the packet of a network access request initiated by a program; the driver layer parsing module 612 is adapted to parse the packet and obtain at least one item of domain information from it; the first sending module 613 is adapted to send the packet and its at least one item of domain information to the application layer module 620. The application layer module 620 comprises a first receiving module 621, a query module 622, a blocking module 623 and an allowing module 624. The first receiving module 621 is adapted to receive the packet and its at least one item of domain information sent by the first sending module 613; the query module 622 is adapted to query the local database for whether any of the at least one item of domain information is stored there; the blocking module 623 is adapted to block the program's network access request when the query module 622 finds that any of the domain information belongs to the blacklist of the local database; the allowing module 624 is adapted to allow the program's network access request when the query module 622 finds that none of the domain information belongs to the blacklist of the local database but any of it belongs to the whitelist of the local database.
Optionally, the allowing module 624 is also adapted to allow the program's network access request when the query module 622 finds that none of the at least one item of domain information is stored in the local database, which indicates that the program is an unknown program.
Optionally, the interception module 611 is specifically adapted to: intercept the packet of the program's network access request by registering a protocol driver or creating a filter driver in the client; or intercept the packet using application programming interface functions provided by the operating system; or intercept the packet by taking over the program's calls to network programming interface functions; or intercept the packet by registering a firewall callback. More specifically, the interception module 611 may be adapted to intercept the packet of the program's network access request by registering a protocol driver with NDIS, or by creating a filter driver in the driver device stack of the winsock helper functions, of the Transport Driver Interface (TDI) or of the TCP/IP protocol. The interception module 611 may also be adapted to obtain the packet of the program's network access request by using hook functions to intercept the interface functions provided by the operating system's System Service Descriptor Table (SSDT), the service functions provided by the TCP/IP protocol, or the exported functions provided by NDIS.
With the device provided by this embodiment, the driver layer intercepts the packet of the network access request initiated by a program and parses the packet to obtain the domain information it contains, and the application layer queries the local database with this domain information to decide whether to block or allow the program's network access request. For the upper-layer protocols implemented over TCP/IP or UDP that the program uses, the domain information in the packet of the network access request reflects the target of the request; the device uses the target of these upper-layer protocols directly to judge whether the network access request is safe, and can therefore intercept the network access behavior of malicious programs more effectively. Moreover, the domain information in the packet of a network access request seldom changes, so the local database does not need frequent updating, and the network access behavior of malicious programs can be intercepted more promptly.
Fig. 7 shows a schematic structural diagram of a protection device for network access behavior according to a seventh embodiment of the invention. As shown in Fig. 7, the network protection device 700 comprises a driver layer module 710 and an application layer module 720.
The driver layer module 710 comprises an interception module 711, a driver layer parsing module 712 and a first sending module 713. The interception module 711 is adapted to intercept the packet of a network access request initiated by a program; the driver layer parsing module 712 is adapted to parse the packet and obtain at least one item of domain information from it; the first sending module 713 is adapted to send the packet and its at least one item of domain information to the application layer module 720.
The application layer module 720 comprises a first receiving module 721, a query module 722, a blocking module 723, an allowing module 724, a second sending module 725 and a second receiving module 726. The first receiving module 721 is adapted to receive the packet and its at least one item of domain information sent by the first sending module 713; the query module 722 is adapted to query the local database for whether any of the at least one item of domain information is stored there; the blocking module 723 is adapted to block the program's network access request when the query module 722 finds that any of the domain information belongs to the blacklist of the local database; the allowing module 724 is adapted to allow the program's network access request when the query module 722 finds that none of the domain information belongs to the blacklist of the local database but any of it belongs to the whitelist of the local database. The second sending module 725 is adapted to send the at least one item of domain information to the network-side device when the query module 722 finds that none of it is stored in the local database; the second receiving module 726 is adapted to receive the result of the network-side device's query of the cloud database for whether any of the at least one item of domain information is stored there; the blocking module 723 is further adapted to block the program's network access request when the query result received by the second receiving module 726 indicates that the cloud database stores any of the domain information and that it belongs to the blacklist; the allowing module 724 is further adapted to allow the program's network access request when the query result received by the second receiving module 726 indicates that the cloud database stores any of the domain information and that it does not belong to the blacklist but belongs to the whitelist.
Optionally, the allowing module 724 is also adapted to allow the program's network access request when neither the local database nor the cloud database is found to store any of the at least one item of domain information, which indicates that the program is an unknown program.
Optionally, for details of the interception module 711, refer to the description of the sixth embodiment; they are not repeated here.
With the device provided by this embodiment, the driver layer intercepts the packet of the network access request initiated by a program and parses the packet to obtain the domain information it contains; the application layer first queries the local database with this domain information to decide whether to block or allow the program's network access request, and if the local database does not store the domain information contained in the packet, it goes on to query the cloud database on the network side to decide whether to block or allow the request. For the upper-layer protocols implemented over TCP/IP or UDP that the program uses, the domain information in the packet of the network access request reflects the target of the request; the device uses the target of these upper-layer protocols directly to judge whether the network access request is safe, and can therefore intercept the network access behavior of malicious programs more effectively. Moreover, the domain information in the packet of a network access request seldom changes, so the local database does not need frequent updating and the network access behavior of malicious programs can still be intercepted promptly. By combining the local database and the cloud database to judge whether a network access request is safe, the device further improves the efficiency of intercepting the network access behavior of malicious programs.
Fig. 8 shows the structural representation according to the protector of the access to netwoks behavior of eighth embodiment of the invention.As shown in Figure 8, this network protection device 800 comprises driving layer module 810 and application layer module 820.
Driving layer module 810 comprises: intercept and capture module 811, a driving layer parsing module 812, acquisition module 813, drive layer internal memory 814, the first judge module 815 and the first sending module 816.Application layer module 820 comprises: the first receiver module 821, application layer parsing module 822, enquiry module 823, prevention module 824 and clearance module 825.
Intercept and capture the packet that module 811 is suitable for the HTTP access request of intercepting and capturing program initiation, alternatively, can referring to the description of the 6th embodiment, not repeat them here about the related content of intercepting and capturing module 811; Drive layer parsing module 812 and be suitable for the resolution data bag, obtain the domain name (host) that comprises in the packet; Acquisition module 813 is suitable for obtaining IP address and the port of HTTP access request; The first judge module 815 is suitable for judging in driving layer internal memory 814 whether record the process state information that has the upper once program of identical ip addresses and port and domain name with the HTTP access request of this secondary program; The first sending module 816 is suitable in the situation that the first judge module 815 is judged as no, perhaps, the first judge module 815 be judged as be and on once the process state information of program be on once program be in the situation of unknown program, packet and domain name are sent to the first receiver module 821 of application layer module 820.
The first receiving module 821 is adapted to receive the packet and the domain name sent by the first sending module 816. The application-layer parsing module 822 is adapted to parse the packet further and obtain one or more of the following as part of the at least one kind of domain information: the URL, the User-Agent identifier and the referring (parent) page information. The application-layer parsing module 822 is optional. The query module 823 is adapted to query whether any of the at least one kind of domain information is stored in the local database. The blocking module 824 is adapted to block the network access request of the program either when the query module 823 finds that any of the at least one kind of domain information belongs to the blacklist of the local database, or when the first judging module 815 judges yes and the process state information of the previous instance of the program indicates that any of the domain information of its HTTP access request belongs to the blacklist. The allowing module 825 is adapted to allow the network access request of the program either when the query module 823 finds that the at least one kind of domain information does not belong to the blacklist of the local database but any of it belongs to the whitelist of the local database, or when the first judging module 815 judges yes and the process state information of the previous instance of the program indicates that any of the domain information of its HTTP access request belongs to the whitelist. Note that a blacklist hit is checked first, so a domain appearing in both lists is blocked.
As an optional implementation, the allowing module 825 is further adapted to, when the query module 823 finds that none of the at least one kind of domain information is stored in the local database, treat the program as an unknown program and allow its network access request (a fail-open default for requests that match neither list).
As another optional implementation, the application-layer module 820 further comprises a second sending module and a second receiving module. The second sending module is adapted to send the at least one kind of domain information to the network-side device when the query module finds that none of it is stored in the local database. The second receiving module is adapted to receive the query result of the network-side device querying whether any of the at least one kind of domain information is stored in the cloud database. The blocking module is further adapted to block the network access request of the program when the query result received by the second receiving module shows that the cloud database stores any of the domain information and that it belongs to the blacklist. The allowing module is further adapted to allow the network access request of the program when the query result received by the second receiving module shows that the cloud database stores any of the domain information and that it does not belong to the blacklist but belongs to the whitelist. Optionally, the allowing module is further adapted to, when neither the local database nor the cloud database stores any of the at least one kind of domain information, treat the program as an unknown program and allow its network access request.
Optionally, the driver-layer memory is adapted to record the IP address, port and domain name of the program's HTTP access request together with the program's process state information, which indicates that any of the domain information of the program's HTTP access request belongs to the blacklist or to the whitelist, or that the program is an unknown program.
Optionally, when the process state information of the program indicates that it is an unknown program, the driver-layer memory also records the cumulative number of times the program has been determined to be unknown.
On the basis of the above embodiment, a further alternative embodiment replaces the first judging module with a second judging module and a third judging module, with corresponding changes to the first sending module, the blocking module and the allowing module. Specifically, the second judging module is adapted to judge whether the driver-layer memory records process state information of a previous instance of the program whose HTTP access request has the same IP address, port and domain name as the HTTP access request of the present instance. The third judging module is adapted to, when the second judging module judges yes and the process state information of the previous instance indicates that it was an unknown program, judge whether the cumulative number of times the program has been determined to be unknown is greater than or equal to a preset value; when it judges yes, the request is allowed without being sent to the application layer, as in the corresponding method. The first sending module is specifically adapted to send the packet and its at least one kind of domain information to the application-layer module when the second judging module judges no, or when the third judging module judges no. The blocking module is further adapted to block the network access request of the program when the second judging module judges yes and the process state information of the previous instance indicates that any of the domain information of its HTTP access request belongs to the blacklist. The allowing module is further adapted to allow the network access request of the program when the second judging module judges yes and the process state information of the previous instance indicates that any of the domain information of its HTTP access request belongs to the whitelist.
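The Python model below is an added example and is not code from the patent or from the assignee's product. It shows the decision flow of the eighth embodiment and its alternative end to end: a driver-layer memory keyed on (IP address, port, domain name), an application-layer lookup that consults a local list and then a simulated cloud list, and the unknown-program counter compared with a preset threshold. The class and function names, list contents, addresses and threshold value are all assumptions constructed for the example. A threshold of 0 reproduces the ninth embodiment (a cached unknown program is allowed without another lookup); a very large threshold reproduces the first judging module (an unknown program is sent back to the application layer on every request).

```python
"""Added example: two-tier allow/block decision with a driver-layer cache.
Not the patent's code; names, list contents and threshold are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

BLACKLIST, WHITELIST, UNKNOWN = "blacklist", "whitelist", "unknown"
BLOCK, ALLOW = "block", "allow"

CacheKey = Tuple[str, int, str]          # (ip, port, domain), as in the HTTP variant


@dataclass
class ProcessState:
    """What the driver layer remembers about the last decision for a key."""
    state: str                           # BLACKLIST, WHITELIST or UNKNOWN
    unknown_count: int = 0               # times the program was judged unknown


class ApplicationLayer:
    """Query module: local database first, then the (simulated) cloud database."""

    def __init__(self, local_db: Dict[str, str], cloud_db: Optional[Dict[str, str]] = None):
        self.local_db = local_db
        self.cloud_db = cloud_db
        self.lookups = 0                 # how many packets reached this layer

    def classify(self, domain: str) -> str:
        self.lookups += 1
        for db in (self.local_db, self.cloud_db):
            if db is not None and domain in db:
                return db[domain]        # BLACKLIST or WHITELIST
        return UNKNOWN                   # in neither list: unknown program


class DriverLayer:
    """Judging modules plus driver-layer memory, in front of the application layer."""

    def __init__(self, app: ApplicationLayer, unknown_threshold: int = 3):
        self.app = app
        self.unknown_threshold = unknown_threshold
        self.memory: Dict[CacheKey, ProcessState] = {}

    def handle(self, ip: str, port: int, domain: str) -> str:
        key: CacheKey = (ip, port, domain)
        prev = self.memory.get(key)
        if prev is not None:                               # second judging module: yes
            if prev.state == BLACKLIST:
                return BLOCK                               # no application-layer round trip
            if prev.state == WHITELIST:
                return ALLOW
            if prev.unknown_count >= self.unknown_threshold:  # third judging module: yes
                return ALLOW
        # first sending module: hand the packet to the application layer
        state = self.app.classify(domain)
        self._record(key, state)
        return BLOCK if state == BLACKLIST else ALLOW

    def _record(self, key: CacheKey, state: str) -> None:
        entry = self.memory.get(key)
        if entry is None or entry.state != state:
            entry = ProcessState(state)
            self.memory[key] = entry
        if state == UNKNOWN:
            entry.unknown_count += 1


def run_scenario(threshold: int = 3) -> Tuple[List[str], int]:
    """Constructed traffic: returns the verdict sequence and the app-layer lookup count."""
    app = ApplicationLayer(
        local_db={"malware.example.test": BLACKLIST, "update.example.test": WHITELIST},
        cloud_db={"cdn.example.test": WHITELIST},
    )
    drv = DriverLayer(app, unknown_threshold=threshold)
    traffic = [
        ("198.51.100.10", 80, "malware.example.test"),   # local blacklist -> block
        ("198.51.100.10", 80, "malware.example.test"),   # cached -> block, no lookup
        ("198.51.100.20", 80, "cdn.example.test"),       # only in cloud list -> allow
        ("198.51.100.30", 80, "nobody.example.test"),    # unknown, counted and allowed
        ("198.51.100.30", 80, "nobody.example.test"),
        ("198.51.100.30", 80, "nobody.example.test"),
        ("198.51.100.30", 80, "nobody.example.test"),    # count reached threshold -> cache hit
    ]
    verdicts = [drv.handle(*pkt) for pkt in traffic]
    return verdicts, app.lookups


if __name__ == "__main__":
    print(run_scenario())
```

As in the embodiment, the memory key carries no program identity: any program whose request matches the same IP address, port and domain name reuses the cached verdict, and an unknown program is allowed on every request while it is being counted.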
Fig. 9 shows a schematic structural diagram of the protection device for network access behavior according to the ninth embodiment of the invention. As shown in Fig. 9, the network protection device 900 comprises a driver-layer module 910 and an application-layer module 920.
The driver-layer module 910 comprises an interception module 911, a driver-layer parsing module 912, a driver-layer memory 913, a judging module 914 and a first sending module 915. The application-layer module 920 comprises a first receiving module 921, a query module 922, a blocking module 923 and an allowing module 924.
The interception module 911 is adapted to intercept the packet of the network access request initiated by a program; optionally, see the description of the sixth embodiment for the details of the interception module 911, which are not repeated here. The driver-layer parsing module 912 is adapted to parse the packet and obtain the at least one kind of domain information it contains. The judging module 914 is adapted to judge whether the driver-layer memory 913 records process state information of a previous instance of the program whose network access request has the same at least one kind of domain information as the network access request of the present instance. The first sending module 915 is adapted to send the packet and its at least one kind of domain information to the first receiving module 921 of the application-layer module 920 when the judging module 914 judges no.
The first receiving module 921 is adapted to receive the packet and its at least one kind of domain information sent by the first sending module 915. The query module 922 is adapted to query whether any of the at least one kind of domain information is stored in the local database. The blocking module 923 is adapted to block the network access request of the program either when the query module 922 finds that any of the domain information belongs to the blacklist of the local database, or when the judging module 914 judges yes and the process state information of the previous instance of the program indicates that any of the domain information of its network access request belongs to the blacklist. The allowing module 924 is adapted to allow the network access request of the program either when the query module 922 finds that the domain information does not belong to the blacklist of the local database but any of it belongs to the whitelist of the local database, or when the judging module 914 judges yes and the process state information of the previous instance indicates either that any of the domain information of its network access request belongs to the whitelist or that the previous instance was an unknown program.
As an optional implementation, the allowing module 924 is further adapted to, when the query module 922 finds that none of the at least one kind of domain information is stored in the local database, treat the program as an unknown program and allow its network access request.
As another optional implementation, the application-layer module 920 further comprises a second sending module and a second receiving module. The second sending module is adapted to send the at least one kind of domain information to the network-side device when the query module finds that none of it is stored in the local database. The second receiving module is adapted to receive the query result of the network-side device querying whether any of the domain information is stored in the cloud database. The blocking module is further adapted to block the network access request of the program when the query result received by the second receiving module shows that the cloud database stores any of the domain information and that it belongs to the blacklist. The allowing module is further adapted to allow the network access request of the program when the query result received by the second receiving module shows that the cloud database stores any of the domain information and that it does not belong to the blacklist but belongs to the whitelist. Optionally, the allowing module is further adapted to, when neither the local database nor the cloud database stores any of the domain information, treat the program as an unknown program and allow its network access request.
Optionally, the driver-layer memory is adapted to record the at least one kind of domain information of the program's network access request together with the program's process state information, which indicates that any of the domain information of the program's network access request belongs to the blacklist or to the whitelist, or that the program is an unknown program.
Optionally, in this embodiment the network access request may be a DNS access request, in which case the at least one kind of domain information comprises the DNS domain name; or the network access request may be an SMTP access request, in which case the at least one kind of domain information comprises the sender's and/or recipient's email address.
Fig. 10 shows a schematic structural diagram of the protection system for network access behavior according to the tenth embodiment of the invention. As shown in Fig. 10, the network protection system 1000 comprises a client device 1010 and a network-side device 1020. The client device 1010 may comprise the protection device for network access behavior of any of the seventh, eighth and ninth embodiments above. The network-side device 1020 comprises a cloud database 1021, a network-side receiving module 1022, a network-side query module 1023 and a network-side sending module 1024. The network-side receiving module 1022 is connected to the second sending module in the client device and is adapted to receive the at least one kind of domain information sent by the client device; the network-side query module 1023 is adapted to query whether any of the domain information is stored in the cloud database 1021 and obtain the query result; the network-side sending module 1024 is connected to the second receiving module in the client device and is adapted to send the query result to the client device.
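The parsing step on which the whole scheme rests is extracting the "domain information" from the intercepted packet. The Python block below is an added example, not code from the patent, covering the three request types the page names: the domain name, URL, User-Agent and referring page from a raw HTTP request head (the driver-layer and application-layer parsing modules of the eighth embodiment), the question name from a DNS query in wire format, and the sender and recipient addresses from the client side of an SMTP session (the ninth embodiment). The sample payloads are constructed, not captured traffic, and the function names are the example's own; the DNS parser rejects truncated or compressed question names rather than guessing.

```python
"""Added example: extracting the 'domain information' the parsing modules work
on, for HTTP, DNS and SMTP. Not the patent's code; sample payloads are constructed."""
import re
from typing import Dict, List


def http_domain_info(payload: bytes) -> Dict[str, str]:
    """Domain name, URL, User-Agent and referring page from a raw HTTP request head."""
    head, _, _ = payload.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:                                   # ignore malformed header lines
            headers[name.strip().lower()] = value.strip()
    host = headers.get("host", "")
    return {
        "method": method,
        "domain": host.rsplit(":", 1)[0] if host else "",
        "url": "http://" + host + target,
        "user_agent": headers.get("user-agent", ""),
        "referer": headers.get("referer", ""),   # the 'parent page' information
    }


def dns_qname(packet: bytes) -> str:
    """Question name from a DNS query in wire format (RFC 1035 section 4.1.2)."""
    if len(packet) < 12:
        raise ValueError("short DNS header")
    if int.from_bytes(packet[4:6], "big") == 0:   # QDCOUNT
        raise ValueError("no question section")
    labels: List[str] = []
    i = 12
    while True:
        if i >= len(packet):
            raise ValueError("truncated question name")
        n = packet[i]
        i += 1
        if n == 0:
            break
        if n & 0xC0:                               # compression pointer: not valid in a query name
            raise ValueError("compressed question name")
        if n > 63 or i + n > len(packet):
            raise ValueError("bad label length")
        labels.append(packet[i:i + n].decode("ascii"))
        i += n
    return ".".join(labels)


_SMTP_ENVELOPE = re.compile(r"^(MAIL FROM|RCPT TO):\s*<([^>]*)>", re.IGNORECASE)


def smtp_domain_info(session: bytes) -> Dict[str, List[str]]:
    """Sender and recipient addresses from the client side of an SMTP session."""
    senders: List[str] = []
    recipients: List[str] = []
    for line in session.decode("ascii", "replace").splitlines():
        m = _SMTP_ENVELOPE.match(line.strip())
        if m is None:
            continue
        (senders if m.group(1).upper() == "MAIL FROM" else recipients).append(m.group(2))
    return {"sender": senders, "recipients": recipients}


# Constructed sample payloads (not captured traffic).
HTTP_SAMPLE = (b"GET /download/setup.exe HTTP/1.1\r\n"
               b"Host: www.example.test\r\n"
               b"User-Agent: ExampleAgent/1.0\r\n"
               b"Referer: http://parent.example.test/page.html\r\n\r\n")
DNS_SAMPLE = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"   # id, flags RD, QDCOUNT=1
              b"\x03www\x07example\x04test\x00"                    # QNAME www.example.test
              b"\x00\x01\x00\x01")                                 # QTYPE A, QCLASS IN
SMTP_SAMPLE = (b"EHLO client.example.test\r\n"
               b"MAIL FROM:<alice@example.test>\r\n"
               b"RCPT TO:<bob@mail.example.test>\r\n"
               b"RCPT TO:<carol@mail.example.test>\r\n"
               b"DATA\r\n")

if __name__ == "__main__":
    print(http_domain_info(HTTP_SAMPLE))
    print(dns_qname(DNS_SAMPLE))
    print(smtp_domain_info(SMTP_SAMPLE))
```

Each extracted string is what the query module would look up against the local and cloud lists; for HTTP the domain name comes from the Host header, so a request with a missing or forged Host header yields an empty domain and should be treated as unknown rather than silently matched.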
The algorithms and displays provided herein are not inherently related to any particular computer, virtual system or other apparatus. Various general-purpose systems may also be used with the teaching herein, and the structure required to construct such systems is apparent from the above description. Moreover, the invention is not directed to any particular programming language. It should be understood that various programming languages may be used to implement the content of the invention described herein, and that the above description of specific languages is given to disclose the best mode of the invention.
Numerous specific details are set forth in the specification provided herein. It will be understood, however, that embodiments of the invention may be practised without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail so as not to obscure the understanding of this description.
Similarly, it should be understood that, in order to simplify the disclosure and aid the understanding of one or more of the various inventive aspects, various features of the invention are sometimes grouped together in a single embodiment, figure or description thereof in the above description of exemplary embodiments. This method of disclosure, however, is not to be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. The claims following the detailed description are therefore expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art will appreciate that the modules in the device of an embodiment may be adaptively changed and arranged in one or more devices different from that embodiment. The modules, units or components of an embodiment may be combined into one module, unit or component, and may furthermore be divided into a plurality of sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or apparatus so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose.
Furthermore, those skilled in the art will understand that although some embodiments described herein include some but not other features included in other embodiments, combinations of features of different embodiments are meant to be within the scope of the invention and form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
The component embodiments of the invention may be implemented in hardware, in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the protection device and system for network access behavior according to embodiments of the invention. The invention may also be implemented as a device or apparatus program (for example a computer program and a computer program product) for performing part or all of the methods described herein. Such a program implementing the invention may be stored on a computer-readable medium or may take the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the invention, and that those skilled in the art may design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a device claim enumerating several means, several of these means may be embodied by one and the same item of hardware. The use of the words first, second, third and so on does not indicate any order; these words may be interpreted as names.
Disclosed herein is A1, a protection method for network access behavior, comprising: a driver layer intercepting the packet of a network access request initiated by a program, parsing the packet to obtain at least one kind of domain information in the packet, and then sending the packet and its at least one kind of domain information to an application layer; the application layer querying whether any of the at least one kind of domain information is stored in a local database and, if so, blocking the network access request of the program when any of the domain information belongs to the blacklist of the local database, and allowing the network access request of the program when the domain information does not belong to the blacklist of the local database but any of it belongs to the whitelist of the local database.
A2. The method of A1, further comprising: if the application layer finds that the local database stores none of the at least one kind of domain information, treating the program as an unknown program and allowing its network access request.
A3. The method of A1, further comprising: if the application layer finds that none of the at least one kind of domain information is stored in the local database, sending the domain information to a network-side device and receiving the query result of the network-side device querying whether any of it is stored in a cloud database; if the query result shows that the cloud database stores any of the domain information and that it belongs to the blacklist, blocking the network access request of the program; or, if the query result shows that the cloud database stores any of the domain information and that it does not belong to the blacklist but belongs to the whitelist, allowing the network access request of the program.
A4. The method of A3, further comprising: if the application layer finds that neither the local database nor the cloud database stores any of the at least one kind of domain information, treating the program as an unknown program and allowing its network access request.
A5. The method of A2 or A4, wherein the step of the driver layer intercepting the packet of the network access request initiated by the program comprises the driver layer intercepting the packet of an HTTP access request initiated by the program; the at least one kind of domain information comprises a domain name; and the method further comprises the driver layer obtaining the IP address and port of the HTTP access request.
A6. The method of A5, further comprising: the application layer parsing the packet further and obtaining one or more of the following as part of the at least one kind of domain information: the URL, the User-Agent identifier and the referring (parent) page information.
A7. The method of A5 or A6, further comprising, before the step of sending the packet and its at least one kind of domain information to the application layer: judging whether the driver-layer memory records process state information of a previous instance of the program whose HTTP access request has the same IP address, port and domain name as the HTTP access request of the present instance; if not, performing the step of sending the packet and its domain information to the application layer; if so, blocking the network access request of the program when the process state information of the previous instance indicates that any of the domain information of its HTTP access request belongs to the blacklist, allowing the network access request when that process state information indicates that any of the domain information of its HTTP access request belongs to the whitelist, and performing the step of sending the packet and its domain information to the application layer when that process state information indicates that the previous instance was an unknown program.
A8. The method of A5 or A6, further comprising, before the step of sending the packet and its at least one kind of domain information to the application layer: judging whether the driver-layer memory records process state information of a previous instance of the program whose HTTP access request has the same IP address, port and domain name as the HTTP access request of the present instance; if not, performing the step of sending the packet and its domain information to the application layer; if so, blocking the network access request of the program when the process state information of the previous instance indicates that any of the domain information of its HTTP access request belongs to the blacklist, allowing the network access request when that process state information indicates that any of the domain information of its HTTP access request belongs to the whitelist, and, when that process state information indicates that the previous instance was an unknown program, judging whether the cumulative number of times the program has been determined to be unknown is greater than or equal to a preset value; if so, allowing the network access request of the program, otherwise performing the step of sending the packet and its domain information to the application layer.
A9. The method of any of A5 to A8, further comprising, after the step of blocking or allowing the network access request of the program: recording in the driver-layer memory the IP address, port and domain name of the HTTP access request of the present instance of the program together with its process state information, which indicates that any of the domain information of the HTTP access request belongs to the blacklist or to the whitelist, or that the program is an unknown program.
A10. The method of A9, further comprising, after the step of blocking or allowing the network access request of the program: if the process state information of the present instance indicates that the program is an unknown program, recording in the driver-layer memory the cumulative number of times the program has been determined to be unknown.
A11. The method of A2 or A4, further comprising, before the step of sending the packet and its at least one kind of domain information to the application layer: judging whether the driver-layer memory records process state information of a previous instance of the program whose network access request has the same at least one kind of domain information as the network access request of the present instance; if not, performing the step of sending the packet and its domain information to the application layer; if so, blocking the network access request of the program when the process state information of the previous instance indicates that any of the domain information of its network access request belongs to the blacklist, allowing the network access request when that process state information indicates that any of the domain information belongs to the whitelist, and allowing the network access request when that process state information indicates that the previous instance was an unknown program.
A12. The method of A11, further comprising, after the step of blocking or allowing the network access request of the program: recording in the driver-layer memory the at least one kind of domain information of the network access request of the present instance of the program together with its process state information, which indicates that any of the domain information of the network access request belongs to the blacklist or to the whitelist, or that the program is an unknown program.
A13. The method of A11 or A12, wherein the network access request is a DNS access request and the at least one kind of domain information comprises a DNS domain name; or the network access request is an SMTP access request and the at least one kind of domain information comprises the sender's and/or recipient's email address.
A14. The method of any of A1 to A13, wherein the step of the driver layer intercepting the packet of the network access request initiated by the program is specifically: intercepting the packet by registering a protocol driver or creating a filter driver on the client; or intercepting the packet by means of an application programming interface function provided by the operating system; or intercepting the packet by taking over the program's calls to network programming interface functions; or intercepting the packet by registering a firewall callback.
A15. The method of A14, wherein the step of intercepting the packet by registering a protocol driver or creating a filter driver on the client is specifically: registering a protocol driver with NDIS, or creating a filter driver in the device stack of the Winsock helper driver, the device stack of the Transport Driver Interface (TDI) or the device stack of the TCP/IP driver, to intercept the packet of the network access request initiated by the program.
A16. The method of A14, wherein the step of intercepting the packet by means of an application programming interface function provided by the operating system is specifically: obtaining the packet of the network access request initiated by the program by using a hook function provided by the operating system to intercept the interface functions provided by the System Service Descriptor Table (SSDT), the service functions provided by TCP/IP, or the export functions provided by NDIS.
Disclosed herein is B17, a protection device for network access behavior, comprising a driver-layer module and an application-layer module. The driver-layer module comprises: an interception module adapted to intercept the packet of a network access request initiated by a program; a driver-layer parsing module adapted to parse the packet and obtain at least one kind of domain information in the packet; and a first sending module adapted to send the packet and its at least one kind of domain information to the application-layer module. The application-layer module comprises: a first receiving module adapted to receive the packet and its domain information sent by the first sending module; a query module adapted to query whether any of the domain information is stored in a local database; a blocking module adapted to block the network access request of the program when the query module finds that any of the domain information belongs to the blacklist of the local database; and an allowing module adapted to allow the network access request of the program when the query module finds that the domain information does not belong to the blacklist of the local database but any of it belongs to the whitelist of the local database.
B18. The device of B17, wherein the allowing module is further adapted to, when the query module finds that the local database stores none of the at least one kind of domain information, treat the program as an unknown program and allow its network access request.
B19. The device of B17, wherein the application-layer module further comprises: a second sending module adapted to send the at least one kind of domain information to a network-side device when the query module finds that none of it is stored in the local database; and a second receiving module adapted to receive the query result of the network-side device querying whether any of the domain information is stored in a cloud database; the blocking module is further adapted to block the network access request of the program when the query result received by the second receiving module shows that the cloud database stores any of the domain information and that it belongs to the blacklist; and the allowing module is further adapted to allow the network access request of the program when the query result received by the second receiving module shows that the cloud database stores any of the domain information and that it does not belong to the blacklist but belongs to the whitelist.
B20. The device of B19, wherein the allowing module is further adapted to, when neither the local database nor the cloud database stores any of the at least one kind of domain information, treat the program as an unknown program and allow its network access request.
B21. The device of B18 or B20, wherein the interception module is specifically adapted to intercept the packet of an HTTP access request initiated by the program; the at least one kind of domain information comprises a domain name; and the driver-layer module further comprises an acquisition module adapted to obtain the IP address and port of the HTTP access request.
B22. The device of B21, wherein the application-layer module further comprises an application-layer parsing module adapted to parse the packet further and obtain one or more of the following as part of the at least one kind of domain information: the URL, the User-Agent identifier and the referring (parent) page information.
B23. The device of B21 or B22, wherein the driver-layer module further comprises: a driver-layer memory; and a first judging module adapted to judge whether the driver-layer memory records process state information of a previous instance of the program whose HTTP access request has the same IP address, port and domain name as the HTTP access request of the present instance; the first sending module is specifically adapted to send the packet and its domain information to the application-layer module when the first judging module judges no, or when it judges yes and the process state information of the previous instance indicates that the previous instance was an unknown program; the blocking module is further adapted to block the network access request of the program when the first judging module judges yes and the process state information of the previous instance indicates that any of the domain information of its HTTP access request belongs to the blacklist; and the allowing module is further adapted to allow the network access request of the program when the first judging module judges yes and the process state information of the previous instance indicates that any of the domain information of its HTTP access request belongs to the whitelist.
B24. The device of B21 or B22, wherein the driver-layer module further comprises: a driver-layer memory; a second judging module adapted to judge whether the driver-layer memory records process state information of a previous instance of the program whose HTTP access request has the same IP address, port and domain name as the HTTP access request of the present instance; and a third judging module adapted to, when the second judging module judges yes and the process state information of the previous instance indicates that it was an unknown program, judge whether the cumulative number of times the program has been determined to be unknown is greater than or equal to a preset value; the first sending module is specifically adapted to send the packet and its domain information to the application-layer module when the second judging module judges no, or when the third judging module judges no; the blocking module is further adapted to block the network access request of the program when the second judging module judges yes and the process state information of the previous instance indicates that any of the domain information of its HTTP access request belongs to the blacklist; and the allowing module is further adapted to allow the network access request of the program when the second judging module judges yes and the process state information of the previous instance indicates that any of the domain information of its HTTP access request belongs to the whitelist.
B25. The device of any of B21 to B24, wherein the driver-layer memory is adapted to record the IP address, port and domain name of the HTTP access request of the program together with the program's process state information, which indicates that any of the domain information of the HTTP access request belongs to the blacklist or to the whitelist, or that the program is an unknown program.
B26. The device of B25, wherein the driver-layer memory is further adapted to, when the process state information of the program indicates that it is an unknown program, record the cumulative number of times the program has been determined to be unknown.
B27. The device of B18 or B20, wherein the driver-layer module comprises: a driver-layer memory; and a judging module adapted to judge whether the driver-layer memory records process state information of a previous instance of the program whose network access request has the same at least one kind of domain information as the network access request of the present instance; the first sending module is specifically adapted to send the packet and its domain information to the application-layer module when the judging module judges no; the blocking module is further adapted to block the network access request of the program when the judging module judges yes and the process state information of the previous instance indicates that any of the domain information of its network access request belongs to the blacklist; and the allowing module is further adapted to allow the network access request of the program when the judging module judges yes and the process state information of the previous instance indicates either that any of the domain information of its network access request belongs to the whitelist or that the previous instance was an unknown program.
B28. The device of B27, wherein the driver-layer memory is adapted to record the at least one kind of domain information of the network access request of the program together with the program's process state information, which indicates that any of the domain information of the network access request belongs to the blacklist or to the whitelist, or that the program is an unknown program.
B29. The device of B27 or B28, wherein the network access request is a DNS access request and the at least one kind of domain information comprises a DNS domain name; or the network access request is an SMTP access request and the at least one kind of domain information comprises the sender's and/or recipient's email address.
B30. The device of any of B17 to B29, wherein the interception module is specifically adapted to: intercept the packet of the network access request initiated by the program by registering a protocol driver or creating a filter driver on the client; or intercept the packet by means of an application programming interface function provided by the operating system; or intercept the packet by taking over the program's calls to network programming interface functions; or intercept the packet by registering a firewall callback.
B31. The device of any of B17 to B29, wherein the interception module is specifically adapted to: register a protocol driver with NDIS, or create a filter driver in the device stack of the Winsock helper driver, the device stack of the Transport Driver Interface (TDI) or the device stack of TCP/IP
creates filtration drive, the packet of the network access request of intercepting and capturing program initiation.B32, according to each described device of Bi7 to B29, described intercepting and capturing module specifically is suitable for: the derivative function that the interface function that the Hook Function interception system service descriptor table that utilizes operating system to provide provides or the transmission service function that provides of control/network communication protocol or NDIS provide obtains the packet of the network access request of described program initiation.

Claims (20)

1. A protection method for network access behavior, comprising:
a driver layer intercepting a packet of a network access request initiated by a program, parsing the packet to obtain at least one kind of domain information in the packet, and then sending the packet and its at least one kind of domain information to an application layer;
the application layer querying whether any of the at least one kind of domain information is stored in a local database; if so, blocking the network access request of the program when any of the at least one kind of domain information belongs to a blacklist of the local database, and releasing the network access request of the program when the at least one kind of domain information does not belong to the blacklist of the local database but any of it belongs to a whitelist of the local database.
2. The method according to claim 1, further comprising:
if the application layer finds that the local database stores none of the at least one kind of domain information, indicating that the program is an unknown program, and releasing the network access request of the program.
3. The method according to claim 1, further comprising:
if the application layer finds that none of the at least one kind of domain information is stored in the local database, sending the at least one kind of domain information to a network device, and receiving a query result of the network device querying whether any of the at least one kind of domain information is stored in a cloud database;
if the query result shows that the cloud database stores any of the at least one kind of domain information and it belongs to a blacklist, blocking the network access request of the program; or, if the query result shows that the cloud database stores any of the at least one kind of domain information and it does not belong to the blacklist but belongs to a whitelist, releasing the network access request of the program.
4. The method according to claim 3, further comprising:
if the application layer finds that neither the local database nor the cloud database stores any of the at least one kind of domain information, indicating that the program is an unknown program, and releasing the network access request of the program.
5. The method according to claim 2 or 4, wherein the step of the driver layer intercepting the packet of the network access request initiated by the program comprises: the driver layer intercepting a packet of an HTTP access request initiated by the program; and the at least one kind of domain information comprises a domain name;
the method further comprising: the driver layer obtaining the IP address and port of the HTTP access request.
6. The method according to claim 5, further comprising: the application layer further parsing the packet to obtain one or more of the following as part of the at least one kind of domain information: a URL (network address), a user-agent identifier, and parent-page (referrer) information.
7. The method according to claim 5 or 6, further comprising, before the step of sending the packet and its at least one kind of domain information to the application layer:
judging whether the driver-layer memory records process state information of a previous instance of the program whose HTTP access request has the same IP address, port and domain name as the present HTTP access request of the program;
if not, performing the step of sending the packet and its at least one kind of domain information to the application layer;
if so, blocking the network access request of the program when the process state information of the previous instance of the program is that any of the at least one kind of domain information of the previous HTTP access request belongs to the blacklist; releasing the network access request of the program when the process state information of the previous instance of the program is that any of the at least one kind of domain information of the previous HTTP access request belongs to the whitelist; and performing the step of sending the packet and its at least one kind of domain information to the application layer when the process state information of the previous instance of the program is that the program was an unknown program.
8. The method according to claim 5 or 6, further comprising, before the step of sending the packet and its at least one kind of domain information to the application layer:
judging whether the driver-layer memory records process state information of a previous instance of the program whose HTTP access request has the same IP address, port and domain name as the present HTTP access request of the program;
if not, performing the step of sending the packet and its at least one kind of domain information to the application layer;
if so, blocking the network access request of the program when the process state information of the previous instance of the program is that any of the at least one kind of domain information of the previous HTTP access request belongs to the blacklist; releasing the network access request of the program when the process state information of the previous instance of the program is that any of the at least one kind of domain information of the previous HTTP access request belongs to the whitelist; and, when the process state information of the previous instance of the program is that the program was an unknown program, judging whether the cumulative number of times the program has been confirmed to be an unknown program is greater than or equal to a preset value; if so, releasing the network access request of the program; otherwise, performing the step of sending the packet and its at least one kind of domain information to the application layer.
9. The method according to any one of claims 5 to 8, further comprising, after the step of blocking or releasing the network access request of the program:
recording in the driver-layer memory the IP address, port and domain name of the present HTTP access request of the program, and recording the process state information of the program, the process state information being that any of the at least one kind of domain information of the present HTTP access request belongs to the blacklist or the whitelist, or that the program is an unknown program.
10. The method according to claim 9, further comprising, after the step of blocking or releasing the network access request of the program:
if the process state information of the program is that the program is an unknown program, recording in the driver-layer memory the cumulative number of times the program has been confirmed to be an unknown program.
11. The method according to claim 2 or 4, further comprising, before the step of sending the packet and its at least one kind of domain information to the application layer:
judging whether the driver-layer memory records process state information of a previous instance of the program whose network access request has the same at least one kind of domain information as the present network access request of the program;
if not, performing the step of sending the packet and its at least one kind of domain information to the application layer;
if so, blocking the network access request of the program when the process state information of the previous instance of the program is that any of the at least one kind of domain information of the previous network access request belongs to the blacklist; releasing the network access request of the program when the process state information of the previous instance of the program is that any of the at least one kind of domain information of the previous network access request belongs to the whitelist; and releasing the network access request of the program when the process state information of the previous instance of the program is that the program was an unknown program.
12. The method according to claim 11, further comprising, after the step of blocking or releasing the network access request of the program:
recording in the driver-layer memory the at least one kind of domain information of the present network access request of the program, and recording the process state information of the program, the process state information being that any of the at least one kind of domain information of the present network access request belongs to the blacklist or the whitelist, or that the program is an unknown program.
13. The method according to claim 11 or 12, wherein
the network access request is a DNS access request, and the at least one kind of domain information comprises a DNS domain name;
or, the network access request is an SMTP access request, and the at least one kind of domain information comprises the sender's and/or recipient's e-mail address.
14. The method according to any one of claims 1 to 13, wherein the step of the driver layer intercepting the packet of the network access request initiated by the program is specifically:
intercepting the packet of the network access request initiated by the program by registering a protocol driver on the client or creating a filter driver;
or, intercepting the packet of the network access request initiated by the program by using an application programming interface function provided by the operating system;
or, intercepting the packet of the network access request initiated by the program by taking over the program's request to call a network programming interface function;
or, intercepting the packet of the network access request initiated by the program by registering a firewall callback.
15. The method according to claim 14, wherein the step of intercepting the packet of the network access request initiated by the program by registering a protocol driver on the client or creating a filter driver is specifically:
intercepting the packet of the network access request initiated by the program by registering a protocol driver with NDIS, or by creating a filter driver in the driver device stack of the Winsock ancillary function driver, the transport driver interface (TDI) driver, or the TCP/IP protocol driver.
16. The method according to claim 14, wherein the step of intercepting the packet of the network access request initiated by the program by using an application programming interface function provided by the operating system is specifically:
obtaining the packet of the network access request initiated by the program by using a hook function provided by the operating system to intercept the interface functions provided by the system service descriptor table, the transport service functions provided by the TCP/IP protocol, or the functions exported by NDIS.
17. A protection device for network access behavior, comprising: a driver-layer module and an application-layer module;
the driver-layer module comprising:
an intercepting module, adapted to intercept a packet of a network access request initiated by a program;
a driver-layer parsing module, adapted to parse the packet to obtain at least one kind of domain information in the packet;
a first sending module, adapted to send the packet and its at least one kind of domain information to the application-layer module;
the application-layer module comprising:
a first receiving module, adapted to receive the packet and its at least one kind of domain information sent by the first sending module;
a query module, adapted to query whether any of the at least one kind of domain information is stored in a local database;
a blocking module, adapted to block the network access request of the program when the query module finds that any of the at least one kind of domain information belongs to a blacklist of the local database;
a releasing module, adapted to release the network access request of the program when the query module finds that the at least one kind of domain information does not belong to the blacklist of the local database but any of it belongs to a whitelist of the local database.
18. The device according to claim 17, wherein the releasing module is further adapted to, when the query module finds that the local database stores none of the at least one kind of domain information, indicate that the program is an unknown program and release the network access request of the program.
19. The device according to claim 17, wherein the application-layer module further comprises:
a second sending module, adapted to send the at least one kind of domain information to a network device when the query module finds that none of the at least one kind of domain information is stored in the local database;
a second receiving module, adapted to receive a query result of the network device querying whether any of the at least one kind of domain information is stored in a cloud database;
the blocking module is further adapted to block the network access request of the program when the query result received by the second receiving module shows that the cloud database stores any of the at least one kind of domain information and it belongs to a blacklist;
the releasing module is further adapted to release the network access request of the program when the query result received by the second receiving module shows that the cloud database stores any of the at least one kind of domain information and it does not belong to the blacklist but belongs to a whitelist.
20. The device according to claim 19, wherein the releasing module is further adapted to, when the query module finds that neither the local database nor the cloud database stores any of the at least one kind of domain information, indicate that the program is an unknown program and release the network access request of the program.
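The decision flow of claims 1 to 10 (local database, then cloud database, with the driver-layer memory and the unknown-program counter of claims 7 to 10 and embodiments B24 to B26) as a worked model in Python. This is an added example, not code from the patent or its applicant; the HTTP request parser, the database contents, the domains, the IP addresses and the preset threshold of 3 are all constructed for illustration.

```python
"""Model of the driver-layer / application-layer split in the claims.
Constructed example: databases, domains and the threshold are made up."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Tuple


class State(Enum):
    """Process state information recorded per (program, IP, port, domain)."""
    BLACK = "blacklist"
    WHITE = "whitelist"
    UNKNOWN = "unknown"


def parse_http_request(packet: bytes) -> Dict[str, str]:
    """Claims 5-6 merged into one parse: the domain name from the Host header
    (driver layer) plus URL, user agent and referrer (application layer)."""
    head = packet.partition(b"\r\n\r\n")[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    _method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    host = headers.get("host", "")
    info = {"domain": host, "url": f"http://{host}{path}"}
    if "user-agent" in headers:
        info["agent"] = headers["user-agent"]
    if "referer" in headers:
        info["referer"] = headers["referer"]
    return info


def build_request(host: str, path: str = "/", referer: str = "") -> bytes:
    """Constructed raw HTTP/1.1 request standing in for the intercepted packet."""
    req = f"GET {path} HTTP/1.1\r\nHost: {host}\r\nUser-Agent: demo-agent/1.0\r\n"
    if referer:
        req += f"Referer: {referer}\r\n"
    return (req + "\r\n").encode()


class ApplicationLayer:
    """Claims 1-4: local database first, then the cloud database. Any entry on
    the blacklist blocks; otherwise any entry on the whitelist releases."""

    def __init__(self, local: Dict[str, State], cloud: Dict[str, State]):
        self.local, self.cloud = local, cloud
        self.cloud_queries = 0          # counts round trips to the cloud

    @staticmethod
    def _lookup(db: Dict[str, State], values: List[str]) -> Optional[State]:
        hits = [db[v] for v in values if v in db]
        if State.BLACK in hits:
            return State.BLACK
        if State.WHITE in hits:
            return State.WHITE
        return None                     # none of the values is stored

    def classify(self, info: Dict[str, str]) -> State:
        values = list(info.values())    # domain, URL, agent, referrer
        state = self._lookup(self.local, values)
        if state is None:
            self.cloud_queries += 1
            state = self._lookup(self.cloud, values)
        return State.UNKNOWN if state is None else state


@dataclass
class DriverLayer:
    """Claims 7-10: a memory keyed by (program, IP, port, domain) so that a
    remembered verdict skips the round trip to the application layer."""
    app: ApplicationLayer
    preset: int = 3                     # claim 8: stop re-asking after this many
    memory: Dict[Tuple[str, str, int, str], Tuple[State, int]] = field(
        default_factory=dict)

    def handle(self, program: str, ip: str, port: int, packet: bytes) -> bool:
        """Return True to release the request, False to block it."""
        info = parse_http_request(packet)
        key = (program, ip, port, info["domain"])
        if key in self.memory:
            state, unknown_count = self.memory[key]
            if state is State.BLACK:
                return False
            if state is State.WHITE:
                return True
            if unknown_count >= self.preset:
                return True             # confirmed unknown often enough
        state = self.app.classify(info)
        count = self.memory.get(key, (state, 0))[1]
        self.memory[key] = (state, count + 1 if state is State.UNKNOWN else 0)
        return state is not State.BLACK


if __name__ == "__main__":
    app = ApplicationLayer(
        local={"bad.example": State.BLACK, "good.example": State.WHITE},
        cloud={"http://evil.example/landing": State.BLACK})
    drv = DriverLayer(app)
    print(drv.handle("app.exe", "203.0.113.5", 80, build_request("bad.example")))
    print(drv.handle("app.exe", "203.0.113.7", 80,
                     build_request("cdn.example", "/x.js", "http://evil.example/landing")))
```

The second call in the demo is blocked on the referrer alone: the host is not listed, but the parent-page URL from claim 6 is, which is why the lookup covers every piece of domain information and not just the Host header.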
CN201210479261.7A 2012-11-22 2012-11-22 Protection method and device for network access behavior Active CN102932375B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201210479261.7A CN102932375B (en) 2012-11-22 2012-11-22 Protection method and device for network access behavior

Publications (2)

Publication Number Publication Date
CN102932375A true CN102932375A (en) 2013-02-13
CN102932375B CN102932375B (en) 2015-10-07

Family

ID=47647077

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201210479261.7A Active CN102932375B (en) 2012-11-22 2012-11-22 Protection method and device for network access behavior

Country Status (1)

Country Link
CN (1) CN102932375B (en)

Cited By (31)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103561036A (en) * 2013-11-12 2014-02-05 深信服网络科技(深圳)有限公司 Request intercepting method and device in white-list internet surfing environment
CN103634315A (en) * 2013-11-29 2014-03-12 杜跃进 Front end control method and system of domain name server (DNS)
CN103825900A (en) * 2014-02-28 2014-05-28 广州云宏信息科技有限公司 Website access method and device and filter form downloading and updating method and system
CN103929418A (en) * 2014-03-28 2014-07-16 汉柏科技有限公司 Wireless Internet access method and system based on network safety equipment
CN104104666A (en) * 2013-04-15 2014-10-15 腾讯科技(深圳)有限公司 Method of detecting abnormal cloud service and device
WO2014173167A1 (en) * 2013-04-23 2014-10-30 Tencent Technology (Shenzhen) Company Limited Method, apparatus and system for filtering data of web page
CN104348799A (en) * 2013-07-31 2015-02-11 腾讯科技(深圳)有限公司 Method and device for filtering network access request
CN105022335A (en) * 2015-07-03 2015-11-04 北京科技大学 Method and device for filtering link command of PLC upper computer based on RS232 communication protocol
CN105099991A (en) * 2014-04-28 2015-11-25 北京奇虎科技有限公司 Mobile terminal network data packet capturing method and device
CN105245466A (en) * 2015-10-14 2016-01-13 北京锐安科技有限公司 Flow control method, flow control device and flow control equipment
CN105376222A (en) * 2015-10-30 2016-03-02 四川九洲电器集团有限责任公司 Intelligent defense system based on cloud computing platform
CN105912933A (en) * 2016-04-27 2016-08-31 北京金山安全软件有限公司 Method and device for processing network disconnection instruction and electronic equipment
CN105991634A (en) * 2015-04-29 2016-10-05 杭州迪普科技有限公司 Access control method and apparatus
CN106131090A (en) * 2016-08-31 2016-11-16 北京力鼎创软科技有限公司 A kind of method and system of the customer access network under web authentication
CN106209753A (en) * 2015-05-08 2016-12-07 深圳市腾讯计算机系统有限公司 Service control method, management server, client, service server and system
CN106385450A (en) * 2016-09-13 2017-02-08 宇龙计算机通信科技(深圳)有限公司 Data filtering method and system
CN106453436A (en) * 2016-12-21 2017-02-22 北京奇虎科技有限公司 Method and device for detecting network security
US9582584B2 (en) 2013-04-23 2017-02-28 Tencent Technology (Shenzhen) Company Limited Method, apparatus and system for filtering data of web page
CN106657006A (en) * 2016-11-17 2017-05-10 北京中电普华信息技术有限公司 Software information safety protection method and device
CN107395655A (en) * 2017-09-15 2017-11-24 郑州云海信息技术有限公司 A kind of system and method that network access is controlled using blacklist
CN107615263A (en) * 2015-04-30 2018-01-19 维萨国际服务协会 The method for protecting the connected device on network
CN107821284A (en) * 2017-11-07 2018-03-23 河北工业大学 A kind of intelligent fish breeding system based on cloud database
CN108737409A (en) * 2018-05-14 2018-11-02 四川迅游网络科技股份有限公司 A kind of data transmission method based on NDIS drivings
CN109086143A (en) * 2017-06-14 2018-12-25 北京小米移动软件有限公司 Using exchange method and device
CN109218374A (en) * 2017-07-07 2019-01-15 北京小米移动软件有限公司 Using exchange method and device
CN109218275A (en) * 2017-07-07 2019-01-15 北京小米移动软件有限公司 Using exchange method and device
CN109361779A (en) * 2018-10-22 2019-02-19 江苏满运软件科技有限公司 The management method of domain name and system, node server in distributed system
CN110798438A (en) * 2018-08-09 2020-02-14 北京安天网络安全技术有限公司 Method, system and storage medium for implementing firewall in application
US10990461B2 (en) 2017-06-14 2021-04-27 Beijing Xiaomi Mobile Software Co., Ltd. Application interaction method, interaction method and apparatus
CN112929326A (en) * 2019-12-05 2021-06-08 华为技术有限公司 Malicious domain name access detection method and device and computer readable storage medium
CN115065397A (en) * 2022-05-18 2022-09-16 亚太卫星宽带通信(深圳)有限公司 System and method for payment by using semi-open satellite network without mobile network

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102025713A (en) * 2010-02-09 2011-04-20 中国移动通信集团北京有限公司 Access control method, system and DNS (Domain Name Server) server
CN102413142A (en) * 2011-11-30 2012-04-11 华中科技大学 Active defense method based on cloud platform

Cited By (41)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104104666A (en) * 2013-04-15 2014-10-15 腾讯科技(深圳)有限公司 Method of detecting abnormal cloud service and device
CN104104666B (en) * 2013-04-15 2015-06-24 腾讯科技(深圳)有限公司 Method of detecting abnormal cloud service and device
US9582584B2 (en) 2013-04-23 2017-02-28 Tencent Technology (Shenzhen) Company Limited Method, apparatus and system for filtering data of web page
WO2014173167A1 (en) * 2013-04-23 2014-10-30 Tencent Technology (Shenzhen) Company Limited Method, apparatus and system for filtering data of web page
CN104348799A (en) * 2013-07-31 2015-02-11 腾讯科技(深圳)有限公司 Method and device for filtering network access request
CN104348799B (en) * 2013-07-31 2019-02-05 腾讯科技(深圳)有限公司 A kind of filter method and device of network access request
CN103561036A (en) * 2013-11-12 2014-02-05 深信服网络科技(深圳)有限公司 Request intercepting method and device in white-list internet surfing environment
CN103634315B (en) * 2013-11-29 2017-11-10 哈尔滨工业大学(威海) The front-end control method and system of name server
CN103634315A (en) * 2013-11-29 2014-03-12 杜跃进 Front end control method and system of domain name server (DNS)
CN103825900A (en) * 2014-02-28 2014-05-28 广州云宏信息科技有限公司 Website access method and device and filter form downloading and updating method and system
CN103929418A (en) * 2014-03-28 2014-07-16 汉柏科技有限公司 Wireless Internet access method and system based on network safety equipment
CN105099991B (en) * 2014-04-28 2019-05-31 北京奇虎科技有限公司 The method and device of network packet is grabbed in the terminal
CN105099991A (en) * 2014-04-28 2015-11-25 北京奇虎科技有限公司 Mobile terminal network data packet capturing method and device
CN105991634A (en) * 2015-04-29 2016-10-05 杭州迪普科技有限公司 Access control method and apparatus
CN107615263A (en) * 2015-04-30 2018-01-19 维萨国际服务协会 The method for protecting the connected device on network
CN106209753A (en) * 2015-05-08 2016-12-07 深圳市腾讯计算机系统有限公司 Service control method, management server, client, service server and system
CN106209753B (en) * 2015-05-08 2019-11-19 深圳市腾讯计算机系统有限公司 Service control method, management server, client, service server and system
CN105022335A (en) * 2015-07-03 2015-11-04 北京科技大学 Method and device for filtering link command of PLC upper computer based on RS232 communication protocol
CN105245466A (en) * 2015-10-14 2016-01-13 北京锐安科技有限公司 Flow control method, flow control device and flow control equipment
WO2017071148A1 (en) * 2015-10-30 2017-05-04 四川九洲电器集团有限责任公司 Cloud computing platform-based intelligent defense system
CN105376222A (en) * 2015-10-30 2016-03-02 四川九洲电器集团有限责任公司 Intelligent defense system based on cloud computing platform
CN105912933A (en) * 2016-04-27 2016-08-31 北京金山安全软件有限公司 Method and device for processing network disconnection instruction and electronic equipment
CN106131090A (en) * 2016-08-31 2016-11-16 北京力鼎创软科技有限公司 A kind of method and system of the customer access network under web authentication
CN106385450A (en) * 2016-09-13 2017-02-08 宇龙计算机通信科技(深圳)有限公司 Data filtering method and system
CN106657006A (en) * 2016-11-17 2017-05-10 北京中电普华信息技术有限公司 Software information safety protection method and device
CN106453436A (en) * 2016-12-21 2017-02-22 北京奇虎科技有限公司 Method and device for detecting network security
CN106453436B (en) * 2016-12-21 2019-05-31 北京奇虎科技有限公司 A kind of detection method and device of network security
CN109086143A (en) * 2017-06-14 2018-12-25 北京小米移动软件有限公司 Using exchange method and device
US11360834B2 (en) 2017-06-14 2022-06-14 Beijing Xiaomi Mobile Software Co., Ltd. Application interaction method and apparatus
US10990461B2 (en) 2017-06-14 2021-04-27 Beijing Xiaomi Mobile Software Co., Ltd. Application interaction method, interaction method and apparatus
CN109218374A (en) * 2017-07-07 2019-01-15 北京小米移动软件有限公司 Using exchange method and device
CN109218275A (en) * 2017-07-07 2019-01-15 北京小米移动软件有限公司 Using exchange method and device
CN107395655A (en) * 2017-09-15 2017-11-24 郑州云海信息技术有限公司 A kind of system and method that network access is controlled using blacklist
CN107821284A (en) * 2017-11-07 2018-03-23 河北工业大学 A kind of intelligent fish breeding system based on cloud database
CN108737409A (en) * 2018-05-14 2018-11-02 四川迅游网络科技股份有限公司 A kind of data transmission method based on NDIS drivings
CN110798438A (en) * 2018-08-09 2020-02-14 北京安天网络安全技术有限公司 Method, system and storage medium for implementing firewall in application
CN109361779A (en) * 2018-10-22 2019-02-19 江苏满运软件科技有限公司 The management method of domain name and system, node server in distributed system
CN112929326A (en) * 2019-12-05 2021-06-08 华为技术有限公司 Malicious domain name access detection method and device and computer readable storage medium
WO2021109669A1 (en) * 2019-12-05 2021-06-10 华为技术有限公司 Method and device for detecting malicious domain name access, and computer readable storage medium
CN112929326B (en) * 2019-12-05 2022-05-24 华为技术有限公司 Malicious domain name access detection method and device and computer readable storage medium
CN115065397A (en) * 2022-05-18 2022-09-16 亚太卫星宽带通信(深圳)有限公司 System and method for payment by using semi-open satellite network without mobile network

Also Published As

Publication number Publication date
CN102932375B (en) 2015-10-07

Similar Documents

Publication Publication Date Title
CN102932375B (en) Protection method and device for network access behavior
CN102916983B (en) Protection system for network access behavior
US9686236B2 (en) Mobile telephone firewall and compliance enforcement system and methods
EP2408166B1 (en) Filtering method, system and network device therefor
US8869271B2 (en) System and method for risk rating and detecting redirection activities
US9026676B1 (en) Systems and methods for prepending nonce labels to DNS queries to enhance security
CN103973704B (en) Based on the domain name analytic method of WIFI equipment, apparatus and system
CN103368941A (en) User network access scenario-based protection method and device
CN103051617A (en) Method, device and system for identifying network behaviors of program
KR101907392B1 (en) Method and system for inspecting malicious link addree listed on email
CN103152354B (en) To method, system and client device that dangerous website is pointed out
CN102783119A (en) Access control method and system, and access terminal
US10659335B1 (en) Contextual analyses of network traffic
CN103368978A (en) System and method for achieving leak application and communication safety detection of smart mobile terminal
CN103401863B (en) A kind of network data analysis method and apparatus based on cloud security
CN104092691A (en) Implementation method for implementing root-authority-free networking firewall and client-side
KR101847381B1 (en) System and method for offering e-mail in security network
CN104159231A (en) Method for optimizing background flow of client, and client
US20210112093A1 (en) Measuring address resolution protocol spoofing success
CN105430009A (en) Network access method, terminal and gateway server
EP3332533B1 (en) Parallel detection of updates to a domain name system record system using a common filter
CN105282153A (en) Method for achieving data transmission and terminal equipment
CN103634935A (en) WPS (Wi-Fi protected setup) or QSS (quick secure setup)-based network accessing method and device
CN105208029A (en) Data processing method and terminal device
CN103747005A (en) DNS (domain name system) cache poisoning protection method and device

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CP01 Change in the name or title of a patent holder
CP01 Change in the name or title of a patent holder

Address after: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)

Patentee after: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Patentee after: Beijing Qizhi Business Consulting Co.,Ltd.

Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)

Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Patentee before: Qizhi software (Beijing) Co.,Ltd.

TR01 Transfer of patent right
TR01 Transfer of patent right

Effective date of registration: 20220329

Address after: 100016 1773, 15 / F, 17 / F, building 3, No.10, Jiuxianqiao Road, Chaoyang District, Beijing

Patentee after: Sanliu0 Digital Security Technology Group Co.,Ltd.

Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)

Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Patentee before: Beijing Qizhi Business Consulting Co.,Ltd.