CN102932375B - The means of defence of access to netwoks behavior and device - Google Patents

The means of defence of access to netwoks behavior and device Download PDF

Info

Publication number
CN102932375B
CN102932375B CN201210479261.7A CN201210479261A CN102932375B CN 102932375 B CN102932375 B CN 102932375B CN 201210479261 A CN201210479261 A CN 201210479261A CN 102932375 B CN102932375 B CN 102932375B
Authority
CN
China
Prior art keywords
program
access request
domain information
network access
packet
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201210479261.7A
Other languages
Chinese (zh)
Other versions
CN102932375A (en
Inventor
熊昱之
张聪
刘海粟
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Qizhi Business Consulting Co ltd
Beijing Qihoo Technology Co Ltd
360 Digital Security Technology Group Co Ltd
Original Assignee
Beijing Qihoo Technology Co Ltd
Qizhi Software Beijing Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Qihoo Technology Co Ltd, Qizhi Software Beijing Co Ltd filed Critical Beijing Qihoo Technology Co Ltd
Priority to CN201210479261.7A priority Critical patent/CN102932375B/en
Publication of CN102932375A publication Critical patent/CN102932375A/en
Application granted granted Critical
Publication of CN102932375B publication Critical patent/CN102932375B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a kind of means of defence and device of access to netwoks behavior.Wherein method comprises: drive layer to intercept and capture the packet of the network access request that program is initiated, resolution data bag, obtain at least one domain information in packet, then packet and at least one domain information thereof are sent to application layer; Whether preserve at least one domain information in application layer inquiry local data base any one, any one if so, then at least one domain information belongs to the blacklist of local data base, stop the network access request of program; When at least one domain information does not belong to the blacklist of local data base but any one at least one domain information belongs to the white list of local data base, the network access request of clearance program.The present invention directly utilizes the target of these upper-layer protocols to judge network access request whether safety, more effectively can tackle the access to netwoks behavior of rogue program.

Description

The means of defence of access to netwoks behavior and device
Technical field
The present invention relates to Network Communicate Security technical field, be specifically related to a kind of means of defence and device of access to netwoks behavior.
Background technology
Along with the develop rapidly of Internet technology and the generally reduction of cost of surfing the net, the Internet has become an important component part indispensable in most of general public daily life.But some programmers are in order to show off and prove that oneself ability or other aspects are (as politics, military, religion, national, patent etc.) demand, often write out some and affect the rogue program that computer normally runs, thus make the object that can not be realized oneself online by the user that these rogue programs are invaded and harassed, whole system even can be made to occur paralysis.Thus, network security just becomes the focus paid close attention to now.
Existing network protection method is all based on TCP(Transmission Control Protocol, transmission control protocol)/IP(Internet Protocol, Internet Protocol) or UDP(User Datagram Protocol, User Datagram Protoco (UDP)) IP address and port let pass or stop the access to netwoks behavior of certain program.Particularly, when certain program initiates network access request, first the request (socket connect) connected is initiated, IP address and the port of target to be visited can be obtained in socket connect, determine whether clearance according to the database that IP address and interface querying this locality of target to be visited are preserved or stop the access to netwoks behavior of this program.For unknown program, user can be pointed out to select whether to let pass.
But, the procotol great majority that existing program uses are the upper-layer protocols realized based on TCP/IP or udp protocol, such as HTTP(Hypertext Transport Protocol, HTTP), SMTP(Simple Mail TransferProtocol, Simple Mail Transfer protocol), DNS(Domain Name System, domain name system) and FTP(File TransferProtocol, file transfer protocol (FTP)) etc.When program uses these upper-layer protocols to carry out network access request, the simple object cannot determining network access request by IP address and port; And, the variation of IP address and port is very frequent in a network, as when Network Provider changes, IP address will change thereupon, but more new capital of local data base needs the regular hour, therefore adopt existing network protection method can not tackle the access to netwoks behavior of rogue program timely and effectively.
Summary of the invention
In view of the above problems, the present invention is proposed to provide a kind of overcoming the problems referred to above or the means of defence of access to netwoks behavior solved the problem at least in part and the protector of corresponding access to netwoks behavior.
According to an aspect of the present invention, provide a kind of means of defence of access to netwoks behavior, comprising:
Drive layer to intercept and capture the packet of the network access request that program is initiated, resolution data bag, obtain at least one domain information in packet, then packet and at least one domain information thereof are sent to application layer;
Whether preserve at least one domain information in application layer inquiry local data base any one, any one if so, then at least one domain information belongs to the blacklist of local data base, stop the network access request of program; When at least one domain information does not belong to the blacklist of local data base but any one at least one domain information belongs to the white list of local data base, the network access request of clearance program.
According to a further aspect in the invention, provide a kind of protector of access to netwoks behavior, comprising: drive layer module and application layer module;
Drive layer module to comprise: interception module, be suitable for the packet of the network access request that intercepting and capturing program is initiated; Drive layer parsing module, be suitable for resolution data bag, obtain at least one domain information in packet; First sending module, is suitable for packet and at least one domain information thereof to send to application layer module;
Application layer module comprises: the first receiver module, is suitable for packet and at least one domain information thereof of the transmission of reception first sending module; Enquiry module, is suitable for whether preserving any one at least one domain information in inquiry local data base; Stop module, be suitable for when any one inquiring at least one domain information of enquiry module belongs to the blacklist of local data base, stop the network access request of program; Clearance module, be suitable for when enquiry module inquire at least one domain information do not belong to the blacklist of local data base but any one at least one domain information belongs to the white list of local data base, the network access request of clearance program.
According to scheme provided by the invention, by the packet driving layer to intercept and capture the network access request that program is initiated, resolution data bag obtains its domain information comprised, and application layer determines the network access request of prevention or this program of letting pass according to this domain information inquiry local data base.For the upper-layer protocol realized based on TCP/IP or UDP that program uses, domain information in the packet of network access request reflects the target of network access request, the present invention directly utilizes the target of these upper-layer protocols to judge network access request whether safety, more effectively can tackle the access to netwoks behavior of rogue program.And the domain information in the packet of network access request infrequently changes, so local data base does not need frequent renewal, thus the access to netwoks behavior of rogue program can be tackled more in time.
Above-mentioned explanation is only the general introduction of technical solution of the present invention, in order to technological means of the present invention can be better understood, and can be implemented according to the content of specification, and can become apparent, below especially exemplified by the specific embodiment of the present invention to allow above and other objects of the present invention, feature and advantage.
Accompanying drawing explanation
By reading hereafter detailed description of the preferred embodiment, various other advantage and benefit will become cheer and bright for those of ordinary skill in the art.Accompanying drawing only for illustrating the object of preferred implementation, and does not think limitation of the present invention.And in whole accompanying drawing, represent identical parts by identical reference symbol.In the accompanying drawings:
Fig. 1 shows the flow chart of the means of defence of the access to netwoks behavior according to first embodiment of the invention;
Fig. 2 shows the flow chart of the means of defence of the access to netwoks behavior according to second embodiment of the invention;
Fig. 3 shows the flow chart of the means of defence of the access to netwoks behavior according to third embodiment of the invention;
Fig. 4 shows the flow chart of the means of defence of the access to netwoks behavior according to four embodiment of the invention;
Fig. 5 shows the flow chart of the means of defence of the access to netwoks behavior according to fifth embodiment of the invention;
Fig. 6 shows the structural representation of the protector of the access to netwoks behavior according to sixth embodiment of the invention;
Fig. 7 shows the structural representation of the protector of the access to netwoks behavior according to seventh embodiment of the invention;
Fig. 8 shows the structural representation of the protector of the access to netwoks behavior according to eighth embodiment of the invention;
Fig. 9 shows the structural representation of the protector of the access to netwoks behavior according to ninth embodiment of the invention;
Figure 10 shows the structural representation of the guard system of the access to netwoks behavior according to tenth embodiment of the invention.
Embodiment
Below with reference to accompanying drawings exemplary embodiment of the present disclosure is described in more detail.Although show exemplary embodiment of the present disclosure in accompanying drawing, however should be appreciated that can realize the disclosure in a variety of manners and not should limit by the embodiment set forth here.On the contrary, provide these embodiments to be in order to more thoroughly the disclosure can be understood, and complete for the scope of the present disclosure can be conveyed to those skilled in the art.
Program is a common file, is the set of a machine code instruction and data, is a static concept.Process is a program implementation on computers, is a dynamic concept.Same program can run on several data acquisition systems simultaneously, and that is same program can corresponding multiple process.Access to netwoks behavior initiated by active program (being also process).Namely the current network access behavior of program is the access to netwoks behavior initiated by the process belonging to this program.Access to netwoks behavior of a great variety, comprise HTTP access (common are download file or information upload), SMTP ask (such as sending and receiving e-mail), DNS request information such as () the IP addresses that parsing domain name is corresponding etc.
Fig. 1 shows the flow chart of the means of defence 100 of the access to netwoks behavior according to first embodiment of the invention.As shown in Figure 1, method 100 starts from step S101, wherein drives layer (ring0) to intercept and capture the packet of the network access request that program is initiated.Drive layer intercept and capture packet be program initiate transmission data request (socket send) and reception data request (socketreceive) in packet.
If a usual program needs interconnection network, the API(Application Program Interface provided by operating system (as Windows) is provided, application programming interfaces) interface transmission network access request, after operating system receives this network access request of program, the packet that meeting reception program will send, and the packet received is encapsulated, afterwards by encapsulation Packet Generation to physical equipment (as network interface card etc.), finally by hardware device, packet is spread out of.Based on the flow process of such routine access network, carry out intercepting and capturing the object that can realize the current network behavior of monitoring program to the relevant information of network behavior in arbitrary link of this flow process.Alternatively, the packet driving layer to intercept and capture the network access request that program is initiated can adopt following several mode:
(1) by client registers protocol-driven or establishment filtration drive, the packet of the network access request that program is initiated is intercepted and captured.
In the process of routine access network, operating system is when processing related data, some protocol-driven or filtration drive can be used to obtain the data of access to netwoks behavior, so by client registers protocol-driven or create the filtration drive similar to operating system, intercept and capture the packet of the network access request of program initiation.Particularly, by to NDIS(Network DriverInterface Specification, NDIS) log-in protocol driving, or at Afd.sys(AncillaryFunction Driver for winsock, the miscellaneous function of winsock drives) driving arrangement stack, Tdi.sys(TransportDispatch Interface, transmission distribution interface) driving arrangement stack or Tcpip.sys(Transmission ControlProtocol/Internet Protocol, transmission control/network communication protocol) driving arrangement stack on create the filtration drive similar to operating system, the packet of the network access request that intercepting and capturing program is initiated.
To create filtration drive on the driving arrangement stack of Afd.sys, when sending the packet of network access request, the driving distribution function of the Afd.sys that system is called originally first can call the distribution function of the filtration drive of establishment, and profit carrys out intercepted data bag in this way.
(2) the application programming interface function utilizing operating system to provide intercepts and captures the packet of the network access request that program is initiated.
For application programming interface function for hook (hook) function, the hook function utilizing operating system to provide intercepts and captures Windows SSDT(System Services Descriptor Table, system service descriptor table) derivative function that the interface function (as NtDeviceIoControl function) that provides or Tcpip.sys drive the service function that provides or NDIS.sys to provide, obtain the packet of the network access request that program is initiated.
(3) called the request of interface for network programming function (Winsock) by takeover process, intercept and capture the packet of the network access request that program is initiated.
(4) utilize the mode of registration fire compartment wall readjustment, intercept and capture the packet of the network access request that program is initiated.
Subsequently, method 100 enters step S102, wherein drives layer to resolve the packet intercepted and captured, obtains at least one domain information in packet, packet and at least one domain information thereof are sent to application layer.In this method, layer (ring0) is driven to have the function of the packet of resolving in socket send and socket receive, obtain one or more domain informations that this packet comprises, packet and domain information thereof are sent to application layer (ring3) and process.
Subsequently, method 100 enters step S103, wherein whether preserves any one at least one domain information in application layer inquiry local data base, if so, then performs step S104; Otherwise perform step S106.The mark that a large amount of domain informations and these domain informations belong to blacklist or white list is stored in the local data base of client.Alternatively, the data memory format in local data base can be the md5(Message Digest Algorithm 5 of domain information, Message Digest Algorithm 5) value and extended byte, write the mark that domain information belongs to blacklist or white list in extended byte.
In step S104, application layer judge at least one domain information any one whether belong to the blacklist of local data base, if so, then perform step S105; Otherwise perform step S106.Application layer belongs to the mark of blacklist or white list by domain information, judge at least one domain information any one whether belong to the blacklist of local data base.
In step S105, stop the network access request of program.If any one in the packet of the network access request that certain program is initiated at least one domain information belongs to the blacklist of local data base, show that this program is rogue program, then stop the network access request of this program, also namely stop the access to netwoks behavior of this program.
In step s 106, the network access request of clearance program.If at least one domain information does not belong to the blacklist of local data base in the packet of the network access request that certain program is initiated, but wherein any one belongs to the white list of local data base, show that this program is normal procedure, the network access request of this program of then letting pass, the access to netwoks behavior of this program of also namely letting pass.If application layer inquires local data base is not preserved at least one domain information any one, show that this program is the network access request of unknown program, this program of can letting pass.As another kind of execution mode, if program is unknown program, user also can be pointed out to select, stop according to the mode of the selection of user or the network access request of this program of letting pass.
According to the method that the present embodiment provides, by the packet driving layer to intercept and capture the network access request that program is initiated, resolution data bag obtains its domain information comprised, and application layer determines the network access request of prevention or this program of letting pass according to this domain information inquiry local data base.For the upper-layer protocol realized based on TCP/IP or UDP that program uses, domain information in the packet of network access request reflects the target of network access request, this method directly utilizes the target of these upper-layer protocols to judge network access request whether safety, more effectively can tackle the access to netwoks behavior of rogue program.And the domain information in the packet of network access request infrequently changes, so local data base does not need frequent renewal, thus the access to netwoks behavior of rogue program can be tackled more in time.
Fig. 2 shows the flow chart of the means of defence 200 of the access to netwoks behavior according to second embodiment of the invention.As shown in Figure 2, method 200 starts from step S201, wherein drives layer (ring0) to intercept and capture the packet of the network access request that program is initiated.Drive layer intercept and capture packet be program initiate transmission data request (socket send) and reception data request (socketreceive) in packet.Drive the method for layer intercepted data bag see the associated description of method 100, can not repeat them here.
Subsequently, method 200 enters step S202, wherein drives layer to resolve the packet intercepted and captured, obtains at least one domain information in packet, packet and at least one domain information thereof are sent to application layer.In this method, layer (ring0) is driven to have the function of the packet of resolving in socket send and socket receive, obtain one or more domain informations that this packet comprises, packet and domain information thereof are sent to application layer (ring3) and process.
Subsequently, method 200 enters step S203, wherein whether preserves any one at least one domain information in application layer inquiry local data base, if so, then performs step S204; Otherwise perform step S205.The mark that a large amount of domain informations and these domain informations belong to blacklist or white list is stored in the local data base of client.Alternatively, the data memory format in local data base can be md5 value and the extended byte of domain information, writes the mark that domain information belongs to blacklist or white list in extended byte.
In step S204, application layer judge at least one domain information any one whether belong to the blacklist of local data base, if so, then perform step S209; Otherwise perform step S210.Application layer belongs to the mark of blacklist or white list by domain information, judge at least one domain information any one whether belong to the blacklist of local data base.
In step S205, at least one domain information is sent to network equipment by application layer.Also the mark that a large amount of domain informations and these domain informations belong to blacklist or white list is stored in the cloud database of network equipment.Network equipment judge at least one domain information any one whether belong to cloud database, if belong to cloud database, the mark of blacklist or white list is then belonged to further according to domain information, judge that this domain information belongs to blacklist or the white list of cloud database, obtain Query Result thus and return to client.
After step S205, method 200 enters step S206, and wherein application layer receives in network equipment inquiry cloud database the Query Result of any one whether preserved at least one domain information.
After step S206, method 200 enters step S207, and application layer judges whether Query Result shows to preserve any one at least one domain information in cloud database, if so, performs step S208; Otherwise, perform step S210.
In step S208, application layer judges whether Query Result shows that cloud database is preserved any one at least one domain information and belongs to blacklist, if so, performs step S209; Otherwise, perform step S210.
In step S209, stop the network access request of program.If any one in the packet of the network access request that certain program is initiated at least one domain information belongs to the blacklist of local data base or cloud database, show that this program is rogue program, then stop the network access request of this program, also namely stop the access to netwoks behavior of this program.
In step S210, the network access request of clearance program.If at least one domain information does not belong to the blacklist of local data base but wherein any one belongs to the white list of local data base in the packet of the network access request that certain program is initiated, or do not belong to the blacklist of cloud database but wherein any one belongs to the white list of cloud database, show that this program is normal procedure, the network access request of this program of then letting pass, the access to netwoks behavior of this program of also namely letting pass.If application layer inquires local data base and cloud database are not all preserved at least one domain information any one, show that this program is the network access request of unknown program, this program of can letting pass.As another kind of execution mode, if program is unknown program, user also can be pointed out to select, stop according to the mode of the selection of user or the network access request of this program of letting pass.
According to the method that the present embodiment provides, by the packet driving layer to intercept and capture the network access request that program is initiated, resolution data bag obtains its domain information comprised, first application layer inquires about local data base to determine the network access request of prevention or this program of letting pass according to this domain information, if local data base does not preserve the domain information comprised in packet, then continue the network access request that network side inquiry cloud database determines prevention or this program of letting pass.For the upper-layer protocol realized based on TCP/IP or UDP that program uses, domain information in the packet of network access request reflects the target of network access request, this method directly utilizes the target of these upper-layer protocols to judge network access request whether safety, more effectively can tackle the access to netwoks behavior of rogue program.And the domain information in the packet of network access request infrequently changes, so local data base does not need frequent renewal, the access to netwoks behavior of rogue program also can be tackled in time.This method judges network access request whether safety in conjunction with local data base and cloud database, further improves the efficiency of the access to netwoks behavior of interception rogue program.
Fig. 3 shows the flow chart of the means of defence 300 of the access to netwoks behavior according to third embodiment of the invention.In this method 300, take network access request as HTTP access request for example is described.As shown in Figure 3, method 300 starts from step S301, wherein drives layer (ring0) to intercept and capture the packet of the HTTP access request that program is initiated.Drive layer intercept and capture packet be program initiate transmission data request (socket send) and reception data request (socket receive) in packet.Drive the method for layer intercepted data bag see the associated description of method 100, can not repeat them here.
Subsequently, method 300 enters step S302, wherein drives layer to resolve the packet intercepted and captured, obtains the domain name (host) in packet.Drive layer before resolving the packet in the socket send and socket receive intercepted and captured or simultaneously, also can obtain the IP address in socket connect and port.
Subsequently, method 300 enters step S303, wherein drive layer to judge to drive the process state information whether recording this program of last time with the HTTP access request of this secondary program with identical ip addresses and port and domain name in layer internal memory (ring0 cache), if so, perform step S304; Otherwise perform step S306.In the method, after processing a HTTP access request, ring0 cache can record the IP address of current HTTP access request and port and domain name, and record the process state information of this program pin to current HTTP access request, here process state information refers to that the domain name of the current HTTP access request of this program belongs to blacklist or white list, or this program is identified as unknown program in current HTTP access request.Based on the record that ring0 cache does, in step S303, drive layer first can judge whether ring0 cache records the process state information of this program of last time with the HTTP access request of this secondary program with identical ip addresses and port and domain name.
In step s 304, whether the process state information of this program last be this program is unknown program to drive layer to judge, if so, execution step S306; Otherwise perform step S305.
In step S305, the process state information of this program last is whether the domain name of the HTTP access request of this program last belongs to blacklist to drive layer to judge, if so, then execution step S314; Otherwise perform step S315.
In step S306, drive layer that packet and domain name, IP address and port are sent to application layer.
After step S306, method 300 enters step S307, and the further resolution data bag of application layer, obtains more domain information, comprises network address (URL), Agent mark (User-Agent) and parent page information (Referer).
The example of the packet of HTTP access request is as follows:
GET/index.html HTTP/1.1\r\n
Host:www.360.cn\r\n
User-Agent:IE\r\n
Referer:http://www.qihoo.net/\r\n
For this example, driving layer resolution data bag obtains domain name and is: www.360.cn; The further resolution data bag of application layer obtain URL:http: //www.360.cn/index.html, User-Agent:IE r n, and Referer:http: //www.qihoo.net/ r n.
After step S307, method 300 enters step S308, wherein whether preserves any one in domain name, IP address and the domain information such as port, URL, User-Agent and Referer in application layer inquiry local data base, if so, then performs step S309; Otherwise perform step S310.
In step S309, application layer judge in domain name, IP address and the domain information such as port, URL, User-Agent and Referer any one whether belong to the blacklist of local data base, if so, then perform step S314; Otherwise perform step S315.
In step S310, domain name, IP address and the domain information such as port, URL, User-Agent and Referer are sent to network equipment by application layer.Also the mark that a large amount of domain informations and these domain informations belong to blacklist or white list is stored in the cloud database of network equipment.Network equipment judge in above-mentioned domain information any one whether belong to cloud database, if belong to cloud database, the mark of blacklist or white list is then belonged to further according to domain information, judge that this domain information belongs to blacklist or the white list of cloud database, obtain Query Result thus and return to client.
After step S310, method 300 enters step S311, and wherein application layer receives the Query Result of network equipment inquiry cloud database.
After step S311, method 300 enters step S312, application layer judges whether Query Result shows to preserve any one in domain name, IP address and the domain information such as port, URL, User-Agent and Referer in cloud database, if so, performs step S313; Otherwise, perform step S315.
In step S313, application layer judges whether Query Result shows that cloud database is preserved any one in domain name, IP address and the domain information such as port, URL, User-Agent and Referer and belongs to blacklist, if so, performs step S314; Otherwise, perform step S315.
In step S314, stop the HTTP access request of program.
In step S315, the HTTP access request of clearance program.
After step S314 and step S315, method 300 enters step S316, wherein in ring0 cache the IP address of the HTTP access request of minute book secondary program and port and domain name (for above-mentioned example, the content of record is: IP:220.181.24.100, port:80, Host:www.360.cn), and the process state information of minute book secondary program, the process state information of this secondary program is that any one at least one domain information of the HTTP access request of this secondary program belongs to blacklist or white list, or this secondary program is unknown program.
In this method, before packet and domain information are sent to application layer by driving layer, first judge the process state information whether recording the last HTTP access request of same program in ring0cache, last HTTP access request refers to the HTTP access request of domain name and IP address the last time identical with this HTTP access request with port, if any record and process state information is domain information belongs to blacklist or white list, then the direct process state information according to the last time does same process, the process of inquiry local data base and cloud database is done without the need to packet and domain information being re-send to application layer, like this queries can be greatly reduced, reduce the burden on backstage, improve the efficiency of access to netwoks.And, the domain name of HTTP access request that what in this method, ring0 cache recorded is and IP address and port, do not record URL, for there is same domain name and IP address and port but there is the HTTP access request of different URL, all can do same process according to the process state information of last time, which reduce the Query Database number of times of unknown URL, further increase the efficiency of access to netwoks.
In order to improve the treatment effeciency of this method further, on the basis of above-described embodiment, ring0 cache can also record the cumulative number that same program is confirmed to be unknown program.In step s 304, if drive layer judge last time this program process state information as this program be unknown program, layer is so driven to judge whether the cumulative number that this program is confirmed to be unknown program is more than or equal to preset value further, this preset value is preferably 4, if cumulative number is more than or equal to preset value, then the network access request of this program of letting pass; Otherwise, perform step S306.Corresponding, in step S316, if the process state information of this secondary program for this secondary program be unknown program, so ring0 cache also needs refresh routine to be confirmed to be the cumulative number of unknown program, namely on former cumulative number basis, adds 1.By such process, if certain program is repeatedly confirmed as unknown program, the access to netwoks behavior of this program of so directly letting pass, improves the efficiency of access to netwoks.
In this method, after application layer receives packet, further resolution data bag, obtains more domain information.Due in the process of subsequent query local data base and cloud database, if any one in these domain informations belongs to blacklist or white list, just can determine that program is rogue program or normal procedure accordingly, therefore domain information is more, and the intercepting efficiency of access to netwoks behavior is also higher.
But also should be understandable that, step S307 is optional step.That is, application layer is when receiving packet, can no longer resolve packet, and in subsequent step, the domain information of application layer process comprises domain name, IP address and port, does not comprise the domain informations such as URL, User-Agent and Referer.
The method that above-mentioned 3rd embodiment provides is described for HTTP access request, but the method is only for being applied to HTTP access request, the means of defence that the network access request that other and HTTP access request are similar also can adopt the 3rd embodiment to provide.
Fig. 4 shows the flow chart of the means of defence 400 of the access to netwoks behavior according to four embodiment of the invention.In this method 400, take network access request as DNS access request for example is described.As shown in Figure 4, method 400 starts from step S401, wherein drives layer (ring0) to intercept and capture the packet of the DNS access request that program is initiated.Drive layer intercept and capture packet be program initiate transmission data request (socket send) and reception data request (socket receive) in packet.Drive the method for layer intercepted data bag see the associated description of method 100, can not repeat them here.
Subsequently, method 400 enters step S402, wherein drives layer to resolve the packet intercepted and captured, obtains the DNS domain name in packet.
The example of the packet of DNS access request is as follows:
Domain Name System(query)
Transaction ID:0x276b
Questions:1
Answer RRs:0
Authority RRs:0
Additional RRs:0
Queries www.360.cn:type A,class IN
For this example, driving layer resolution data bag obtains DNS domain name and is: www.360.cn.
Subsequently, method 400 enters step S403, wherein drive layer to judge to drive the process state information whether recording this program of last time with the DNS access request of this secondary program with identical DNS domain name in layer internal memory (ring0 cache), if so, perform step S404; Otherwise perform step S406.In the method, after processing a DNS access request, ring0cache can record the DNS domain name of current DNS access request, and record the process state information of this program to current DNS access request, here process state information refers to that the DNS domain name of the current DNS access request of this program belongs to blacklist or white list, or this program is identified as unknown program in current DNS access request.Based on the record that ring0 cache does, in step S403, drive layer first can judge whether ring0 cache records the process state information of this program of last time with the DNS access request of this secondary program with identical DNS domain name.
In step s 404, whether the process state information of this program last be this program is unknown program to drive layer to judge, if so, execution step S414; Otherwise perform step S405.
In step S405, the process state information of this program last is whether the DNS domain name of the DNS access request of this program last belongs to blacklist to drive layer to judge, if so, then execution step S413; Otherwise perform step S414.
In step S406, drive layer that packet and DNS domain name are sent to application layer.
After step S406, method 400 enters step S407, wherein whether preserves DNS domain name in application layer inquiry local data base, if so, then performs step S408; Otherwise perform step S409.
In step S408, application layer judges whether DNS domain name belongs to the blacklist of local data base, if so, then performs step S413; Otherwise perform step S414.
In step S409, DNS domain name is sent to network equipment by application layer.Also the mark that a large amount of DNS domain names and these DNS domain names belong to blacklist or white list is stored in the cloud database of network equipment.Network equipment judges whether DNS domain name belongs to cloud database, if belong to cloud database, then belong to the mark of blacklist or white list further according to DNS domain name, judge that this DNS domain name belongs to blacklist or the white list of cloud database, obtain Query Result thus and return to client.
After step S409, method 400 enters step S410, and wherein application layer receives the Query Result of network equipment inquiry cloud database.
After the step s 410, method 400 enters step S411, and application layer judges whether Query Result shows to preserve DNS domain name in cloud database, if so, performs step S412; Otherwise, perform step 414.
In step S412, application layer judges whether Query Result shows that cloud database preserves DNS domain name and this DNS domain name belongs to blacklist, if so, performs step S413; Otherwise, perform step S414.
In step S413, stop the DNS access request of program.
In step S414, the DNS access request of clearance program.
After step S413 and step S414, method 400 enters step S415, wherein in ring0cache the DNS domain name of the DNS access request of minute book secondary program (for above-mentioned example, the content of record is: www.360.cn), and the process state information of minute book secondary program, the process state information of this secondary program is that the DNS domain name of the DNS access request of this secondary program belongs to blacklist or white list, or this secondary program is unknown program.
In this method, before packet and DNS domain name are sent to application layer by driving layer, first judge the process state information whether recording the last DNS access request of same program in ring0 cache, last DNS access request refers to the DNS access request of the last time that DNS domain name is identical with this DNS access request.If any record and process state information is DNS domain name belongs to blacklist or white list, then the direct process state information according to the last time does same process, be unknown program if process state information is program, the network access request of this program of then directly letting pass, the process of inquiry local data base and cloud database is done without the need to packet and domain information being re-send to application layer, can greatly reduce queries like this, reduce the burden on backstage, improve the efficiency of access to netwoks.
The method that above-mentioned 4th embodiment provides is described for DNS access request, but the method is only for being applied to DNS access request, the means of defence that other network access request also can adopt the 4th embodiment to provide.
Fig. 5 shows the flow chart of the means of defence 500 of the access to netwoks behavior according to fifth embodiment of the invention.In this method 500, take network access request as SMTP access request for example is described.As shown in Figure 5, method 500 starts from step S501, wherein drives layer (ring0) to intercept and capture the packet of the SMTP access request that program is initiated.Drive layer intercept and capture packet be program initiate transmission data request (socket send) and reception data request (socket receive) in packet.Drive the method for layer intercepted data bag see the associated description of method 100, can not repeat them here.
Subsequently, method 500 enters step S502, wherein drives layer to resolve the packet intercepted and captured, the sender in acquisition packet and/or the email address of addressee.
The example of the packet of SMTP access request is as follows:
For this example, the email address driving layer resolution data bag to obtain sender is bob@example.org, and the email address of addressee is: alice@example.com and theboss@example.com.
Subsequently, method 500 enters step S503, layer is wherein driven to judge to drive the process state information whether recording this program of last time with the SMTP access request of this secondary program with the email address of identical sender and/or addressee in layer internal memory (ring0 cache), if so, step S504 is performed; Otherwise perform step S506.In the method, after processing a SMTP access request, ring0 cache can record the current sender of SMTP access request and/or the email address of addressee, and record the process state information of this program to current SMTP access request, here process state information refers to that the current sender of SMTP access request of this program and/or the email address of addressee belong to blacklist or white list, or this program is identified as unknown program in current SMTP access request.Based on the record that ring0 cache does, in step S503, drive layer first can judge whether ring0 cache records the process state information of this program of last time with the SMTP access request of this secondary program with the email address of identical sender and/or addressee.
In step S504, whether the process state information of this program last be this program is unknown program to drive layer to judge, if so, execution step S514; Otherwise perform step S505.
In step S505, the process state information of this program last is whether the sender of SMTP access request of this program last and/or the email address of addressee belong to blacklist to drive layer to judge, if so, then execution step S513; Otherwise perform step S514.
In step S506, drive layer that the email address of packet and sender and/or addressee is sent to application layer.
After step S506, method 500 enters step S507, wherein whether preserves the email address of sender and/or addressee in application layer inquiry local data base, if so, then performs step S508; Otherwise perform step S509.
In step S508, application layer judges whether the email address of sender and/or addressee belongs to the blacklist of local data base, if so, then performs step S513; Otherwise perform step S514.
In step S509, the email address of sender and/or addressee is sent to network equipment by application layer.The email address of the email address and these senders and/or addressee that also store a large amount of senders and/or addressee in the cloud database of network equipment belongs to the mark of blacklist or white list.Network equipment judges whether the email address of sender and/or addressee belongs to cloud database, if belong to cloud database, the mark of blacklist or white list is then belonged to further according to the email address of sender and/or addressee, judge that the email address of this sender and/or addressee belongs to blacklist or the white list of cloud database, obtain Query Result thus and return to client.
After step S509, method 500 enters step S510, and wherein application layer receives the Query Result of network equipment inquiry cloud database.
After step S510, method 500 enters step S511, and application layer judges whether Query Result shows to preserve in cloud database the email address of sender and/or addressee, if so, performs step S512; Otherwise, perform step 514.
In step S512, application layer judges whether Query Result shows that cloud database preserves the email address of sender and/or addressee and the email address of this sender and/or addressee belongs to blacklist, if so, performs step S513; Otherwise, perform step S514.
In step S513, stop the SMTP access request of program.
In step S514, the SMTP access request of clearance program.
After step S513 and step S514, method 500 enters step S515, wherein in ring0 cache the sender of the SMTP access request of minute book secondary program and/or the email address of addressee (for above-mentioned example, the content of record is: bob@example.org, alice@example.com, theboss@example.com), and the process state information of minute book secondary program, the process state information of this secondary program is that the sender of SMTP access request of this secondary program and/or the email address of addressee belong to blacklist or white list, or this secondary program is unknown program.
In this method, before the email address driving layer by packet and sender and/or addressee is sent to application layer, first judge the process state information whether recording the last SMTP access request of same program in ring0 cache, last SMTP access request refers to the SMTP access request of the last time that the email address of sender and/or addressee is identical with this SMTP access request.If any record and the email address that process state information is sender and/or addressee belongs to blacklist or white list, then the direct process state information according to the last time does same process, be unknown program if process state information is program, the network access request of this program of then directly letting pass, the process of inquiry local data base and cloud database is done without the need to the email address of packet and sender and/or addressee being re-send to application layer, like this queries can be greatly reduced, reduce the burden on backstage, improve the efficiency of access to netwoks.
The method that above-mentioned 5th embodiment provides is described for SMTP access request, but the method is only for being applied to SMTP access request, the means of defence that other network access request also can adopt the 5th embodiment to provide.
It should be noted that, can not cloud database be inquired about in above-mentioned several embodiment of the method, only rely on inquiry local data base access to netwoks behavior is stoped or lets pass process also be optional embodiment.
Fig. 6 shows the structural representation of the protector of the access to netwoks behavior according to sixth embodiment of the invention.As shown in Figure 6, this network protection device 600 comprises driving layer module 610 and application layer module 620.Wherein, layer module 610 is driven to comprise interception module 611, drive layer parsing module 612 and the first sending module 613.Interception module 611 is suitable for the packet of the network access request that intercepting and capturing program is initiated; Drive layer parsing module 612 to be suitable for resolution data bag, obtain at least one domain information in packet; First sending module 613 is suitable for packet and at least one domain information thereof to send to application layer module 620.Application layer module 620 comprises: the first receiver module 621, enquiry module 622, prevention module 623 and clearance module 624.First receiver module 621 is suitable for packet and at least one domain information thereof of the transmission of reception first sending module 613; Enquiry module 622 is suitable for whether preserving any one at least one domain information in inquiry local data base; Stop module 623 to be suitable for when any one inquiring at least one domain information of enquiry module 622 belongs to the blacklist of local data base, stop the network access request of program; Clearance module 624 be suitable for when enquiry module 622 inquire at least one domain information do not belong to the blacklist of local data base but any one at least one domain information belongs to the white list of local data base, the network access request of clearance program.
Alternatively, clearance module 624 is also suitable for, when enquiry module 622 inquires any one that local data base do not preserve at least one domain information, showing that program is the network access request of unknown program, clearance program.
Alternatively, interception module 611 is specifically suitable for: by client registers protocol-driven or establishment filtration drive, intercept and capture the packet of the network access request that program is initiated; Or the application programming interface function utilizing operating system to provide intercepts and captures the packet of the network access request that program is initiated; Or, called the request of interface for network programming function by takeover process, intercept and capture the packet of the network access request that program is initiated; Or, utilize the mode of registration fire compartment wall readjustment, intercept and capture the packet of the network access request that program is initiated.More specifically, interception module 611 can specifically be suitable for: by driving to NDIS log-in protocol, or on driving arrangement stack, the driving arrangement stack of transmission distribution interface or the driving arrangement stack of transmission control/network communication protocol that the miscellaneous function of winsock drives, create filtration drive, intercept and capture the packet of the network access request that program is initiated.Interception module 611 also can specifically be suitable for: the derivative function that the interface function that the Hook Function interception system service descriptor table utilizing operating system to provide provides or the transmission service function that provides of controls/network communication protocol or NDIS provide, and obtains the packet of the network access request of program initiation.
According to the device that the present embodiment provides, by the packet driving layer to intercept and capture the network access request that program is initiated, resolution data bag obtains its domain information comprised, and application layer determines the network access request of prevention or this program of letting pass according to this domain information inquiry local data base.For the upper-layer protocol realized based on TCP/IP or UDP that program uses, domain information in the packet of network access request reflects the target of network access request, this device directly utilizes the target of these upper-layer protocols to judge network access request whether safety, more effectively can tackle the access to netwoks behavior of rogue program.And the domain information in the packet of network access request infrequently changes, so local data base does not need frequent renewal, thus the access to netwoks behavior of rogue program can be tackled more in time.
Fig. 7 shows the structural representation of the protector of the access to netwoks behavior according to seventh embodiment of the invention.As shown in Figure 7, this network protection device 700 comprises driving layer module 710 and application layer module 720.
Wherein, layer module 710 is driven to comprise: interception module 711, driving layer parsing module 712 and the first sending module 713.Interception module 711 is suitable for the packet of the network access request that intercepting and capturing program is initiated; Drive layer parsing module 712 to be suitable for resolution data bag, obtain at least one domain information in packet; First sending module 713 is suitable for packet and at least one domain information thereof to send to application layer module 720.
Application layer module 720 comprises: the first receiver module 721, enquiry module 722, prevention module 723, clearance module 724, second sending module 725 and the second receiver module 726.First receiver module 721 is suitable for packet and at least one domain information thereof of the transmission of reception first sending module 713; Enquiry module 722 is suitable for whether preserving any one at least one domain information in inquiry local data base; Stop module 723 to be suitable for when any one inquiring at least one domain information of enquiry module 722 belongs to the blacklist of local data base, stop the network access request of program; Clearance module 724 be suitable for when enquiry module 722 inquire at least one domain information do not belong to the blacklist of local data base but any one at least one domain information belongs to the white list of local data base, the network access request of clearance program.Second sending module 725 is suitable for, when enquiry module 722 inquires in local data base any one of not preserving at least one domain information, at least one domain information being sent to network equipment; Second receiver module 726 is suitable for receiving in network equipment inquiry cloud database the Query Result of any one whether preserved at least one domain information; The Query Result stoping module 723 to be also suitable for receiving at the second receiver module 726 shows that cloud database is preserved any one at least one domain information and belongs to blacklist, stop the network access request of program; The Query Result that clearance module 724 is also suitable for receiving at the second receiver module 726 shows that any one of preserving at least one domain information of cloud database does not belong to blacklist and belong to white list, the network access request of clearance program.
Alternatively, clearance module 724 is also suitable for when inquiring local data base and cloud database does not all preserve any one at least one domain information, shows that program is the network access request of unknown program, clearance program.
Alternatively, the related content about interception module 711 see the description of the 6th embodiment, can not repeat them here.
According to the device that the present embodiment provides, by the packet driving layer to intercept and capture the network access request that program is initiated, resolution data bag obtains its domain information comprised, first application layer inquires about local data base to determine the network access request of prevention or this program of letting pass according to this domain information, if local data base does not preserve the domain information comprised in packet, then continue the network access request that network side inquiry cloud database determines prevention or this program of letting pass.For the upper-layer protocol realized based on TCP/IP or UDP that program uses, domain information in the packet of network access request reflects the target of network access request, this device directly utilizes the target of these upper-layer protocols to judge network access request whether safety, more effectively can tackle the access to netwoks behavior of rogue program.And the domain information in the packet of network access request infrequently changes, so local data base does not need frequent renewal, the access to netwoks behavior of rogue program also can be tackled in time.This device judges network access request whether safety in conjunction with local data base and cloud database, further improves the efficiency of the access to netwoks behavior of interception rogue program.
Fig. 8 shows the structural representation of the protector of the access to netwoks behavior according to eighth embodiment of the invention.As shown in Figure 8, this network protection device 800 comprises driving layer module 810 and application layer module 820.
Layer module 810 is driven to comprise: interception module 811, driving layer parsing module 812, acquisition module 813, driving layer internal memory 814, first judge module 815 and the first sending module 816.Application layer module 820 comprises: the first receiver module 821, application layer parsing module 822, enquiry module 823, prevention module 824 and clearance module 825.
Interception module 811 is suitable for the packet of the HTTP access request that intercepting and capturing program is initiated, and alternatively, the related content about interception module 811 see the description of the 6th embodiment, can not repeat them here; Drive layer parsing module 812 to be suitable for resolution data bag, obtain the domain name (host) comprised in packet; Acquisition module 813 is suitable for the IP address and the port that obtain HTTP access request; First judge module 815 is suitable for judging driving the process state information whether recording the upper once program with the HTTP access request of this secondary program with identical ip addresses and port and domain name in layer internal memory 814; First sending module 816 is suitable for when the first judge module 815 is judged as NO, or, when the first judge module 815 be judged as YES and on the process state information of once program be on once program is unknown program, packet and domain name are sent to the first receiver module 821 of application layer module 820.
First receiver module 821 is suitable for packet and the domain name of the transmission of reception first sending module 816; Application layer parsing module 822 is suitable for further resolution data bag, and one or more obtaining following information are as the part at least one domain information: network address, Agent mark and parent page information.Wherein application layer parsing module 822 is optional module.Enquiry module 823 is suitable for whether preserving any one at least one domain information in inquiry local data base.Module 824 is stoped to be suitable for when any one inquiring at least one domain information of enquiry module 823 belongs to the blacklist of local data base, or be judged as YES at the first judge module 815, and the process state information of last program is any one at least one domain information of the HTTP access request of last program when belonging to blacklist, stops the network access request of this program; Clearance module 825 be suitable for when enquiry module 823 inquire at least one domain information do not belong to the blacklist of local data base but wherein any one belongs to the white list of local data base, or be judged as YES at the first judge module 815, and any one at least one domain information of the once HTTP access request of program on the process state information of upper once program is belongs to white list, the network access request of clearance program.
As the optional execution mode of one, clearance module 825 is also suitable for, when enquiry module 823 inquires any one that local data base do not preserve at least one domain information, showing that program is the network access request of unknown program, clearance program.
As the optional execution mode of another kind, application layer module 820 also comprises: the second sending module and the second receiver module.Second sending module is suitable for, when enquiry module inquires in local data base any one of not preserving at least one domain information, at least one domain information being sent to network equipment; Second receiver module is suitable for receiving in network equipment inquiry cloud database the Query Result of any one whether preserved at least one domain information; The Query Result stoping module to be also suitable for receiving at the second receiver module shows that cloud database is preserved any one at least one domain information and belongs to blacklist, stop the network access request of program; The Query Result that clearance module is also suitable for receiving at the second receiver module shows that any one of preserving at least one domain information of cloud database does not belong to blacklist and belong to white list, the network access request of clearance program.Alternatively, clearance module is also suitable for when inquiring local data base and cloud database does not all preserve any one at least one domain information, shows that program is the network access request of unknown program, clearance program.
Alternatively, layer internal memory is driven to be suitable for the IP address of the HTTP access request of logging program and port and domain name, and the process state information of logging program, the process state information of program is that any one at least one domain information of the HTTP access request of program belongs to blacklist or white list, or program is unknown program.
Alternatively, drive layer internal memory to be also suitable for when the process state information of program be program is unknown program, logging program is confirmed to be the cumulative number of unknown program.
On the basis of above-described embodiment, another kind of embodiment of replacing is: the first judge module is replaced by the second judge module and the 3rd judge module, corresponding, the function of the first sending module, prevention module and clearance module also changes to some extent.Particularly, the second judge module is suitable for judging driving the process state information whether recording the upper once program with the HTTP access request of this secondary program with identical ip addresses and port and domain name in layer internal memory; 3rd judge module be suitable for when the second judge module be judged as YES and on the process state information of once program be on once program is unknown program, whether the cumulative number that determining program is confirmed to be unknown program is more than or equal to preset value; First sending module is specifically suitable for when the second judge module is judged as NO, or, when the 3rd judge module is judged as NO, packet and at least one domain information thereof are sent to application layer module; Module is stoped also to be suitable for being judged as YES at the second judge module, and the process state information of last program is any one at least one domain information of the HTTP access request of last program when belonging to blacklist, stops the network access request of program; Clearance module is also suitable for being judged as YES at the second judge module, and any one at least one domain information of the once HTTP access request of program on the process state information of upper once program is belongs to white list, the network access request of clearance program.
Fig. 9 shows the structural representation of the protector of the access to netwoks behavior according to ninth embodiment of the invention.As shown in Figure 9, this network protection device 900 comprises driving layer module 910 and application layer module 920.
Layer module 910 is driven to comprise: interception module 911, driving layer parsing module 912, driving layer internal memory 913, judge module 914 and the first sending module 9l5.Application layer module 920 comprises: the first receiver module 921, enquiry module 922, prevention module 923 and clearance module 924.
Interception module 911 is suitable for the packet of the network access request that intercepting and capturing program is initiated, and alternatively, the related content about interception module 911 see the description of the 6th embodiment, can not repeat them here; Drive layer parsing module 912 to be suitable for resolution data bag, obtain at least one domain information comprised in packet; Judge module 914 is suitable for judging driving the process state information whether recording the upper once program with the network access request of this secondary program with identical at least one domain information in layer internal memory 913; First sending module 9l5 is suitable for when judge module 914 is judged as NO, and packet and at least one domain information thereof is sent to the first receiver module 921 of application layer module 920.
First receiver module 921 is suitable for packet and at least one domain information thereof of the transmission of reception first sending module 915; Enquiry module 922 is suitable for whether preserving any one at least one domain information in inquiry local data base; Module 923 is stoped to be suitable for when any one inquiring at least one domain information of enquiry module 922 belongs to the blacklist of local data base, or be judged as YES at judge module 914, and the process state information of last program is any one at least one domain information of the network access request of last program when belonging to blacklist, stops the network access request of this program; Clearance module 924 be suitable for when enquiry module 922 inquire at least one domain information do not belong to the blacklist of local data base but wherein any one belongs to the white list of local data base, or be judged as YES at judge module 914, and the process state information that the process state information of last program is any one at least one domain information of the network access request of last program belongs to white list or last program is last program when being unknown program, the network access request of clearance program.
As the optional execution mode of one, clearance module 924 is also suitable for, when enquiry module 922 inquires any one that local data base do not preserve at least one domain information, showing that program is the network access request of unknown program, clearance program.
As the optional execution mode of another kind, application layer module 920 also comprises: the second sending module and the second receiver module.Second sending module is suitable for, when enquiry module inquires in local data base any one of not preserving at least one domain information, at least one domain information being sent to network equipment; Second receiver module is suitable for receiving in network equipment inquiry cloud database the Query Result of any one whether preserved at least one domain information; The Query Result stoping module to be also suitable for receiving at the second receiver module shows that cloud database is preserved any one at least one domain information and belongs to blacklist, stop the network access request of program; The Query Result that clearance module is also suitable for receiving at the second receiver module shows that any one of preserving at least one domain information of cloud database does not belong to blacklist and belong to white list, the network access request of clearance program.Alternatively, clearance module is also suitable for when inquiring local data base and cloud database does not all preserve any one at least one domain information, shows that program is the network access request of unknown program, clearance program.
Alternatively, layer internal memory is driven to be suitable at least one domain information of the network access request of logging program, and the process state information of logging program, the process state information of program is that any one at least one domain information of the network access request of program belongs to blacklist or white list, or program is unknown program.
Alternatively, in the present embodiment, network access request can be DNS access request, and at least one domain information comprises DNS domain name.Network access request can be also SMTP access request, and at least one domain information comprises the email address of sender and/or addressee.
Figure 10 shows the structural representation of the guard system of the access to netwoks behavior according to tenth embodiment of the invention.As shown in Figure 10, this network-safeguard system 1000 comprises client device 1010 and network equipment 1020.Wherein, client device 1010 can comprise the protector of the access to netwoks behavior in above-mentioned 7th, eight and nine embodiment described by any embodiment.Network equipment 1020 comprises: cloud database 1021, network side receiver module 1022, network side enquiry module 1023 and network side sending module 1024.Wherein, network side receiver module l022 is connected with the second sending module in client device, is suitable at least one domain information receiving client device transmission; Network side enquiry module 1023 is suitable for whether preserving any one at least one domain information in inquiry cloud database 1021, obtains Query Result; Network side sending module 1024 is connected with the second receiver module in client device, is suitable for Query Result to send to client device.
Intrinsic not relevant to any certain computer, virtual system or miscellaneous equipment with display at this algorithm provided.Various general-purpose system also can with use based on together with this teaching.According to description above, the structure constructed required by this type systematic is apparent.In addition, the present invention is not also for any certain programmed language.It should be understood that and various programming language can be utilized to realize content of the present invention described here, and the description done language-specific is above to disclose preferred forms of the present invention.
In specification provided herein, describe a large amount of detail.But can understand, embodiments of the invention can be put into practice when not having these details.In some instances, be not shown specifically known method, structure and technology, so that not fuzzy understanding of this description.
Similarly, be to be understood that, in order to simplify the disclosure and to help to understand in each inventive aspect one or more, in the description above to exemplary embodiment of the present invention, each feature of the present invention is grouped together in single embodiment, figure or the description to it sometimes.But, the method for the disclosure should be construed to the following intention of reflection: namely the present invention for required protection requires feature more more than the feature clearly recorded in each claim.Or rather, as claims below reflect, all features of disclosed single embodiment before inventive aspect is to be less than.Therefore, the claims following embodiment are incorporated to this embodiment thus clearly, and wherein each claim itself is as independent embodiment of the present invention.
Those skilled in the art are appreciated that and adaptively can change the module in the equipment in embodiment and they are arranged in one or more equipment different from this embodiment.Module in embodiment or unit or assembly can be combined into a module or unit or assembly, and multiple submodule or subelement or sub-component can be put them in addition.Except at least some in such feature and/or process or unit be mutually repel except, any combination can be adopted to combine all processes of all features disclosed in this specification (comprising adjoint claim, summary and accompanying drawing) and so disclosed any method or equipment or unit.Unless expressly stated otherwise, each feature disclosed in this specification (comprising adjoint claim, summary and accompanying drawing) can by providing identical, alternative features that is equivalent or similar object replaces.
In addition, those skilled in the art can understand, although embodiments more described herein to comprise in other embodiment some included feature instead of further feature, the combination of the feature of different embodiment means and to be within scope of the present invention and to form different embodiments.Such as, in the following claims, the one of any of embodiment required for protection can use with arbitrary compound mode.
All parts embodiment of the present invention with hardware implementing, or can realize with the software module run on one or more processor, or realizes with their combination.It will be understood by those of skill in the art that the some or all functions that microprocessor or digital signal processor (DSP) can be used in practice to realize according to the some or all parts in the protector of the access to netwoks behavior of the embodiment of the present invention and system.The present invention can also be embodied as part or all equipment for performing method as described herein or device program (such as, computer program and computer program).Realizing program of the present invention and can store on a computer-readable medium like this, or the form of one or more signal can be had.Such signal can be downloaded from internet website and obtain, or provides on carrier signal, or provides with any other form.
The present invention will be described instead of limit the invention to it should be noted above-described embodiment, and those skilled in the art can design alternative embodiment when not departing from the scope of claims.In the claims, any reference symbol between bracket should be configured to limitations on claims.Word " comprises " not to be got rid of existence and does not arrange element in the claims or step.Word "a" or "an" before being positioned at element is not got rid of and be there is multiple such element.The present invention can by means of including the hardware of some different elements and realizing by means of the computer of suitably programming.In the unit claim listing some devices, several in these devices can be carry out imbody by same hardware branch.Word first, second and third-class use do not represent any order.Can be title by these word explanations.
The means of defence of A1, a kind of access to netwoks behavior is disclosed herein, comprise: drive layer to intercept and capture the packet of the network access request that program is initiated, resolve described packet, obtain at least one domain information in described packet, then described packet and at least one domain information thereof are sent to application layer; Whether preserve in described at least one domain information in application layer inquiry local data base any one, any one if so, then in described at least one domain information belongs to the blacklist of local data base, stop the network access request of described program; When described at least one domain information does not belong to the blacklist of local data base but any one in described at least one domain information belongs to the white list of local data base, the network access request of described program of letting pass.A2, method according to A1, also comprise: if application layer inquires described local data base is not preserved in described at least one domain information any one, show that described program is unknown program, the network access request of described program of letting pass.A3, method according to A1, also comprise: if application layer inquires in local data base any one of not preserving in described at least one domain information, then described at least one domain information is sent to network equipment, receives in network equipment inquiry cloud database the Query Result of any one whether preserved in described at least one domain information; If described Query Result shows that described cloud database is preserved any one in described at least one domain information and belongs to blacklist, then stop the network access request of described program; Or if described Query Result shows described cloud database, any one of preserving in described at least one domain information does not belong to blacklist and belongs to white list, then the network access request of described program of letting pass.A4, method according to A3, also comprise: if application layer inquires described local data base and described cloud database are not all preserved in described at least one domain information any one, show that described program is unknown program, the network access request of described program of letting pass.A5, method according to A2 or A4, the step that described driving layer intercepts and captures the packet of the network access request that program is initiated comprises: drive layer to intercept and capture the packet of the HTTP access request that program is initiated; Described at least one domain information comprises domain name; Described method also comprises: drive layer to obtain IP address and the port of HTTP access request.A6, method according to A5, also comprise: the further resolution data bag of application layer, and one or more obtaining following information are as the part at least one domain information: network address, Agent mark and parent page information.A7, method according to A5 or A6, described described packet and at least one domain information thereof be sent to the step of application layer before also comprise: judge driving the process state information whether recording the upper once described program with the HTTP access request of program described in this with identical ip addresses and port and domain name in layer internal memory; If not, then the described step described packet and at least one domain information thereof being sent to application layer is performed; If so, any one then at least one domain information of the once HTTP access request of described program on the process state information of upper once described program is belongs to blacklist, the network access request of described program is stoped; Any one at least one domain information of the once HTTP access request of described program on the process state information of upper once described program is belongs to white list, the network access request of described program of letting pass; When once described program is unknown program on the process state information of upper once described program is, perform the described step described packet and at least one domain information thereof being sent to application layer.A8, method according to A5 or A6, described described packet and at least one domain information thereof be sent to the step of application layer before also comprise: judge driving the process state information whether recording the upper once described program with the HTTP access request of program described in this with identical ip addresses and port and domain name in layer internal memory; If not, then the described step described packet and at least one domain information thereof being sent to application layer is performed; If so, any one then at least one domain information of the once HTTP access request of described program on the process state information of upper once described program is belongs to blacklist, the network access request of described program is stoped; Any one at least one domain information of the once HTTP access request of described program on the process state information of upper once described program is belongs to white list, the network access request of described program of letting pass; When on the process state information of upper once described program is, once described program is unknown program, judge whether the cumulative number that described program is confirmed to be unknown program is more than or equal to preset value, if, the network access request of described program of then letting pass, otherwise, perform the described step described packet and at least one domain information thereof being sent to application layer.A9, method according to any one of A5 to A8, also comprise after the step of the network access request of described prevention or described program of letting pass: driving the IP address and port and domain name of in layer internal memory, recording the HTTP access request of program described in this, and record the process state information of program described in this, any one at least one domain information of the HTTP access request that the process state information of program described in this is program described in this belongs to blacklist or white list, or program described in this is unknown program.A10, method according to A9, also comprise after the step of the network access request of described prevention or described program of letting pass: if the process state information of program described in this is unknown program for program described in this, then in driving layer internal memory, record the cumulative number that described program is confirmed to be unknown program.A11, method according to A2 or A4, described described packet and at least one domain information thereof be sent to the step of application layer before also comprise: judge driving the process state information whether recording the upper once described program with the network access request of program described in this with identical at least one domain information in layer internal memory; If not, then the described step described packet and at least one domain information thereof being sent to application layer is performed; If so, any one then at least one domain information of the once network access request of described program on the process state information of upper once described program is belongs to blacklist, the network access request of described program is stoped; Any one at least one domain information of once described program on the process state information of upper once described program is belongs to white list, the network access request of described program of letting pass; When on the process state information of upper once described program is, once described program is unknown program, the network access request of described program of letting pass.A12, method according to A11, also comprise after the step of the network access request of described prevention or described program of letting pass: driving at least one domain information recording the network access request of program described in this in layer internal memory, and record the process state information of program described in this, any one at least one domain information that the process state information of program described in this is the network access request of program described in this belongs to blacklist or white list, or program described in this is unknown program.A13, method according to A11 or A12, described network access request is DNS access request, and described at least one domain information comprises DNS domain name; Or described network access request is SMTP access request, and described at least one domain information comprises the email address of sender and/or addressee.A14, method according to any one of A1 to A13, the step that described driving layer intercepts and captures the packet of the network access request that program is initiated is specially: by client registers protocol-driven or establishment filtration drive, intercept and capture the packet of the network access request that program is initiated; Or the application programming interface function utilizing operating system to provide intercepts and captures the packet of the network access request that program is initiated; Or, called the request of interface for network programming function by takeover process, intercept and capture the packet of the network access request that program is initiated; Or, utilize the mode of registration fire compartment wall readjustment, intercept and capture the packet of the network access request that program is initiated.A15, method according to A14, described by client registers protocol-driven or create filtration drive, the step of the packet of the network access request that intercepting and capturing program is initiated is specially: by driving to NDIS log-in protocol, or on driving arrangement stack, the driving arrangement stack of transmission distribution interface or the driving arrangement stack of transmission control/network communication protocol that the miscellaneous function of winsock drives, create filtration drive, intercept and capture the packet of the network access request that program is initiated.A16, method according to A14, the step of packet that the described application programming interface function utilizing operating system to provide intercepts and captures the network access request that program is initiated is specially: the interface function that the Hook Function interception system service descriptor table utilizing operating system to provide provides or the service function that transmission controls/network communication protocol provides or the derivative function that NDIS provides, obtain the packet of the network access request of described program initiation.
Disclosed herein is the protector of B17, a kind of access to netwoks behavior, comprising: drive layer module and application layer module; Described driving layer module comprises: interception module, is suitable for the packet of the network access request that intercepting and capturing program is initiated; Drive layer parsing module, be suitable for resolving described packet, obtain at least one domain information in described packet; First sending module, is suitable for described packet and at least one domain information thereof to send to described application layer module; Described application layer module comprises: the first receiver module, is suitable for the described packet and at least one domain information thereof that receive described first sending module transmission; Enquiry module, is suitable for whether preserving any one in described at least one domain information in inquiry local data base; Stop module, be suitable for, when any one inquiring in described at least one domain information of described enquiry module belongs to the blacklist of local data base, stoping the network access request of described program; Clearance module, be suitable for when described enquiry module inquire described at least one domain information do not belong to the blacklist of local data base but any one in described at least one domain information belongs to the white list of local data base, the network access request of described program of letting pass.B18, device according to B17, described clearance module is also suitable for when described enquiry module inquires any one that described local data base do not preserve in described at least one domain information, show that described program is unknown program, the network access request of described program of letting pass.B19, device according to B17, described application layer module also comprises: the second sending module, be suitable for, when described enquiry module inquires in local data base any one of not preserving in described at least one domain information, described at least one domain information being sent to network equipment; Second receiver module, is suitable for receiving in network equipment inquiry cloud database the Query Result of any one whether preserved in described at least one domain information; The Query Result that described prevention module is also suitable for receiving at described second receiver module shows that described cloud database is preserved any one in described at least one domain information and belongs to blacklist, stop the network access request of described program; The Query Result that described clearance module is also suitable for receiving at described second receiver module shows that any one of preserving in described at least one domain information of described cloud database does not belong to blacklist and belong to white list, the network access request of described program of letting pass.B20, device according to B19, described clearance module is also suitable for when inquiring described local data base and described cloud database does not all preserve any one in described at least one domain information, show that described program is unknown program, the network access request of described program of letting pass.B21, device according to B18 or B20, described interception module is specifically suitable for the packet of the HTTP access request that intercepting and capturing program is initiated; Described at least one domain information comprises domain name; Described driving layer module also comprises: acquisition module, is suitable for the IP address and the port that obtain HTTP access request.B22, device according to B21, described application layer module also comprises: application layer parsing module, be suitable for further resolution data bag, one or more obtaining following information are as the part at least one domain information: network address, Agent mark and parent page information.B23, device according to B21 or B22, described driving layer module also comprises: drive layer internal memory; First judge module, is suitable for the process state information judging whether to record the upper once described program with the HTTP access request of program described in this with identical ip addresses and port and domain name in described driving layer internal memory; Described first sending module is specifically suitable for when described first judge module is judged as NO, or, when described first judge module be judged as YES and on the process state information of once described program be on once described program is unknown program, described packet and at least one domain information thereof are sent to described application layer module; Described prevention module is also suitable for being judged as YES at described first judge module, and the process state information of last described program is any one at least one domain information of the HTTP access request of last described program when belonging to blacklist, stops the network access request of described program; Described clearance module is also suitable for being judged as YES at described first judge module, and any one at least one domain information of the once HTTP access request of described program on the process state information of upper once described program is belongs to white list, the network access request of described program of letting pass.B24, device according to B21 or B22, described driving layer module also comprises: drive layer internal memory; Second judge module, is suitable for the process state information judging whether to record the upper once described program with the HTTP access request of program described in this with identical ip addresses and port and domain name in described driving layer internal memory; 3rd judge module, be suitable for when described second judge module be judged as YES and on the process state information of once described program be on once described program is unknown program, judge whether the cumulative number that described program is confirmed to be unknown program is more than or equal to preset value; Described first sending module is specifically suitable for when described second judge module is judged as NO, or, when described 3rd judge module is judged as NO, described packet and at least one domain information thereof are sent to described application layer module; Described prevention module is also suitable for being judged as YES at described second judge module, and the process state information of last described program is any one at least one domain information of the HTTP access request of last described program when belonging to blacklist, stops the network access request of described program; Described clearance module is also suitable for being judged as YES at described second judge module, and any one at least one domain information of the once HTTP access request of described program on the process state information of upper once described program is belongs to white list, the network access request of described program of letting pass.B25, device according to any one of B21 to B24, described driving layer internal memory is suitable for the IP address of the HTTP access request recording described program and port and domain name, and record the process state information of described program, the process state information of described program is that any one at least one domain information of the HTTP access request of described program belongs to blacklist or white list, or described program is unknown program.B26, device according to B25, described driving layer internal memory is also suitable for, when the process state information of described program be described program is unknown program, recording the cumulative number that described program is confirmed to be unknown program.B27, device according to B18 or B20, described driving layer module comprises: drive layer internal memory; Judge module, is suitable for the process state information judging whether to record the upper once described program with the network access request of program described in this with identical at least one domain information in described driving layer internal memory; Described first sending module is specifically suitable for, when described judge module is judged as NO, described packet and at least one domain information thereof being sent to described application layer module; Described prevention module is also suitable for being judged as YES at described judge module, and the process state information of last described program is any one at least one domain information of the network access request of last described program when belonging to blacklist, stops the network access request of described program; Described clearance module is also suitable for being judged as YES at described judge module, and the process state information that the process state information of last described program is any one at least one domain information of the network access request of last described program belongs to white list or last described program is last described program when being unknown program, the network access request of described program of letting pass.B28, device according to B27, described driving layer internal memory is suitable at least one domain information of the network access request recording described program, and record the process state information of described program, the process state information of described program is that any one at least one domain information of the network access request of described program belongs to blacklist or white list, or described program is unknown program.B29, device according to B27 or B28, described network access request is DNS access request, and described at least one domain information comprises DNS domain name; Or described network access request is SMTP access request, and described at least one domain information comprises the email address of sender and/or addressee.B30, device according to any one of B17 to B29, described interception module is specifically suitable for: by client registers protocol-driven or create filtration drive, intercept and capture the packet of the network access request that program is initiated; Or the application programming interface function utilizing operating system to provide intercepts and captures the packet of the network access request that program is initiated; Or, called the request of interface for network programming function by takeover process, intercept and capture the packet of the network access request that program is initiated; Or, utilize the mode of registration fire compartment wall readjustment, intercept and capture the packet of the network access request that program is initiated.B3l, device according to any one of B17 to B29, described interception module is specifically suitable for: by driving to NDIS log-in protocol, or on driving arrangement stack, the driving arrangement stack of transmission distribution interface or the driving arrangement stack of transmission control/network communication protocol that the miscellaneous function of winsock drives, create filtration drive, intercept and capture the packet of the network access request that program is initiated.B32, device according to any one of Bi7 to B29, described interception module is specifically suitable for: the derivative function that the interface function that the Hook Function interception system service descriptor table utilizing operating system to provide provides or the transmission service function that provides of controls/network communication protocol or NDIS provide, and obtains the packet of the network access request of described program initiation.

Claims (16)

1. a means of defence for access to netwoks behavior, comprising:
Drive layer to intercept and capture the packet of the network access request that program is initiated, resolve described packet, obtain at least one domain information in described packet, then described packet and at least one domain information thereof are sent to application layer;
Whether preserve in described at least one domain information in application layer inquiry local data base any one, any one if so, then in described at least one domain information belongs to the blacklist of local data base, stop the network access request of described program; When described at least one domain information does not belong to the blacklist of local data base but any one in described at least one domain information belongs to the white list of local data base, the network access request of described program of letting pass;
If application layer inquires in local data base any one of not preserving in described at least one domain information, then described at least one domain information is sent to network equipment, receives in network equipment inquiry cloud database the Query Result of any one whether preserved in described at least one domain information;
If described Query Result shows that described cloud database is preserved any one in described at least one domain information and belongs to blacklist, then stop the network access request of described program; Or if described Query Result shows described cloud database, any one of preserving in described at least one domain information does not belong to blacklist and belongs to white list, then the network access request of described program of letting pass.
2. method according to claim 1, also comprises:
If application layer inquires described local data base and described cloud database are not all preserved in described at least one domain information any one, show that described program is unknown program, the network access request of described program of letting pass.
3. method according to claim 1, the step that described driving layer intercepts and captures the packet of the network access request that program is initiated comprises: drive layer to intercept and capture the packet of the HTTP access request that program is initiated; Described at least one domain information comprises domain name;
Described method also comprises: drive layer to obtain IP address and the port of HTTP access request.
4. method according to claim 3, also comprises: the further resolution data bag of application layer, and one or more obtaining following information are as the part at least one domain information: network address, Agent mark and parent page information.
5. the method according to claim 3 or 4, described described packet and at least one domain information thereof be sent to the step of application layer before also comprise:
Judge driving the process state information whether recording the upper once described program with the HTTP access request of program described in this with identical ip addresses and port and domain name in layer internal memory;
If not, then the described step described packet and at least one domain information thereof being sent to application layer is performed;
If so, any one then at least one domain information of the once HTTP access request of described program on the process state information of upper once described program is belongs to blacklist, the network access request of described program is stoped; Any one at least one domain information of the once HTTP access request of described program on the process state information of upper once described program is belongs to white list, the network access request of described program of letting pass; When once described program is unknown program on the process state information of upper once described program is, perform the described step described packet and at least one domain information thereof being sent to application layer.
6. the method according to claim 3 or 4, described described packet and at least one domain information thereof be sent to the step of application layer before also comprise:
Judge driving the process state information whether recording the upper once described program with the HTTP access request of program described in this with identical ip addresses and port and domain name in layer internal memory;
If not, then the described step described packet and at least one domain information thereof being sent to application layer is performed;
If so, any one then at least one domain information of the once HTTP access request of described program on the process state information of upper once described program is belongs to blacklist, the network access request of described program is stoped; Any one at least one domain information of the once HTTP access request of described program on the process state information of upper once described program is belongs to white list, the network access request of described program of letting pass; When on the process state information of upper once described program is, once described program is unknown program, judge whether the cumulative number that described program is confirmed to be unknown program is more than or equal to preset value, if, the network access request of described program of then letting pass, otherwise, perform the described step described packet and at least one domain information thereof being sent to application layer.
7. the method according to claim 3 or 4, also comprises after the step of the network access request of described prevention or described program of letting pass:
Driving the IP address and port and domain name of in layer internal memory, recording the HTTP access request of program described in this, and record the process state information of program described in this, any one at least one domain information of the HTTP access request that the process state information of program described in this is program described in this belongs to blacklist or white list, or program described in this is unknown program.
8. method according to claim 7, also comprises after the step of the network access request of described prevention or described program of letting pass:
If the process state information of program described in this is unknown program for program described in this, then in driving layer internal memory, record the cumulative number that described program is confirmed to be unknown program.
9. method according to claim 1 and 2, described described packet and at least one domain information thereof be sent to the step of application layer before also comprise:
Judge driving the process state information whether recording the upper once described program with the network access request of program described in this with identical at least one domain information in layer internal memory;
If not, then the described step described packet and at least one domain information thereof being sent to application layer is performed;
If so, any one then at least one domain information of the once network access request of described program on the process state information of upper once described program is belongs to blacklist, the network access request of described program is stoped; Any one at least one domain information of once described program on the process state information of upper once described program is belongs to white list, the network access request of described program of letting pass; When on the process state information of upper once described program is, once described program is unknown program, the network access request of described program of letting pass.
10. method according to claim 9, also comprises after the step of the network access request of described prevention or described program of letting pass:
Driving at least one domain information recording the network access request of program described in this in layer internal memory, and record the process state information of program described in this, any one at least one domain information that the process state information of program described in this is the network access request of program described in this belongs to blacklist or white list, or program described in this is unknown program.
11. methods according to claim 9,
Described network access request is DNS access request, and described at least one domain information comprises DNS domain name;
Or described network access request is SMTP access request, and described at least one domain information comprises the email address of sender and/or addressee.
12. methods according to claim 1, the step that described driving layer intercepts and captures the packet of the network access request that program is initiated is specially:
By in client registers protocol-driven or establishment filtration drive, intercept and capture the packet of the network access request that program is initiated;
Or the application programming interface function utilizing operating system to provide intercepts and captures the packet of the network access request that program is initiated;
Or, called the request of interface for network programming function by takeover process, intercept and capture the packet of the network access request that program is initiated;
Or, utilize the mode of registration fire compartment wall readjustment, intercept and capture the packet of the network access request that program is initiated.
13. methods according to claim 12, described by client registers protocol-driven or create filtration drive, the step of packet of the network access request that intercepting and capturing program is initiated is specially:
By driving to NDIS log-in protocol, or on driving arrangement stack, the driving arrangement stack of transmission distribution interface or the driving arrangement stack of transmission control/network communication protocol that the miscellaneous function of winsock drives, create filtration drive, intercept and capture the packet of the network access request that program is initiated.
14. methods according to claim 12, the step that the described application programming interface function utilizing operating system to provide intercepts and captures the packet of the network access request that program is initiated is specially:
The derivative function that the interface function that the Hook Function interception system service descriptor table utilizing operating system to provide provides or the transmission service function that provides of controls/network communication protocol or NDIS provide, obtains the packet of the network access request of described program initiation.
The protector of 15. 1 kinds of access to netwoks behaviors, comprising: drive layer module and application layer module;
Described driving layer module comprises:
Interception module, is suitable for the packet of the network access request that intercepting and capturing program is initiated;
Drive layer parsing module, be suitable for resolving described packet, obtain at least one domain information in described packet;
First sending module, is suitable for described packet and at least one domain information thereof to send to described application layer module;
Described application layer module comprises:
First receiver module, is suitable for the described packet and at least one domain information thereof that receive described first sending module transmission;
Enquiry module, is suitable for whether preserving any one in described at least one domain information in inquiry local data base;
Stop module, be suitable for, when any one inquiring in described at least one domain information of described enquiry module belongs to the blacklist of local data base, stoping the network access request of described program;
Clearance module, be suitable for when described enquiry module inquire described at least one domain information do not belong to the blacklist of local data base but any one in described at least one domain information belongs to the white list of local data base, the network access request of described program of letting pass;
Second sending module, is suitable for, when described enquiry module inquires in local data base any one of not preserving in described at least one domain information, described at least one domain information being sent to network equipment;
Second receiver module, is suitable for receiving in network equipment inquiry cloud database the Query Result of any one whether preserved in described at least one domain information;
The Query Result that described prevention module is also suitable for receiving at described second receiver module shows that described cloud database is preserved any one in described at least one domain information and belongs to blacklist, stop the network access request of described program;
The Query Result that described clearance module is also suitable for receiving at described second receiver module shows that any one of preserving in described at least one domain information of described cloud database does not belong to blacklist and belong to white list, the network access request of described program of letting pass.
16. devices according to claim 15, described clearance module is also suitable for when inquiring described local data base and described cloud database does not all preserve any one in described at least one domain information, show that described program is unknown program, the network access request of described program of letting pass.
CN201210479261.7A 2012-11-22 2012-11-22 The means of defence of access to netwoks behavior and device Active CN102932375B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201210479261.7A CN102932375B (en) 2012-11-22 2012-11-22 The means of defence of access to netwoks behavior and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201210479261.7A CN102932375B (en) 2012-11-22 2012-11-22 The means of defence of access to netwoks behavior and device

Publications (2)

Publication Number Publication Date
CN102932375A CN102932375A (en) 2013-02-13
CN102932375B true CN102932375B (en) 2015-10-07

Family

ID=47647077

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201210479261.7A Active CN102932375B (en) 2012-11-22 2012-11-22 The means of defence of access to netwoks behavior and device

Country Status (1)

Country Link
CN (1) CN102932375B (en)

Families Citing this family (31)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104104666B (en) * 2013-04-15 2015-06-24 腾讯科技(深圳)有限公司 Method of detecting abnormal cloud service and device
US9582584B2 (en) 2013-04-23 2017-02-28 Tencent Technology (Shenzhen) Company Limited Method, apparatus and system for filtering data of web page
CN104123120B (en) * 2013-04-23 2016-03-16 腾讯科技(深圳)有限公司 A kind of browser page data filtering method, device and system
CN104348799B (en) * 2013-07-31 2019-02-05 腾讯科技(深圳)有限公司 A kind of filter method and device of network access request
CN103561036A (en) * 2013-11-12 2014-02-05 深信服网络科技(深圳)有限公司 Request intercepting method and device in white-list internet surfing environment
CN103634315B (en) * 2013-11-29 2017-11-10 哈尔滨工业大学(威海) The front-end control method and system of name server
CN103825900A (en) * 2014-02-28 2014-05-28 广州云宏信息科技有限公司 Website access method and device and filter form downloading and updating method and system
CN103929418A (en) * 2014-03-28 2014-07-16 汉柏科技有限公司 Wireless Internet access method and system based on network safety equipment
CN105099991B (en) * 2014-04-28 2019-05-31 北京奇虎科技有限公司 The method and device of network packet is grabbed in the terminal
CN105991634A (en) * 2015-04-29 2016-10-05 杭州迪普科技有限公司 Access control method and apparatus
CA2983742A1 (en) * 2015-04-30 2016-11-03 Visa International Service Association Method of securing connected devices on a network
CN106209753B (en) * 2015-05-08 2019-11-19 深圳市腾讯计算机系统有限公司 Service control method, management server, client, service server and system
CN105022335B (en) * 2015-07-03 2017-07-11 北京科技大学 A kind of PLC Hostlink order filter methods and device based on RS232 communications protocol
CN105245466A (en) * 2015-10-14 2016-01-13 北京锐安科技有限公司 Flow control method, flow control device and flow control equipment
CN105376222A (en) * 2015-10-30 2016-03-02 四川九洲电器集团有限责任公司 Intelligent defense system based on cloud computing platform
CN105912933A (en) * 2016-04-27 2016-08-31 北京金山安全软件有限公司 Method and device for processing network disconnection instruction and electronic equipment
CN106131090B (en) * 2016-08-31 2021-11-09 北京力鼎创软科技有限公司 Method and system for user to access network under web authentication
CN106385450A (en) * 2016-09-13 2017-02-08 宇龙计算机通信科技(深圳)有限公司 Data filtering method and system
CN106657006A (en) * 2016-11-17 2017-05-10 北京中电普华信息技术有限公司 Software information safety protection method and device
CN106453436B (en) * 2016-12-21 2019-05-31 北京奇虎科技有限公司 A kind of detection method and device of network security
CN109086143B (en) * 2017-06-14 2022-02-08 北京小米移动软件有限公司 Application interaction method and device
CN109218275B (en) * 2017-07-07 2021-09-21 北京小米移动软件有限公司 Application interaction method and device
EP3627322A4 (en) 2017-06-14 2020-04-29 Beijing Xiaomi Mobile Software Co., Ltd. Application interaction method, interaction method and device
CN109218374B (en) * 2017-07-07 2021-11-30 北京小米移动软件有限公司 Application interaction method and device
CN107395655A (en) * 2017-09-15 2017-11-24 郑州云海信息技术有限公司 A kind of system and method that network access is controlled using blacklist
CN107821284A (en) * 2017-11-07 2018-03-23 河北工业大学 A kind of intelligent fish breeding system based on cloud database
CN108737409A (en) * 2018-05-14 2018-11-02 四川迅游网络科技股份有限公司 A kind of data transmission method based on NDIS drivings
CN110798438A (en) * 2018-08-09 2020-02-14 北京安天网络安全技术有限公司 Method, system and storage medium for implementing firewall in application
CN109361779A (en) * 2018-10-22 2019-02-19 江苏满运软件科技有限公司 The management method of domain name and system, node server in distributed system
CN112929326B (en) * 2019-12-05 2022-05-24 华为技术有限公司 Malicious domain name access detection method and device and computer readable storage medium
CN115065397A (en) * 2022-05-18 2022-09-16 亚太卫星宽带通信(深圳)有限公司 System and method for payment by using semi-open satellite network without mobile network

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102025713A (en) * 2010-02-09 2011-04-20 中国移动通信集团北京有限公司 Access control method, system and DNS (Domain Name Server) server
CN102413142A (en) * 2011-11-30 2012-04-11 华中科技大学 Active defense method based on cloud platform

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102025713A (en) * 2010-02-09 2011-04-20 中国移动通信集团北京有限公司 Access control method, system and DNS (Domain Name Server) server
CN102413142A (en) * 2011-11-30 2012-04-11 华中科技大学 Active defense method based on cloud platform

Also Published As

Publication number Publication date
CN102932375A (en) 2013-02-13

Similar Documents

Publication Publication Date Title
CN102932375B (en) The means of defence of access to netwoks behavior and device
CN102916983B (en) The guard system of access to netwoks behavior
CN103051617B (en) The method of the network behavior of recognizer, Apparatus and system
US9026676B1 (en) Systems and methods for prepending nonce labels to DNS queries to enhance security
US8447856B2 (en) Policy-managed DNS server for to control network traffic
CN103152354B (en) To method, system and client device that dangerous website is pointed out
CN103973704B (en) Based on the domain name analytic method of WIFI equipment, apparatus and system
KR101907392B1 (en) Method and system for inspecting malicious link addree listed on email
US20080301312A1 (en) Tunneling IPv6 Packets
CN102783119A (en) Access control method and system, and access terminal
JP5640105B2 (en) Method and system for reducing the spread of electronic messages
CN105100223A (en) File sharing method, device and system based on cloud storage
US10454952B2 (en) Threat protection in documents
CN103368978A (en) System and method for achieving leak application and communication safety detection of smart mobile terminal
CN103368941A (en) User network access scenario-based protection method and device
CN104780209A (en) Portable equipment and server for realizing sharing interface scenario
CN104092691A (en) Implementation method for implementing root-authority-free networking firewall and client-side
CN108418780A (en) Filter method and device, system, the dns server of IP address
CN105430009A (en) Network access method, terminal and gateway server
CN104159231A (en) Method for optimizing background flow of client, and client
CN105282153A (en) Method for achieving data transmission and terminal equipment
CN105208029A (en) Data processing method and terminal device
CN103747005A (en) DNS (domain name system) cache poisoning protection method and device
CN112165537B (en) Virtual IP method for ping reply
US11160139B2 (en) Method for optimizing per message type data exchange between connected objects

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CP01 Change in the name or title of a patent holder
CP01 Change in the name or title of a patent holder

Address after: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)

Patentee after: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Patentee after: Beijing Qizhi Business Consulting Co.,Ltd.

Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)

Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Patentee before: Qizhi software (Beijing) Co.,Ltd.

TR01 Transfer of patent right
TR01 Transfer of patent right

Effective date of registration: 20220329

Address after: 100016 1773, 15 / F, 17 / F, building 3, No.10, Jiuxianqiao Road, Chaoyang District, Beijing

Patentee after: Sanliu0 Digital Security Technology Group Co.,Ltd.

Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)

Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Patentee before: Beijing Qizhi Business Consulting Co.,Ltd.