Embodiments
Exemplary embodiments of the present disclosure are described below in more detail with reference to the accompanying drawings. Although the accompanying drawings show exemplary embodiments of the present disclosure, it should be understood that the disclosure can be realized in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the disclosure is understood more thoroughly and so that its scope can be conveyed completely to those skilled in the art.
Traditional schemes for identifying the network behavior of programs mostly start from known data: they try to find which parts of the data are known, then look for useful portions within that known data, and use those portions to judge whether the data poses a threat. The disadvantage of this approach is that, once the application layer data of the network data is unknown, very little usable known data remains, so it becomes difficult to judge accurately whether a network behavior poses a threat, and unknown network behavior carrying a network threat is easily missed.
For this reason, the embodiments of the invention propose a method, apparatus and system for identifying the network behavior of a program. The idea is based on the fact that the data structure of the application layer in the TCP/IP protocol suite is highly customizable: once a self-defined data structure is detected in the application layer data, the current network behavior can be considered to carry risk. The program network behavior identification method proposed by the invention therefore mainly works by determining whether the application layer data of the program's current network behavior contains an unknown protocol. If all protocols are known, the program's current network behavior is identified as the network behavior of an identifiable program; if an unknown protocol is contained, the program's current network behavior is identified as the network behavior of a suspicious program.
The flow chart of a program network behavior identification method 100 according to an embodiment of the invention, which is suitable for solving the problems described above, is described below in conjunction with Fig. 1. As shown in Fig. 1, the method 100 of the embodiment starts at step S101. Subsequently, in step S102, the application layer data of the current network behavior of a program is obtained while the program accesses the network.
It should be noted that a program is an ordinary file, a set of machine code instructions and data, and is a static concept. A process is the dynamic concept of a program executing on a computer. The same program can run on several data sets at the same time, that is, one program can correspond to multiple processes. Network behavior is initiated by a running program (that is, a process). The current network behavior of a program therefore means the network behavior initiated by the processes belonging to that program.
To make this step easier to understand, network behavior is first introduced briefly. Network behavior can be understood as the various actions that need to be carried out through the network. They are of many kinds, for example: HTTP (Hypertext Transfer Protocol) access (commonly downloading a file or uploading information), SMTP (Simple Mail Transfer Protocol) requests (sending and receiving e-mail), DNS (Domain Name System) requests (resolving information such as the IP address corresponding to a domain name), and so on.
Next, the flow of an application accessing the network: if an ordinary program needs to connect to the network, it sends a network connection request through the API (Application Program Interface) provided by the operating system (such as Windows). After the operating system receives the application's network request, it receives the data the application wants to send, encapsulates the received data, and then passes the encapsulated data to a physical device (such as a network interface card); finally the hardware device transmits the data.
Based on the above flow, the information of a network behavior can be intercepted at any link of this flow in order to monitor the current network behavior of a program. Concrete monitoring can be implemented in, but is not limited to, the following ways: registering a protocol driver on the client, creating a filter driver similar to the operating system's own, intercepting the current network behavior through application programming interface functions provided by the operating system (such as hook functions), taking over the program's calls to the network programming interface (Winsock), or registering a firewall callback, so as to intercept the information of the program's current network behavior. These are described in detail below:
While the operating system processes the relevant data during an application's network access, it obtains the data of the network behavior through certain protocol drivers and filter drivers. Therefore a protocol driver can be registered, or a filter driver similar to the filter drivers used by the operating system can be created, to obtain the data of the network behavior. Embodiments can be: registering a protocol driver with NDIS (Network Driver Interface Specification), or adding a filter driver similar to the operating system's own on the driver device stack of Afd.sys (Ancillary Function Driver for Winsock), Tdi.sys (Transport Dispatch Interface) or Tcpip.sys (Transmission Control Protocol/Internet Protocol).
In addition, the application layer data of the program's current network behavior can also be obtained as follows: using a hook function to capture the data of the network behavior. Embodiments can be: using a hook function to intercept the NtDeviceIoControl function, which the kernel provides in the Windows SSDT (System Services Descriptor Table) as the interface for communicating with devices, obtaining the data of all communication between applications and devices, and filtering out the requests sent to Afd.sys; or using a hook function to intercept the service functions provided by the Tcpip.sys driver or the interfaces exported by NDIS.sys, and so monitoring the program's network behavior. The program's network behavior can of course also be monitored as follows: through the Windows LSP (Layered Service Provider) mechanism, which can be extended, a custom dll file takes over all application calls to Winsock and then forwards them to Windows' own mswsock.dll; or an IOCTL_IP_SET_FIREWALL_HOOK request is sent to the Windows system IP device driver to register a firewall callback. In practice, when monitoring the program's network behavior, the above modes can be selected according to actual conditions, and the modes of monitoring network behavior are of course not limited to those listed above.
Subsequently, in step S104, it is judged whether the application layer data contains an unknown protocol. In some embodiments, this judgment can be made according to the formats of known protocols. For example, the known protocols include at least one of the following: the HTTP protocol, the DNS protocol, the SMTP protocol, the FTP protocol (File Transfer Protocol), the SNMP protocol (Simple Network Management Protocol) and the POP3 protocol (Post Office Protocol version 3).
Alternatively, a sufficiently large number of known protocols is collected in advance on the client. These known protocols include the three protocols HTTP, DNS and SMTP, and can also include some encrypted protocols, such as FTP. An encrypted protocol here mainly means one that encapsulates an unknown protocol inside a packet in a unified encrypted format and attaches a recognizable common protocol inside the packet; these common protocols can include SNMP, POP3, eMule/eDonkey or BitTorrent. Because different protocols have certain fixed formats, the protocol itself can be detected from the format of the known protocol. For example, the HTTP protocol has a protocol header but no protocol trailer; fields such as Host and Referer belong to the content of the protocol header, and the common format of the protocol header includes fields such as Host, Referer, User-Agent and Url.
If the application layer data contains an unknown protocol, it can be considered risky. Although application layer data can be specified arbitrarily by the software developer, for the convenience of data transfer on the Internet a set of general protocol standards (which can also be called known protocols) has formed in practical use. Known protocols such as DNS, HTTP, FTP, SMTP, SSL/TLS, SSH, uTorrent, eMule/eDonkey and BitTorrent account for the overwhelming majority of network data. As long as the data structures of these known protocols can be identified and analyzed effectively, the remaining unknown protocols will be only a few. Because known protocols can basically satisfy all data transfer needs, there is reason to believe that any custom protocol (i.e. unknown protocol) that needs to carry out data transfer should serve a certain specific need and be used in a specific environment of very limited scope, and should not be widely distributed across the Internet. Application layer data containing an unknown protocol is therefore classified as suspicious, and it is necessary to give a risk prompt to the user.
In the flow of method 100 specifically, the formats of known protocols can be collected in advance; known protocols include but are not limited to DNS, HTTP, FTP, SMTP, SSL/TLS, SSH, uTorrent, eMule/eDonkey, BitTorrent and so on. Then in step S104 the protocols used in the application layer data are identified according to the formats of the known protocols collected in advance. If every protocol in the application layer data can be identified, it is judged that the application layer data contains only known protocols; if at least part of the protocols in the application layer data cannot be identified, it is judged that the application layer data contains an unknown protocol.
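The following is an added example of the format-based judgment of step S104, written for this page and not taken from the patent: each known protocol is recognized by its fixed structure (HTTP request line and header block, DNS query header and question section, SMTP and FTP command lines, TLS and SSH handshake prefixes), anything that fits no format is an unknown protocol, and the program is marked with identifier "1" or "0" as the text describes. All payloads are constructed samples.

```python
import re
import struct

# Format checks for the known protocols named in the text (HTTP, DNS, SMTP, FTP,
# SSL/TLS, SSH). Each check is purely structural: a payload that fits none of the
# fixed formats is treated as an unknown (self-defined) protocol.

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ")
REQUEST_LINE_RE = re.compile(rb"[A-Z]+ \S+ HTTP/1\.[01]")
HEADER_LINE_RE = re.compile(rb"[A-Za-z0-9-]+:[ \t]*[^\r\n]*")

def is_http(payload):
    """HTTP: request line, header lines such as Host/Referer/User-Agent, blank line, no trailer."""
    if not payload.startswith(HTTP_METHODS) or b"\r\n\r\n" not in payload:
        return False
    request_line, *headers = payload.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
    if not REQUEST_LINE_RE.fullmatch(request_line):
        return False
    has_host = any(h.lower().startswith(b"host:") for h in headers)
    return has_host and all(HEADER_LINE_RE.fullmatch(h) for h in headers)

def is_dns_query(payload):
    """DNS query: 12-byte header with QR=0 and opcode 0, then QDCOUNT questions,
    each a label sequence (labels <= 63 bytes, terminated by 0) plus QTYPE/QCLASS."""
    if len(payload) < 17:
        return False
    _ident, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if flags & 0x8000 or (flags >> 11) & 0xF or qdcount < 1:
        return False
    pos = 12
    for _ in range(qdcount):
        while True:
            if pos >= len(payload):
                return False
            length = payload[pos]
            pos += 1
            if length == 0:
                break
            if length > 63 or pos + length > len(payload):
                return False
            pos += length
        pos += 4  # QTYPE and QCLASS
        if pos > len(payload):
            return False
    return True

SMTP_COMMANDS = (b"EHLO ", b"HELO ", b"MAIL FROM:", b"RCPT TO:", b"DATA\r\n", b"RSET\r\n", b"QUIT\r\n")
FTP_COMMANDS = (b"USER ", b"PASS ", b"CWD ", b"PASV\r\n", b"PORT ", b"TYPE ", b"RETR ", b"STOR ", b"LIST")

def is_smtp(payload):
    return payload.endswith(b"\r\n") and payload.upper().startswith(SMTP_COMMANDS)

def is_ftp(payload):
    return payload.endswith(b"\r\n") and payload.upper().startswith(FTP_COMMANDS)

def is_tls_client_hello(payload):
    """TLS record header: type 22 (handshake), version 3.x, then handshake type 1 (ClientHello)."""
    return len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 3 and payload[2] <= 4 and payload[5] == 1

def is_ssh(payload):
    return payload.startswith((b"SSH-2.0-", b"SSH-1.99-"))

KNOWN_PROTOCOLS = (
    ("http", is_http), ("dns", is_dns_query), ("smtp", is_smtp),
    ("ftp", is_ftp), ("ssl/tls", is_tls_client_hello), ("ssh", is_ssh),
)

def identify_protocol(payload):
    """Step S104: name of the first known protocol whose format fits, else None."""
    for name, check in KNOWN_PROTOCOLS:
        if check(payload):
            return name
    return None

def classify_behavior(payloads):
    """Steps S104-S108 for one program: identifier 1 = identifiable program (all
    protocols known), identifier 0 = suspicious program (an unknown protocol seen)."""
    names = [identify_protocol(p) or "unknown" for p in payloads]
    return {"identifier": 0 if "unknown" in names else 1, "protocols": names}

# Constructed sample payloads (not captured traffic).
SAMPLE_HTTP = (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
               b"User-Agent: demo/1.0\r\nReferer: http://www.example.com/\r\n\r\n")
SAMPLE_DNS = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"  # header: one question
              b"\x07example\x03com\x00\x00\x01\x00\x01")            # example.com, type A, class IN
SAMPLE_SMTP = b"EHLO mail.example.com\r\n"
SAMPLE_CUSTOM = b"\xde\xad\xbe\xef\x00\x01\x00\x14" + bytes(range(20))  # self-defined binary format

if __name__ == "__main__":
    print(classify_behavior([SAMPLE_HTTP, SAMPLE_DNS, SAMPLE_SMTP]))  # identifier 1
    print(classify_behavior([SAMPLE_HTTP, SAMPLE_CUSTOM]))            # identifier 0
```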
If it is judged in step S104 that all protocols in the application layer data are known protocols, step S106 is executed. In step S106, the program's current network behavior is identified as the network behavior of an identifiable program.
That is, when all protocols in the application layer data of the network behavior are known protocols, the network behavior can be identified, and in step S106 it can be marked as the network behavior of an identifiable program, for example with the identifier "1". It can be understood, of course, that the embodiments of the invention do not limit the concrete form of the identifier.
After step S106, the process can proceed to the end step S121. However, to further judge whether the network behavior of the identifiable program is the network behavior of a malicious program, step S110 can follow step S106; in step S110 it is judged whether the network behavior of the identifiable program is the network behavior of a malicious program.
A malicious program typically refers to a piece of program written by an operator with attack intent. These threats can be divided into two categories: threats that need a host program and independent threats. The former are program fragments that basically cannot exist independently of some actual application, utility or system program; the latter are self-contained programs that can be called and run by the operating system. Malicious programs include trapdoors, logic bombs, Trojan horses, worms, bacteria, viruses and the like.
In some embodiments, the following two modes can be used to judge whether the network behavior of the identifiable program is the network behavior of a malicious program:
Mode one: a preset module on the client stores the black and white lists of a black/white list library, and the client judges, from the black and white lists and the obtained characteristic information, whether the network behavior is the network behavior of a malicious program.
Alternatively, the black and white lists related to network defense can apply different check items to different protocols. For example: (1) General check items include checking the remote IP address, local port, remote port and transport layer protocol (usually one of TCP or UDP). (2) Protocol type check: some known protocols may be used to transmit data for remote-control Trojans, and once such a known protocol is found it is judged to be a protocol packet used by a malicious program. (3) Protocol detail check: for other known protocols, the items with reference value are extracted according to the specific structure of the protocol, without touching the transferred object itself, and serve as the criterion for the black/white judgment. The protocol details differ with the protocol and the particular item; for example, the client checks fields such as URL, Host, Referer and User-Agent in the HTTP protocol after encryption, and the Name and Type fields in the Queries information of the DNS protocol after encryption.
Specifically, the client obtains the characteristic information in the application layer data of the network behavior of the identifiable program; this characteristic information can be part of the code in the application layer data, a data packet in the application layer data, or a piece of data in a packet in the application layer data. According to the black and white lists on the client and the obtained characteristic information, it judges whether the network behavior of the identifiable program is the network behavior of a malicious program.
Taking an HTTP access behavior as the network behavior: in step S102 the application layer data of the HTTP access behavior is obtained. In step S104, according to the format of the known HTTP protocol, it is judged that all protocols contained in this HTTP access behavior are known protocols. Then in step S106 the HTTP access behavior is identified as the network behavior of an identifiable program. Then in step S110 the characteristic information in the application layer data of the HTTP access behavior, such as the Host field, Url field and IP address field, is obtained, and it is judged against the black and white lists in the black/white list library whether this characteristic information belongs to the characteristic information of the network behavior of a malicious program. If it does, the network behavior is the network behavior of a malicious program and the process enters step S112; if not, the network behavior is normal network behavior and the process enters step S114.
It should be noted that the detection items in mode one differ for different protocols. For the DNS protocol, the check is mainly on the domain name resolution of the request packet: judging the string of the domain name being resolved, and whether the IP address returned by DNS is abnormal. For the SMTP protocol, the check is mainly on whether the name fields are abnormal, for example the mail sender, the recipient, the sender's name and domain, and the recipient's name and domain. For the FTP and HTTP protocols, the check is mainly on whether the domain name and Url fields are abnormal. If these fields match the blacklist on the cloud server or on the client, the protocol is considered risky and a risk prompt is given to the user. All data obtained from the SMTP protocol is uploaded to the cloud server only after being processed into a hash value such as MD5; the black and white lists on the cloud server only check the MD5 values of the SMTP data and do not involve the mail content itself.
Mode two: a database preset on the cloud server stores the black and white lists of the black/white list library; the client sends the obtained characteristic information to the cloud server, and the cloud server judges, from the black and white lists and the received characteristic information, whether the network behavior is the network behavior of a malicious program.
Specifically, the client first obtains the characteristic information in the application layer data of the network behavior of the identifiable program; this characteristic information can be part of the code in the application layer data (for example the Host field or Url field), a data packet in the application layer data, or a piece of data in a packet in the application layer data. Generally, besides the fields used for transmission, the application layer data also contains some self-defined data. For example, when a user uploads a file to a website or server through HTTP or FTP, besides the necessary identifying information the user specifies through fields such as URL and Host, the file uploaded by the user is itself treated as a data packet, attached to the HTTP or FTP protocol and transmitted to the given server. At this point, the content of the uploaded file is the data packet in the above application layer protocol (of course, a large file may be split into multiple packets for transmission). This is only a common example; for different protocols and application scenarios the data packet can appear in different forms. Of course, in some situations the data packet may not exist or may be empty.
Then the client sends the characteristic information to the cloud server; the cloud server judges, against the black and white lists in the black/white list library, whether the characteristic information belongs to the characteristic information of the network behavior of a malicious program, and returns the judgment result to the client. If it does, the network behavior is the network behavior of a malicious program and the process enters step S112; if not, the network behavior is normal network behavior and the process enters step S114. Because the storage space of the cloud server is far larger than that of the client, as many black and white lists as possible can be pre-stored on the cloud server, which improves the accuracy of network behavior identification. At the same time, the black/white list library on the cloud server can be updated promptly after the latest lists are collected.
Returning to the flow of method 100: if in step S110 it is judged to be the network behavior of a malicious program, the process enters step S112, in which risk prompt information is sent and/or the current network behavior of the identifiable program is intercepted, and then the end step S121 is entered. For example, if the current network behavior of the program can be determined to be the network behavior of a malicious program, the program's network connection can first be suspended and a message sent to the user informing the user that the program is abnormal, with the final choice left to the user; if the user chooses to intercept, the network behavior is blocked completely. Conversely, if in step S110 it is judged not to be the network behavior of a malicious program, the process enters step S114, in which the current network behavior of the identifiable program is identified as normal network behavior, and then the end step S121 is entered. Normal network behavior carries no risk or extremely low risk, and it is allowed to access the network.
Conversely, if in step S104 it is judged that the application layer data contains an unknown protocol, step S108 is executed. In step S108 the program's current network behavior is identified as the network behavior of a suspicious program. That is, the protocols of the application layer data of the program's network behavior are compared with the general protocols; when the application layer data contains an unknown protocol, the network behavior of the program temporarily cannot be identified accurately and can be considered to carry risk, so it is marked as the network behavior of a suspicious program, for example with the identifier "0". It can be understood, of course, that the embodiments of the invention do not limit the concrete form of the identifier.
After step S108, the process can enter the end step S121. However, to further judge whether the network behavior of the suspicious program is the network behavior of a malicious program, step S116 can follow step S108; in step S116 it is judged whether the network behavior of the suspicious program is the network behavior of a malicious program.
A malicious program typically refers to a piece of program written with attack intent, and these threats can be divided into two categories: threats that need a host program and independent threats. The former are program fragments that basically cannot exist independently of some actual application, utility or system program; the latter are self-contained programs that can be called and run by the operating system. Malicious programs include trapdoors, logic bombs, Trojan horses, worms, bacteria, viruses and the like.
In some embodiments, the following two modes can be used to judge whether the network behavior of the suspicious program is the network behavior of a malicious program:
Mode one: a preset module on the client stores the black and white lists of the black/white list library, and the client judges, from the black and white lists and the obtained characteristic information, whether the network behavior is the network behavior of a malicious program.
Specifically, the client obtains the characteristic information in the application layer data of the network behavior of the suspicious program; this characteristic information can be part of the code in the application layer data, a data packet in the application layer data, or a piece of data in a packet in the application layer data. According to the black and white lists on the client and the obtained characteristic information, it judges whether the network behavior of the suspicious program is the network behavior of a malicious program. If it is, the network behavior is the network behavior of a malicious program and the process enters step S118; if not, the network behavior is risky network behavior and the process enters step S120.
It should be noted that the detection items differ for different protocols. For the DNS protocol, the check is mainly on the domain name resolution of the request packet: judging the string of the domain name being resolved, and whether the IP address returned by DNS is abnormal. For the SMTP protocol, the check is mainly on the name fields, including whether the mail sender, the recipient, the sender's name and domain, and the recipient's name and domain are abnormal. For the HTTP protocol, the check is mainly on whether fields such as Host, URL, User-Agent, Referer and Method are abnormal. The judgment of whether something is abnormal falls into two broad classes: (1) Exact matching: for example, a Trojan has been found that connects to a certain IP address or URL, and this IP address or URL is not found to have any other legitimate use; when a program is again found connecting to that IP address or URL, the program is considered abnormal (more complex criteria are also possible, such as considering only a connection to a particular port of a particular IP abnormal). (2) Fuzzy matching: long-term monitoring and analysis of applications on the server side finds that a large number of Trojans all point to the same IP range or the same TLD, while normal websites rarely or never appear in that IP range or TLD; programs connecting to anything in that IP range or TLD can then all be considered abnormal. This situation can have more complex criteria. Take the example of Trojans spread using game456: the official domains of game456 are game456.com and game456.net, and the domains many Trojans connect to are all very close to the official domains, such as game456.me, game456.3322.org and game456.com.abcd.org. Every domain that resembles the official game456 domain and is to some extent deceptive can therefore be considered abnormal.
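The following is an added example of the exact and fuzzy matching described above, written for this page and not part of the patent. It assumes a constructed client-side list: exact IP/port and URL entries, a flagged IP range and suffix (the text's "IP section" and "TLD"), and the game456 official domains, against which look-alike domains such as game456.me or game456.com.abcd.org are judged abnormal while subdomains of the official domains pass.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed black-list entries standing in for the client's preset module.
EXACT_IP_PORT = {("203.0.113.7", None), ("203.0.113.9", 4444)}   # None = any port on that IP
EXACT_URLS = {"http://dl.bad-tld.test/update.php"}
# Fuzzy rules: an IP range and a suffix under which almost no legitimate site lives.
FUZZY_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]
FUZZY_SUFFIXES = {"bad-tld.test"}
# Official domains of a brand that Trojans imitate (the game456 example from the text).
OFFICIAL_DOMAINS = {"game456": {"game456.com", "game456.net"}}


def _norm(domain):
    return domain.lower().rstrip(".")


def _is_subdomain_of(domain, parent):
    return domain == parent or domain.endswith("." + parent)


def lookalike_brand(domain):
    """Return the brand a domain imitates, or None if it is official or unrelated.
    A domain imitates a brand when the brand string appears in one of its labels
    but the domain is not the official domain or a subdomain of it."""
    domain = _norm(domain)
    for brand, official in OFFICIAL_DOMAINS.items():
        if any(_is_subdomain_of(domain, o) for o in official):
            continue
        if any(brand in label for label in domain.split(".")):
            return brand
    return None


def check_connection(remote_ip, remote_port, domain=None, url=None):
    """Client-side judgment of one connection: ('malicious', reason) on an exact
    hit, ('abnormal', reason) on a fuzzy hit, ('normal', None) otherwise."""
    # (1) exact matching: IP, IP plus specific port, or whole URL
    if (remote_ip, None) in EXACT_IP_PORT or (remote_ip, remote_port) in EXACT_IP_PORT:
        return "malicious", f"exact ip match {remote_ip}:{remote_port}"
    if url and url.lower() in EXACT_URLS:
        return "malicious", f"exact url match {url}"
    # (2) fuzzy matching: flagged IP range, flagged suffix, look-alike of an official domain
    addr = ipaddress.ip_address(remote_ip)
    if any(addr in net for net in FUZZY_NETWORKS):
        return "abnormal", f"{remote_ip} in flagged range"
    host = ""
    if domain:
        host = _norm(domain)
    elif url:
        host = _norm(urlsplit(url).hostname or "")
    if host:
        if any(_is_subdomain_of(host, s) for s in FUZZY_SUFFIXES):
            return "abnormal", f"{host} under flagged suffix"
        brand = lookalike_brand(host)
        if brand:
            return "abnormal", f"{host} imitates official {brand} domain"
    return "normal", None


if __name__ == "__main__":
    for args in [("203.0.113.7", 80, None, None), ("198.51.100.20", 443, None, None),
                 ("192.0.2.10", 80, "game456.me", None), ("192.0.2.10", 80, "www.game456.com", None)]:
        print(args[:3], check_connection(*args))
```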
Mode two: a preset module on the cloud server stores the black and white lists of the black/white list library; the client sends the obtained characteristic information to the cloud server, and the cloud server judges, from the black and white lists and the received characteristic information, whether the network behavior is the network behavior of a malicious program. The characteristic information the client uploads to the cloud server can be encrypted; for example, hash values of the whole URL, the host URL, the domain URL, the classification domain URL and the query path URL can be calculated with the MD5 algorithm and these MD5 hash values sent to the cloud server. The cloud server returns encrypted data to the client together with the MD5 hash values, the encrypted data containing the MD5 hash values.
Specifically, the client obtains the characteristic information in the application layer data of the network behavior of the suspicious program; this characteristic information can be part of the code in the application layer data (for example the Host field or Url field), a data packet in the application layer data, or a piece of data in a packet in the application layer data. The client sends the characteristic information to the cloud server; the cloud server judges, against the black and white lists in the black/white list library, whether the characteristic information belongs to the characteristic information of the network behavior of a malicious program, and returns the judgment result to the client. If it does, the network behavior is the network behavior of a malicious program and the process enters step S118; if not, the network behavior is risky network behavior and the process enters step S120.
Because the storage space of the cloud server is far larger than that of the client, as many black and white lists as possible can be pre-stored on the cloud server, which improves the accuracy of network behavior identification. At the same time, the library can be processed promptly after the latest black and white lists are collected. In some embodiments, to save local resources on the client, reduce its performance overhead and at the same time improve response speed, black and white lists with a large data volume and frequent changes are kept on the cloud server, while a portion of the lists that is relatively fixed, hits very precisely and has a very small data volume is kept on the client.
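The following is an added example of the mode-two exchange with the client/cloud split just described, written for this page and not taken from the patent. The small, precise list is checked locally in plaintext; everything else is reduced to MD5 values of the URL forms the text lists and sent to a cloud lookup that only ever sees hashes. The text does not define exactly which substring each of "host URL", "domain URL", "classification domain URL" and "query path URL" denotes, so the definitions in `url_variants` and all list entries are this example's assumptions.

```python
import hashlib
from urllib.parse import urlsplit


def md5hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def url_variants(url):
    """Split a URL into the five forms the text hashes. The precise meaning of each
    form is not given in the text; these definitions are an assumption."""
    parts = urlsplit(url.lower())
    host = parts.hostname or ""
    labels = host.split(".")
    path = parts.path or "/"
    return {
        "whole": url.lower(),
        "host": host,
        "domain": ".".join(labels[-2:]),                                       # registered domain
        "classification": ".".join(labels[-3:]) if len(labels) >= 3 else host,  # one level below it
        "path": host + path,                                                     # no scheme, no query
    }


# Client side: small, precise, rarely changing entries kept locally (constructed).
LOCAL_BLACKLIST = {"dl.bad-tld.test"}
LOCAL_WHITELIST = {"update.example.net"}

# Cloud side: large, frequently changing lists stored only as MD5 values (constructed).
CLOUD_BLACK_MD5 = {md5hex("c2.example.org"), md5hex("cdn.example.org/drop/payload.exe")}
CLOUD_WHITE_MD5 = {md5hex("example.com")}


def cloud_lookup(hashes):
    """Cloud server: answers each received hash with 'black', 'white' or 'unknown',
    echoing the hash back as the key. It never receives the plaintext URL."""
    return {h: ("black" if h in CLOUD_BLACK_MD5 else "white" if h in CLOUD_WHITE_MD5 else "unknown")
            for h in hashes}


def judge_url(url, lookup=cloud_lookup):
    """Mode-two judgment of one URL. Returns (verdict, matched_form) where verdict is
    'malicious' (black hit), 'normal' (white hit) or 'risky' (no list knows it)."""
    forms = url_variants(url)
    # 1. local precise lists first: no round trip for the fixed cases
    for name, value in forms.items():
        if value in LOCAL_BLACKLIST:
            return "malicious", name
    if forms["host"] in LOCAL_WHITELIST:
        return "normal", "host"
    # 2. otherwise hash every form and ask the cloud; a black hit on any form is decisive,
    #    and the most specific form is reported first
    verdicts = lookup([md5hex(v) for v in forms.values()])
    order = ["whole", "path", "host", "classification", "domain"]
    for name in order:
        if verdicts[md5hex(forms[name])] == "black":
            return "malicious", name
    for name in order:
        if verdicts[md5hex(forms[name])] == "white":
            return "normal", name
    return "risky", None


if __name__ == "__main__":
    for u in ["http://c2.example.org/gate.php?id=1", "https://www.example.com/index.html",
              "http://unknown.example.net/"]:
        print(u, judge_url(u))
```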
If in step S116 it is judged to be the network behavior of a malicious program, the process enters step S118. In step S118, risk prompt information is sent and/or the current network behavior identified as that of a suspicious program is intercepted, and then the end step S121 is entered. For example, if the current network behavior of the program can be determined to be the network behavior of a malicious program, the program's network connection can first be suspended and a message sent to the user informing the user that the program is abnormal, with the final choice left to the user; if the user chooses to intercept, the network behavior is blocked completely.
Conversely, if in step S116 it is judged not to be the network behavior of a malicious program, the process enters step S120. In step S120, risk prompt information is sent, and then the end step S121 is entered. That is, although the network behavior of the suspicious program is not the network behavior of a malicious program, the network behavior of this suspicious program still carries risk, so risk prompt information is sent to the user in step S120 and the final choice is left to the user.
It should be noted that the method shown in Fig. 1 is not limited to executing the steps in the order shown; the sequence of the steps can be adjusted as needed. In addition, the division of steps is not limited to that described above: the steps can be split into more steps or merged into fewer steps.
A program network behavior identification apparatus 200 according to another embodiment of the invention, suitable for solving the above problems, is described below in conjunction with Fig. 2.
As shown in Fig. 2, the program network behavior identification apparatus 200 comprises an acquisition module 202, a first judging module 204 and an identification module 206. The acquisition module 202 obtains the application layer data of the program's current network behavior; the first judging module 204 judges whether the application layer data contains an unknown protocol; the identification module 206 identifies the program's current network behavior as the network behavior of an identifiable program when all protocols in the application layer data are known protocols, and as the network behavior of a suspicious program when the application layer data contains an unknown protocol.
In some embodiments, the first judging module 202 is further used to judge, according to the formats of known protocols, whether the application layer data contains an unknown protocol. For example, a sufficiently large number of known protocols is pre-stored on the client; these known protocols include the three protocols HTTP, DNS and SMTP, and can also include some encrypted protocols, such as FTP. An encrypted protocol here mainly means one that encapsulates an unknown protocol inside a packet in a unified encrypted format and attaches a recognizable common protocol inside the packet; these common protocols can include SNMP, POP3, eDonkey or BitTorrent. Because different protocols have certain fixed formats, the protocol itself can be detected from the format of the known protocol. For example, for the HTTP protocol the protocol header and trailer and fields such as Host and Referer are detected: the HTTP protocol has a protocol header but no protocol trailer, fields such as Host and Referer belong to the content of the protocol header, and the common format of the protocol header includes fields such as Host, Referer, User-Agent and Url. An unknown protocol is considered risky; if an unknown protocol falls within the scope of the recognizable protocols, it may not contain a self-defined protocol inside.
Referring to Fig. 2, in another embodiment of the present invention the device 200 further comprises a second judge module 208 and a first processing module 210. The second judge module 208 judges whether the network behavior of the identifiable program is the network behavior of a malicious program. When the second judge module 208 judges that the network behavior of the identifiable program is the network behavior of a malicious program, the first processing module 210 sends risk prompt information and/or intercepts the current network behavior of the identifiable program; when the second judge module 208 judges that it is not the network behavior of a malicious program, the current network behavior of the identifiable program is identified as normal network behavior.
In some embodiments, the second judge module 208 comprises a first acquiring unit and a first judging unit. The first acquiring unit obtains characteristic information in the application layer data of the network behavior of the identifiable program; the characteristic information may be part of the code in the application layer data, a packet in the application layer data, or a segment of data in a packet in the application layer data. The first judging unit judges, according to the characteristic information, whether the network behavior of the identifiable program is the network behavior of a malicious program.
In some embodiments, the second judge module 208 further comprises a second acquiring unit, a first transmitting unit and a first receiving unit. The second acquiring unit obtains characteristic information in the application layer data of the network behavior of the identifiable program; the characteristic information may be part of the code in the application layer data, a packet in the application layer data, or a segment of data in a packet in the application layer data. The first transmitting unit sends the characteristic information to a cloud server, and the cloud server judges, according to the characteristic information, whether the network behavior of the identifiable program is the network behavior of a malicious program. The first receiving unit receives the judgement result returned by the cloud server.
Continuing to refer to Fig. 2, the device 200 further comprises a third judge module 212 and a second processing module 214. The third judge module 212 judges whether the network behavior identified as that of a suspicious program is the network behavior of a malicious program. When the third judge module 212 judges that the network behavior of the suspicious program is the network behavior of a malicious program, the second processing module 214 sends risk prompt information and/or intercepts the current network behavior identified as that of the suspicious program; when the third judge module 212 judges that the network behavior of the suspicious program is not the network behavior of a malicious program, the second processing module 214 sends risk prompt information.
In some embodiments, the third judge module 212 comprises a third acquiring unit and a second judging unit. The third acquiring unit obtains characteristic information in the application layer data of the network behavior of the identifiable program; the characteristic information may be part of the code in the application layer data, a packet in the application layer data, or a segment of data in a packet in the application layer data. The second judging unit judges, according to the characteristic information, whether the network behavior of the identifiable program is the network behavior of a malicious program.
In some embodiments, the third judge module 212 further comprises a fourth acquiring unit, a second transmitting unit and a second receiving unit. The fourth acquiring unit obtains characteristic information in the application layer data of the network behavior identified as that of a suspicious program; the characteristic information may be part of the code in the application layer data, a packet in the application layer data, or a segment of data in a packet in the application layer data. The second transmitting unit sends the characteristic information to a cloud server, and the cloud server judges, according to the characteristic information, whether the network behavior identified as that of a suspicious program is the network behavior of a malicious program. The second receiving unit receives the judgement result returned by the cloud server.
A program network behavior recognition system 300 according to another embodiment of the present invention, suitable for addressing the above problem, is described below in conjunction with Fig. 3.
As shown in Figure 3, the program network behavior recognition system 300 according to one aspect of the embodiment of the invention comprises a client 302 and a cloud server 304, wherein:
the client 302 obtains, during the process of a program accessing the network, the application layer data in the current network behavior of the program; judges whether the application layer data comprises an unknown protocol; if all protocols in the application layer data are known protocols, identifies the current network behavior of the program as the network behavior of an identifiable program; if the application layer data comprises an unknown protocol, identifies the current network behavior of the program as the network behavior of a suspicious program; and then sends the characteristic information of the network behavior of the identifiable program or of the suspicious program to the cloud server. Optionally, the client may be a mobile phone, a tablet computer, a personal computer or the like;
the cloud server 304 judges, according to the characteristic information, whether the network behavior of the identifiable program or the network behavior of the suspicious program is the network behavior of a malicious program, and returns the judgement result to the client.
In some embodiments, the cloud server 304 comprises a database for storing a black and white list library, and the cloud server judges, according to the black and white lists in the library, whether the network behavior of the identifiable program or the network behavior of the suspicious program is the network behavior of a malicious program.
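As an added example (not the patent's own code) covering both the device's second and third judge and processing modules above and the cloud server's black and white list judgement, the block below extracts characteristic information as a digest of one data segment, has a cloud server look it up, and returns the actions the client takes for identifiable and suspicious behavior. The list contents, the digest choice and the sample payloads are constructed assumptions.

```python
# Added example, not the patent's own code: cloud-side black/white list judgement
# and client-side handling of the result. Lists and payloads are constructed samples.
import hashlib

IDENTIFIABLE = "identifiable"
SUSPICIOUS = "suspicious"

def extract_feature(payload, offset=0, length=64):
    """Characteristic information: a digest of one data segment of the
    application-layer data (the digest, not the raw bytes, is sent to the cloud)."""
    return hashlib.sha256(payload[offset:offset + length]).hexdigest()

class CloudServer:
    """Holds the black and white list library and answers the client's query."""
    def __init__(self, blacklist=(), whitelist=()):
        self.blacklist = set(blacklist)
        self.whitelist = set(whitelist)

    def judge(self, feature):
        """Return 'malicious', 'trusted' or 'unknown' for a feature digest."""
        if feature in self.blacklist:
            return "malicious"
        if feature in self.whitelist:
            return "trusted"
        return "unknown"

def handle(label, feature, cloud):
    """Client-side processing modules: the actions taken for the cloud's verdict.
    Only a blacklist hit counts as the network behavior of a malicious program."""
    malicious = cloud.judge(feature) == "malicious"
    if label == IDENTIFIABLE:
        # identifiable program: prompt and intercept on a hit, otherwise normal
        return ("risk_prompt", "intercept") if malicious else ("normal",)
    if label == SUSPICIOUS:
        # suspicious program: an unknown protocol always earns a risk prompt
        return ("risk_prompt", "intercept") if malicious else ("risk_prompt",)
    raise ValueError(f"unexpected label {label!r}")

# Constructed samples (not real indicators)
BAD_PAYLOAD = b"\xde\xad\xbe\xefCUSTOM-PROTO v2\x00" + bytes(8)
GOOD_PAYLOAD = b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"
CLOUD = CloudServer(blacklist=[extract_feature(BAD_PAYLOAD)],
                    whitelist=[extract_feature(GOOD_PAYLOAD)])
```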
As shown in Figure 3, the program network behavior recognition system 300 according to another aspect of the embodiment of the invention comprises a client 302 and a cloud server 304, wherein:
the client 302 obtains, during the process of a program accessing the network, the packets in the current network behavior of the program, the packets comprising application layer data, and receives the recognition result returned by the cloud server 304;
the cloud server 304 receives the packets of the current network behavior of the program obtained by the client 302 and judges whether the application layer data comprises an unknown protocol; if all protocols in the application layer data are known protocols, it identifies the current network behavior of the program as the network behavior of an identifiable program; if the application layer data comprises an unknown protocol, it identifies the current network behavior of the program as the network behavior of a suspicious program; and it sends the recognition result to the client.
In some embodiments, the cloud server 304 may also obtain the characteristic information of the network behavior of the identifiable program or of the suspicious program, judge according to the characteristic information whether the network behavior of the identifiable program or the network behavior of the suspicious program is the network behavior of a malicious program, and return the judgement result to the client 304. The characteristic information comprises part of the code in the application layer data, a packet in the application layer data, or a segment of data in a packet in the application layer data.
In some embodiments, the client 302 may further comprise a memory (which may comprise one or more computer-readable storage media), a memory controller, one or more processing units (CPUs), a peripheral interface, an RF circuit, an audio circuit, a loudspeaker, a microphone, an input/output (I/O) subsystem, other input or control devices, and an external port. The client may comprise one or more optical sensors. These components may communicate over one or more communication buses or signal lines.
It should be appreciated that the client 302 is only one example of a portable multifunction device; the client may have more or fewer components than shown, may combine two or more components, or may have a different configuration or arrangement of components.
The memory may comprise high-speed random access memory and may also comprise non-volatile memory, for example one or more magnetic disk storage devices, flash memory devices or other non-volatile memory. Access to the memory by other components of the client, such as the CPU and the peripheral interface, may be controlled by the memory controller.
The peripheral interface couples the input and output peripherals of the client to the CPU and the memory. The one or more processors run or execute various software programs and/or instruction sets stored in the memory to perform various functions of the client and to process data.
In some embodiments, the peripheral interface, the CPU and the memory controller may be implemented on a single chip. In some other embodiments, they may be implemented on separate chips.
The RF (radio frequency) circuit receives and sends RF signals. The RF circuit converts electrical signals to electromagnetic signals and electromagnetic signals to electrical signals, and communicates with communication networks and other communication devices via the electromagnetic signals. The RF circuit may comprise well-known circuitry for performing these functions, including but not limited to an antenna system, an RF transceiver, one or more amplifiers, a tuner, one or more oscillators, a digital signal processor, a CODEC chipset, a Subscriber Identity Module (SIM) card, memory and so on.
The audio circuit, the loudspeaker and the microphone provide an audio interface between the user and the client. The audio circuit receives audio data from the peripheral interface, converts the audio data to an electrical signal, and sends the electrical signal to the loudspeaker. The loudspeaker converts the electrical signal to human-audible sound waves. The audio circuit also receives electrical signals converted by the microphone from sound waves. The audio circuit converts the electrical signal to audio data and sends the audio data to the peripheral interface for processing. Audio data may be retrieved from and/or sent to the memory and/or the RF circuit by the peripheral interface.
The I/O subsystem couples the I/O peripherals on the client to the peripheral interface. The I/O subsystem may comprise a display controller and one or more input controllers for the other input or control devices. The one or more input controllers receive and send electrical signals from and to the other input or control devices. The other input or control devices may comprise physical buttons, dials, slider switches, joysticks, click wheels and so on. In some alternative embodiments, the input controller may be coupled to any of the following: a keyboard, an infrared port, a USB port, and a pointing device such as a mouse.
The touch-sensitive touch screen provides an input interface and an output interface between the client and the user. The display controller receives and/or sends electrical signals from and to the touch screen. The touch screen displays visual output to the user. The visual output may comprise graphics, text, icons, video and any combination thereof (collectively termed "graphics").
The touch screen has a touch-sensitive surface, a sensor or a set of sensors that accepts input from the user based on haptic and/or tactile contact. The touch screen and the display controller detect contact on the touch screen and convert the detected contact into interaction with user interface objects displayed on the touch screen. In an exemplary embodiment, the point of contact between the touch screen and the user corresponds to a finger of the user. Other display technologies may be used in other embodiments.
The algorithms and displays provided herein are not inherently related to any particular computer, virtual system or other apparatus. Various general-purpose systems may also be used with the teachings herein. The structure required to construct such systems is apparent from the description above. In addition, the present invention is not directed to any particular programming language. It should be understood that various programming languages may be used to implement the content of the invention described herein, and that the above description of specific languages is given in order to disclose the best mode of the invention.
In the specification provided herein, numerous specific details are described. However, it will be understood that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail so as not to obscure the understanding of this description.
Similarly, it should be understood that, in order to streamline the disclosure and aid in understanding one or more of the various inventive aspects, in the above description of exemplary embodiments of the invention the various features of the invention are sometimes grouped together in a single embodiment, figure or description thereof. This method of disclosure, however, is not to be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art will appreciate that the modules in the device of an embodiment may be adaptively changed and arranged in one or more devices different from that embodiment. The modules, units or components of an embodiment may be combined into one module, unit or component, and may in addition be divided into a plurality of sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or apparatus so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose.
Furthermore, those skilled in the art will understand that although some embodiments described herein include some but not other features included in other embodiments, combinations of features of different embodiments are meant to be within the scope of the invention and to form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
The various component embodiments of the invention may be implemented in hardware, in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components in the program network behavior recognition system according to embodiments of the invention. The invention may also be embodied as a device or apparatus program (for example, a computer program and a computer program product) for performing part or all of the methods described herein. Such a program implementing the invention may be stored on a computer-readable medium, or may have the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above-described embodiments illustrate rather than limit the invention, and that those skilled in the art may design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several devices, several of these devices may be embodied by one and the same item of hardware. The use of the words first, second, third and so on does not indicate any order. These words may be interpreted as names.