CN112152970A - Method and apparatus for restricting malicious applications from using network, router and medium

Info

Publication number: CN112152970A
Authority: CN (China)
Prior art keywords: message, identifier, application, malicious application, malicious
Legal status: Pending
Application number: CN201910570854.6A
Other languages: Chinese (zh)
Inventors: 曹鸿健, 秦明闯, 柴坤哲
Current Assignee: Beijing Qihoo Technology Co Ltd
Original Assignee: Beijing Qihoo Technology Co Ltd
Application filed by Beijing Qihoo Technology Co Ltd
Priority to CN201910570854.6A
Publication of CN112152970A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/145 Countermeasures against malicious traffic, the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
    • H04L63/30 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Technology Law (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application provides a method and an apparatus for restricting malicious applications from using a network, a router and a medium, wherein the method comprises the following steps: receiving and temporarily storing a first message sent by a user terminal; extracting a first feature identifier of the first message; judging whether the first feature identifier is an identifier corresponding to a malicious application; if yes, blocking the forwarding of the first message, or blocking the forwarding of a first response message to the user terminal; wherein the first response message is a message sent by the server in response to the first message. By blocking the forwarding of the first message, or of the first response message corresponding to it, the malicious application is prevented from using network resources; that is, the malicious application's use of the network is controlled without cutting off the network access of the user terminal's normal applications.

Description

Method and apparatus for restricting malicious applications from using network, router and medium
Technical Field
The application relates to the technical field of network traffic monitoring and identification, in particular to a method and a device for limiting malicious applications from using a network; the application further relates to a router and a medium.
Background
The user population of mobile terminals is trending younger: more and more teenagers use mobile terminals to browse web content and play games. Lacking the judgment to tell applications apart, a teenager may install a malicious application on the mobile terminal; such malicious applications may steal the user's private information or account information of various kinds. At present, when the mobile terminal itself cannot be inspected, the parents of a teenager cannot monitor which applications are installed on it, and so cannot manage or control the applications installed on the mobile terminal.
Disclosure of Invention
The application provides a method and an apparatus for blocking a malicious application from using a network: the malicious application is identified from its messages, and it is restricted from using network resources by blocking the forwarding of those messages.
In one aspect, the present application provides a method for restricting malicious applications from using a network, including:
receiving and temporarily storing a first message sent by a user terminal;
extracting a first feature identifier of the first message;
judging whether the first feature identifier is an identifier corresponding to a malicious application;
if yes, blocking the forwarding of the first message, or blocking the forwarding of a first response message to the user terminal;
wherein: the first response message is a message sent by the server in response to the first message.
Optionally, the judging whether the first feature identifier is an identifier corresponding to a malicious application includes:
comparing the first feature identifier with application identifier information stored in a preset database to judge whether the first feature identifier is an identifier corresponding to a malicious application.
Optionally, the judging whether the first feature identifier is an identifier corresponding to a malicious application includes:
judging whether the traffic of historical messages received in a first time period and carrying the first feature identifier is larger than a preset traffic volume;
if yes, judging that the first feature identifier is an identifier corresponding to a malicious application;
wherein: the first time period is a time period that is earlier than, and immediately adjacent to, the time of receiving the first message.
Optionally, the judging whether the first feature identifier is an identifier corresponding to a malicious application includes:
searching for the corresponding application name according to the first feature identifier;
generating a control prompt message, and sending the control prompt message to a control terminal;
receiving a return message from the control terminal;
extracting a confirmation instruction from the return message, judging according to the confirmation instruction whether the application is a malicious application, and thereby judging whether the first feature identifier is an identifier corresponding to a malicious application;
wherein: the control prompt message comprises the application name.
Optionally, the method further includes:
receiving and temporarily storing a second message;
extracting a second feature identifier of the second message;
judging whether the second feature identifier is the same as the first feature identifier;
if yes, blocking the forwarding of the second message, or blocking the forwarding of a second response message to the user terminal;
wherein: the second message is a message generated by the user terminal under the triggering of the malicious application and received later than the first message; the second response message is a message sent by the server in response to the second message.
Optionally, the method further includes:
generating an alarm prompt message and sending the alarm prompt message to the user terminal;
wherein: the alarm prompt message includes information about the malicious application.
In another aspect, the present application provides an apparatus for restricting a malicious application from using a network, including:
a storage unit, configured to receive and temporarily store a first message sent by the user terminal;
a feature extraction unit, configured to extract a first feature identifier of the first message;
a judging unit, configured to judge whether the first feature identifier is an identifier corresponding to a malicious application;
a blocking unit, configured to block the forwarding of the first message and/or block the forwarding of a first response message when the judging unit judges that the first feature identifier is an identifier corresponding to a malicious application;
wherein: the first response message is a message sent by a server in response to the first message and/or the historical message; the historical message is a message generated by the user terminal under the triggering of the malicious application and received earlier than the first message.
Optionally, the judging unit compares the first feature identifier with application identifier information stored in a preset database to judge whether the first feature identifier is an identifier corresponding to a malicious application.
Optionally, the judging unit judging whether the first feature identifier is an identifier corresponding to a malicious application includes:
judging whether the traffic of historical messages received in a first time period and carrying the first feature identifier is larger than a preset traffic volume;
if yes, judging that the first feature identifier is an identifier corresponding to a malicious application;
wherein: the first time period is a time period that is earlier than, and immediately adjacent to, the time of receiving the first message.
Optionally, the judging unit judging whether the first feature identifier is an identifier corresponding to a malicious application includes:
searching for the corresponding application name according to the first feature identifier;
generating a control prompt message and sending the control prompt message to a control terminal;
receiving a return message from the control terminal;
extracting a confirmation instruction from the return message, judging according to the confirmation instruction whether the application is a malicious application, and thereby judging whether the first feature identifier is an identifier corresponding to a malicious application;
wherein: the control prompt message comprises the application name.
Optionally, the storage unit is further configured to receive and temporarily store a second message;
the feature extraction unit is further configured to extract a second feature identifier of the second message;
the judging unit is further configured to judge whether the second feature identifier is the same as the first feature identifier;
the blocking unit is further configured to block the forwarding of the second message, or block the forwarding of a second response message to the user terminal;
wherein: the second message is a message generated by the user terminal under the triggering of the malicious application and received later than the first message; the second response message is a message sent by the server in response to the second message.
Optionally, the apparatus further includes an alarm prompting unit, configured to generate an alarm prompt message and send the alarm prompt message to the user terminal;
wherein: the alarm prompt message includes information about the malicious application.
The application also provides a router, which comprises a memory and a processor;
the memory is configured to store a plurality of instructions;
the processor is configured to execute the instructions;
the instructions are adapted to be loaded by the processor and to perform the method of restricting malicious applications from using a network as described above.
The present application also provides a medium, which is a storage medium; the storage medium stores a plurality of instructions adapted to be loaded by a processor and to perform the method of restricting malicious applications from using a network as described above.
According to the method and the apparatus for restricting malicious applications from using a network, the first feature identifier is identified first; once it is determined to be an identifier corresponding to a malicious application, the first message is known to have been generated by the user terminal under the triggering of that malicious application. By blocking the forwarding of the first message, or of the first response message corresponding to it, the malicious application is prevented from using network resources; that is, the malicious application's use of the network is controlled without cutting off the network access of the user terminal's normal applications.
Drawings
FIG. 1 is a flowchart of a method for restricting malicious applications from using a network according to the first embodiment;
FIG. 2 is a flowchart of a method for restricting malicious applications from using a network according to the second embodiment;
FIG. 3 is a flowchart of a method for restricting malicious applications from using a network according to the third embodiment;
FIG. 4 is a schematic structural diagram of an apparatus for restricting malicious applications from using a network according to the fourth embodiment;
wherein: 11-storage unit, 12-feature extraction unit, 13-judgment unit and 14-blocking unit.
Detailed Description
The present application will be described in further detail with reference to the following drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the relevant invention and not restrictive of the invention. It should be noted that, for convenience of description, only the portions related to the related invention are shown in the drawings.
The application provides a method for restricting malicious applications from using a network: a message sent by a user terminal is analyzed to determine whether the application that triggered the user terminal to generate the message is a malicious application; if so, the malicious application is kept from using network resources by blocking the forwarding of the message.
Example one
Fig. 1 is a flowchart of a method for restricting a malicious application from using a network according to an embodiment. As shown in fig. 1, a method for restricting a malicious application from using a network according to an embodiment includes steps S101 to S105.
It should be noted that the device for performing the following steps in this embodiment is a router of a network, that is, a gateway device capable of implementing packet forwarding in the network. Of course, in other embodiments, the device performing the following steps may include both the router and other devices connected to the router for implementing message analysis.
S101: receiving and temporarily storing a first message sent by a user terminal.
When the user terminal is in use and an application on it needs network resources, the application calls a processing module that implements the underlying communication protocol, and this module sends the first message to the router that connects the terminal to the Internet. After receiving the first message, the router temporarily stores it and decides how to process it according to the outcome of the subsequent steps.
S102: and extracting a first feature identifier of the first message.
After temporarily storing the first message, the router inspects the first message and extracts its first feature identifier. It should be noted that the term "first feature identifier" only indicates that the identifier is associated with the first message; it does not imply that the first message carries further identifiers. In addition, the first feature identifier need not be a single value but may consist of several items.
The first feature identifier may be extracted in one or more, preferably all, of the following ways: (1) parsing the IP header of the first message to determine the source IP address and the destination IP address; (2) parsing the transport-layer header of the first message to determine the source port number and the destination port number; (3) parsing the transport-layer body of the first message to determine other identification information that characterizes the message. Correspondingly, the first feature identifier may include: source IP address, destination IP address, source port number, destination port number, and other identification.
In a specific application, when (1) and (2) are executed, the first message is parsed according to the rules of the corresponding protocol to obtain the respective identifiers. When (3) is executed, there are several options: [1] if the application-layer protocol used by the transport-layer body can be determined and that protocol does not encrypt the transmitted content, the body can be parsed and identified using that application-layer protocol; [2] if the application-layer protocol cannot be determined, or the protocol encrypts the transmitted content, the body as a whole can be subjected to feature recognition using a feature recognition algorithm.
The feature recognition algorithm mentioned above may be obtained by training a deep learning model on a sufficiently large number of sample messages; the model may be a neural network or another type of data model. In practice, since training the algorithm needs enough data samples and consumes a large amount of resources, it can be trained on a dedicated device (such as a server) and then distributed to the router.
S103: judging whether the first feature identifier is an identifier corresponding to a malicious application; if not, executing S104; if yes, executing S105.
S104: and forwarding the first message.
S105: and blocking the forwarding of the first message.
In the embodiment of the application, the process of judging whether the first feature identifier is the identifier corresponding to the malicious application is realized by comparing the first feature identifier with the identifier information in the preset database.
The preset database stores name identification information for various applications together with an indication of whether each application is malicious. For example, the preset database may store the following entries: {application 1, malicious application}, {application 2, benign application}.
If the first feature identifier is "application 1", it is an identifier corresponding to a malicious application; correspondingly, the application that triggered the user terminal to send the first message is also malicious. To prevent the malicious application from acquiring network resources, or from sending confidential information of the user terminal to other devices through the first message, S105 is executed to block the forwarding of the first message. If the first feature identifier is "application 2", it is an identifier corresponding to a benign application; correspondingly, the application that triggered the user terminal to send the first message is benign, and S104 may be executed to forward the first message.
It should be noted that the preset database is built by processing and identifying a large number of messages; the application corresponding to each message used to train the database is known, and whether that application is malicious has been labelled in advance.
As can be seen from the foregoing, in the method provided by this embodiment the first feature identifier is identified first; once it is determined to be an identifier corresponding to a malicious application, the first message is known to have been generated by the user terminal under the triggering of that malicious application. By blocking the forwarding of the first message, the malicious application is prevented from sending privacy information obtained from the user terminal to a remote server through that message, so the loss of user information is avoided.
In this embodiment, whether a feature identifier is an identifier of a malicious application is determined through the preset database, in which applications are labelled as malicious or not. Of course, the determination is not limited to this method; in other embodiments it may be made in other ways.
This embodiment considers the case where a malicious application uses the first message to send the user terminal's private information to its server. In other embodiments, the malicious application may instead be one that requests a large amount of resources from a server (for example, an application that downloads illegal videos); correspondingly, blocking the forwarding of the first message in S105 may be replaced by blocking the forwarding of the first response message to the user terminal, where the first response message is the message sent by the server in response to the first message. That is, even if the first message has already been forwarded to the server, blocking the forwarding of the first response message prevents the user terminal from acquiring the corresponding illegal resources, so the malicious application is restricted from acquiring network resources.
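The following is an added example, not code from the patent or from Beijing Qihoo Technology: it implements the extraction ways (1) to (3) of S102 on a raw IPv4 message and the preset-database comparison of S103 to S105. Everything not stated in the text is an assumption: the database is keyed on either the cleartext HTTP Host header (option [1] of way (3)) or the destination IP and port, TLS bodies are merely tagged as encrypted (the text leaves them to a trained feature-recognition model, which is not shown), unknown identifiers are forwarded, and the sample messages and database entries are constructed.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

# Added illustration of S102 (feature extraction) and S103-S105 (preset-database lookup,
# forward or block). Not the patent's code; database layout and decision key are assumptions.


@dataclass(frozen=True)
class FeatureId:
    """The 'first feature identifier': address/port fields plus any payload-level identifier."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    other: Optional[str]  # e.g. "http-host:<name>" when the body is cleartext HTTP


HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ")


def payload_identifier(payload: bytes) -> Optional[str]:
    """Way (3): identify the transport-layer body. Cleartext HTTP yields the Host header
    (option [1]); TLS is only tagged, since its content is encrypted (option [2] applies)."""
    if payload.startswith(HTTP_METHODS):
        for line in payload.split(b"\r\n")[1:]:
            if not line:  # blank line ends the header block
                break
            name, _, value = line.partition(b":")
            if name.strip().lower() == b"host":
                return "http-host:" + value.strip().decode("ascii", "replace").lower()
        return "http"
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return "tls"
    return None


def extract_feature_id(packet: bytes) -> FeatureId:
    """Ways (1) and (2): IPv4 header -> addresses, TCP/UDP header -> port numbers."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("only IPv4 is handled in this example")
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    src_ip = str(ipaddress.IPv4Address(packet[12:16]))
    dst_ip = str(ipaddress.IPv4Address(packet[16:20]))
    transport = packet[ihl:]
    if proto == 6 and len(transport) >= 20:     # TCP: data offset in upper nibble of byte 12
        hdr_len = (transport[12] >> 4) * 4
    elif proto == 17 and len(transport) >= 8:   # UDP: fixed 8-byte header
        hdr_len = 8
    else:
        raise ValueError("unsupported or truncated transport header")
    src_port, dst_port = struct.unpack("!HH", transport[:4])
    return FeatureId(src_ip, dst_ip, src_port, dst_port, payload_identifier(transport[hdr_len:]))


# Constructed stand-in for the preset database: {application name, malicious?} entries keyed
# on a payload identifier or on (destination IP, destination port).
PRESET_DB = {
    "http-host:tracker.example.com": ("application 1", True),
    "http-host:news.example.com": ("application 2", False),
    ("203.0.113.9", 8443): ("application 3", True),
}


def lookup(fid: FeatureId) -> Optional[Tuple[str, bool]]:
    return PRESET_DB.get(fid.other) or PRESET_DB.get((fid.dst_ip, fid.dst_port))


def decide(packet: bytes) -> str:
    """S103: 'block' (S105) when the identifier maps to a malicious application, else 'forward' (S104)."""
    entry = lookup(extract_feature_id(packet))
    return "block" if entry is not None and entry[1] else "forward"


def build_ipv4_tcp(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed sample traffic: minimal IPv4 + TCP headers (checksums left zero) around a body."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                         ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return ip_hdr + tcp_hdr + payload


MALICIOUS_MSG = build_ipv4_tcp("192.168.1.20", "198.51.100.7", 51000, 80,
                               b"POST /upload HTTP/1.1\r\nHost: tracker.example.com\r\n\r\ncontacts=...")
BENIGN_MSG = build_ipv4_tcp("192.168.1.20", "198.51.100.8", 51001, 80,
                            b"GET /index.html HTTP/1.1\r\nHost: news.example.com\r\n\r\n")
TLS_MSG = build_ipv4_tcp("192.168.1.20", "203.0.113.9", 51002, 8443, b"\x16\x03\x01\x00\x05hello")

if __name__ == "__main__":
    for msg in (MALICIOUS_MSG, BENIGN_MSG, TLS_MSG):
        print(extract_feature_id(msg), "->", decide(msg))
```

Keying the database on the Host header shows why option [2] matters: the same destination IP and port can serve many applications behind a shared front end, so once the body is encrypted the 5-tuple alone is a weak identifier and misclassification in either direction becomes likely.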
Example two
Fig. 2 is a flowchart of a method for restricting malicious applications from using a network according to the second embodiment. As shown in fig. 2, in the second embodiment, the foregoing method includes steps S201 to S205.
As in the first embodiment, the device that performs the following steps may be a router, or a router together with other devices for extracting and processing the message.
S201: receiving and temporarily storing a first message sent by a user terminal.
When an application on the user terminal needs network resources, it calls a processing module that implements the underlying communication protocol, and this module sends the first message to the router that connects the terminal to the Internet. After receiving the first message, the router temporarily stores it and decides how to process it according to the outcome of the subsequent steps.
S202: and extracting a first feature identifier of the first message.
After temporarily storing the first message, the router inspects the first message and extracts its first feature identifier. It should be noted that the term "first feature identifier" only indicates that the identifier is associated with the first message; it does not imply that the first message carries further identifiers. In addition, the first feature identifier need not be a single value but may consist of several items. The first feature identifier may be extracted in one or more, preferably all, of the following ways: (1) parsing the IP header of the first message to determine the source IP address and the destination IP address; (2) parsing the transport-layer header of the first message to determine the source port number and the destination port number; (3) parsing the transport-layer body of the first message to determine other identification information that characterizes the message. Correspondingly, the first feature identifier may include: source IP address, destination IP address, source port number, destination port number, and other identification.
S203: judging whether the traffic of historical messages received in a first time period and carrying the first feature identifier is larger than a preset traffic volume; if not, executing S204; if yes, executing S205.
S204: and forwarding the first message.
S205: and blocking the forwarding of the first message.
In practice, some malicious programs generate a large number of junk messages in a short time, which causes network congestion and other problems as the messages are forwarded to a number of specific destination addresses. Moreover, it may not be known in advance what kind of application such a malicious application is, so it cannot be recorded in the preset database beforehand. However, the messages sent by such an application over consecutive time periods carry the same first feature identifier, so whether the application is malicious can be determined from traffic statistics over the historical messages, received within a time period, whose feature identifier equals the first feature identifier.
In this embodiment, the first time period is a time period that is earlier than, and immediately adjacent to, the time at which the first message is received. If the traffic of historical messages received in the first time period and carrying the first feature identifier is larger than the preset traffic volume, the application that triggered the user terminal to send the first message is judged to be malicious; to avoid the network congestion caused by its messages, the forwarding of the first message is blocked directly.
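An added example of the S203 decision, not code from the patent: a per-identifier sliding window whose right edge is the arrival time of the current message, so that only messages received before it (the "first time period") count toward the preset traffic volume. The window length, the threshold, the use of source IP and source port as the shared identifier, and the simulated traffic are all constructed assumptions.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, Hashable, List, Tuple

# Added illustration of S203-S205 (second embodiment): traffic statistics over a time period
# ending when the current message arrives. Not the patent's code; window, threshold and key
# are assumptions.


class TrafficWindowJudge:
    def __init__(self, window_seconds: float, preset_traffic_bytes: int) -> None:
        self.window = window_seconds
        self.threshold = preset_traffic_bytes
        # per feature identifier: (arrival time, size) of messages already received
        self._history: Dict[Hashable, Deque[Tuple[float, int]]] = defaultdict(deque)

    def historical_traffic(self, fid: Hashable, now: float) -> int:
        """Bytes received with this identifier in [now - window, now), i.e. before the current message."""
        hist = self._history[fid]
        while hist and hist[0][0] < now - self.window:  # expire entries outside the first time period
            hist.popleft()
        return sum(size for _, size in hist)

    def judge(self, fid: Hashable, now: float, size: int) -> str:
        """S203: 'block' (S205) when historical traffic exceeds the preset volume, else 'forward' (S204).
        The current message is recorded afterwards so that it counts as history for the next one;
        blocked messages are still counted, because they were received."""
        verdict = "block" if self.historical_traffic(fid, now) > self.threshold else "forward"
        self._history[fid].append((now, size))
        return verdict


def simulate_burst() -> List[str]:
    """Constructed scenario: one identifier sends 600-byte messages every 10 ms, another sends a
    single message; 5 s window and a 4000-byte preset traffic volume (assumed values)."""
    judge = TrafficWindowJudge(window_seconds=5.0, preset_traffic_bytes=4000)
    spam_id = ("192.168.1.20", 49152)   # (source IP, source port) as the shared identifier (assumption)
    quiet_id = ("192.168.1.21", 49200)
    verdicts = []
    for i in range(10):
        verdicts.append(judge.judge(spam_id, now=i * 0.01, size=600))
    verdicts.append(judge.judge(quiet_id, now=0.05, size=600))
    # once the burst has aged out of the window, the same identifier is forwarded again
    verdicts.append(judge.judge(spam_id, now=20.0, size=600))
    return verdicts


if __name__ == "__main__":
    print(simulate_burst())
```

Because the verdict is recomputed per message, the judge lets traffic resume when the window empties; a deployment that wants the blocked state to persist would combine this with the stored-identifier behaviour of the third embodiment.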
Example three
Fig. 3 is a flowchart of a method for restricting malicious applications from using a network according to a third embodiment. As shown in fig. 3, the method comprises steps S301-S308.
S301: receiving and temporarily storing a first message sent by a user terminal.
S302: and extracting a first feature identifier of the first message.
In this embodiment, the possible implementations of S301 and S302 are similar to those of the first embodiment and are not repeated here; for details refer to the first embodiment.
S303: and searching the corresponding application name according to the first characteristic identifier.
In this embodiment, after the first feature identifier is determined, the application name corresponding to it is found by searching a preset database. The preset database is built by processing and identifying a large number of messages, and the application corresponding to each message used to train the database is known. The preset database contains entries such as the following: {name 1, feature identifier 1} … {name N, feature identifier N}.
If the first feature identifier is feature identifier 1, the name of the application is determined to be name 1.
S304: and generating a control prompt message and sending the control prompt message to the control terminal.
After determining the application name corresponding to the first feature identifier, the router knows that the application that triggered the user terminal to send the first message is the application of that name; that is, the type of the application is determined.
The router then generates a control prompt message and sends it to the control terminal, where the control prompt message comprises the application name. After receiving the control prompt message, the control terminal parses it and displays the application name, prompting the controlling person to enter a confirmation instruction. After receiving the confirmation instruction, the control terminal generates a return message and returns it to the router; the confirmation instruction states whether the application with that name is a malicious application.
S305: and receiving a return message of the control terminal.
S306: extracting the confirmation instruction from the return message, and judging according to the confirmation instruction whether the application is a malicious application; if not, executing S307; if yes, executing S308.
S307: and forwarding the first message.
S308: and blocking the forwarding of the first message.
After receiving the return message from the control terminal, the router parses it to obtain the confirmation instruction and determines from it whether the application with the given name is a malicious application. If it is, the forwarding of the first message is blocked; if it is not, the first message is forwarded.
According to the method for restricting malicious applications from using a network provided by the third embodiment, once the name of the application that triggered the first message has been determined through the first feature identifier, the name is sent to the control terminal; the controlling person at the control terminal decides whether the application is malicious, and the first message is processed according to that decision, so that the malicious application's use of the network is controlled and blocked.
Further, on the basis of the method provided by the third embodiment, the method for blocking a malicious application from using the network provided by other embodiments may further include steps S309 to S313.
S309: receiving and temporarily storing a second message.
The second message is a message generated by the user terminal under the triggering of the malicious application, and the time at which the router receives the second message is later than the time at which it receives the first message.
S310: extracting a second feature identifier of the second message.
S311: judging whether the second feature identifier is the same as the first feature identifier; if yes, executing S312; if not, executing S313.
S312: blocking the forwarding of the second message.
S313: forwarding the second message.
In practical applications, a malicious application installed in a user terminal may not send only a first message (that is, send only one message), but may keep sending messages intermittently after the first message. In this embodiment, after determining that the first message was generated by the user terminal under the triggering of the malicious application, the router may determine that the first feature identifier is an identifier representing the malicious application; at this point, the router stores the first feature identifier.
Subsequently, after the second message is received and feature analysis of the second message determines that its second feature identifier is the same as the first feature identifier, it can be determined that the second message was also generated by the user terminal under the triggering of the malicious application, so the forwarding of the second message is blocked.
By processing the second message in this way, the resource and time consumption of sending the feature identifier corresponding to the second message to the control terminal is avoided, and the user of the user terminal is not disturbed again. Of course, in some cases, if the control terminal needs to know the running-time characteristics of the malicious application, the router may still generate a control prompt message after extracting the second feature identifier, the control prompt message carrying the application information corresponding to the second message, so that the control terminal determines whether to block the forwarding of the second message.
In the methods for blocking a malicious application from using the network provided in the foregoing three embodiments, after determining that the first message or the second message corresponds to a malicious application, the method may further include generating an alarm prompt message and sending it to the user terminal, where the alarm prompt message includes information of the malicious application. After receiving the alarm prompt message, the user terminal extracts and outputs the information of the malicious application in the alarm prompt message so as to prompt the user of the user terminal to remove the malicious application installed on it.
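As an added illustration (not the applicant's code), the following Python models the router-side flow of the embodiments above together with the second-message shortcut and the alarm prompt; it goes beyond the text by chaining the preset-database lookup (A2), the flow threshold over the first time period (A3) and the control-terminal confirmation (A4) in one filter. The feature identifier derivation, the message model, the ControlTerminal policy table and all addresses and thresholds are assumptions.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Callable, Deque, Dict, List, Set, Tuple

# Assumption: a feature identifier is (server address, server port, first 8 payload bytes).
FeatureId = Tuple[str, int, bytes]


@dataclass(frozen=True)
class Message:
    """Constructed model of a message as the router sees it (not a real packet format)."""
    src: str             # user terminal address
    dst: str             # server address
    dport: int           # server port
    payload_head: bytes  # leading payload bytes, enough to derive the feature identifier
    length: int          # on-wire length in bytes, counted towards the flow threshold
    ts: float            # router receive time in seconds; messages arrive in ts order


def extract_feature_id(msg: Message) -> FeatureId:
    return (msg.dst, msg.dport, msg.payload_head[:8])


@dataclass
class ControlTerminal:
    """Stand-in for the control terminal: receives the control prompt message (the
    application name) and answers with a confirmation instruction from a constructed policy."""
    policy: Dict[str, bool]                           # application name -> malicious?
    prompts: List[str] = field(default_factory=list)  # every control prompt received

    def confirm(self, app_name: str) -> bool:
        self.prompts.append(app_name)
        return self.policy.get(app_name, False)


@dataclass
class RouterFilter:
    """Router-side filter chaining the judging approaches A2, A3 and A4, the second-message
    shortcut S309-S313 and the alarm prompt A6."""
    preset_db: Set[FeatureId]                 # A2: identifiers of known malicious applications
    app_names: Dict[FeatureId, str]           # A4: identifier -> application name
    confirm: Callable[[str], bool]            # A4: round trip to the control terminal
    window: float = 60.0                      # A3: length of the "first time period", seconds
    preset_flow: int = 100_000                # A3: preset flow threshold, bytes
    history: Deque[Tuple[float, FeatureId, int]] = field(default_factory=deque)
    blocked_ids: Set[FeatureId] = field(default_factory=set)  # identifiers judged malicious
    alerts: List[str] = field(default_factory=list)           # alarm prompt messages sent

    def _flow_in_window(self, fid: FeatureId, now: float) -> int:
        """Bytes of stored messages carrying fid that were received in [now - window, now)."""
        while self.history and self.history[0][0] < now - self.window:
            self.history.popleft()  # too old for this and every later window
        return sum(n for t, f, n in self.history if f == fid and t < now)

    def judge(self, fid: FeatureId, now: float) -> bool:
        if fid in self.preset_db:                               # A2: preset database
            return True
        if self._flow_in_window(fid, now) > self.preset_flow:   # A3: flow threshold
            return True
        name = self.app_names.get(fid)                          # A4: control terminal
        return self.confirm(name) if name is not None else False  # no name: treated as benign

    def handle(self, msg: Message) -> str:
        fid = extract_feature_id(msg)
        if fid in self.blocked_ids:  # S311/S312: same identifier as an earlier malicious message
            return "block"
        malicious = self.judge(fid, msg.ts)
        self.history.append((msg.ts, fid, msg.length))  # kept for later window checks
        if malicious:
            self.blocked_ids.add(fid)                    # later messages skip the judging
            self.alerts.append(f"alarm prompt to {msg.src}: {self.app_names.get(fid, fid)}")
            return "block"
        return "forward"


def demo() -> Dict[str, object]:
    """Constructed traffic run through the filter; returns verdicts and side effects."""
    known_bad: FeatureId = ("203.0.113.10", 443, b"EVILBEAC")  # in the preset database
    chatty: FeatureId = ("192.0.2.7", 9000, b"PING....")       # will trip the flow threshold
    updater: FeatureId = ("198.51.100.5", 8080, b"GET /upd")   # flagged by control personnel
    terminal = ControlTerminal(policy={"updater": True, "chatty": False})
    router = RouterFilter(preset_db={known_bad}, confirm=terminal.confirm,
                          app_names={chatty: "chatty", updater: "updater"})
    traffic = [
        Message("10.0.0.2", *known_bad, 200, 0.0),
        Message("10.0.0.3", *chatty, 60_000, 1.0),
        Message("10.0.0.3", *chatty, 60_000, 11.0),
        Message("10.0.0.4", *updater, 300, 15.0),
        Message("10.0.0.3", *chatty, 60_000, 21.0),  # 120 000 bytes in the window: blocked
        Message("10.0.0.3", *chatty, 60_000, 25.0),  # identifier cached: blocked, no prompt
    ]
    verdicts = [router.handle(m) for m in traffic]
    return {"verdicts": verdicts, "prompts": terminal.prompts, "alerts": len(router.alerts)}
```

The sixth message shows the S309-S313 shortcut: the control terminal is not prompted again once the identifier has been judged malicious.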
In addition to providing the aforementioned method for blocking a malicious application from using a network, some embodiments of the present application also provide an apparatus for blocking a malicious application from using a network.
Embodiment four
Fig. 4 is a schematic structural diagram of an apparatus for blocking a malicious application from using a network according to a fourth embodiment. As shown in Fig. 4, in one embodiment, the apparatus for blocking a malicious application from using a network includes a storage unit 11, a feature extraction unit 12, a judging unit 13 and a blocking unit 14.
The storage unit 11 is configured to receive and temporarily store a first message sent by a user terminal; the feature extraction unit 12 is configured to extract a first feature identifier of the first message; the judging unit 13 is configured to judge whether the first feature identifier is an identifier representing a malicious application; the blocking unit 14 is configured to block the forwarding of the first message and/or block the forwarding of a first response message if the judging unit 13 judges that the first feature identifier is an identifier representing a malicious application. The first response message is a message sent by the server in response to the first message and/or a historical message; the historical message is a message generated by the user terminal under the triggering of the malicious application and earlier than the first message.
On the basis of the foregoing embodiment, in another embodiment an apparatus is provided wherein the judging unit 13 compares the first feature identifier with application identifier information stored in a preset database to judge whether the first feature identifier is an identifier corresponding to a malicious application.
In another embodiment, the judging unit 13 judging whether the first feature identifier is an identifier representing a malicious application includes: judging whether the flow of historical messages received in a first time period and carrying the first feature identifier is larger than a preset flow;
if so, judging that the first feature identifier is an identifier representing a malicious application;
wherein: the first time period is a time period earlier than and immediately adjoining the time of receiving the first message.
In another embodiment, the judging unit 13 judging whether the first feature identifier is an identifier corresponding to a malicious application includes: searching for the name of the corresponding application according to the first feature identifier; generating a control prompt message and sending it to a control terminal; receiving a return message of the control terminal; extracting a confirmation instruction from the return message, judging according to the confirmation instruction whether the application is a malicious application, and thereby judging whether the first feature identifier is an identifier corresponding to a malicious application; wherein: the control prompt message comprises the application name.
Based on the embodiment provided in the previous paragraph, the storage unit 11 is further configured to receive and temporarily store a second message; the feature extraction unit 12 is further configured to extract a second feature identifier of the second message; the judging unit 13 is further configured to judge whether the second feature identifier is the same as the first feature identifier; the blocking unit 14 is further configured to block the forwarding of the second message, or block the forwarding of a second response message to the user terminal; wherein: the second message is a message generated by the user terminal under the triggering of the malicious application and later than the first message; the second response message is a message sent by the server in response to the second message.
In some other embodiments, the apparatus for blocking a malicious application from using a network may further include an alarm prompting unit. The alarm prompting unit is configured to generate an alarm prompt message and send it to the user terminal; wherein: the alarm prompt message includes information of the malicious application.
An embodiment of the present application also provides a storage medium, wherein the storage medium stores a plurality of instructions, and the instructions are adapted to be loaded by a processor to execute the method for restricting a malicious application from using a network.
In addition, an embodiment of the present application further provides a router, which includes a memory and a processor; the memory is configured to store a plurality of instructions, and the processor is configured to execute the instructions, which are adapted to be loaded by the processor to execute the method for restricting a malicious application from using a network.
A1. A method for restricting a malicious application from using a network, comprising:
receiving and temporarily storing a first message sent by a user terminal;
extracting a first feature identifier of the first message;
judging whether the first feature identifier is an identifier corresponding to a malicious application;
if yes, blocking the forwarding of the first message, or blocking the forwarding of a first response message to the user terminal;
wherein: the first response message is a message sent by the server in response to the first message.
A2. The method for restricting a malicious application from using a network according to A1, wherein judging whether the first feature identifier is an identifier representing a malicious application includes:
comparing the first feature identifier with application identifier information stored in a preset database to judge whether the first feature identifier is an identifier corresponding to a malicious application.
A3. The method for restricting a malicious application from using a network according to A1, wherein judging whether the first feature identifier is an identifier representing a malicious application includes:
judging whether the flow of historical messages received in a first time period and whose feature identifier is the first feature identifier is larger than a preset flow;
if yes, judging that the first feature identifier is an identifier representing a malicious application;
wherein: the first time period is a time period earlier than and immediately adjoining the time of receiving the first message.
A4. The method for restricting a malicious application from using a network according to A1, wherein judging whether the first feature identifier is an identifier corresponding to a malicious application includes:
searching for a corresponding application name according to the first feature identifier;
generating a control prompt message, and sending the control prompt message to a control terminal;
receiving a return message of the control terminal;
extracting a confirmation instruction from the return message, judging according to the confirmation instruction whether the application is a malicious application, and thereby judging whether the first feature identifier is an identifier corresponding to a malicious application;
wherein: the control prompt message comprises the application name.
A5. The method for restricting a malicious application from using a network according to A4, further comprising:
receiving and temporarily storing a second message;
extracting a second feature identifier of the second message;
judging whether the second feature identifier is the same as the first feature identifier;
if yes, blocking the forwarding of the second message, or blocking the forwarding of a second response message to the user terminal;
wherein: the second message is a message generated by the user terminal under the triggering of the malicious application and later than the first message; the second response message is a message sent by the server in response to the second message.
A6. The method for restricting a malicious application from using a network according to any one of A1 to A5, further comprising:
generating an alarm prompt message and sending the alarm prompt message to the user terminal;
wherein: the alarm prompt message includes information of the malicious application.
A7. An apparatus for blocking a malicious application from using a network, comprising:
a storage unit, configured to receive and temporarily store a first message sent by a user terminal;
a feature extraction unit, configured to extract a first feature identifier of the first message;
a judging unit, configured to judge whether the first feature identifier is an identifier representing a malicious application;
a blocking unit, configured to block the forwarding of the first message and/or block the forwarding of a first response message when the judging unit judges that the first feature identifier is an identifier representing a malicious application;
wherein: the first response message is a message sent by a server in response to the first message and/or a historical message; the historical message is a message generated by the user terminal under the triggering of the malicious application and earlier than the first message.
A8. The apparatus for blocking a malicious application from using a network according to A7, wherein the judging unit compares the first feature identifier with application identifier information stored in a preset database to judge whether the first feature identifier is an identifier corresponding to a malicious application.
A9. The apparatus for blocking a malicious application from using a network according to A7, wherein the judging unit judging whether the first feature identifier is an identifier representing a malicious application includes:
judging whether the flow of historical messages received in a first time period and carrying the first feature identifier is larger than a preset flow;
if yes, judging that the first feature identifier is an identifier representing a malicious application;
wherein: the first time period is a time period earlier than and immediately adjoining the time of receiving the first message.
A10. The apparatus for blocking a malicious application from using a network according to A7, wherein the judging unit judging whether the first feature identifier is an identifier corresponding to a malicious application includes:
searching for the name of the corresponding application according to the first feature identifier;
generating a control prompt message and sending the control prompt message to a control terminal;
receiving a return message of the control terminal;
extracting a confirmation instruction from the return message, judging according to the confirmation instruction whether the application is a malicious application, and thereby judging whether the first feature identifier is an identifier corresponding to a malicious application;
wherein: the control prompt message comprises the application name.
A11. The apparatus for blocking a malicious application from using a network according to A10, wherein the storage unit is further configured to receive and temporarily store a second message;
the feature extraction unit is further configured to extract a second feature identifier of the second message;
the judging unit is further configured to judge whether the second feature identifier is the same as the first feature identifier;
the blocking unit is further configured to block the forwarding of the second message, or block the forwarding of a second response message to the user terminal;
wherein: the second message is a message generated by the user terminal under the triggering of the malicious application and later than the first message; the second response message is a message sent by the server in response to the second message.
A12. The apparatus for blocking a malicious application from using a network according to any one of A7 to A11, further comprising:
an alarm prompting unit, configured to generate an alarm prompt message and send the alarm prompt message to the user terminal;
wherein: the alarm prompt message includes information of the malicious application.
In the foregoing embodiments, the descriptions of the respective embodiments have respective emphasis, and for parts that are not described in detail in a certain embodiment, reference may be made to related descriptions of other embodiments.
It can be clearly understood by those skilled in the art that, for convenience and brevity of description, for the specific working process of the apparatus for blocking a malicious application from using a network described above, reference may be made to the corresponding process in the foregoing method embodiments, which is not repeated here.
It should be noted that the algorithms and displays provided in the embodiments are not inherently related to any particular computer, virtual machine, or other apparatus. Various general purpose systems may also be used with the teachings herein. The required structure for constructing such a system will be apparent from the description above. Moreover, the present invention is not directed to any particular programming language. It is appreciated that a variety of programming languages may be used to implement the teachings of the present invention as described herein, and any descriptions of specific languages are provided above to disclose the best mode of the invention.
In the description provided herein, numerous specific details are set forth. It is understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail in order not to obscure an understanding of this description.
Similarly, it should be appreciated that in the foregoing description of exemplary embodiments of the invention, various features of the invention are sometimes grouped together in a single embodiment, figure, or description thereof for the purpose of streamlining the disclosure and aiding in the understanding of one or more of the various inventive aspects. However, the disclosed method should not be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of this invention.
Those skilled in the art will appreciate that the modules in the device in an embodiment may be adaptively changed and disposed in one or more devices different from the embodiment. The modules or units or components of the embodiments may be combined into one module or unit or component, and furthermore they may be divided into a plurality of sub-modules or sub-units or sub-components. All of the features disclosed in this specification (including any accompanying claims, abstract and drawings), and all of the processes or elements of any method or apparatus so disclosed, may be combined in any combination, except combinations where at least some of such features and/or processes or elements are mutually exclusive. Each feature disclosed in this specification (including any accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise.
Furthermore, those skilled in the art will appreciate that while some embodiments described herein include some features included in other embodiments, rather than other features, combinations of features of different embodiments are meant to be within the scope of the invention and form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.

Claims (10)

1. A method for restricting a malicious application from using a network, comprising:
receiving and temporarily storing a first message sent by a user terminal;
extracting a first feature identifier of the first message;
judging whether the first feature identifier is an identifier corresponding to a malicious application;
if yes, blocking the forwarding of the first message, or blocking the forwarding of a first response message to the user terminal;
wherein: the first response message is a message sent by the server in response to the first message.
2. The method for restricting a malicious application from using a network according to claim 1, wherein judging whether the first feature identifier is an identifier representing a malicious application includes:
comparing the first feature identifier with application identifier information stored in a preset database to judge whether the first feature identifier is an identifier corresponding to a malicious application.
3. The method for restricting a malicious application from using a network according to claim 1, wherein judging whether the first feature identifier is an identifier representing a malicious application includes:
judging whether the flow of historical messages received in a first time period and whose feature identifier is the first feature identifier is larger than a preset flow;
if yes, judging that the first feature identifier is an identifier representing a malicious application;
wherein: the first time period is a time period earlier than and immediately adjoining the time of receiving the first message.
4. The method for restricting a malicious application from using a network according to claim 1, wherein judging whether the first feature identifier is an identifier corresponding to a malicious application includes:
searching for a corresponding application name according to the first feature identifier;
generating a control prompt message, and sending the control prompt message to a control terminal;
receiving a return message of the control terminal;
extracting a confirmation instruction from the return message, judging according to the confirmation instruction whether the application is a malicious application, and thereby judging whether the first feature identifier is an identifier corresponding to a malicious application;
wherein: the control prompt message comprises the application name.
5. The method for restricting a malicious application from using a network according to claim 4, further comprising:
receiving and temporarily storing a second message;
extracting a second feature identifier of the second message;
judging whether the second feature identifier is the same as the first feature identifier;
if yes, blocking the forwarding of the second message, or blocking the forwarding of a second response message to the user terminal;
wherein: the second message is a message generated by the user terminal under the triggering of the malicious application and later than the first message; the second response message is a message sent by the server in response to the second message.
6. The method for restricting a malicious application from using a network according to any one of claims 1 to 5, further comprising:
generating an alarm prompt message and sending the alarm prompt message to the user terminal;
wherein: the alarm prompt message includes information of the malicious application.
7. An apparatus for blocking a malicious application from using a network, comprising:
a storage unit, configured to receive and temporarily store a first message sent by a user terminal;
a feature extraction unit, configured to extract a first feature identifier of the first message;
a judging unit, configured to judge whether the first feature identifier is an identifier representing a malicious application;
a blocking unit, configured to block the forwarding of the first message and/or block the forwarding of a first response message when the judging unit judges that the first feature identifier is an identifier representing a malicious application;
wherein: the first response message is a message sent by a server in response to the first message and/or a historical message; the historical message is a message generated by the user terminal under the triggering of the malicious application and earlier than the first message.
8. The apparatus for blocking a malicious application from using a network according to claim 7, wherein:
the judging unit compares the first feature identifier with application identifier information stored in a preset database to judge whether the first feature identifier is an identifier corresponding to a malicious application.
9. A router, comprising a memory and a processor;
the memory is configured to store a plurality of instructions;
the processor is configured to execute the instructions;
the instructions are adapted to be loaded by the processor to perform the method for restricting a malicious application from using a network according to any one of claims 1 to 6.
10. A storage medium, wherein the storage medium stores a plurality of instructions adapted to be loaded by a processor to perform the method for restricting a malicious application from using a network according to any one of claims 1 to 6.
Application CN201910570854.6A, priority date 2019-06-28, filing date 2019-06-28: Method and apparatus for restricting malicious applications from using network, router and medium. Status: Pending. Publication CN112152970A (en).

Publications (1)

Publication Number Publication Date
CN112152970A true CN112152970A (en) 2020-12-29

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination