TWI434173B - Monitor method, monitor apparatus and computer program product thereof for monitoring a data of a hardware - Google Patents
Publication number: TWI434173B
Authority: TW (Taiwan)
Prior art keywords: data, processing unit, information, system call, address
Description
The present invention relates to a monitoring method, a monitoring apparatus and a computer program product for monitoring data of a piece of hardware; more particularly, it relates to a monitoring method, monitoring apparatus and computer program product that prevent data carrying private information from being transmitted improperly.
With the development of the information industry, computers and networks have become indispensable in daily life. Processing data on a computer, or searching for information, shopping and exchanging data over the network, are habits that many people take for granted. Online credit card payment, online shopping orders and web ATMs are network services in frequent use.
To use such network services, a user generally has to transmit, over the network, data that carries private information about the user, such as account/password information, a national ID number or online transaction records, to the network service provider. In general, this data is transmitted through a browser interface. Many attackers therefore exploit browser vulnerabilities to steal the data users send to service providers, and leaks of private information are now commonplace.
For example, after a user enters an account/password on a web page of a network service provider (such as Yahoo) through a browser and logs in to a member page, the user's computer stores the data containing the Yahoo account/password under a storage path and a data name. When the user later logs in to the Yahoo web page again with the browser, the computer can retrieve the data containing the Yahoo account/password via that storage path and data name and log in to the member page directly. During this process an attacker can exploit a browser vulnerability to execute a malicious program written in an encoded scripting language (such as JavaScript or VBScript) and, through the browser, send the data containing the Yahoo account/password to a network address the attacker has chosen in advance.
To address this problem, the prior art provides software for detecting malicious programs. It analyses different malicious programs and builds a database of signatures for different kinds of malicious programs, then uses those signatures to detect and stop a malicious program from sending data carrying the user's private information through the browser to an attacker-chosen network address.
However, because of the nature of scripting languages, such detection software has great difficulty detecting malicious programs executed through a scripting language, and cannot build a database of generic signatures for them. In other words, as soon as the script that runs the malicious program is processed with a different encoding, signature-based detection software can no longer detect or analyse it.
Accordingly, as network services mature and malicious programs proliferate, preventing the improper transmission of private information by malicious programs is a pressing problem for the industry.
An object of the present invention is to provide a monitoring apparatus for monitoring data of a piece of hardware. The data has private information, identification information and at least one first network transmission address. The monitoring apparatus comprises a storage unit and a processing unit. The storage unit stores a tag information table and stores the data according to the identification information. The processing unit records the identification information of the data and the at least one first network transmission address in the tag information table; in response to an access system call, accesses the data according to the identification information; and in response to a transmission system call, arranges a transmission of the private information of the data. The access system call is related to the identification information, and the transmission system call has a second network transmission address. Finally, the processing unit determines, from the identification information of the data and the at least one first network transmission address recorded in the tag information table, whether the at least one first network transmission address and the second network transmission address are the same; when they are not the same, the processing unit outputs a signal.
Another object of the present invention is to provide a monitoring method for monitoring data of a piece of hardware. The data has private information, identification information and at least one first network transmission address, and is stored in a storage unit according to the identification information. The monitoring method comprises the following steps: causing a processing unit to record the identification information of the data and the at least one first network transmission address in a tag information table stored in the storage unit; in response to an access system call related to the identification information, causing the processing unit to access the data according to the identification information; in response to a transmission system call having a second network transmission address, causing the processing unit to arrange a transmission of the private information of the data; causing the processing unit to determine, from the identification information of the data and the at least one first network transmission address recorded in the tag information table, whether the at least one first network transmission address and the second network transmission address are the same; and, when they are not the same, causing the processing unit to output a signal.
To the same end, the present invention further provides a computer program product storing a program for the monitoring method for monitoring data of a piece of hardware; once the program has been loaded into a monitoring apparatus via a computer, it can be executed and performs the monitoring method described above.
In summary, the monitoring method, monitoring apparatus and computer program product disclosed herein store, in a tag information table, the identification information of data carrying private information together with the network transmission address(es) to which that data may legitimately be sent. When data carrying private information is scheduled for transmission, the system calls and the identification information stored in the tag information table are used to compare the network transmission address recorded in the table with the network transmission address of the scheduled transmission, so that private information cannot be transmitted improperly by a malicious program.
After reading the drawings and the embodiments described below, those of ordinary skill in the art will understand the other objects and advantages of the present invention, as well as its technical means and embodiments.
The invention is explained below through embodiments. It concerns a monitoring method, a monitoring apparatus and a computer program product for monitoring data of a piece of hardware, whose advantage is that data carrying private information cannot be transmitted to a network transmission address specified by a malicious program. In the following embodiments and drawings, elements not directly related to the invention are omitted and not shown; the dimensions of the elements in the drawings are for ease of understanding only and do not limit the actual proportions.
As shown in FIG. 1A, the first embodiment of the present invention is a monitoring apparatus 11 for monitoring data of a hardware 1. The hardware 1 has a memory 13 and a display unit 15, and the user controls the components of the hardware 1 through an operating system (not shown). The operating system may be any commercially available operating system, such as Microsoft Windows, Apple's Macintosh operating system, Linux or Unix; in the first embodiment it is Microsoft Windows. The hardware 1 may be a personal computer (PC) or a Macintosh computer (MAC) sold by Apple Computer; in the first embodiment it is a personal computer. The invention does not limit the kind of operating system or hardware 1, and a person of ordinary skill in the art may use other operating systems, hardware and combinations thereof to carry out the invention, so these are not elaborated here.
The monitoring apparatus 11 comprises a storage unit 111 and a processing unit 113, and is electrically connected to the memory 13 and the display unit 15. The storage unit 111 stores a tag information table 10. When the user, through a browser (not shown) and the hardware 1, prepares to send data 2 carrying private information to a first network transmission address 20, the processing unit 113 stores data 2 in the storage unit 111 and/or the memory 13 under a storage path and a data name; that storage path and data name are the identification information 22 of data 2. At the same time, the processing unit 113 stores the identification information 22 of data 2 and the first network transmission address 20 in the tag information table 10.
For example, when the user, through the browser and the hardware 1, prepares to send data 2 carrying account/password private information to the first network transmission address 20 of a server of a network service provider (such as Yahoo), say 209.191.93.53, the processing unit 113 stores data 2 in the storage unit 111 and/or the memory 13 under a storage path (such as C:\Documents and Settings\user\Local Settings\Cookies\cookie:user@yahoo.com) and a data name (such as cookie:user@yahoo.com). At the same time, the processing unit 113 stores the storage path "C:\Documents and Settings\user\Local Settings\Cookies\cookie:user@yahoo.com", the data name "cookie:user@yahoo.com" and the first network transmission address "209.191.93.53" in the tag information table 10.
It should be noted that the invention does not limit the number of first network transmission addresses 20 stored in the tag information table 10: the user may, through the browser and the hardware 1, send data 2 having the same identification information 22 to several first network transmission addresses 20 at once, and a person of ordinary skill in the art can store further first network transmission addresses 20 following the description above, so this is not elaborated here.
Private information is sensitive information of the user, for example account/password information, cookie information and browser auto-complete data. The invention does not limit the kinds of private information; a person of ordinary skill in the art may set the kinds and number of private information, so this is not elaborated here.
When the processing unit 113 accesses data 2 according to the identification information 22 in response to an access system call 12, it carries out a series of procedures. The access system call 12 is related to the identification information 22. For example, the access system call 12 may be a data-open system call, a data-read system call, a data-copy system call, a data-move system call, a data-close system call or a clear-memory system call.
In this embodiment, the processing unit 113 opens data 2 according to the identification information 22 in response to a data-open system call, which has a delivery parameter corresponding to the identification information 22. Specifically, the processing unit 113 recognises the opening of data 2 from the call "OpenFile", which represents the data-open system call: "cookie:user@yahoo.com" is the data name of data 2, and "HANDLE" is the delivery parameter corresponding to the identification information 22. In other words, any other system call that carries the delivery parameter "HANDLE" is related to the identification information 22, which means that it accesses data 2. Once the processing unit 113 determines from the identification information 22 in the tag information table 10 that data 2 has been opened, it begins monitoring and recording all related system calls.
Next, in response to a data-read system call, the processing unit 113 stores the private information of data 2 at a first memory address 131. The data-read system call carries the delivery parameter described above, and its delivery parameter corresponds to the first memory address 131. Specifically, the processing unit 113 recognises the read of data 2 from the call "ReadFileEx", which represents the data-read system call; because its delivery parameter "HANDLE" is related to the identification information 22, the processing unit 113 knows that data 2 is being read. The parameter "lpBuffer" indicates that data 2 is stored at the first memory address 131 of the memory 13 (e.g. 0x04e463b9). At the same time, the processing unit 113 records in the storage unit 111 the memory address at which the private information of data 2 is stored (i.e. the first memory address 131).
In this embodiment, the processing unit 113 further copies and/or moves the private information of data 2 from the first memory address 131 of the memory 13 to a second memory address 133 in response to a data-copy system call and/or a data-move system call. After the private information of data 2 has been copied and/or moved, the processing unit 113 records and/or updates in the storage unit 111 the memory address(es) at which the private information of data 2 is stored (i.e. the first memory address 131 and/or the second memory address 133). The data-copy system call and the data-move system call are described below.
Specifically, the processing unit 113 recognises the copy of the private information of data 2 from the first memory address 131 to the second memory address 133 from the call "memcpy", which represents the data-copy system call: its parameter "*dest" is the second memory address 133 (e.g. 0x00123456) and its parameter "*src" is the first memory address 131 (i.e. 0x04e463b9). Likewise, it recognises the move of the private information of data 2 from the first memory address 131 to the second memory address 133 from the instruction "mov eax, [ebx]", where "mov" represents the data-move system call, "eax" stands for the second memory address 133 (e.g. 0x00123456) and "ebx" holds the first memory address 131 (i.e. 0x04e463b9). Note that the patent uses "system call" loosely here: memcpy is a C library function and mov is a processor instruction, not operating-system entry points, so intercepting them requires instrumenting the monitored process itself (for example by hooking the library or by binary instrumentation) rather than hooking the kernel's system-call interface.
If the processing unit 113 closes or clears data 2 in response to a data-close system call or a clear-memory system call, it continues to monitor, according to the tag information table 10, whether other data carrying private information is accessed. In another embodiment, the processing unit 113 recognises the closing or clearing of data 2 from the calls "FileClose" and "free", which represent the data-close system call and the clear-memory system call respectively. Because the delivery parameter "HANDLE" is related to the identification information 22, the processing unit 113 recognises the closing of data 2 from it. The parameter "*ptr" is the memory address of the data to be closed and the parameter "eax" is the memory address of the data being cleared; the processing unit 113 compares the value of "*ptr" or "eax" with the memory address at which the private information of data 2 is currently stored (i.e. the second memory address 133) and, if they are equal, treats data 2 as closed or cleared.
As the above shows, unlike the conventional approach of simply matching against a signature database to detect malicious behaviour, the monitoring apparatus 11 uses the delivery parameters of the individual system calls to determine whether an access system call is touching the private information of data 2, and records and/or updates the memory address at which that private information is stored from the memory address corresponding to the delivery parameter, so that the subsequent monitoring can be carried out.
Subsequently, in response to a transmission system call 14, the processing unit 113 arranges a transmission of data 2. The transmission system call 14 has a transmission data memory address and a second network transmission address (not shown). In this embodiment, the second network transmission address is the network transmission address set by the malicious program (given in the patent as 129.342.33.22; since an IPv4 octet cannot exceed 255, this is a placeholder rather than a routable address). Specifically, the processing unit 113 recognises the scheduled transmission of data 2 to the second network transmission address from the calls "connect", a system call that establishes a remote connection, and "send", a system call that transmits data 2 over the established connection: the parameter "*name" is the second network transmission address (i.e. 129.342.33.22) and the parameter "*buf" is the transmission data memory address. The processing unit 113 extracts the transmission data memory address of the transmission system call 14 (the value of the parameter "*buf") and determines whether it is the same as the memory address at which the private information of data 2 is stored (i.e. the first memory address 131 and/or the second memory address 133).
When the processing unit 113 determines that the transmission data memory address (the value of the parameter "*buf") is the same as the first memory address 131 (i.e. 0x04e463b9) and/or the second memory address 133 (i.e. 0x00123456), data 2 is about to be sent to the second network transmission address. The processing unit 113 then determines, from the identification information 22 of data 2 and the first network transmission address 20 recorded in the tag information table 10, whether the second network transmission address is the same as the first network transmission address 20. In this embodiment the second network transmission address (129.342.33.22) differs from the first network transmission address 20 (209.191.93.53), which means that data 2 is about to be sent to the network transmission address specified by the malicious program. The processing unit 113 therefore outputs a signal 100 to the display unit 15.
The display unit 15 displays a warning message according to the signal 100, and the processing unit 113 stops the transmission of data 2 according to the signal 100. Conversely, if the second network transmission address is the same as the first network transmission address 20, the processing unit 113 sends data 2 to the second network transmission address.
In other embodiments, if the processing unit 113 determines that the transmission data memory address (the value of the parameter "*buf") differs from the first memory address 131 and/or the second memory address 133, the data about to be sent is not private information; the processing unit 113 carries out the transmission, and the processing unit 113 of the monitoring apparatus 11 does not perform the step of comparing network transmission addresses.
The processing unit 113 then continues to monitor whether system calls keep transmitting data 2, and at the same time continues to monitor, according to the tag information table 10, whether other data carrying private information is accessed.
The second embodiment of the present invention, shown in FIG. 2, is a monitoring method for monitoring data of a piece of hardware. The monitoring method may be used in a monitoring apparatus such as the monitoring apparatus 11 of the first embodiment. The monitoring apparatus comprises a storage unit and a processing unit. The data has private information, identification information and at least one first network transmission address, and is stored in the storage unit according to the identification information. The private information may be one of account/password information, cookie information and browser auto-complete data.
Specifically, the monitoring method of the second embodiment may be carried out by a computer program product: when the monitoring apparatus loads the computer program product from a computer and executes the instructions it contains, the monitoring method of the second embodiment is performed. The computer program product may be stored on a computer-readable recording medium, such as a read-only memory (ROM), flash memory, floppy disk, hard disk, optical disc, USB drive, magnetic tape, a database accessible over a network, or any other storage medium with the same function known to those skilled in the art.
The monitoring method of the second embodiment comprises the following steps. First, in step 201, the processing unit records the identification information of the data and the at least one first network transmission address in a tag information table stored in the storage unit. The identification information comprises a storage path and a data name, and the data is stored in the storage unit according to that storage path and data name.
In step 202, in response to an access system call, the processing unit accesses the data according to the identification information; the access system call is related to the identification information.
For example, in step 202 the processing unit opens the data according to the identification information in response to a data-open system call, which has a delivery parameter corresponding to the identification information. The processing unit then stores the private information of the data at a first memory address in response to a data-read system call, which carries the same delivery parameter; here the delivery parameter corresponds to the first memory address.
In one embodiment, the processing unit copies the private information of the data from the first memory address to a second memory address in response to a data-copy system call; in another, it moves the private information of the data from the first memory address to the second memory address in response to a data-move system call. Finally, in step 202, the processing unit records in the storage unit the memory address(es) at which the private information of the data is stored (i.e. the first memory address and/or the second memory address). The details of step 202 were explained in the first embodiment and are not repeated here.
於步驟203,處理單元將因應一傳輸系統呼叫安排資料之一傳輸,其中,傳輸系統呼叫具有一傳輸資料記憶體位址以及一第二網路傳輸位址。接著於步驟204中,處理單元將擷取傳輸系統呼叫之傳輸資料記憶體位址,並判斷傳輸記憶體位址與儲存資料之私有資訊的記憶體位址(即第一記憶體位址及/或第二記憶體位址)是否相同。若是,則執行步驟205,處理單元將根據標記資訊表記錄之資料之識別資訊以及至少一第一網路傳輸位址,判斷至少一第一網路傳輸位址以及第二網路傳輸位址是否相同。In step 203, the processing unit transmits a response to one of the transmission system call schedules, wherein the transmission system call has a transport data memory address and a second network transport address. Next, in step 204, the processing unit retrieves the transmission data memory address of the transmission system call, and determines a memory address (ie, the first memory address and/or the second memory) that transfers the memory address and the private information of the stored data. Whether the body address) is the same. If yes, proceed to step 205, the processing unit determines, according to the identification information of the data recorded in the tag information table, and the at least one first network transmission address, whether the at least one first network transmission address and the second network transmission address are the same.
若處理單元於步驟205判斷至少一第一網路傳輸位址以及第二網路傳輸位址相同時,則執行步驟206,將資料之資訊傳送至第二網路傳輸位址,並返回步驟202,等候其它存取系統呼叫,以存取其它資料。若處理單元於步驟205判斷至少一第一網路傳輸位址以及第二網路傳輸位址不同時,則執行步驟207,使處理單元輸出一訊號。接著於步驟208,令一顯示單元根據前述之訊號顯示一警示訊息。最後,執行步驟209,處理單元根據訊號停止資料之私有資訊之傳輸,並返回步驟202,等候其它存取系統呼叫,以存取其它資料。If the processing unit determines in step 205 that the at least one first network transmission address and the second network transmission address are the same, step 206 is executed to transmit the information of the data to the second network transmission address, and return to step 202. Waiting for other access system calls to access other data. If the processing unit determines in step 205 that the at least one first network transmission address and the second network transmission address are different, step 207 is executed to enable the processing unit to output a signal. Next, in step 208, a display unit displays a warning message according to the foregoing signal. Finally, in step 209, the processing unit stops the transmission of the private information of the data according to the signal, and returns to step 202 to wait for other access system calls to access other materials.
若處理單元於步驟204判斷傳輸記憶體位址與第一記憶體位址及/或第二記憶體位址不同時,表示欲傳輸的資料之資訊並非私有資訊,接著執行步驟206,將資料之資訊傳送至第二網路傳輸位址,並返回步驟202,等候其它存取系統呼叫,以存取其它資料。If the processing unit determines in step 204 that the transmission memory address is different from the first memory address and/or the second memory address, the information indicating that the data to be transmitted is not private information, and then step 206 is performed to transmit the information of the data to The second network transmits the address and returns to step 202 to wait for other access system calls to access other data.
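Steps 201 to 209 above, simulated in Python as an added example that is not part of the patent: the tag information table is filled (step 201), open/read/copy/move system-call events propagate the private-data tag between memory addresses (step 202), and each transmission system call is checked against the recorded memory addresses and the permitted network addresses (steps 203 to 209). The Monitor class, the event tuples, the file path and the network addresses are all constructed assumptions.

```python
# Added example (not the patent's code): simulation of steps 201-209; names are assumed.
from dataclasses import dataclass, field

@dataclass
class Monitor:
    tag_table: dict = field(default_factory=dict)      # step 201: (path, name) -> allowed addrs
    open_files: dict = field(default_factory=dict)     # fd -> identification of a tagged file
    private_addrs: dict = field(default_factory=dict)  # memory addr -> identification it holds
    signals: list = field(default_factory=list)        # step 207 signals (shown at step 208)

    def handle(self, event):
        kind, args = event[0], event[1:]
        if kind == "open":                 # open syscall, parameter = identification info
            fd, path, name = args
            if (path, name) in self.tag_table:
                self.open_files[fd] = (path, name)
        elif kind == "read":               # read syscall, parameter = first memory address
            fd, addr = args
            if fd in self.open_files:
                self.private_addrs[addr] = self.open_files[fd]
        elif kind in ("copy", "move"):     # second address inherits the tag; the source
            src, dst = args                # stays tagged ("first and/or second address")
            if src in self.private_addrs:
                self.private_addrs[dst] = self.private_addrs[src]
        elif kind == "send":               # transmit syscall: buffer address + destination
            return self.check_send(*args)

    def check_send(self, buf, dest):
        ident = self.private_addrs.get(buf)
        if ident is None:                  # step 204: buffer is not private -> step 206
            return "allow"
        if dest in self.tag_table[ident]:  # step 205: destination recorded at step 201
            return "allow"                 # step 206
        self.signals.append(f"{ident[1]} -> {dest}")  # steps 207-209: signal and stop
        return "block"

def simulate(events, tagged):
    m = Monitor()
    for path, name, addrs in tagged:       # step 201: fill the tag information table
        m.tag_table[(path, name)] = set(addrs)
    return [d for d in map(m.handle, events) if d is not None], m.signals

# Constructed sample: the login file may only be sent to the bank's address.
TAGGED = [("/home/user", "bank_login.txt", ["bank.example"])]
EVENTS = [("open", 3, "/home/user", "bank_login.txt"), ("read", 3, 0x1000),
          ("copy", 0x1000, 0x2000),
          ("send", 0x2000, "bank.example"),     # allowed: recorded address (step 206)
          ("send", 0x1000, "other.example"),    # blocked: unrecorded address (207-209)
          ("send", 0x3000, "other.example")]    # allowed: buffer not private (step 204)
```

Calling `simulate(EVENTS, TAGGED)` returns the three decisions in order plus the single signal raised for the blocked transmission.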
除了上述步驟,本發明之監控方法亦能執行第一實施例所描述之所有操作及功能,所屬技術領域具有通常知識者可直接瞭解本發明之監控方法如何基於上述第一實施例以執行此等操作及功能,故在此不再贅述。In addition to the above steps, the monitoring method of the present invention can also perform all the operations and functions described in the first embodiment, and those skilled in the art can directly understand how the monitoring method of the present invention is based on the above-described first embodiment to perform such operations. Operation and function, so I won't go into details here.
綜合上述,本發明之監控方法、監控裝置及其電腦程式產品將先行於標記資訊表中,記錄具有私有資訊之資料的識別資訊及其應被傳送之網路傳輸位址。隨後,即根據系統呼叫進行具有私有資訊之資料的監控,若傳輸系統呼叫準備將具有私有資訊之資料傳送至標記資訊表未記錄之網路傳輸網址時,則停止具有私有資訊之資料的傳送。據此,本發明將可避免私有資訊遭到惡意程式的不當傳輸。In summary, the monitoring method, monitoring device and computer program product of the present invention will first be in the tag information table, and record the identification information of the data with private information and the network transmission address to be transmitted. Subsequently, the monitoring of the data with the private information is performed according to the system call, and if the transmission system call is ready to transmit the data with the private information to the network transmission address not recorded by the marked information table, the transmission of the data with the private information is stopped. Accordingly, the present invention will prevent improper transmission of private information by malicious programs.
上述之實施例僅用來例舉本發明之實施態樣,以及闡釋本發明之技術特徵,並非用來限制本發明之保護範疇。任何熟悉此技術者可輕易完成之改變或均等性之安排均屬於本發明所主張之範圍,本發明之權利保護範圍應以申請專利範圍為準。The embodiments described above are only intended to illustrate the embodiments of the present invention, and to explain the technical features of the present invention, and are not intended to limit the scope of protection of the present invention. Any changes or equivalents that can be easily made by those skilled in the art are within the scope of the invention. The scope of the invention should be determined by the scope of the claims.
1...Hardware
2...Data
10...Tag information table
11...Monitoring device
12...Access system call
13...Memory
14...Transmission system call
15...Display unit
100...Signal
111...Storage unit
113...Processing unit
131...First memory address
133...Second memory address
20...First network transmission address
22...Identification information
Fig. 1A is a schematic diagram of the monitoring device according to the first embodiment of the present invention;
Fig. 1B is a schematic diagram of the tag information table according to the first embodiment of the present invention; and
Fig. 2 is a flow chart of the monitoring method according to the second embodiment of the present invention.
Claims (30)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
TW98141136A TWI434173B (en) | 2009-12-02 | 2009-12-02 | Monitor method, monitor apparatus and computer program product thereof for monitoring a data of a hardware |
Publications (2)
Publication Number | Publication Date |
---|---|
TW201120635A TW201120635A (en) | 2011-06-16 |
TWI434173B true TWI434173B (en) | 2014-04-11 |
Family
ID=45045250
Country Status (1)
Country | Link |
---|---|
TW (1) | TWI434173B (en) |
Families Citing this family (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103853624A (en) * | 2012-12-04 | 2014-06-11 | 中山大学深圳研究院 | Monitoring method and monitoring device of hardware data |
TWI640891B (en) * | 2017-12-25 | 2018-11-11 | 中華電信股份有限公司 | Method and apparatus for detecting malware |
Legal Events
- 2009-12-02 TW TW98141136A patent/TWI434173B/en active
Also Published As
Publication number | Publication date |
---|---|
TW201120635A (en) | 2011-06-16 |