CN102868694B - Detection method, device and system for controlling client access to a network - Google Patents


Info

Publication number: CN102868694B
Authority: CN (China)
Prior art keywords: ftp, client, address, network object, testing result
Legal status: Active
Application number: CN201210345506.7A
Other languages: Chinese (zh)
Other versions: CN102868694A
Inventors: 江爱军, 谭合力, 张波
Current assignee: Beijing Qihoo Technology Co Ltd
Original assignees: Beijing Qihoo Technology Co Ltd; Qizhi Software Beijing Co Ltd

Events:
Application filed by Beijing Qihoo Technology Co Ltd and Qizhi Software Beijing Co Ltd
Priority to CN201210345506.7A
Priority to CN201510415431.9A
Publication of CN102868694A
Priority to PCT/CN2013/083629 (WO2014040571A1)
Application granted
Publication of CN102868694B
Legal status: Active

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/10: Network architectures or network communication protocols for network security for controlling access to devices or network resources

Landscapes

  • Engineering & Computer Science
  • Computer Hardware Design
  • Computer Security & Cryptography
  • Computing Systems
  • General Engineering & Computer Science
  • Computer Networks & Wireless Communication
  • Signal Processing
  • Data Exchanges In Wide-Area Networks
  • Computer And Data Communications

Abstract

The invention discloses a detection method, device and system for controlling client access to a network. It belongs to the field of communication technology and can detect, from several dimensions such as the system kernel and the system settings, the damage that malicious programs do to a client application's network access, and repair it. The detection method for controlling client access to a network provided by an embodiment of the invention comprises: selecting system-setting detection items according to the client system's settings; using the system-setting detection items together with the communication information of the network object that the client application needs to access, detecting the communication between the client application and the network object; when the detection result indicates that the communication is abnormal, repairing the system-setting detection items, and when the detection result indicates that the communication is normal, allowing the client application to access the network object; when repair of the system-setting detection items fails, detecting the driver detection items, and when the detection result indicates that the communication is abnormal, repairing the driver detection items, and when the detection result indicates that the communication is normal, allowing the client application to access the network object.

Description

Detection method, device and system for controlling client access to a network
Technical field
The present invention relates to the field of communication technology, and in particular to a detection method, device and system for controlling client access to a network.
Background technology
In order to identify and remove new Trojans quickly, and at the same time to reduce resource consumption on the client, current security protection software can improve its Trojan scanning and removal function with the help of a network server. For example, under cloud security technology the client security software accesses the server of a cloud security center and passes the characteristics of a suspicious file to that server; the cloud security center makes a security determination about the file, and the client security software then reports and handles the Trojan according to the information the cloud security center returns.
However, in order to evade detection by the security software, Trojans and some other malicious programs will damage, by every means available, the network communication between the client security software and the network server, preventing the client security software from accessing the server. The client then cannot upgrade its virus database from the server and cannot identify and remove new Trojans, which weakens the protective capability of the client security software. To address this problem, some client security software detects and repairs the Hosts file or the DNS (Domain Name System) settings. A scheme that checks only a single point of this kind has a poor Trojan removal effect, and the prior art has not proposed an effective solution for ensuring normal communication between the client security software and the network server.
Summary of the invention
In view of the above problems, the present invention is proposed in order to provide a detection method, device and system for controlling client access to a network that overcome the above problems or at least partly solve them.
According to one aspect of the present invention, a detection method for controlling client access to a network is provided, comprising:
selecting system-setting detection items according to the client system's settings;
using the system-setting detection items and the communication information of the network object that the client application needs to access, detecting the communication between the client application and the network object;
when the detection result for the system-setting detection items indicates that the communication is abnormal, repairing the system-setting detection items, and when the detection result indicates that the communication is normal, allowing the client application to access the network object;
when repairing the system-setting detection items fails, detecting the selected driver detection items, and when the detection result for the driver detection items indicates that the communication is abnormal, repairing the driver detection items, and when the detection result for the driver detection items indicates that the communication is normal, allowing the client application to access the network object.
The communication information above includes the domain name and IP address of the network object, and the system-setting detection items above include the Internet Protocol Security (IPSec) settings of the client system, the system firewall settings, the local IP addresses, the routing table entries, the Domain Name System (DNS) settings and/or the Hosts file. Using the system-setting detection items and the communication information of the network object that the client application needs to access to detect the communication between the client application and the network object then comprises:
detecting whether the block list of the client system's IPSec settings contains the communication information of the network object; if so, the detection result indicates that the communication is abnormal, and if not, that it is normal; and/or
detecting whether a rule entry in the block list of the client system's firewall settings contains the IP address of the network object and the name of the client application; if so, the detection result indicates that the communication is abnormal, and if not, that it is normal; and/or
detecting whether the client system has a local IP address on the same network segment as the IP address of the network object; if so, the detection result indicates that the communication is abnormal, and if not, that it is normal; and/or
detecting whether the client system's routing table entries contain an IP address on the same network segment as the IP address of the network object; if so, the detection result indicates that the communication is abnormal, and if not, that it is normal; and/or
detecting whether an IP address in the client system's DNS settings is in a forbidden DNS list; if so, the detection result indicates that the communication is abnormal, and if not, that it is normal; and/or
detecting whether any entry of the client system's Hosts file contains the domain name of the network object; if so, the detection result indicates that the communication is abnormal, and if not, that it is normal.
When the detection result indicates that the communication is abnormal, repairing the system-setting detection items comprises:
when the block list of the client system's IPSec settings is found to contain the communication information of the network object, removing that communication information from the block list of the IPSec settings; and/or
when a rule entry in the block list of the client system's firewall settings is found to contain the IP address of the network object and the name of the client application, removing from the block list of the firewall settings the rule entry that contains the IP address of the network object or the name of the client application; and/or
when the client system is found to have a local IP address on the same network segment as the IP address of the network object, removing that local IP address from the client system; and/or
when the client system's routing table entries are found to contain an IP address on the same network segment as the IP address of the network object, removing from the client system the routing table entry whose IP address is on the same network segment as the IP address of the network object; and/or
when an IP address in the client system's DNS settings is found to be in the forbidden DNS list, changing that IP address in the DNS settings to the address of a reliable DNS server; and/or
when an entry of the client system's Hosts file is found to contain the domain name of the network object, removing from the client system the Hosts file entry that contains the domain name of the network object.
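The six detection items and their paired repairs read naturally as a detect, repair, re-detect loop over a snapshot of the client's settings. The following Python is an added illustration of that loop, not code from the patent or its assignee: the `ClientSystem` snapshot, the `NETWORK_OBJECT` communication information, the `FORBIDDEN_DNS` list and `RELIABLE_DNS` address are all constructed for the example (using documentation-only address ranges), and the "same network segment" test is modelled with `ipaddress`. It goes slightly beyond the text in one respect: the default route (prefix length 0) technically contains every address, so the route check deliberately excludes it, otherwise the repair step would delete the client's default route.

```python
# Added example (not code from the patent): the six system-setting detection
# items from the summary and the repair paired with each, run over a
# constructed snapshot of a client system. ClientSystem, NETWORK_OBJECT,
# FORBIDDEN_DNS and RELIABLE_DNS are assumptions made for this illustration.
import ipaddress
from dataclasses import dataclass, field

# Communication information of the network object: its domain names and
# IP addresses (constructed sample values from documentation-only ranges).
NETWORK_OBJECT = {"domains": {"cloud.example.test"}, "ips": {"203.0.113.10"}}
FORBIDDEN_DNS = {"198.51.100.53"}   # constructed "forbidden DNS list"
RELIABLE_DNS = "192.0.2.53"         # constructed "reliable DNS server"


@dataclass
class ClientSystem:
    """Constructed snapshot of the client settings that the items inspect."""
    ipsec_block_list: set = field(default_factory=set)        # domains and IPs
    firewall_block_rules: list = field(default_factory=list)  # (ip, app name)
    local_ips: list = field(default_factory=list)             # "addr/prefix"
    routes: list = field(default_factory=list)                # "network/prefix"
    dns_servers: list = field(default_factory=list)
    hosts_entries: list = field(default_factory=list)         # raw hosts lines


def same_segment(cidr: str, ip: str) -> bool:
    """True when ip lies on the network segment described by cidr.

    The default route (prefix length 0) covers every address and is therefore
    not treated as a 'same segment' entry; it must survive the repair step.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    return net.prefixlen > 0 and ipaddress.ip_address(ip) in net


def detect(system: ClientSystem, obj: dict, app_name: str) -> dict:
    """Run the six items; True means the item indicates abnormal communication."""
    info = obj["domains"] | obj["ips"]
    return {
        "ipsec": bool(system.ipsec_block_list & info),
        "firewall": any(ip in obj["ips"] or app == app_name
                        for ip, app in system.firewall_block_rules),
        "local_ip": any(same_segment(local, ip)
                        for local in system.local_ips for ip in obj["ips"]),
        "route": any(same_segment(route, ip)
                     for route in system.routes for ip in obj["ips"]),
        "dns": any(server in FORBIDDEN_DNS for server in system.dns_servers),
        "hosts": any(domain in line.split()
                     for line in system.hosts_entries for domain in obj["domains"]),
    }


def repair(system: ClientSystem, obj: dict, app_name: str, result: dict) -> None:
    """Apply, for each abnormal item, the repair the summary pairs with it."""
    ips, domains = obj["ips"], obj["domains"]
    if result["ipsec"]:
        system.ipsec_block_list -= domains | ips
    if result["firewall"]:
        system.firewall_block_rules = [(ip, app) for ip, app in system.firewall_block_rules
                                       if ip not in ips and app != app_name]
    if result["local_ip"]:
        system.local_ips = [local for local in system.local_ips
                            if not any(same_segment(local, ip) for ip in ips)]
    if result["route"]:
        system.routes = [route for route in system.routes
                         if not any(same_segment(route, ip) for ip in ips)]
    if result["dns"]:
        system.dns_servers = [RELIABLE_DNS if s in FORBIDDEN_DNS else s
                              for s in system.dns_servers]
    if result["hosts"]:
        system.hosts_entries = [line for line in system.hosts_entries
                                if not any(d in line.split() for d in domains)]


def check_and_repair(system: ClientSystem, obj: dict, app_name: str) -> tuple:
    """Detect, repair whatever is abnormal, and re-detect; returns (before, after)."""
    before = detect(system, obj, app_name)
    if any(before.values()):
        repair(system, obj, app_name, before)
    return before, detect(system, obj, app_name)


def tampered_sample() -> ClientSystem:
    """Constructed snapshot in which all six items have been tampered with."""
    return ClientSystem(
        ipsec_block_list={"203.0.113.10", "unrelated.example.test"},
        firewall_block_rules=[("203.0.113.10", "*"), ("192.0.2.9", "other.exe")],
        local_ips=["10.0.0.5/24", "203.0.113.77/24"],
        routes=["203.0.113.0/24", "0.0.0.0/0"],
        dns_servers=["198.51.100.53"],
        hosts_entries=["127.0.0.1 localhost", "127.0.0.1 cloud.example.test"],
    )


if __name__ == "__main__":
    before, after = check_and_repair(tampered_sample(), NETWORK_OBJECT, "client_security.exe")
    for item in before:
        print(f"{item:9s} abnormal before: {before[item]!s:5s} after: {after[item]}")
```

Each repair is deliberately narrow: it removes only the entries that reference the network object or the client application, leaving unrelated block-list entries, firewall rules, addresses and routes untouched, which is what makes a repair safe to run automatically on a machine that may have legitimate entries alongside the tampered ones.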
The driver detection item selected above is a network filter driver, and detecting the selected driver detection item in this method comprises:
detecting whether the network filter driver is present in a blacklist; if so, the detection result indicates that the communication is abnormal, and if not, that it is normal;
when the detection result indicates that the communication is abnormal, repairing the network filter driver so that the detection result indicates that the communication is normal, and when the detection result indicates that the communication is normal, allowing the client application to access the network object.
Repairing the network filter driver above comprises: after backing up the network filter driver that is present in the blacklist, removing it, whereupon the detection result indicates that the communication is normal and the client application is allowed to access the network object.
After the network filter driver present in the blacklist has been backed up and removed, the detection result indicates that the communication is normal and the client application is allowed to access the network object; thereafter the method further comprises:
when the client application fails to access the network object: if the client application cannot successfully access a trusted third-party network object, confirming that the client application cannot access the network; if the client application can successfully access a trusted third-party network object, determining whether the client application has a network filter driver that is present in neither the blacklist nor the whitelist; if it does not, confirming that the client application cannot access the network; if it does, backing up that network filter driver, removing it, and allowing the client application to access the network object.
According to another aspect of the invention, a detection device for controlling client access to a network is provided, the device comprising:
a detection-item selection unit, adapted to select system-setting detection items according to the client system's settings;
a detection unit, adapted to use the system-setting detection items and the communication information of the network object that the client application needs to access to detect the communication between the client application and the network object;
an access control unit, adapted to repair the system-setting detection items when the detection result for them indicates that the communication is abnormal, and to allow the client application to access the network object when the detection result indicates that the communication is normal;
the detection-item selection unit is further adapted to select driver detection items; the detection unit is further adapted to detect the selected driver detection items when repairing the system-setting detection items fails;
the access control unit is further adapted to repair the driver detection items when the detection result for them indicates that the communication is abnormal, and to allow the client application to access the network object when the detection result for the driver detection items indicates that the communication is normal.
The communication information above includes the domain name and IP address of the network object, and the system-setting detection items above include the IPSec settings of the client system, the system firewall settings, the local IP addresses, the routing table entries, the Domain Name System (DNS) settings and/or the Hosts file. The detection unit is specifically adapted to:
detect whether the block list of the client system's IPSec settings contains the communication information of the network object; if so, the detection result indicates that the communication is abnormal, and if not, that it is normal; and/or
detect whether a rule entry in the block list of the client system's firewall settings contains the IP address of the network object and the name of the client application; if so, the detection result indicates that the communication is abnormal, and if not, that it is normal; and/or
detect whether the client system has a local IP address on the same network segment as the IP address of the network object; if so, the detection result indicates that the communication is abnormal, and if not, that it is normal; and/or
detect whether the client system's routing table entries contain an IP address on the same network segment as the IP address of the network object; if so, the detection result indicates that the communication is abnormal, and if not, that it is normal; and/or
detect whether an IP address in the client system's DNS settings is in a forbidden DNS list; if so, the detection result indicates that the communication is abnormal, and if not, that it is normal; and/or
detect whether any entry of the client system's Hosts file contains the domain name of the network object; if so, the detection result indicates that the communication is abnormal, and if not, that it is normal.
The access control unit above is adapted, when the detection result indicates that the communication is abnormal, to repair the system-setting detection items in the following ways:
when the block list of the client system's IPSec settings is found to contain the communication information of the network object, removing that communication information from the block list of the IPSec settings; and/or
when a rule entry in the block list of the client system's firewall settings is found to contain the IP address of the network object and the name of the client application, removing from the block list of the firewall settings the rule entry that contains the IP address of the network object and the name of the client application; and/or
when the client system is found to have a local IP address on the same network segment as the IP address of the network object, removing that local IP address from the client system;
when the client system's routing table entries are found to contain an IP address on the same network segment as the IP address of the network object, removing from the client system the routing table entry that contains the same IP address as the network object; and/or
when an IP address in the client system's DNS settings is found to be in the forbidden DNS list, changing that IP address in the DNS settings to the address of a reliable DNS server; and/or
when an entry of the client system's Hosts file is found to contain the domain name of the network object, removing from the client system the Hosts file entry that contains the domain name of the network object.
The detection-item selection unit above is further adapted to select the client system's network filter driver as a detection item;
the detection unit is further adapted, after the access control unit has allowed the client application to access the network object and when that access fails, to detect whether the network filter driver is present in a blacklist; if so, the detection result indicates that the communication is abnormal, and if not, that it is normal;
the access control unit is further adapted, when the detection result indicates that the communication is abnormal, to repair the network filter driver so that the detection result indicates that the communication is normal, and when the detection result indicates that the communication is normal, to allow the client application to access the network object.
The access control unit above is adapted to repair the network filter driver in the following way:
after backing up the network filter driver present in the blacklist, removing it, whereupon the detection result indicates that the communication is normal and the client application is allowed to access the network object.
The access control unit above is further adapted, after the network filter driver present in the blacklist has been backed up and removed, the detection result indicates that the communication is normal and the client application has been allowed to access the network object, to proceed as follows when the client application fails to access the network object: if the client application cannot successfully access a trusted third-party network object, confirming that the client application cannot access the network; if the client application can successfully access a trusted third-party network object, determining whether the client application has a network filter driver that is present in neither the blacklist nor the whitelist; if it does not, confirming that the client application cannot access the network; if it does, backing up that network filter driver, removing it, and allowing the client application to access the network object.
A communication system provided by an embodiment of the invention comprises a client device, and the client device comprises the detection device for controlling client access to a network described above;
the network object that the client application running on the client device needs to access is a cloud security center server;
when the detection device for controlling client access to a network allows the client application to access the cloud security center server, the client application is adapted to send information about a suspicious file to the cloud security center server and to receive the analysis result of that information issued by the cloud security center server.
As can be seen from the above, the embodiments of the invention select system-setting detection items and driver detection items, and use those items together with the communication information of the network object as the technical means of controlling access. This can detect, from several dimensions ranging from the system kernel to the system settings, the damage that malicious programs do to the client application's access to the system network, effectively repair the damage the malicious program causes to the communication between the client application and the network object, and ensure the client application's normal access to the network object.
The above description is only an overview of the technical solution of the invention. In order that the technical means of the invention may be better understood and implemented according to the content of the specification, and in order that the above and other objects, features and advantages of the invention may become more apparent, specific embodiments of the invention are set out below.
Brief description of the drawings
Various other advantages and benefits will become clear to those of ordinary skill in the art from reading the following detailed description of the preferred embodiments. The drawings serve only to illustrate the preferred embodiments and are not to be considered as limiting the invention. Throughout the drawings, identical parts are denoted by identical reference symbols. In the drawings:
Fig. 1 shows a flow chart of a detection method for controlling client access to a network according to an embodiment of the invention;
Fig. 2 shows a flow chart of a method, according to another embodiment of the invention, for repairing, on the basis of a network filter driver, the damage done by a malicious program to a client application's access to a network object; and
Fig. 3 shows a schematic structural diagram of a detection device for controlling client access to a network according to an embodiment of the invention.
Fig. 4 shows a schematic structural diagram of a communication system provided by an embodiment of the invention.
Detailed description of the embodiments
Exemplary embodiments of the present disclosure are described in more detail below with reference to the accompanying drawings. Although exemplary embodiments of the disclosure are shown in the drawings, it should be understood that the disclosure can be implemented in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the disclosure can be understood more thoroughly and its scope conveyed completely to those skilled in the art.
The application can be applied to a computer system/server, which can operate together with numerous other general-purpose or special-purpose computing system environments or configurations. Examples of well-known computing systems, environments and/or configurations suitable for use with the computer system/server include, but are not limited to: personal computer systems, server computer systems, thin clients, thick clients, hand-held or laptop devices, microprocessor-based systems, set-top boxes, programmable consumer electronics, network PCs, minicomputer systems, mainframe computer systems, distributed cloud computing environments that include any of the above systems, and so on.
The computer system/server can be described in the general context of computer-system-executable instructions (such as program modules) executed by a computer system. Generally, program modules may include routines, programs, object programs, components, logic, data structures and so on, which perform particular tasks or implement particular abstract data types. The computer system/server can be practised in distributed cloud computing environments, where tasks are performed by remote processing devices linked through a communications network. In a distributed cloud computing environment, program modules may be located on local or remote computing system storage media, including memory storage devices.
The computer system/server may also communicate with one or more external devices, such as a keyboard, a pointing device or a display; with one or more devices that enable a user to interact with the computer system/server; and/or with any device (such as a network card or modem) that enables the computer system/server to communicate with one or more other computing devices. Such communication can take place through input/output (I/O) interfaces. Further, the computer system/server can also communicate through a network adapter with one or more networks, such as a local area network (LAN), a wide area network (WAN) and/or a public network (such as the Internet). As shown in the figure, the network adapter communicates with the other modules of the computer system/server over a bus. It should be understood that other hardware and/or software modules can be used with the computer system/server; examples include, but are not limited to, microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, data backup storage systems, and so on.
A detection method for controlling client access to a network provided by an embodiment of the invention, see Fig. 1, comprises:
S100: selecting system-setting detection items according to the client system's settings, the system-setting detection items including one or more of the client system's Internet Protocol Security (IPSec) settings, system firewall settings, local IP addresses, routing table entries, DNS settings and Hosts file.
S102: using the system-setting detection items and the communication information of the network object that the client application needs to access, detecting the communication between the client application and the network object.
In this embodiment, the detection is normally based on the system-setting detection items selected in step S100 above, and in this step all of the system-setting detection items listed above are detected; it will be understood that only some of those detection items may be detected in this step. By detecting the system-setting detection items, this scheme can detect and repair the client application's access to the system network from the dimension of the system settings.
The network object above is the network device or system that the client application is to access; for example, the network object may be the cloud security center server, or the like, under a Windows system.
S104: when the detection result for the system-setting detection items indicates that the communication is normal, allowing the client application to access the network object.
S106: when the detection result for the system-setting detection items indicates that the communication is abnormal, repairing the system-setting detection items so that the detection result indicates that the communication is normal, and allowing the client application to access the network object once the communication is normal.
S108: when repairing the system-setting detection items fails, detecting the selected driver detection items and proceeding to step S110; when repairing the system-setting detection items succeeds, the communication is determined to be normal and the client application is allowed to access the network object. By detecting the driver detection items, this scheme can detect and repair the client application's access to the system network from the dimension of the system kernel.
S110: when the detection result for the driver detection items indicates that the communication is abnormal, repairing the driver detection items, and when the detection result for the driver detection items indicates that the communication is normal, allowing the client application to access the network object.
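Steps S100 to S110, together with the network filter driver fallback that the summary describes (blacklisted driver backed up and removed; if access still fails, a trusted third-party object is tried and then any driver present in neither the blacklist nor the whitelist is backed up and removed), form one decision procedure. The Python below is an added illustration of that procedure, not code from the patent or its assignee: `ClientState`, the `Verdict` enum, the driver blacklist and whitelist, and the reachability model (the object is reachable when the network is up and no driver in a constructed `blocking` set remains loaded) are all assumptions made for the example.

```python
# Added example (not code from the patent): the control flow of steps S100
# to S110 followed by the network filter driver fallback from the summary,
# run over constructed client states. Verdict, ClientState, the driver lists
# and the reachability model are assumptions made for this illustration.
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Set

DRIVER_BLACKLIST = {"evilfilter.sys"}          # constructed blacklist
DRIVER_WHITELIST = {"tcpip.sys", "ndis.sys"}   # constructed whitelist


class Verdict(Enum):
    ALLOW = "client application may access the network object"
    DENY = "client application cannot access the network"


@dataclass
class ClientState:
    settings_abnormal: bool        # result of the system-setting detection items
    settings_repairable: bool      # whether repairing those items succeeds (S106/S108)
    filter_drivers: List[str]      # network filter drivers loaded on the client
    network_up: bool               # is a trusted third-party object reachable at all?
    blocking: Set[str] = field(default_factory=set)   # drivers that cut the object off
    backups: List[str] = field(default_factory=list)  # drivers backed up before removal

    def object_reachable(self) -> bool:
        """Reachability model: the object is reachable when the network is up
        and no driver that cuts off the object is still loaded."""
        return self.network_up and not (set(self.filter_drivers) & self.blocking)


def backup_and_remove(state: ClientState, driver: str) -> None:
    """Back the driver up first, then remove it (the order the summary requires)."""
    state.backups.append(driver)
    state.filter_drivers.remove(driver)


def control_access(state: ClientState) -> Verdict:
    """Decide whether the client application may access the network object."""
    # S100/S102: the system-setting items have been selected and detected.
    if not state.settings_abnormal:
        return Verdict.ALLOW                           # S104
    if state.settings_repairable:                      # S106
        state.settings_abnormal = False
        return Verdict.ALLOW
    # S108: repair failed, so detect the driver item (the network filter driver).
    for driver in [d for d in state.filter_drivers if d in DRIVER_BLACKLIST]:
        backup_and_remove(state, driver)               # S110: repair
    if state.object_reachable():
        return Verdict.ALLOW
    # Access still fails: first try a trusted third-party network object.
    if not state.network_up:
        return Verdict.DENY
    # Third party reachable: look for a driver in neither blacklist nor whitelist.
    unknown = [d for d in state.filter_drivers
               if d not in DRIVER_BLACKLIST and d not in DRIVER_WHITELIST]
    if not unknown:
        return Verdict.DENY
    for driver in unknown:
        backup_and_remove(state, driver)
    return Verdict.ALLOW


if __name__ == "__main__":
    # Constructed state: settings tampered beyond repair, unknown driver blocking.
    state = ClientState(True, False, ["tcpip.sys", "oddfilter.sys"], True,
                        blocking={"oddfilter.sys"})
    print(control_access(state).value, "| backed up:", state.backups)
```

The trusted third-party probe is what separates "a driver is blocking the object" from "the machine simply has no connectivity": without it, the fallback would remove unknown but harmless drivers on every offline laptop. Backing up before removal keeps that step reversible if the whitelist turns out to be incomplete.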
As can be seen from the above, the embodiments of the invention select system-setting detection items and driver detection items, and use those items together with the communication information of the network object as the technical means of controlling access. This can detect, from several dimensions ranging from the system kernel to the system settings, the damage that malicious programs do to the client application's access to the system network, effectively repair the damage the malicious program causes to the communication between the client application and the network object, and ensure the client application's normal access to the network object.
Another embodiment of the present invention for client application be client secure application for ensureing client network safety, client application needs the network object of access to be described for the scene of cloud security central server.
One or more cloud computing node that the local computing device that cloud computing environment comprises cloud computing consumer use can communicate with it, local computing device is individual digital auxiliary equipment (PDA) or mobile phone such as, desktop computer, notebook computer, and/or Automotive Computer System.Can intercom mutually between node.In at one or more network---such as privately owned cloud as above, community's cloud, public cloud or mixed cloud or their combination---, node can be carried out physics or virtual group (not shown).This allow cloud computing environment provide cloud consumer without the need to maintenance resources on local computing device just can ask namely architecture serves, platform is namely served and/or namely software serve.It should be understood that computing node and cloud computing environment can with on the network of any type and/or network addressable connection on the computing equipment (such as using web browser) of any type communicate.
Cloud security framework realizes based on cloud computing environment, that all cloud security clients are connected in real time with cloud security service device, client constantly gathers and reports renewal, a huge rogue program database is formed at server end, and the analyses and comparison of Initiative Defense operation is placed on server end and completes, thus whole cloud security network is made to become an Initiative Defense instrument; Carry out collecting for the program behavior with threat and be kept in the database of server, supporting that when server end carries out malware analysis rogue program judgement is carried out in direct service routine behavior;
In addition, the embodiment of the present invention is by the behavior of client collection procedure and be associated with performance of program, thus the program behavior of logging program feature and correspondence thereof in a database, according to the incidence relation of the program behavior collected and performance of program, analytic induction can be carried out in a database to sample, thus contribute to discriminant classification software or program being carried out to black and white, corresponding removal or restoration measure can also be formulated for the Malware in blacklist.
But, trojan horse and some other rogue program are in order to hide the detection of fail-safe software, client secure software and the webserver can be destroyed by every means, such as, network communication between cloud security service device, stop the client secure softward interview webserver, cause client cannot the virus base of upgrade of network server end, None-identified and remove new wooden horse.
The communication information of the network object comprises the domain name and IP address of the network object, for example the domain name list formed by the multiple domain names of the cloud security center server and the IP address list formed by its multiple IP addresses. The domain name list can be expressed as CloudSecCentre(Domain) = {D1, D2, ..., Dn}, and the IP address list as CloudSecCentre(IP) = {IP1, IP2, ..., IPn}.
The system setting detection items and the communication information of the network object that the client application needs to access are then used to detect the communication between the client application and the network object. The detection may comprise the following:
(1) IPSec settings
Considering that a malicious program (such as a Trojan) can add the IP address or domain name of the security vendor's cloud security center server to the block list of the IPSec settings to disrupt network communication, the present embodiment detects whether the communication information of the network object is present in the block list of the client system's network protocol security (IPSec) settings; if so, the detection result indicates that communication is abnormal, and if not, the detection result indicates that communication is normal.
For example, the IPSec settings of the client system are read and the block list among the setting items is checked for entries containing the cloud security center domain name CloudSecCentre(Domain) or IP address CloudSecCentre(IP); if present, they are removed, and if not present, the IPSec settings are not modified. Optionally, the present embodiment can also check all information in the IPSec settings directly to judge whether the communication information of the network object appears anywhere in the IPSec settings; if so, the communication information of the network object is removed from the IPSec settings, and if not, the IPSec settings are left unchanged.
(2) System firewall settings
Considering that a Trojan can modify the inbound and outbound rules of the system firewall on Vista and later platforms, adding rule entries containing the cloud security center server IP address or the name of the client security application to the block list to disrupt network communication, the present embodiment detects whether the IP address of the network object or the name of the client application is present in the rule entries of the block list of the client system's firewall settings; if so, the detection result indicates that communication is abnormal, and if not, the detection result indicates that communication is normal.
For example, the firewall settings of the client system are read and the rule entries in the firewall's block list are checked one by one for the cloud security center IP address CloudSecCentre(IP) or the name of the client security application; if present, the rule entries containing the IP address of the network object or the client application name are removed from the firewall's block list, and if not present, the original firewall settings are kept.
(3) Local IP address
Considering that a Trojan can add to the client an IP address on the same network segment as the cloud security center server together with an invalid gateway address, so that the client application cannot reach the cloud security center server IP and communication is disrupted, the present embodiment detects whether the client system has a local IP address on the same network segment as the IP address of the network object; if so, the detection result indicates that communication is abnormal, and if not, the detection result indicates that communication is normal.
For example, all IP address settings of the client system are read and checked one by one for an address on the same network segment as one of the cloud security center server IP addresses CloudSecCentre(IP); if such an address exists, that IP address entry of the client is removed, i.e. the local IP address on the same network segment as the IP address of the network object is removed from the client system, and if none exists, the IP address settings of the client system are kept.
(4) Route entries
Considering that a Trojan can set up wrong route entries so that the client application cannot reach the cloud security center server IP address and communication is disrupted, the present embodiment detects whether a route entry of the client system has an IP address on the same network segment as the IP address of the network object; if so, the detection result indicates that communication is abnormal, and if not, the detection result indicates that communication is normal.
For example, all route entries of the client system are read and checked one by one for a route whose network address is the same as the network address of a cloud security center server IP address CloudSecCentre(IP); if it is the same, that route entry is removed, i.e. the route entry in the client system whose IP address is on the same network segment as the IP address of the network object is removed, and if it is different, the original route entry is kept.
(5) DNS settings
Considering that a Trojan can modify the DNS settings of the client system and point the client at a rogue DNS server controlled by the Trojan's author, so that the cloud security center domain name cannot be resolved and normal communication is impossible, the present embodiment, on detecting that an IP address in the client system's DNS settings is in the forbidden DNS list, changes the IP address in the DNS settings to a trusted DNS server address. The forbidden DNS list is made up of known illegal IP addresses or IP addresses that the client application is forbidden to access, and can also be called the black DNS list.
For example, the network DNS settings of the client system are read and the DNS IP addresses are checked against the forbidden DNS list; if one is present, the IP address in the DNS settings is changed to a trusted DNS server address, for instance the DNS is changed to the preset DNS server addresses 8.8.8.8 and 8.8.4.4; if none is present, the network DNS settings of the client system are left unchanged.
(6) Hosts file (Hosts)
Considering that a Trojan can add the cloud security center server domain name to the client system's Hosts file and point it at a wrong IP address to disrupt communication, the present embodiment, on detecting that an entry of the client system's Hosts file contains the domain name of the network object, removes that Hosts file entry from the client system. The Hosts file usually consists of multiple lines of information, each line being one entry; an entry carries domain name information and so on.
For example, the Hosts file is usually located in the directory c:\windows\system32\drivers\etc of the client system. The Hosts file of the client system is read and the domain name in each entry is checked one by one for the cloud security center domain name CloudSecCentre(Domain); if it is contained, the entry of the client system's Hosts file containing the domain name of the network object is removed, and if not, the Hosts file entry is left unchanged.
Therefore, the repair adopted in the present embodiment comprises at least one of the following, or a combination of them:
when it is detected that the communication information of the network object is present in the block list of the IPSec settings of the client system, removing the communication information of the network object from the block list of the IPSec settings;
when it is detected that the IP address of the network object or the name of the client application is present in the rule entries of the block list of the client system's firewall settings, removing the rule entries containing the IP address of the network object or the client application name from the block list of the firewall settings;
when it is detected that the client system has a local IP address on the same network segment as the IP address of the network object, removing from the client system the local IP address on the same network segment as the IP address of the network object;
when it is detected that the route entries of the client system contain an IP address on the same network segment as the IP address of the network object, removing the route entry in the client system whose IP address is on the same network segment as the IP address of the network object;
when it is detected that an IP address in the DNS settings of the client system is in the forbidden DNS list, changing the IP address in the DNS settings to a trusted DNS server address;
when it is detected that an entry of the client system's Hosts file contains the domain name of the network object, removing from the client system the Hosts file entry containing the domain name of the network object.
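As an added illustration of checks (1) to (6) and the repairs just listed, the following Python script (written for this page, not code from the patent or its assignee) runs the same decisions over a constructed snapshot of a client's settings. The domain names, IP addresses, the client application name, the forbidden DNS list, the firewall rule fields and the "same network segment" width of /24 are all assumptions made for the example; only the preset DNS servers 8.8.8.8 and 8.8.4.4 come from the text. Each check returns the detection result ("normal" or "abnormal") together with the repaired setting, so the repair can be reviewed before it is written back to the system.

```python
"""Checks (1)-(6) from the text, as an added worked example on constructed data."""
import ipaddress

# Constructed stand-ins for CloudSecCentre(Domain) and CloudSecCentre(IP)
# (documentation ranges, not a real security vendor's infrastructure).
CLOUDSEC_DOMAIN = {"cloudsec.example", "update.cloudsec.example"}
CLOUDSEC_IP = {"203.0.113.10", "203.0.113.11"}
CLIENT_APP_NAME = "cloudsec-client.exe"   # assumed name of the client security application
FORBIDDEN_DNS = {"198.51.100.53"}         # constructed "black DNS list"
TRUSTED_DNS = ["8.8.8.8", "8.8.4.4"]      # the preset trusted servers named in the text
SEGMENT_PREFIX = 24                       # assumption: "same network segment" means same /24


def center_networks():
    """Network segments (as /SEGMENT_PREFIX) that contain a cloud security center address."""
    return {ipaddress.ip_network(f"{c}/{SEGMENT_PREFIX}", strict=False) for c in CLOUDSEC_IP}


def on_center_segment(ip):
    """True if the host address ip lies on the same segment as a center address."""
    return any(ipaddress.ip_address(ip) in net for net in center_networks())


def check_ipsec(block_list):
    """(1) IPSec: remove block-list entries that name the center's domain or IP."""
    bad = {e for e in block_list if e in CLOUDSEC_DOMAIN or e in CLOUDSEC_IP}
    return ("abnormal" if bad else "normal"), [e for e in block_list if e not in bad]


def check_firewall(block_rules):
    """(2) Firewall block list; each rule is assumed to be {'remote': ip, 'program': name}."""
    def hits(rule):
        return rule.get("remote") in CLOUDSEC_IP or rule.get("program", "").lower() == CLIENT_APP_NAME
    kept = [r for r in block_rules if not hits(r)]
    return ("abnormal" if len(kept) != len(block_rules) else "normal"), kept


def check_local_ips(local_ips):
    """(3) Local addresses: drop any that sit on the center's segment."""
    kept = [ip for ip in local_ips if not on_center_segment(ip)]
    return ("abnormal" if len(kept) != len(local_ips) else "normal"), kept


def check_routes(routes):
    """(4) Routes as (destination network, gateway): drop routes for the center's segment."""
    kept = [r for r in routes if ipaddress.ip_network(r[0], strict=False) not in center_networks()]
    return ("abnormal" if len(kept) != len(routes) else "normal"), kept


def check_dns(servers):
    """(5) DNS: a server on the forbidden list means the setting is replaced by trusted servers."""
    if any(s in FORBIDDEN_DNS for s in servers):
        return "abnormal", list(TRUSTED_DNS)
    return "normal", list(servers)


def check_hosts(hosts_text):
    """(6) Hosts: drop entries whose hostname fields name the center's domain; keep the rest."""
    kept, hit = [], False
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()          # ignore trailing comments
        if len(fields) >= 2 and any(h.lower() in CLOUDSEC_DOMAIN for h in fields[1:]):
            hit = True
            continue
        kept.append(line)
    return ("abnormal" if hit else "normal"), "\n".join(kept)


def run_all(snapshot):
    """Run every check over a dict snapshot of the client's settings."""
    checks = {"ipsec": check_ipsec, "firewall": check_firewall, "local_ips": check_local_ips,
              "routes": check_routes, "dns": check_dns, "hosts": check_hosts}
    return {name: fn(snapshot[name]) for name, fn in checks.items()}


# Constructed client snapshot in which every item has been tampered with as the text describes.
SAMPLE = {
    "ipsec": ["cloudsec.example", "10.0.0.5"],
    "firewall": [{"remote": "203.0.113.10", "program": ""},
                 {"remote": "", "program": "CloudSec-Client.exe"},
                 {"remote": "192.0.2.9", "program": "other.exe"}],
    "local_ips": ["192.168.1.20", "203.0.113.200"],
    "routes": [("0.0.0.0/0", "192.168.1.1"), ("203.0.113.0/24", "0.0.0.0")],
    "dns": ["198.51.100.53"],
    "hosts": "127.0.0.1 localhost\n203.0.113.99 cloudsec.example  # planted entry\n",
}

if __name__ == "__main__":
    for item, (status, repaired) in run_all(SAMPLE).items():
        print(f"{item:10s} {status:9s} -> {repaired!r}")
```

The checks deliberately return the repaired value instead of writing it, which separates detection from repair and makes each step auditable; the unrelated firewall rule, default route, local address and localhost entry in the sample survive untouched, which is the property a practitioner should verify before letting such a routine edit live system settings.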
In the present embodiment, the choice of system setting detection items and the specific detection and repair methods were summarised from the practical process of fighting Trojans (such as the typical "Hurricane Trojan"). They can effectively repair the damage a Trojan does to network communication with the cloud security center, ensuring normal communication between the client security software and the cloud security center and providing a reliable network environment for the subsequent Trojan removal, so that the security software achieves the best Trojan-killing effect.
Since, in most cases, executing the operations of the above points detects and repairs the damage done by the malicious program to the client application's access to the network, the client security application is then allowed to access the cloud security center server, which ensures that suspicious files are reported by the client to the cloud security center server promptly.
If, after the Trojan detection and repair of the above points have been executed, the client security application still cannot access the cloud security center server, the present embodiment further chooses the network filter drivers of the client system as the driver detection item and performs Trojan removal based on NDIS (Network Driver Interface Specification) network filter drivers.
(7) Network filter drivers
A network filter driver generally comprises a network filter driver file and registry information. The present embodiment detects whether a network filter driver is present in the blacklist; if so, the detection result indicates that communication is abnormal, and if not, the detection result indicates that communication is normal.
When the detection result indicates that communication is abnormal, the network filter driver is repaired so that the detection result indicates normal communication; when the detection result indicates that communication is normal, the client application is allowed to access the network object. Referring to Fig. 2, which shows the flow of the method for repairing, based on network filter drivers, the damage done by a malicious program to the client application's access to the network object, the specific process is as follows:
S200: judge whether the client application can access the network object.
If, after the detection and repair of the above points have been executed, the client application can access the network object, communication is normal and the detection ends.
If, after the detection and repair of the above points have been executed, the client application still cannot access the network object, step S202 is performed.
S202: obtain the identification information of all network filter drivers in the client system.
The identification information of a network filter driver comprises the signature information and/or version information of the network filter driver. All network filter drivers in the system are read by enumerating the registry key HKLM\SYSTEM\CurrentControlSet\Control\Network and the INetCfg network configuration interface.
S204: check whether each network filter driver is in the blacklist or the whitelist.
The whitelist records the identification information of permitted network filter drivers; the blacklist records the identification information of forbidden network filter drivers.
The state of a network filter driver that is in the blacklist is set to black, where black means untrusted; the state of a network filter driver that is in the whitelist is set to white, where white means trusted; and the state of a network filter driver that is in neither the blacklist nor the whitelist is set to grey, where grey means unknown.
If all network filter drivers in the client system are in the whitelist, no further processing is performed and the detection ends; otherwise, step S206 is performed.
S206: if there is a black network filter driver in the client system, the network filter driver in the blacklist is backed up and then removed; the detection result now indicates that communication is normal, the client application is allowed to access the network object, and step S208 is performed.
S208: judge whether the client application can now access the network object; if so, communication is normal and the operation ends; if not, step S210 is performed.
S210: judge whether the client can access a trusted third-party network object in the current user environment; if it can, step S212 is performed; if it cannot, this shows that the client's own access is at fault, the client cannot access the network, and the operation ends. By detecting the client application's access to the network object in the user environment as above, this scheme also detects and repairs the client application's access to the system network from the user-mode dimension.
As can be seen from the above, this scheme can comprehensively detect, across multiple dimensions from the system kernel to user mode and the system settings, the damage done by a malicious program to the client application's access to the system network, ensuring a reliable network communication environment before malicious-program removal is carried out.
S212: judge whether the client application has a network filter driver that is present in neither the blacklist nor the whitelist, i.e. whether there is a grey network filter driver; if there is no grey network filter driver, it is confirmed that the client application cannot access the network; if there is, step S214 is performed.
S214: back up the grey network filter driver and then remove it, and allow the client application to access the network object.
It will be appreciated that the detection of network filter drivers can also be performed at the same time as the above points.
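As an added example (not the patent's code), the following Python model walks through steps S200 to S214: drivers are classified black, white or grey by their (signature, version) identification, black drivers are backed up and removed first, and grey drivers only after access to a trusted third party has been confirmed. The driver names, signers, versions, the blacklist and whitelist, and the connectivity probes are all constructed for the example; the probe after the grey removal at the end is also an addition, since the text stops at allowing access.

```python
"""Steps S200 to S214 as an added model of network filter driver triage; all data constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class FilterDriver:
    name: str      # driver file name (constructed)
    signer: str    # signature information: who signed the driver
    version: str   # version information


# Constructed identification lists keyed by (signer, version); not real driver data.
BLACKLIST = {("Unknown Publisher", "1.0.0.0")}
WHITELIST = {("Contoso Security", "3.2.0.0"), ("Example OS Vendor", "10.0.0.1")}


def classify(driver):
    """S204: black = untrusted, white = trusted, grey = in neither list (unknown)."""
    key = (driver.signer, driver.version)
    if key in BLACKLIST:
        return "black"
    if key in WHITELIST:
        return "white"
    return "grey"


def triage(drivers, reach_center, reach_third_party):
    """
    drivers: FilterDriver list enumerated from the client (S202).
    reach_center(remaining): probe of access to the network object with the given drivers loaded.
    reach_third_party(): probe of access to a trusted third-party network object (S210).
    Returns (outcome, removed) where removed lists drivers taken out after being backed up.
    """
    removed, remaining = [], list(drivers)
    if reach_center(remaining):                               # S200
        return "normal", removed
    states = {d: classify(d) for d in remaining}              # S204
    if all(s == "white" for s in states.values()):
        return "all_white_no_action", removed                  # nothing to repair here
    black = [d for d in remaining if states[d] == "black"]
    if black:                                                 # S206: back up, then remove
        removed.extend(black)
        remaining = [d for d in remaining if states[d] != "black"]
    if reach_center(remaining):                               # S208
        return "repaired_black", removed
    if not reach_third_party():                               # S210: client itself is at fault
        return "client_cannot_access_network", removed
    grey = [d for d in remaining if states[d] == "grey"]      # S212
    if not grey:
        return "client_cannot_access_network", removed
    removed.extend(grey)                                      # S214: back up, then remove
    remaining = [d for d in remaining if states[d] != "grey"]
    # This final probe is an addition to the text, which ends at allowing access.
    return ("repaired_grey" if reach_center(remaining) else "unresolved"), removed


def make_center_probe(blocking_names):
    """Constructed stand-in for a connectivity test: the center is reachable only when
    none of the named drivers is still loaded."""
    return lambda remaining: not any(d.name in blocking_names for d in remaining)


# Constructed driver inventory: one trusted, one blacklisted, one unknown.
DRIVERS = [
    FilterDriver("vendorfw.sys", "Contoso Security", "3.2.0.0"),
    FilterDriver("nettap.sys", "Unknown Publisher", "1.0.0.0"),
    FilterDriver("pktshaper.sys", "Some Utility Co", "2.1.0.0"),
]

if __name__ == "__main__":
    for blocking in (set(), {"nettap.sys"}, {"nettap.sys", "pktshaper.sys"}):
        outcome, removed = triage(DRIVERS, make_center_probe(blocking), lambda: True)
        print(sorted(blocking), "->", outcome, [d.name for d in removed])
```

The ordering matters for safety: a grey driver is only removed after the third-party probe shows that the client's own networking works, so an unknown but legitimate filter driver is not torn out when the real fault lies elsewhere, and every removal is recorded so the backup can be restored.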
From the above, the embodiment of the present invention chooses system setting detection items and driver detection items, and uses the system setting detection items, the driver detection items and the communication information of the network object as the technical means for access control. In this way the damage done by a malicious program to the client application's access to the system network can be detected across multiple dimensions from the system kernel to the system settings, the damage the malicious program causes to communication between the client application and the network object can be effectively repaired, and normal access by the client application to the network object is ensured.
An embodiment of the invention further provides a detection device for controlling client access to the network. Referring to Fig. 3, the device comprises:
a detection selection unit 300, adapted to select system setting detection items according to the client system, where the system setting detection items comprise the network protocol security settings, system firewall settings, local IP addresses, route entries, domain name system (DNS) settings and/or Hosts file of the client system;
a detection unit 302, adapted to use the system setting detection items and the communication information of the network object that the client application needs to access to detect the communication between the client application and the network object;
an access control unit 304, adapted to repair the system setting detection items when the detection result for the system setting detection items indicates that communication is abnormal, and to allow the client application to access the network object when the detection result indicates that communication is normal;
the detection selection unit 300 being further adapted to select driver detection items for detection, and the detection unit 302 being further adapted to detect the selected driver detection items when repair of the system setting detection items fails;
the access control unit 304 being further adapted to repair the driver detection items when the detection result for the driver detection items indicates that communication is abnormal, and to allow the client application to access the network object when the detection result for the driver detection items indicates that communication is normal.
Here the communication information comprises the domain name and IP address of the network object, and the detection unit 302 is specifically adapted to detect whether the communication information of the network object is present in the block list of the network protocol security settings of the client system; if so, the detection result indicates that communication is abnormal, and if not, the detection result indicates that communication is normal; and/or,
to detect whether the IP address of the network object or the name of the client application is present in the rule entries of the block list of the client system's firewall settings; if so, the detection result indicates that communication is abnormal, and if not, the detection result indicates that communication is normal; and/or,
to detect whether the client system has a local IP address on the same network segment as the IP address of the network object; if so, the detection result indicates that communication is abnormal, and if not, the detection result indicates that communication is normal; and/or,
to detect whether the route entries of the client system contain an IP address on the same network segment as the IP address of the network object; if so, the detection result indicates that communication is abnormal, and if not, the detection result indicates that communication is normal;
and/or,
to detect whether an IP address in the DNS settings of the client system is in the forbidden DNS list; if so, the detection result indicates that communication is abnormal, and if not, the detection result indicates that communication is normal; and/or,
to detect whether any entry of the client system's Hosts file contains the domain name of the network object; if so, the detection result indicates that communication is abnormal, and if not, the detection result indicates that communication is normal.
The access control unit 304 is adapted, when the detection result indicates that communication is abnormal, to repair the system setting detection items in the following ways:
when it is detected that the communication information of the network object is present in the block list of the client system's network protocol security settings, removing the communication information of the network object from the block list of the network protocol security settings; and/or,
when it is detected that the IP address of the network object or the name of the client application is present in the rule entries of the block list of the client system's firewall settings, removing the rule entries containing the IP address of the network object or the client application name from the block list of the firewall settings; and/or,
when it is detected that the client system has a local IP address on the same network segment as the IP address of the network object, removing from the client system the local IP address on the same network segment as the IP address of the network object;
and/or,
when it is detected that the route entries of the client system contain an IP address on the same network segment as the IP address of the network object, removing the route entry in the client system that has the same IP address as the IP address of the network object; and/or,
when it is detected that an IP address in the DNS settings of the client system is in the forbidden DNS list, changing the IP address in the DNS settings to a trusted DNS server address; and/or,
when it is detected that an entry of the client system's Hosts file contains the domain name of the network object, removing from the client system the Hosts file entry containing the domain name of the network object.
Optionally, the detection selection unit 300 is specifically adapted to select network filter drivers as the driver detection items;
the detection unit 302 is further adapted to detect whether a network filter driver is present in the blacklist; if so, the detection result indicates that communication is abnormal, and if not, the detection result indicates that communication is normal;
the access control unit 304 is further adapted, when the detection result indicates that communication is abnormal, to repair the network filter driver so that the detection result indicates normal communication, and when the detection result indicates that communication is normal, to allow the client application to access the network object.
The detection unit 302 is specifically adapted to detect whether a network filter driver is present in the blacklist in the following way: obtain the signature information and version information of the network filter driver from the registry and the network configuration interface of the client system; when the signature information and version information of the network filter driver are in the blacklist, confirm that the network filter driver is present in the blacklist, and when the signature information and version information of the network filter driver are not in the blacklist, confirm that the network filter driver is not present in the blacklist.
The access control unit 304 is adapted to repair a network filter driver in the following way: after backing up the network filter driver that is in the blacklist, remove that network filter driver; the detection result then indicates that communication is normal, and the client application is allowed to access the network object.
Further, the access control unit 304 is also adapted, after the network filter driver in the blacklist has been backed up and removed, the detection result indicates that communication is normal and the client application has been allowed to access the network object, to proceed as follows when the client application fails to access the network object: if the client application cannot successfully access a trusted third-party network object, confirm that the client application cannot access the network; if the client application can successfully access a trusted third-party network object, obtain the signature information and/or version information of the network filter drivers from the registry and the network configuration interface of the client system, and judge from that signature information and/or version information whether the client application has a network filter driver that is present in neither the blacklist nor the whitelist; if it does not, confirm that the client application cannot access the network; if it does, back up that network filter driver, remove it, and allow the client application to access the network object.
The detection unit 302 is specifically adapted to detect whether a network filter driver is present in the blacklist in the following way: obtain the signature information and/or version information of the network filter driver from the registry and the network configuration interface of the client system; when the signature information and/or version information of the network filter driver are in the blacklist, confirm that the network filter driver is present in the blacklist, and when they are not in the blacklist, confirm that the network filter driver is not present in the blacklist;
the detection unit 302 is specifically adapted to judge whether the client application has a network filter driver that is present in neither the blacklist nor the whitelist in the following way:
when the signature information and/or version information of a network filter driver is present in neither the blacklist nor the whitelist, confirm that the client application has a network filter driver that is present in neither the blacklist nor the whitelist; otherwise, confirm that the client application has no such network filter driver.
For the specific working of each unit in the device embodiment of the present invention, refer to the method embodiment of the present invention; it is not repeated here.
From the above, the embodiment of the present invention chooses the network protocol security settings, system firewall settings, local IP addresses, route entries, DNS settings and Hosts file as the system setting detection items, and uses the system setting detection items and the communication information of the network object as the technical means for access control. In this way the damage done by a malicious program to the client application's access to the network can be detected across multiple dimensions from the system kernel to user mode and the system settings, the damage the malicious program causes to communication between the client application and the network object can be effectively repaired, and normal access by the client application to the network object is ensured.
The embodiment of the present invention further provides a communication system. Referring to Fig. 4, the communication system comprises a client device 400, and the client device 400 comprises at least one detection device 402 for controlling client access to the network as provided by the above embodiment;
the network object that the client application 406 running on the client device 400 needs to access is the cloud security center server 404;
when the detection device 402 for controlling client access to the network allows the client application to access the cloud security center server 404, the client application 406 is adapted to send information on a suspicious file to the cloud security center server 404 and to receive the analysis result for that suspicious file issued by the cloud security center server 404.
The algorithms and displays provided herein are not inherently related to any particular computer, virtual system or other apparatus. Various general-purpose systems may also be used together with the teachings herein. From the description above, the structure required to construct such systems is apparent. Moreover, the present invention is not directed to any particular programming language. It should be understood that various programming languages may be used to implement the content of the invention described herein, and that the above description of a specific language is given to disclose the best mode of the invention.
Numerous specific details are described in the specification provided herein. It will be understood, however, that embodiments of the invention may be practised without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail so as not to obscure the understanding of this description.
Similarly, it should be understood that, in order to simplify the disclosure and to aid understanding of one or more of the various inventive aspects, in the above description of exemplary embodiments of the invention the various features of the invention are sometimes grouped together in a single embodiment, figure or description thereof. This method of disclosure, however, is not to be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art will appreciate that the modules in the apparatus of an embodiment can be adaptively changed and arranged in one or more apparatuses different from that embodiment. The modules, units or components of an embodiment can be combined into one module, unit or component, and can moreover be divided into multiple sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or apparatus so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose.
Furthermore, those skilled in the art will understand that, although some embodiments described herein include certain features that are included in other embodiments and not others, combinations of features of different embodiments are meant to be within the scope of the invention and to form different embodiments. For example, in the following claims, any of the claimed embodiments can be used in any combination.
The various component embodiments of the invention may be implemented in hardware, in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the detection device for controlling client access to the network according to the embodiments of the invention. The invention may also be implemented as an apparatus or device program (for example, a computer program and a computer program product) for performing part or all of the method described herein. Such a program implementing the invention may be stored on a computer-readable medium or may take the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the invention, and that those skilled in the art can design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several devices, several of these devices may be embodied by one and the same item of hardware. The use of the words first, second, third and so on does not indicate any order; these words may be interpreted as names.

Claims (15)

1. A detection method for controlling client access to a network, the method comprising:
selecting system setting detection items according to the client system, the system setting detection items comprising the network protocol security settings, system firewall settings, local IP addresses, route entries, domain name system (DNS) settings and/or Hosts file of the client system;
using the system setting detection items and the communication information of the network object that the client application needs to access to detect the communication between the client application and the network object;
when the detection result for the system setting detection items indicates that communication is abnormal, repairing the system setting detection items, and when the detection result indicates that communication is normal, allowing the client application to access the network object;
when repair of the system setting detection items fails, detecting the selected driver detection items, wherein the selected driver detection items are network filter drivers;
when the detection result for the driver detection items indicates that communication is abnormal, repairing the driver detection items, and when the detection result for the driver detection items indicates that communication is normal, allowing the client application to access the network object.
2. The method according to claim 1, wherein the communication information comprises the domain name and the IP address of the network object, and checking the communication between the client application and the network object using the system-setting check items and the communication information of the network object comprises:
detecting whether the block list of the client system's network protocol security settings contains the communication information of the network object; if so, the check result indicates abnormal communication, otherwise the check result indicates normal communication; and/or
detecting whether any rule entry in the block list of the client system's firewall settings contains the IP address of the network object or the name of the client application; if so, the check result indicates abnormal communication, otherwise the check result indicates normal communication; and/or
detecting whether the client system has a local IP address in the same network segment as the IP address of the network object; if so, the check result indicates abnormal communication, otherwise the check result indicates normal communication; and/or
detecting whether the route entries of the client system contain an IP address in the same network segment as the IP address of the network object; if so, the check result indicates abnormal communication, otherwise the check result indicates normal communication; and/or
detecting whether an IP address in the client system's DNS settings is on a forbidden DNS list; if so, the check result indicates abnormal communication, otherwise the check result indicates normal communication; and/or
detecting whether any entry of the client system's Hosts file contains the domain name of the network object; if so, the check result indicates abnormal communication, otherwise the check result indicates normal communication.
3. The method according to claim 2, wherein repairing the system-setting check item when the check result indicates abnormal communication comprises:
when the block list of the client system's network protocol security settings is found to contain the communication information of the network object, removing the communication information of the network object from that block list; and/or
when a rule entry in the block list of the client system's firewall settings is found to contain the IP address of the network object or the name of the client application, removing that rule entry from the firewall block list; and/or
when the client system is found to have a local IP address in the same network segment as the IP address of the network object, removing that local IP address from the client system; and/or
when the route entries of the client system are found to contain an IP address in the same network segment as the IP address of the network object, removing that route entry from the client system; and/or
when an IP address in the client system's DNS settings is found to be on the forbidden DNS list, changing that IP address in the DNS settings to the address of a reliable DNS server; and/or
when an entry of the client system's Hosts file is found to contain the domain name of the network object, removing that entry from the Hosts file.
4. The method according to any one of claims 1 to 3, wherein checking the selected driver check item comprises:
detecting whether the network filter driver is on a blacklist; if so, the check result for the network filter driver indicates abnormal communication; if not, the check result for the network filter driver indicates normal communication.
5. The method according to claim 4, wherein repairing the network filter driver comprises:
backing up the blacklisted network filter driver and then removing it; when the check result indicates normal communication, allowing the client application to access the network object.
6. The method according to claim 5, wherein, after the blacklisted network filter driver has been backed up and removed, the check result indicates normal communication and the client application has been allowed to access the network object, the method further comprises:
when the client application fails to access the network object it needs to access: if the client application cannot successfully access a trusted third-party network object, confirming that the client application cannot access the network; if the client application can successfully access the trusted third-party network object, judging whether the client system has a network filter driver that is on neither the blacklist nor the whitelist; if it does not, confirming that the client application cannot access the network; if it does, backing up and removing that network filter driver and then allowing the client application to access the network object it needs to access.
7. The method according to claim 6, wherein
detecting whether the network filter driver is on the blacklist comprises:
obtaining the signature information and/or the version information of the network filter driver from the registry and the network configuration interface of the client system;
when the signature information and/or the version information of the network filter driver is on the blacklist, confirming that the network filter driver is on the blacklist; when the signature information and/or the version information of the network filter driver is not on the blacklist, confirming that the network filter driver is not on the blacklist;
and judging whether the client system has a network filter driver that is on neither the blacklist nor the whitelist comprises:
when the signature information and/or the version information of a network filter driver is on neither the blacklist nor the whitelist, confirming that the client system has a network filter driver that is on neither the blacklist nor the whitelist; otherwise, confirming that the client system has no such network filter driver.
8. A detection apparatus for controlling a client's network access, the apparatus comprising:
a check-item selection unit, adapted to select system-setting check items according to the settings of the client system, the system-setting check items comprising the client system's network protocol security settings, system firewall settings, local IP addresses, route entries, domain name system (DNS) settings and/or Hosts file;
a checking unit, adapted to check the communication between the client application and the network object using the system-setting check items and the communication information of the network object that the client application needs to access;
an access control unit, adapted to repair a system-setting check item when its check result indicates abnormal communication, and to allow the client application to access the network object when the check result indicates normal communication;
the check-item selection unit being further adapted to select a driver check item, the selected driver check item being a network filter driver;
the checking unit being further adapted to check the selected driver check item when repairing the system-setting check item fails;
the access control unit being further adapted to repair the driver check item when its check result indicates abnormal communication, and to allow the client application to access the network object when the check result for the driver check item indicates normal communication.
9. The apparatus according to claim 8, wherein the communication information comprises the domain name and the IP address of the network object, and
the checking unit is specifically adapted to detect whether the block list of the client system's network protocol security settings contains the communication information of the network object; if so, the check result indicates abnormal communication, otherwise the check result indicates normal communication; and/or
to detect whether any rule entry in the block list of the client system's firewall settings contains the IP address of the network object or the name of the client application; if so, the check result indicates abnormal communication, otherwise the check result indicates normal communication; and/or
to detect whether the client system has a local IP address in the same network segment as the IP address of the network object; if so, the check result indicates abnormal communication, otherwise the check result indicates normal communication; and/or
to detect whether the route entries of the client system contain an IP address in the same network segment as the IP address of the network object; if so, the check result indicates abnormal communication, otherwise the check result indicates normal communication; and/or
to detect whether an IP address in the client system's DNS settings is on a forbidden DNS list; if so, the check result indicates abnormal communication, otherwise the check result indicates normal communication; and/or
to detect whether any entry of the client system's Hosts file contains the domain name of the network object; if so, the check result indicates abnormal communication, otherwise the check result indicates normal communication.
10. The apparatus according to claim 8, wherein the access control unit is adapted to repair the system-setting check item, when the check result indicates abnormal communication, in the following manner:
when the block list of the client system's network protocol security settings is found to contain the communication information of the network object, removing the communication information of the network object from that block list; and/or
when a rule entry in the block list of the client system's firewall settings is found to contain the IP address of the network object or the name of the client application, removing that rule entry from the firewall block list; and/or
when the client system is found to have a local IP address in the same network segment as the IP address of the network object, removing that local IP address from the client system; and/or
when the route entries of the client system are found to contain an IP address in the same network segment as the IP address of the network object, removing that route entry from the client system; and/or
when an IP address in the client system's DNS settings is found to be on the forbidden DNS list, changing that IP address in the DNS settings to the address of a reliable DNS server; and/or
when an entry of the client system's Hosts file is found to contain the domain name of the network object, removing that entry from the Hosts file.
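The Python script below is a worked example added here; it is not code from the patent or from the assignee. It implements the six system-setting checks of claims 2 and 9 and the matching repairs of claims 3 and 10 over a constructed snapshot of a client's settings. The data layout (block-list entries as strings, firewall rules as (name, target) pairs, CIDR strings for local addresses and routes, (IP, hostname) pairs for Hosts entries), the forbidden-DNS list, the "reliable DNS server" address 192.0.2.53 and the reading of "same network segment" as "a non-default prefix that contains the target address" are all assumptions: the claims name the checks but not how the settings are read or stored.

```python
"""System-setting checks (claims 2/9) and repairs (claims 3/10).

Added example, not the patent's own code. Every structure and value here
is constructed for illustration; real clients read these settings from the
OS (IP security policy, firewall rules, interfaces, route table, resolver
configuration, Hosts file), which the claims do not specify.
"""
import ipaddress
from dataclasses import dataclass, field, replace as dc_replace


@dataclass
class NetworkObject:
    domain: str
    ip: str


@dataclass
class ClientSettings:
    app_name: str                                # name of the client application
    protocol_block_list: list = field(default_factory=list)   # network protocol security block list
    firewall_block_rules: list = field(default_factory=list)  # (rule_name, target): target is an IP or app name
    local_ips: list = field(default_factory=list)             # local addresses with prefix, e.g. "10.0.0.5/24"
    route_entries: list = field(default_factory=list)         # destination networks, e.g. "10.0.0.0/24"
    dns_servers: list = field(default_factory=list)           # resolver addresses in the DNS settings
    hosts_entries: list = field(default_factory=list)         # (ip, hostname) lines of the Hosts file


FORBIDDEN_DNS = {"198.51.100.53"}   # constructed forbidden-DNS list
TRUSTED_DNS = "192.0.2.53"          # constructed "reliable DNS server" address (assumption)


def same_segment(target_ip: str, cidr: str) -> bool:
    """True when cidr is a non-default network that contains target_ip (assumed reading of 'same segment')."""
    net = ipaddress.ip_network(cidr, strict=False)
    return net.prefixlen > 0 and ipaddress.ip_address(target_ip) in net


def check_settings(s: ClientSettings, obj: NetworkObject) -> list:
    """Return the names of the check items whose result is 'abnormal communication'."""
    abnormal = []
    if any(e in (obj.domain, obj.ip) for e in s.protocol_block_list):
        abnormal.append("protocol_security")
    if any(target in (obj.ip, s.app_name) for _, target in s.firewall_block_rules):
        abnormal.append("firewall")
    if any(same_segment(obj.ip, c) for c in s.local_ips):
        abnormal.append("local_ip")
    if any(same_segment(obj.ip, c) for c in s.route_entries):
        abnormal.append("route")
    if any(d in FORBIDDEN_DNS for d in s.dns_servers):
        abnormal.append("dns")
    if any(h.lower() == obj.domain.lower() for _, h in s.hosts_entries):
        abnormal.append("hosts")
    return abnormal


def repair_settings(s: ClientSettings, obj: NetworkObject) -> ClientSettings:
    """Apply the claim-3 repairs and return a new settings snapshot (the input is left untouched)."""
    return dc_replace(
        s,
        protocol_block_list=[e for e in s.protocol_block_list if e not in (obj.domain, obj.ip)],
        firewall_block_rules=[r for r in s.firewall_block_rules if r[1] not in (obj.ip, s.app_name)],
        local_ips=[c for c in s.local_ips if not same_segment(obj.ip, c)],
        route_entries=[c for c in s.route_entries if not same_segment(obj.ip, c)],
        dns_servers=[TRUSTED_DNS if d in FORBIDDEN_DNS else d for d in s.dns_servers],
        hosts_entries=[(ip, h) for ip, h in s.hosts_entries if h.lower() != obj.domain.lower()],
    )


def sample_state():
    """Constructed client snapshot in which every one of the six checks fires."""
    obj = NetworkObject("cloud.example.invalid", "203.0.113.10")
    s = ClientSettings(
        app_name="client.exe",
        protocol_block_list=["203.0.113.10"],
        firewall_block_rules=[("block-client", "client.exe"), ("allow-web", "198.51.100.7")],
        local_ips=["10.0.0.5/24", "203.0.113.2/24"],        # second one shadows the target's segment
        route_entries=["0.0.0.0/0", "203.0.113.0/24"],      # default route is not a hit; the /24 is
        dns_servers=["198.51.100.53"],
        hosts_entries=[("127.0.0.1", "cloud.example.invalid"), ("127.0.0.1", "localhost")],
    )
    return s, obj


if __name__ == "__main__":
    settings, target = sample_state()
    print("abnormal before repair:", check_settings(settings, target))
    print("abnormal after repair: ", check_settings(repair_settings(settings, target), target))
```

On the sample state all six items are abnormal before the repair and none after it. Two points worth noting: the firewall check matches on the client application's name as well as on the target address, so a rule that names no IP at all is still removed; and the same repairs applied to settings an administrator placed deliberately would silently undo policy, so a real implementation should record every removed entry (the claims already require a backup before a driver is removed, and the same discipline is appropriate here).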
11. The apparatus according to claim 8, wherein
the checking unit is further adapted to detect whether the network filter driver is on a blacklist; if so, the check result for the network filter driver indicates abnormal communication; if not, the check result for the network filter driver indicates normal communication.
12. The apparatus according to claim 11, wherein
the access control unit is adapted to repair the network filter driver in the following manner: backing up the blacklisted network filter driver and then removing it; when the check result indicates normal communication, allowing the client application to access the network object.
13. The apparatus according to claim 12, wherein the access control unit is further adapted, after the blacklisted network filter driver has been backed up and removed, the check result indicates normal communication and the client application has been allowed to access the network object, to act as follows when the client application fails to access the network object it needs to access: if the client application cannot successfully access a trusted third-party network object, confirming that the client application cannot access the network; if the client application can successfully access the trusted third-party network object, judging whether the client system has a network filter driver that is on neither the blacklist nor the whitelist; if it does not, confirming that the client application cannot access the network; if it does, backing up and removing that network filter driver and then allowing the client application to access the network object it needs to access.
14. The apparatus according to claim 13, wherein
the checking unit is specifically adapted to detect whether the network filter driver is on the blacklist in the following manner: obtaining the signature information and/or the version information of the network filter driver from the registry and the network configuration interface of the client system; when the signature information and/or the version information of the network filter driver is on the blacklist, confirming that the network filter driver is on the blacklist; when the signature information and/or the version information of the network filter driver is not on the blacklist, confirming that the network filter driver is not on the blacklist;
and the checking unit is specifically adapted to judge whether the client system has a network filter driver that is on neither the blacklist nor the whitelist in the following manner:
when the signature information and/or the version information of a network filter driver is on neither the blacklist nor the whitelist, confirming that the client system has a network filter driver that is on neither the blacklist nor the whitelist; otherwise, confirming that the client system has no such network filter driver.
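The Python script below is a worked example added here; it is not code from the patent or from the assignee. It implements the driver-side procedure of claims 4 to 7 and the matching apparatus claims 11 to 14: the blacklist check keyed on signature and version information, the back-up-then-remove repair, and the fallback that probes a trusted third-party object and removes an unlisted filter driver. The driver records, the contents of the blacklist and whitelist, the use of the signer's name as the "signature information", and the connectivity probes (passed in as callables) are all constructed assumptions; the claims say the information comes from the registry and the network configuration interface but fix no format for it.

```python
"""Network filter driver check and access decision (claims 4-7; apparatus claims 11-14).

Added example, not the patent's own code. Driver records, list contents and
the connectivity probes are constructed; a real client would read signature
and version information from the registry and the network configuration
interface and probe connectivity over the network.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class FilterDriver:
    name: str
    signer: str    # "signature information", assumed here to be the signer's name
    version: str   # "version information"


# Constructed lists keyed on (signer, version); the claims match on signature and/or version.
BLACKLIST = {("Shady Networks Ltd", "1.0.0.1")}
WHITELIST = {("Example OS Vendor", "10.0.1"), ("Example AV Inc", "4.2.0")}


def on_list(driver: FilterDriver, listing: set) -> bool:
    return (driver.signer, driver.version) in listing


def blacklisted(drivers: list) -> list:
    """Claim 4: the driver check result is abnormal when any installed filter driver is blacklisted."""
    return [d for d in drivers if on_list(d, BLACKLIST)]


def unlisted(drivers: list) -> list:
    """Claim 6: filter drivers on neither the blacklist nor the whitelist."""
    return [d for d in drivers if not on_list(d, BLACKLIST) and not on_list(d, WHITELIST)]


class DriverStore:
    """Constructed stand-in for the installed filter drivers; removal always backs up first (claim 5)."""

    def __init__(self, drivers):
        self.installed = list(drivers)
        self.backups = []

    def backup_and_remove(self, driver: FilterDriver) -> None:
        self.backups.append(driver)
        self.installed.remove(driver)


def decide_access(store: DriverStore, reach_target, reach_trusted) -> tuple:
    """Run the claim 5/6 procedure and return (allowed, reason).

    reach_target and reach_trusted are zero-argument callables standing in for
    connectivity probes to the network object and to a trusted third-party object.
    """
    for d in blacklisted(store.installed):      # claim 5: back up, then remove
        store.backup_and_remove(d)
    if reach_target():
        return True, "target reachable"
    if not reach_trusted():                      # claim 6: not even a trusted object is reachable
        return False, "client cannot access network"
    unknown = unlisted(store.installed)
    if not unknown:                              # only known drivers remain, yet still blocked
        return False, "client cannot access network"
    for d in unknown:                            # claim 6: back up and remove the unlisted driver
        store.backup_and_remove(d)
    return True, "unlisted filter driver removed; access allowed"


def sample_drivers() -> list:
    """Constructed driver set: one whitelisted, one blacklisted, one unknown."""
    return [
        FilterDriver("osfilter.sys", "Example OS Vendor", "10.0.1"),
        FilterDriver("shady.sys", "Shady Networks Ltd", "1.0.0.1"),
        FilterDriver("mystery.sys", "Unknown Corp", "2.1"),
    ]


def scenario_unlisted_driver_blocks():
    """Constructed case: the target stays unreachable while mystery.sys is loaded."""
    store = DriverStore(sample_drivers())

    def reach_target():
        return all(d.name != "mystery.sys" for d in store.installed)

    return decide_access(store, reach_target, lambda: True), store


if __name__ == "__main__":
    (allowed, reason), store = scenario_unlisted_driver_blocks()
    print(allowed, reason, "backed up:", [d.name for d in store.backups])
```

In the sample scenario the blacklisted driver is removed first, the target is still unreachable, the trusted object is reachable, and so the unknown driver is backed up and removed before access is allowed. Two caveats the claims leave implicit: the last step removes software purely because it is unrecognised, so the backup is what keeps the action reversible and should be retained until connectivity is confirmed; and matching on a signer name and version string read from the registry is weaker than verifying the driver's code signature itself, because whoever installed the driver also wrote those registry values.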
15. A communication system, the system comprising a client device, the client device comprising the detection apparatus for controlling a client's network access according to any one of claims 8 to 14,
wherein the network object that the client application running on the client device needs to access is a cloud security center server;
and when the detection apparatus for controlling the client's network access allows the client application to access the cloud security center server, the client application is adapted to send information about a suspicious file to the cloud security center server and to receive the analysis result for the information about the suspicious file issued by the cloud security center server.
Priority Applications (3)

Application Number Priority Date Filing Date Title
CN201210345506.7A CN102868694B (en) 2012-09-17 2012-09-17 Control the detection method of client-access network, device and system
CN201510415431.9A CN105100092B (en) 2012-09-17 2012-09-17 Client is controlled to access detection method, the device and system of network
PCT/CN2013/083629 WO2014040571A1 (en) 2012-09-17 2013-09-17 Inspection method, device, and system for controlling network access of client

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201210345506.7A CN102868694B (en) 2012-09-17 2012-09-17 Control the detection method of client-access network, device and system

Related Child Applications (1)

Application Number Title Priority Date Filing Date
CN201510415431.9A Division CN105100092B (en) 2012-09-17 2012-09-17 Client is controlled to access detection method, the device and system of network

Publications (2)

Publication Number Publication Date
CN102868694A CN102868694A (en) 2013-01-09
CN102868694B true CN102868694B (en) 2015-08-19

Family

ID=47447285

Family Applications (2)

Application Number Title Priority Date Filing Date
CN201210345506.7A Active CN102868694B (en) 2012-09-17 2012-09-17 Control the detection method of client-access network, device and system
CN201510415431.9A Active CN105100092B (en) 2012-09-17 2012-09-17 Client is controlled to access detection method, the device and system of network

Country Status (2)

Country Link
CN (2) CN102868694B (en)
WO (1) WO2014040571A1 (en)

Families Citing this family (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102868694B (en) * 2012-09-17 2015-08-19 北京奇虎科技有限公司 Control the detection method of client-access network, device and system
CN104144063B (en) * 2013-05-08 2018-08-10 朱烨 Web portal security monitoring and alarming system based on log analysis and firewall security matrix
CN103269389B (en) * 2013-06-03 2016-05-25 北京奇虎科技有限公司 Check and repair the method and apparatus that malice DNS arranges
CN105868632B (en) * 2016-04-20 2018-11-16 北京金山安全软件有限公司 Method and device for intercepting and releasing DHCP (dynamic host configuration protocol)
CN105791033A (en) * 2016-05-09 2016-07-20 浪潮电子信息产业股份有限公司 Method, device and system for regulating operating state of server
CN106411860B (en) * 2016-09-07 2019-09-17 微梦创科网络科技(中国)有限公司 A kind of method and device of Internet protocol IP detection
CN107995152B (en) * 2016-10-27 2020-07-03 腾讯科技(深圳)有限公司 Malicious access detection method and device and detection server
US11005871B2 (en) * 2018-01-10 2021-05-11 AVAST Software s.r.o. Cloud-based anomalous traffic detection and protection in a remote network via DNS properties
CN108566643A (en) * 2018-04-24 2018-09-21 深信服科技股份有限公司 APP access control methods, system, terminal device and storage medium
CN109858236A (en) * 2018-12-29 2019-06-07 北京奇安信科技有限公司 A kind of drive load monitoring and managing method and client
CN112311626A (en) * 2020-10-29 2021-02-02 山东大学 Method for detecting computer network abnormity
CN112565447B (en) * 2020-12-17 2022-09-09 南京维拓科技股份有限公司 Encryption and decryption method and system matched with uploading and downloading in cloud environment and WEB file manager

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101141243A (en) * 2006-09-08 2008-03-12 飞塔信息科技(北京)有限公司 Device and method for carrying out security check and content filtering on communication data
CN102436402A (en) * 2011-03-29 2012-05-02 奇智软件(北京)有限公司 Module repairing method in software and software equipment

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070061818A1 (en) * 2005-09-12 2007-03-15 Microsoft Corporation Detection of devices during operating system setup
US8631488B2 (en) * 2008-08-04 2014-01-14 Cupp Computing As Systems and methods for providing security services during power management mode
CN102064979B (en) * 2010-12-15 2013-04-03 刘俊 Network fault restoration system, device and method
CN102436560A (en) * 2011-08-22 2012-05-02 高振宇 Computer self-defending system and method
CN102868694B (en) * 2012-09-17 2015-08-19 北京奇虎科技有限公司 Control the detection method of client-access network, device and system

Also Published As

Publication number Publication date
CN105100092A (en) 2015-11-25
CN102868694A (en) 2013-01-09
WO2014040571A1 (en) 2014-03-20
CN105100092B (en) 2018-06-12

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20220711

Address after: Room 801, 8th floor, No. 104, floors 1-19, building 2, yard 6, Jiuxianqiao Road, Chaoyang District, Beijing 100015

Patentee after: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)

Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Patentee before: Qizhi software (Beijing) Co., Ltd