CN101431521A - Anti-Trojan network security system and method - Google Patents
Anti-Trojan network security system and method Download PDFInfo
- Publication number
- CN101431521A CN101431521A CNA2008102272823A CN200810227282A CN101431521A CN 101431521 A CN101431521 A CN 101431521A CN A2008102272823 A CNA2008102272823 A CN A2008102272823A CN 200810227282 A CN200810227282 A CN 200810227282A CN 101431521 A CN101431521 A CN 101431521A
- Authority
- CN
- China
- Prior art keywords
- trojan
- service end
- application layer
- layer data
- packet
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Images
Landscapes
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention relates to network safety system and method, more concretely a network safety system and method for preventing Trojan. A control terminal (240) is connected with server (210) through Internet (230) so that control terminal (240) transmits instruction to server (210) and /or server (210) transmits data back to control terminal (240). The network safety system of the invention identifies Trojan virus through virus identification module (221), performs protection operation for server (210) through strategy control module (222). In one embodiment, Trojan virus is identified based on data of application layer, while in another embodiment based on data of application layer and TCP head or IP head information, and based on relation between data packet during connection. The network safety system and method for preventing Trojan of the invention are widely used among LAN and single PC.
Description
Technical field
The present invention relates to a kind of network safety system and method, relate in particular to a kind of network safety system and method for defending wooden horse.
Background technology
Computer networking technology has influence on the various aspects of individual and enterprise at present.Nearly all computer, even personal communication apparatus as mobile phone, all have been connected on the Internet, and the Internet has been deep into the every nook and cranny of society.The universal information security that makes of the Internet becomes important social concern, many unique program developers are write a large amount of Trojan Horse (abbreviation wooden horse) program, in order to spying on other people privacy and to steal other people confidential information such as Web bank's account number etc., and then try to gain economic interests.
Trojan Horse (abbreviation wooden horse) program normally when affectedly carrying out some operation, is carried out the undesirable operation of user.For example, a trojan horse program will oneself show as a logging program, and the prompting user inputs number of the account and password, collects important information whereby, the secret then control end that sends to.Wooden horse is actual to be exactly a kind of program of stealing other people data that is specifically designed to, be implanted to user's computer when wooden horse after, computer will be monitored.The lighter sends to information such as network number of the account, password hacker's mailbox with the form of mail.Weight person, the wooden horse producer can control user's machine as the machine of operation oneself, even can remote monitoring user all operations.Usually wooden horse has three kinds of working methods, and controlled data theft type, particular data are stolen type and puppet's type wooden horse.Fig. 1 is the working method of controlled data theft type wooden horse, and wherein, service end is an end that has been mounted trojan horse program, and control end is an end of remote control service end.For controlled data theft type wooden horse, control end 112 is according to himself needs selection passback data, and the concrete course of work is as follows:
1. set up being connected between service end 111 and the control end 112, connected mode has two kinds:
(1) initiate the connection of service-oriented end 111 by control end 112, promptly control end 112 is stolen data from service end 111 targetedly, and this connected mode appears in the directed wooden horse implantation pattern usually;
(2) implantation of wooden horse is not at certain special services end, and control end 112 waits for that service end 111 initiations of having implanted wooden horse connect, and this connected mode appears in the non-directional wooden horse implantation pattern usually.
2. control end 112 sends instruction, obtains the data of service end 111;
3. service end 111 receives instruction, the data of passback service end 111.
Steal the type wooden horse for particular data, service end sends the data directly to control end, does not need control end to send instruction.Particular data is stolen the type wooden horse and is had purpose and specific aim, and promptly to steal the type wooden horse be the trojan horse of stealing customizing messages at the special services end to particular data.
For puppet's type wooden horse, control end directly sends instructions to service end, does not need service end passback data to control end, and the purpose of puppet's type wooden horse is control and monitor service end.
The method of present defence wooden horse has multiple, mainly is pre-anti-Trojan (as fire compartment wall) and checking and killing Trojan (as antivirus software).Fire compartment wall is by monitoring PORT COM and agreement PORT COM to be limited the invasion that prevents virus, and major function is that intrusive viruses is isolated and prevented hacker attacks, and is very faint for the preventive and therapeutic effect of wooden horse.The checking and killing Trojan instrument that exists on the market is when moving in system, the system file of preserving on process in the scanning system internal memory and the hard disk, and coupling correlated characteristic file, thus find wooden horse.
Wooden horse is actual to be exactly one and to slip into service end inside, obtains the program of its operating right, and this program does not have aggressiveness to system itself.Therefore, even service end has suffered wooden horse, as long as before information sends to control end, can success be blocked, wooden horse has also just lost the effect of control service end.In view of this kind characteristics of wooden horse and the significant damage of wooden horse, service end still has been mounted under the situation of wooden horse on the basis of pre-anti-Trojan and checking and killing Trojan, still needs a kind of method that user data is sent to control end that effectively prevents to remedy anti-deficiency of killing wooden horse.
Summary of the invention
The present invention is directed to above deficiency, provide a kind of control end that can effectively prevent to steal the system and method for service end confidential information by trojan horse.
In first aspect, the invention provides a kind of network equipment of anti-Trojan, comprise viral identification module and strategic control module; Control end links to each other with service end by the Internet, so that control end sends instruction to service end, and/or service end returns data to control end; The analysis of virus identification module is discerned trojan horse from control end and/or from the application layer data in the packet of service end; Recognizing under the situation of trojan horse, strategic control module is taked the protection operation to service end.
In second aspect, the invention provides a kind of computer system of anti-Trojan, comprise viral identification module and strategic control module; Control end links to each other with this computer system by the Internet, so that control end sends instruction to this computer system, and/or this computer system returns data to control end; The analysis of virus identification module is discerned trojan horse from the application layer data in the packet of control end and/or this computer system; Recognizing under the situation of trojan horse, strategic control module is taked the protection operation to this computer system.
In the third aspect; the invention provides a kind of network security method of anti-Trojan; this method is; intercepting and capturing are sent and/or are sent to the packet of service end by service end; according to the application layer data in packet identification trojan horse, service end is taked the protection operation recognizing under the situation of trojan horse.
In one embodiment of the invention, based on the application layer data in the packet and TCP head and/or IP header identification trojan horse; In another embodiment of the present invention, based on the relation recognition trojan horse between a plurality of packets in once connecting; In yet another embodiment of the present invention, based on the relation recognition trojan horse between the packet in repeatedly connecting.
The present invention promptly sends the application layer data in the data packets for transmission in instruction and/or the passback data procedures, identification trojan horse by analyzing by analyzing the feature of wooden horse transmission data.Strategic control module is taked the protection operation to service end.System and method of the present invention has prevented that effectively service end from being stolen important information by other people, remedied pre-anti-Trojan and checking and killing Trojan after service end still be mounted the deficiency that wooden horse brought.
Description of drawings
Below with reference to accompanying drawings specific embodiments of the present invention is described in detail, in the accompanying drawings:
The working method of the controlled data theft type of Fig. 1 wooden horse;
The system block diagram of Fig. 2 defence wooden horse of the present invention;
Fig. 3 is based on the schematic diagram of application layer data identification wooden horse;
Fig. 4 is based on the flow chart of application layer data identification wooden horse;
Fig. 5 is based on the flow chart of IP header and application layer data identification wooden horse;
Fig. 6 is based on the schematic diagram of link information identification wooden horse;
Fig. 7 is based on the flow chart of link information identification wooden horse;
Fig. 8 is based on the flow chart of relation recognition wooden horse between connecting.
Embodiment
In order to make purpose of the present invention and technical scheme more clear, the network safety system and the method for anti-Trojan of the present invention are elaborated below in conjunction with accompanying drawing and embodiment.
Fig. 2 is a defence wooden horse system block diagram of the present invention.This system comprises control end 240, service end 210, the Internet 230 and the network equipment 220.Control end 240 is sides that service end 210 carried out Long-distance Control, and service end 210 is sides of controlled terminal 240 Long-distance Control; The Internet 230 is network carriers that 240 pairs of service ends of control end 210 are carried out Long-distance Control; The network equipment 220 is connected between control end 240 and the service end 210, is positioned at service end 210 1 sides, and its hardware entities is generally router, switch, gateway etc.
The network equipment 220 comprises viral identification module 221 and strategic control module 222, and viral identification module 221 and strategic control module 222 are used for discerning the trojan horse with Control Network.Need to prove to have a module with viral identification module 221 and strategic control module 222 said functions also within protection scope of the present invention.
Virus identification module 221 is checked TCP head and/or IP header, and the application layer data in the packet is analyzed the relation between a plurality of packets, and according to the information Recognition trojan horse in the trojan horse storehouse.222 pairs of strategic control modules have suffered the service end 210 of trojan horse and have taked the protection operation, and concrete mode is to stop the transmission by caused this packet of trojan horse; Disconnect the connection that sends this packet, promptly disconnect by the caused connection of trojan horse; Notification service end 210 has suffered certain wooden horse, so that the user of service end 210 is to service end 210 checking and killing Trojans.
Among Fig. 2, control end 240 is 230 transmission instructions through the Internet, and this instruction is intercepted and captured by the network equipment 220; Whether the transmission of virus identification module 221 these instructions of identification is caused by trojan horse; If the transmission of this instruction is caused that by trojan horse viral identification module 221 transmission information 202 are to strategic control module 222; Thus, strategic control module 222 transmission information 203, notification service end 210 has suffered certain trojan horse, and strategic control module 222 disconnects and connects 201 simultaneously; If the transmission of this instruction is caused that by trojan horse viral identification module 221 transmission information 202 are to strategic control module 222; Strategic control module 222 sends to service end 210 with this command information.
Service end 210 passback data, these data are intercepted and captured by the network equipment 220, and whether the transmission of viral identification module 221 these data of identification is caused by trojan horse; If the transmission of these data is caused that by trojan horse viral identification module 221 transmission information 205 are to strategic control module 222; Thus, strategic control module 222 transmission information 207, notification service end 210 has suffered certain trojan horse, and strategic control module 222 disconnects and connects 206 simultaneously.If the transmission of these data is caused that by trojan horse viral identification module 221 transmission information 205 are to strategic control module 222; Strategic control module 222 sends to control end 240 with these data.Among the figure, the passback circuit represents that with solid line command link dots.
In the present invention, when service end 210 has been mounted trojan horse program, control end 240 receives in instruction and the process according to these instruction passback data to data and the service end 210 that service end 210 transmission command requests obtain service end 210, by analysis instruction feature, data transmission characteristics and transport behavior feature identification trojan horse, and then prevent the information leakage of service end 210.
Control end 240 sends the process of instruction and service end 210 process to control end passback data to service end 210, all is the process of data packet transmission.Therefore, analyze the TCP head and/or the IP header of packet, the application layer data in the packet, sequence that packet is formed or the annexation between a plurality of packet, just can learn i.e. this transmission instruction of transmission of this packet or return data, whether by the caused operation of trojan horse.
In one embodiment of the invention, by analyzing the application layer data in the packet, check whether the transmission of this packet is caused by trojan horse, and then learn whether service end 210 has been mounted trojan horse program.
Fig. 3 is based on the schematic diagram of application layer data identification wooden horse.Packet 310 among Fig. 3 and packet 320 are partial contents of two packets in the transmission; The dark part 311 of packet 310 and the dark part 321 of packet 320 are respectively the application layer data of packet 310 and the application layer data of packet 320.Virus identification module 221 is checked the application layer data 311 of packet 310 and the application layer data 321 of packet 320, learn that by analysis application layer data 311 and application layer data 321 all comprise hexadecimal string---and " fe 12 00 00 ", with this character string " fe 12 00 00 " compare with the content in trojan horse storehouse, if trojan horse comprise in the storehouse " fe 12 00 00 " information, then application layer data 311 and application layer data 321 have the trojan horse feature, and the transmission of packet 310 and packet 320 is caused by trojan horse.
Need to prove, application layer data 311 and application layer data 321 can be service end 210 with control end 240 between set up twice and be connected the data of being transmitted, also can be service end 210 with control end 240 between set up and once be connected the data of being transmitted.Therefore, the method for discerning trojan horse according to the application layer data in the packet is applicable to that service end 210 is connected repeatedly with control end 240, and each situation that connects the one or more packets of transmission; Simultaneously, be applicable to that also service end 210 is connected once with control end 240, and transmit the situation of one or more packets.
Fig. 4 is based on the flow chart of application layer data identification wooden horse.
Service end 210 needs through the network equipment 220 sending packet and receiving in the process of packet.As shown in Figure 4, packet is intercepted and captured by it through the network equipment 220 time; Virus identification module 221 is analyzed the application layer data in the packet that intercepts, and this application layer data and trojan horse storehouse are compared; If when some content of this application layer data is consistent with some content in the trojan horse storehouse, confirm that the transmission of this packet is caused by trojan horse; Strategic control module 222 is searched the service end 210 that is mounted wooden horse, disconnects the connection that sends this packet, and notification service end 210 has suffered certain trojan horse.
In another embodiment of the present invention, by analyzing IP header and application layer data identification trojan horse.For conspicuous trojan horse, viral identification module 221 determines by the analyzing IP header whether this IP head has the feature of trojan horse.For example, virus identification module 221 is analyzed the IP header of certain packet, the destination interface of learning this packet is 8374, according to the trojan horse storehouse as can be known, port 8374 is ports of the control end 240 of transmission wooden horse, therefore can reach a conclusion, the IP head of this packet has the feature of trojan horse, and the transmission with packet of this IP head is caused by trojan horse.Yet the IP header of at present a lot of packets does not comprise the information that is easy to discern the wooden horse feature, comprises the port 21 of FTP as the IP header of some packet, or the port 80 of http, or other known port, and then the concealment trojan horse, prevent that the user from identifying it easily.
For this type of and the not obvious IP head that comprises the packet of trojan horse feature, whether the transmission that can't discern the packet with this IP head is easily caused by trojan horse, the present invention is by further analyzing the application layer data identification trojan horse in the packet, the method identification trojan horse that promptly adopts analyzing IP header and application layer data to combine.
Fig. 5 is based on the flow chart of IP header and application layer data identification wooden horse.
Service end 210 needs through the network equipment 220 sending packet and receiving in the process of packet.As shown in Figure 5, packet is intercepted and captured by it through the network equipment 220 time; Virus identification module 221 is analyzed the IP header of the packet that intercepts, if this IP header comprises the trojan horse feature, strategic control module 222 will disconnect the connection of this packet of transmission, and notification service end 210 has suffered certain trojan horse; If the not obvious trojan horse characteristic information that comprises of the IP header of this packet is then further checked the application layer data in this packet; The IP header and the application layer data of this packet are compared with the trojan horse storehouse, and then judge whether the transmission of this packet is caused by trojan horse; If determine to exist trojan horse, strategic control module 222 disconnects the connection of this packet of transmission, and the notification service end has suffered certain trojan horse.
Though preamble embodiment puts down in writing first analyzing IP header analytical applications layer data and then identification trojan horse again, need to prove, also can first analytical applications layer data analyzing IP header again, just, in identification wooden horse process, there are not sequencing in analyzing IP header and analytical applications layer data.
In yet another embodiment, the invention provides the method that a kind of TCP header by the analysis packet is discerned trojan horse, this method has identical execution mode with the method for the IP header identification trojan horse of analyzing packet.
In another embodiment, the invention provides a kind of method of discerning trojan horse by the TCP header and the application layer data of analysis packet.
In yet another embodiment, the invention provides a kind of method identification trojan horse by analyzing IP header, TCP header and application layer data.
For trojan horse with distinguishing feature, only need to analyze a small amount of application layer data or a small amount of TCP head and/or IP header and add application layer data, just can determine whether the transmission of this packet is caused by trojan horse.Yet, for trojan horse not easy to identify, as wooden horse through mutation, by discerning the feature string in a spot of packet, whether the transmission that can't determine this packet is caused by trojan horse that the feature string that therefore needs to analyze the mass data bag can even can not confirm still whether the transmission of this packet is caused by trojan horse.
In yet another embodiment of the present invention, still can't determine whether to exist the situation of trojan horse, propose a kind of method based on packet link information identification wooden horse for the feature string of having analyzed the mass data bag.This method at be to send a plurality of packets in connection procedure, on the basis of the application layer data in checking packet, analyze the logical relation between each packet, promptly analyze the rule between the data packets for transmission in connection procedure, and with this rule and the contrast of trojan horse storehouse, and then identification trojan horse.
Fig. 6 is based on the application layer data in the packet of link information identification wooden horse, the certain applications layer data of the packet of each line display among the figure.Among Fig. 6, the first line character string comprises feature string " tGP7 ", and promptly Chuan Shu this packet comprises feature string " tGP7 ", and contrast trojan horse storehouse is found to have the packet danger close of this character string, but can not be determined whether to exist trojan horse; Further analyze the application layer data in other packet, find that the 3rd packet comprises feature string " iGQ6 "; Contrast trojan horse storehouse as can be known, successively character string " tGP7 " appears and " iGQ6 " is the feature of trojan horse in connection procedure, therefore this connection is the connection that is caused by trojan horse, and the transmission of all packets in this connection all is by the caused transmission of trojan horse.
Fig. 7 is based on the flow chart of link information identification wooden horse.
Service end 210 and control end 240 are in connection procedure, transmission plurality of data bag, the present invention distinguishes the logical relation between each packet by analyzing the application layer data in each packet in this connection procedure, and should concerning and the contrast of trojan horse storehouse, and then identification trojan horse.Detailed process as shown in Figure 7, all packets of transmission during the network equipment 220 is intercepted and captured and once connected; Virus identification module 221 is analyzed the application layer data in each packet one by one; When finding suspicious information in the application layer data of viral identification module 221 at certain packet and can not determine whether this information is the wooden horse feature, viral identification module 221 continues to analyze other packet in this connection; When viral identification module 221 finds that there is another suspicious information in the application layer data of other packet, contrast trojan horse storehouse; If when earlier the suspicious information of suspicious information of finding and back discovery and trojan horse stock some content of putting was consistent, this was connected to the connection that trojan horse causes; Strategic control module 222 disconnects this connection, and notification service end 210 has suffered certain trojan horse.
For the stronger wooden horse of some disguise,, can't determine whether to exist trojan horse by analyzing the relation between the data in connection bag one time.
In another embodiment of the present invention, by analyze repeatedly connect in relation between the packet, relation between promptly connecting, and should concern with the trojan horse storehouse and compare, and then discern trojan horse.Described repeatedly connect be service end 210 with control end 240 between repeatedly be connected; Analyzing the relation between repeatedly connecting, is on the application layer data basis of analyzing all packets, searches the relation between all connections.The type of described relation has multiple, and for example certain application layer data that once connects comprises the IP address of another time connection; Another example is to have certain rule between some time connects, comprise identical feature string as the application layer data in some packet of transmission in the odd number time connection, the application layer data during even number connects in some packet of transmission comprises other one group of identical feature string; Another example is once to connect the application layer data that the application layer data in the data packets for transmission is connected with another time in the data packets for transmission to exist " response relation ", the application layer data that promptly once connects in certain packet that transmits is the inquiry that once connects in addition, and the application layer data in certain packet of another time connection transmission is the answer that this is once connected.Between belonging to all that present embodiment is described and be connected, above-described relation and rule concern, relation has countless versions between connection, this specification just schematically illustrates, need to prove so long as repeatedly in the connection procedure, data packets for transmission exists certain relation or rule all to belong between connection of the present invention and concerns.If relation is present in the trojan horse storehouse between this connection, then this repeatedly to connect be by the caused connection of trojan horse.
Fig. 8 is based on the flow chart of the relation recognition wooden horse between connection.
Service end 210 and control end 240 are in connection procedure repeatedly, transmission plurality of data bag, the present invention distinguishes the relation between each connection by analyzing the application layer data in all packets in repeatedly connecting, and should concerning and the contrast of trojan horse storehouse, and then identification trojan horse.Detailed process as shown in Figure 8, the network equipment 220 is intercepted and captured all packets in repeatedly connecting; Virus identification module 221 is analyzed each the connection one by one, searches the relation between all connections; Relation that virus identification module 221 will identify and the contrast of trojan horse storehouse, and then determine whether to exist trojan horse; Strategic control module 222 disconnects all connections that have this kind relation, and notification service end 210 has suffered certain trojan horse.
The present invention also provides a kind of computer system of anti-Trojan, comprises viral identification module and strategic control module, and they have identical functions with previously described viral identification module 221 and strategic control module 222 respectively.Control end links to each other with this computer system by the Internet, so that control end returns data to this computer system transmission instruction and/or this computer system to control end.The virus identification module is discerned trojan horse based on from the application layer data in the packet of application layer data in the director data bag of control end and/or the passback of computer system plan; After viral identification module recognized trojan horse, strategic control module disconnection control end was connected with this computer system, and notifies this computer system to suffer certain trojan horse.
The present invention provides a kind of anti-Trojan equipment that is positioned in the computer or in the network equipment again, comprises viral identification module and the strategic control module described in the preamble enforcement, and this equipment can provide the function of anti-Trojan for PC; The present invention also provides a kind of software systems, and this system can be present in the PC in the mode of standalone version, and these software systems have the function of the anti-Trojan that viral identification module and strategic control module have.
Obviously, under the prerequisite that does not depart from true spirit of the present invention and scope, the present invention described here can have many variations.Therefore, the change that all it will be apparent to those skilled in the art that all should be included within the scope that these claims contain.The present invention's scope required for protection is only limited by described claims.
Claims (22)
1. the network equipment of an anti-Trojan (220), wherein a control end (240) links to each other with a service end (210) through the network equipment (220) by the Internet (230), so that control end (240) sends instruction to service end (210), and/or service end (210) is to control end (240) passback data; It is characterized in that the described network equipment (220) comprising:
Virus identification module (221) based on from the application layer data in the director data bag of control end (240) and/or from the application layer data in the passback packet of service end (210), is discerned trojan horse; With
Strategic control module (222) recognizes at viral identification module (221) under the situation of trojan horse service end (210) is taked the protection operation.
2. the network equipment of a kind of anti-Trojan as claimed in claim 1 (220) is characterized in that viral identification module (221) is based on application layer data and TCP head and/or IP header identification trojan horse.
3. the network equipment of a kind of anti-Trojan as claimed in claim 1 or 2 (220), it is characterized in that described application layer data, perhaps application layer data and TCP head and/or IP header belong between service end (210) and the control end (240) and are connected the situation of once transmitting a plurality of packets.
4. the network equipment of a kind of anti-Trojan as claimed in claim 1 or 2 (220) is characterized in that described application layer data or application layer data and TCP head and/or IP header belong between service end (210) and the control end (240) and is connected the situation of repeatedly transmitting a plurality of packets.
5. the network equipment of a kind of anti-Trojan as claimed in claim 1 (220) is characterized in that viral identification module (221) is also based on the relation recognition trojan horse between a plurality of packets in once connecting.
6. the network equipment of a kind of anti-Trojan as claimed in claim 1 (220) is characterized in that viral identification module (221) is also based on the relation recognition trojan horse between a plurality of packets in repeatedly connecting.
7. the network equipment of a kind of anti-Trojan as claimed in claim 1 (220) is characterized in that, the protection operation that strategic control module (222) is taked service end (210) is to stop transmits data packets between service end (210) and the control end (240).
8. the network equipment of a kind of anti-Trojan as claimed in claim 1 (220) is characterized in that, the protection operation that strategic control module (222) is taked service end (210) is to disconnect being connected between service end (210) and the control end (240).
9. the network equipment of a kind of anti-Trojan as claimed in claim 1 (220) is characterized in that, the protection operation that strategic control module (222) is taked service end (210) is that notification service end (210) has been mounted trojan horse program.
10. the computer system of an anti-Trojan, wherein a control end links to each other with this computer system by the Internet, so that control end sends instruction to this computer system, and/or this computer system returns data to control end; It is characterized in that described computer system comprises:
The virus identification module based on from the application layer data in the packet of application layer data in the director data bag of control end and/or the passback of computer system plan, is discerned trojan horse; With
Strategic control module recognizes at viral identification module under the situation of trojan horse computer system is taked the protection operation.
11. an anti-Trojan equipment that places computer, wherein a control end links to each other with this computer by the anti-Trojan equipment of the Internet in this computer, so that control end sends instruction to this computer, and/or this computer returns data to control end; It is characterized in that described anti-Trojan equipment comprises:
The virus identification module based on from the application layer data in the packet of application layer data in the director data bag of control end and/or the passback of this computer plan, is discerned trojan horse; With
Strategic control module recognizes at viral identification module under the situation of trojan horse computer is taked the protection operation.
12. an anti-Trojan equipment that places the network equipment, wherein a control end links to each other with service end through this anti-Trojan equipment by the Internet, so that control end sends instruction to service end, and/or service end returns data to control end; It is characterized in that described anti-Trojan equipment comprises:
The virus identification module based on from the application layer data in the packet of application layer data in the director data bag of control end and/or the passback of service end plan, is discerned trojan horse; With
Strategic control module recognizes at viral identification module under the situation of trojan horse service end is taked the protection operation.
13. the network security method of an anti-Trojan comprises
Intercepting and capturing control ends (240) pass the packet that passes past control end (240) by the Internet toward the packet and/or the service end (210) of service end (210) by the Internet (230);
According to the identification of the application layer data in packet trojan horse;
Service end is taked the protection operation recognizing under the situation of trojan horse.
14. the network security method of a kind of anti-Trojan as claimed in claim 13 is characterized in that, is intercepted and captured by it during the packet process network equipment (220), and discerns in the network equipment (220) and the control trojan horse.
15. the network security method of a kind of anti-Trojan as claimed in claim 13 is characterized in that, packet is located by its intercepting and capturing in service end (210), and locates identification and control trojan horse in service end (210).
16. the network security method of a kind of anti-Trojan as claimed in claim 13 is characterized in that comprising based on application layer data and TCP head and/or IP header identification trojan horse according to the step of application layer data identification trojan horse.
17. the network security method of a kind of anti-Trojan as claimed in claim 13 is characterized in that comprising based on the relation recognition trojan horse between the packet according to the step of application layer data identification trojan horse.
18. as the network security method of one of claim 13-15 described a kind of anti-Trojan, the relation between described application layer data or application layer data and TCP head and/or IP header or the packet of it is characterized in that belongs between service end (210) and the control end (240) and is connected the situation of once transmitting a plurality of packets.
19. as the network security method of one of claim 13-15 described a kind of anti-Trojan, the relation between described application layer data or application layer data and TCP head or IP header or the packet of it is characterized in that belongs to service end (210) and is connected the situation of repeatedly transmitting a plurality of packets with control end (240).
20. the network security method of a kind of anti-Trojan as claimed in claim 13 is characterized in that, takes to protect the step of operation to comprise transmits data packets between prevention service end (210) and the control end (240) to service end (210).
21. the network security method of a kind of anti-Trojan as claimed in claim 13 is characterized in that, service end (210) is taked to protect the step of operation to comprise to disconnect being connected between service end (210) and the control end (240).
22. the network security method of a kind of anti-Trojan as claimed in claim 13 is characterized in that, takes to protect the step of operation to comprise that notification service end (210) has been mounted trojan horse program to service end (210).
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CNA2008102272823A CN101431521A (en) | 2008-11-26 | 2008-11-26 | Anti-Trojan network security system and method |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CNA2008102272823A CN101431521A (en) | 2008-11-26 | 2008-11-26 | Anti-Trojan network security system and method |
Publications (1)
Publication Number | Publication Date |
---|---|
CN101431521A true CN101431521A (en) | 2009-05-13 |
Family
ID=40646687
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CNA2008102272823A Pending CN101431521A (en) | 2008-11-26 | 2008-11-26 | Anti-Trojan network security system and method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN101431521A (en) |
Cited By (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101567884B (en) * | 2009-05-26 | 2011-12-14 | 西北工业大学 | Method for detecting network theft Trojan |
CN102333042A (en) * | 2011-10-31 | 2012-01-25 | 深信服网络科技(深圳)有限公司 | Method, security gateway and system for preventing data leakage |
CN103067370A (en) * | 2012-12-24 | 2013-04-24 | 珠海市君天电子科技有限公司 | Method of identifying remote control Trojan and device thereof |
CN103269341A (en) * | 2013-05-08 | 2013-08-28 | 腾讯科技(深圳)有限公司 | Spyware analysis method and computer system |
CN104023075A (en) * | 2014-06-16 | 2014-09-03 | 南威软件股份有限公司 | Internet online secret acquisition system and method |
CN105681417A (en) * | 2016-01-15 | 2016-06-15 | 重庆泛涵数码科技有限责任公司 | File transmission system and method capable of computer virus isolation |
CN105740700A (en) * | 2015-08-13 | 2016-07-06 | 哈尔滨安天科技股份有限公司 | Method and system for identifying internet banking payment type Trojan |
CN106201579A (en) * | 2016-06-28 | 2016-12-07 | 北京金山安全软件有限公司 | Method and device for deleting registry starting item and electronic equipment |
-
2008
- 2008-11-26 CN CNA2008102272823A patent/CN101431521A/en active Pending
Cited By (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101567884B (en) * | 2009-05-26 | 2011-12-14 | 西北工业大学 | Method for detecting network theft Trojan |
CN102333042A (en) * | 2011-10-31 | 2012-01-25 | 深信服网络科技(深圳)有限公司 | Method, security gateway and system for preventing data leakage |
CN103067370A (en) * | 2012-12-24 | 2013-04-24 | 珠海市君天电子科技有限公司 | Method of identifying remote control Trojan and device thereof |
CN103269341A (en) * | 2013-05-08 | 2013-08-28 | 腾讯科技(深圳)有限公司 | Spyware analysis method and computer system |
CN103269341B (en) * | 2013-05-08 | 2016-02-17 | 腾讯科技(深圳)有限公司 | A kind of analytical method of spying program and computer system |
CN104023075A (en) * | 2014-06-16 | 2014-09-03 | 南威软件股份有限公司 | Internet online secret acquisition system and method |
CN105740700A (en) * | 2015-08-13 | 2016-07-06 | 哈尔滨安天科技股份有限公司 | Method and system for identifying internet banking payment type Trojan |
CN105681417A (en) * | 2016-01-15 | 2016-06-15 | 重庆泛涵数码科技有限责任公司 | File transmission system and method capable of computer virus isolation |
CN105681417B (en) * | 2016-01-15 | 2018-08-14 | 重庆泛涵数码科技有限责任公司 | Computer virus off-limit file Transmission system and method |
CN106201579A (en) * | 2016-06-28 | 2016-12-07 | 北京金山安全软件有限公司 | Method and device for deleting registry starting item and electronic equipment |
CN106201579B (en) * | 2016-06-28 | 2019-06-21 | 珠海豹趣科技有限公司 | A kind of method, apparatus and electronic equipment for deleting registry boot item |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
KR100628325B1 (en) | Intrusion detection sensor detecting attacks against wireless network and system and method for detecting wireless network intrusion | |
CN101431521A (en) | Anti-Trojan network security system and method | |
CN101136922B (en) | Service stream recognizing method, device and distributed refusal service attack defending method, system | |
Verba et al. | Idaho national laboratory supervisory control and data acquisition intrusion detection system (SCADA IDS) | |
CN102035793B (en) | Botnet detecting method, device and network security protective equipment | |
JP3618245B2 (en) | Network monitoring system | |
JP2003527793A (en) | Method for automatic intrusion detection and deflection in a network | |
CN105450619A (en) | Method, device and system of protection of hostile attacks | |
KR20120126674A (en) | Method of defending a spoofing attack using a blocking server | |
KR20080028381A (en) | Method for defending against denial of service attacks in ip networks by target victim self-identification and control | |
EP3433749B1 (en) | Identifying and trapping wireless based attacks on networks using deceptive network emulation | |
CN110099027A (en) | Transmission method and device, storage medium, the electronic device of service message | |
KR20080026122A (en) | Method for defending against denial of service attacks in ip networks by target victim self-identification and control | |
CN111835694A (en) | Network security vulnerability defense system based on dynamic camouflage | |
JP2008306610A (en) | Illicit intrusion/illicit software investigation system, and communicating switching device | |
CN114499915B (en) | Trapping attack method, device and system combining virtual nodes and honeypots | |
Huang et al. | Detecting stepping-stone intruders by identifying crossover packets in SSH connections | |
OConnor et al. | Bluetooth network-based misuse detection | |
KR101593897B1 (en) | Network scan method for circumventing firewall, IDS or IPS | |
CN110831009B (en) | Wireless AP test method and test system for preventing wireless DOS attack | |
JP2018073397A (en) | Communication device | |
Lu et al. | Client-side evil twin attacks detection using statistical characteristics of 802.11 data frames | |
CA2456902A1 (en) | Method, data carrier, computer system and computer programme for the identification and defence of attacks on server systems of network service providers and operators | |
Bharti et al. | A Review on Detection of Session Hijacking and Ip Spoofing. | |
Reddy et al. | A new compromising security framework for automated smart homes using VAPT |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C12 | Rejection of a patent application after its publication | ||
RJ01 | Rejection of invention patent application after publication |
Application publication date: 20090513 |