201211817 六、發明說明: 【發明所屬之技術領域】 本發明係關於-種網路病毒偵測及阻斷技術,更詳而 言之’係、㈣於-種涉及防止受到例如是僵屍網路病毒 (Botn⑷或病毒攻擊對象具有針對性之目標式攻擊病毒感 染的用戶端進行病毒的擴散或受絲控制_路病毒防護 方法及系統。 【先前技術】 8〇加俗稱僵屍網路(z_ie network),於此僵屍網 =下的病毒通常會隨著email、即時通訊軟體或電腦系統 漏洞侵入網路用戶終端,再藏身於任何一個程式裡。請參 閱第1圖,僵屍網路通常由三部份所組成,包括控制端”、 =屍網路成員(12a、12b、12c)以及指令發㈣13,該指 /發出端13即為駭客本身,其下達指令給僵屍網路成員 12b、12c) ’僵屍網路成員⑽、挪、⑶)是指被 工的文害電腦,該受害電腦通常不會察覺自己已遭受病 毒感染,而成為僵屍網路的—份子;而控制端η則負責管 2制整倾屍網路,並將該指令發出端13所發出的指令 傳遞給僵屍網路成員。 目前的病毒防護解決方牵本i 3 主 鮮厌万莱主要疋在用戶終端安裝防 二W ’但由於防毒程式的病毒特徵碼係針對全球流量進 订抽樣’因此僅能提供較為一般化的病毒碼,且大部份的 病毋分析㈣皆以特徵碼為分析基礎,並無法針對具有自 我更新此力的僵屍病毒變種後的行為進行即時地防護,也 111680 4 201211817 無法針對僅在特定網路區域範圍内出現的目標式攻擊 進行防護,造成即便大多數用戶終端已安料^毒軟體毋 仍無法阻止僵屍網路的入侵,對全球經濟造 【發明内容】 里亢楨失。 . ^解決上述習知技術之缺點,本發明之目的在於 一種網路病毒防護系統及方法,可在制利戶端^ 網路中存在惡意檐案或僵屍網路病毒行為時,即時地阻斷 鲁惡意流量,避免病毒的進一步擴散,以及受感染 受駭客控制。 义 本發明之另—目的在域供—種料財防護系統 及方法,透過即時阻斷與惡意標案相關的網路惡竟站點以 =僵屍病毒控制主機的網路通道,以克服由於僵屍病毒變 而造成病毒解除程式失效的問題。 本u之又-目的在於提供—種網路病毒防護系統 及方法,透過佈署於ISiVIDC網路,可完整分析特定範圍 意行為與槽案,並產生專有的病 除私式,可較一般防毒軟體更能針對僅出現在特定用 戶,罔路中發生的目標式攻擊進行偵測及清除。 本發明之再-目的在於提供—種職財防護系統 法’可強化—般防毒軟體所無法提供制未知病毒及 寺殊病毒的能力,有效降低用戶端遭受病毒攻擊之風險。 為達上述目的及其他相關之目的,本發明即提供 =路:毋防蠖系統’其透過網路系統與各用戶端及防秦業 病母刀析中心相連接,該系統包括:用於偵測在各該用 11)680 5 201211817 戶端取得網路通訊服務過程中偵測該用戶流量是否存在可 疑樓案之監測模組;用於當該監測模組監測到取得網路= 訊服務過程中的用戶端流量存在有可疑檀案時,捕㈣用 戶端流量中的可疑樓案樣本以供分析該可疑樓案樣本^是 否存在網路病毒以及該網路病毒可能執行的惡意行為,並 生成該可疑檔案樣本對應的網路病毒行為分析報告之分析 模組;用於將該監測模組所捕捉到的可疑槽案樣:以^ 分析模組所生成之該可疑槽案樣本對應的網路病二 析報告傳送至該防毒業者病毒分析中心,俾供其據以^ 出相適應的病毒解除程式之傳輸模組;防紫模組,依據該 監測模組所捕捉到的可疑標案樣本以及該分析模組所生^ 之該可疑檔案樣本對應的網路病毒行為分析報告,將分 結果匯入防禦模組以針對受該可疑標案樣本感染的用二端 提供網路端網路防護服務,避免受感染用戶端在病毒解= 程式未查殺病毒前進行變種或遭受病毒控制主機控二;= 及病毒查殺模組,其用於接收該防毒業者病毒分析中心製 作並回傳的病毒解除程式,據以針對受感染的用戶端執= 相應的病毒查殺作業。 於本發明之一實施型態中,該監測模組透過監控各該 用戶端的網路流量,以作為在各該用戶端取得網路通^ 務過程中偵測該用戶端本端是否下載可疑槽案的依據。該 分析模組將所捕捉到的可疑檔案樣本移至沙箱 (sandbox)’俾於該沙箱中開啟該可疑槽案樣本,從: 該可疑稽案樣本中是否存在可執行程式,並針對該可執行 111680 6 201211817 程式或攻擊程式碼進行安全性分析,俾將有危害的可疑檔 案樣本確定為惡意檔案,並記錄該惡意檔案中所存在的網 路病毒及其病毒行為模式,且監控該惡意檔案是否有網路 訪問請求’並記錄該惡意槽案的網路訪問路控’據以確定 與該惡意檔案相關的網路惡意站點以及病毒控制主機的位 址信息。該防紫模組將該分析模組分析得出該惡意樓案中 所存在的網路病毒及其病毒行為模式,與該惡意棺案相關 的網路惡意站點以及病毒控制主機的位址信息資料導入至 ® 防禦模組的病毒資料庫中,針對用戶流量進行防護,避免 用戶電腦與惡意站點以及病毒控制主機連繫,使得病毒變 種或遭受駭客控制。 此外,本發明復提供一種網路病毒防護方法,係由一 網路病毒防護系統透過網路系統與用戶端及防毒業者病毒 分析中心相連接,以令該網路病毒防護系統對用戶端進行 病毒防護處理,其包括以下處理步驟:(1)該網路病毒防護 Φ 系統偵測在取得網路通訊服務過程的用戶端流量中是否存 在可疑檔案;(2)該網路病毒防護系統捕捉用戶端流量中的 可疑檔案樣本以供分析該可疑檔案樣本中是否存在網路病 毒以及該網路病毒可能執行的惡意行為,並生成對應的網 路病毒行為分析報告(3)該網路病毒防護系統依據病毒行 為分析報告得針對受該可疑檔案樣本感染的用戶端提供網 路端病毒防護服務,藉此從網路端阻絕病毒網路行為,避 免受感染用戶端在病毒解毒程式未查殺病毒前進行變種或 遭受病毒控制主機控制,造成更多損害,且該網路病毒防 7 111680 201211817 護捕捉到的可疑播案樣本及其對應的網路病毒 订為刀析報告至防毒業者病毒錢h,俾供 :=t::穴分析中心製作並回傳的病毒解除程式, :毒==病,防護狀態操作模式的用戶端執行相應的 各之一實施例中,該方法步驟⑴係透㈣201211817 VI. Description of the Invention: [Technical Field of the Invention] The present invention relates to a network virus detection and blocking technique, and more specifically, 'systems, (4)-related to preventing, for example, botnet viruses (Botn (4) or virus attack object has targeted targeted attack virus infection of the user side for virus spread or silk control _ road virus protection method and system. [Prior Art] 8 〇 plus commonly known as botnet (z_ie network), The virus under this botnet usually invades the network user terminal with email, instant messaging software or computer system vulnerability, and then hides in any program. Please refer to Figure 1, the botnet usually consists of three parts. The composition includes the control terminal, the corpse member (12a, 12b, 12c) and the command (four) 13, and the finger/issuing terminal 13 is the hacker itself, which gives instructions to the botnet members 12b, 12c) 'zombie Network members (10), Norwegian, (3)) refer to the computer that is being worked on. The victim computer usually does not notice that it has been infected with a virus and becomes a botnet. The control terminal η Responsible for the system of the corpse, and the instructions issued by the terminal 13 to the botnet members. The current virus protection solution is the main i 3 main 厌 万 Wanlai main 安装 installed in the user terminal Secondly, 'because the antivirus program's virus signature code is for global traffic sampling', it can only provide a more general virus pattern, and most of the disease analysis (4) is based on the signature code, and can not be targeted The behavior of the zombie virus variant with self-updating force is immediately protected, and 111680 4 201211817 can not protect against targeted attacks that occur only within a specific network area, even if most user terminals have been poisoned The software 毋 still can't stop the invasion of the botnet, and it is lost to the global economy. ^To solve the shortcomings of the above-mentioned prior art, the object of the present invention is a network virus protection system and method, which can be When the malicious account or botnet virus behavior exists in the network, the malicious traffic is blocked immediately, and the virus is further prevented from spreading. And the infection is controlled by the hacker. The other purpose of the invention is to provide a domain-based financial protection system and method for controlling the host by using the zombie virus to block the malicious website associated with the malicious target. Network channel to overcome the problem of virus removal due to bots. This is another purpose - to provide a network virus protection system and method, which can be analyzed in a specific range by deploying on the ISiVIDC network. The intentional behavior and the slot case, and the generation of proprietary disease-free private, can be more effective than the general anti-virus software to detect and clear targeted attacks that occur only in specific users and in the road. It is to provide a kind of occupational financial protection system law that can strengthen the anti-virus software can not provide the ability to make unknown viruses and temple viruses, effectively reducing the risk of virus attack on the user side. In order to achieve the above purposes and other related purposes, the present invention provides a road: a flood control system that is connected to each user terminal and a mother-resistant disease center through a network system, the system includes: The monitoring module for detecting whether there is a suspicious building in the user traffic during the process of obtaining the network communication service by using the 11) 680 5 201211817 terminal is used for monitoring the network to obtain the network service process When there is a suspicious Tan case in the client-side traffic, the suspicious case sample in the client traffic is collected for analysis of the suspicious building sample. ^There is a network virus and malicious behavior that the network virus may perform, and generated The analysis module of the network virus behavior analysis report corresponding to the suspicious file sample; the suspicious slot case sample captured by the monitoring module: the network corresponding to the suspicious slot sample generated by the ^ analysis module The disease analysis report is transmitted to the anti-virus industry virus analysis center, and the transmission module for the virus removal program is adapted accordingly; the anti-purple module is based on the suspicious target captured by the monitoring module. The sample and the network virus behavior analysis report corresponding to the suspicious file sample generated by the analysis module, and the result is sent to the defense module to provide the network end network for the second end infected by the suspected sample sample. Protection service, to avoid infected clients in the virus solution = program before the virus is detected or subjected to virus control host control; = and virus killing module, which is used to receive the antivirus player virus analysis center production and return The virus is released from the program, so that the infected client is responsible for the corresponding virus killing operation. In an implementation manner of the present invention, the monitoring module monitors the network traffic of each user end, so as to detect whether the local end of the user terminal downloads the suspicious slot during the process of obtaining the network communication by each user terminal. The basis of the case. The analysis module moves the captured suspicious file sample to a sandbox, and opens the suspicious slot sample in the sandbox, from: whether there is an executable program in the suspect sample, and Execute 111680 6 201211817 program or attack code for security analysis, determine the dangerous suspicious file sample as a malicious file, record the network virus and its virus behavior pattern in the malicious file, and monitor the malicious Whether the file has a network access request 'and records the network access path of the malicious slot' to determine the address of the malicious website and the virus control host associated with the malicious file. The anti-purple module analyzes the network module and the virus behavior pattern existing in the malicious building, the malicious website related to the malicious file, and the address information of the virus control host. The data is imported into the virus database of the defensive module to protect user traffic, avoiding the user's computer connection with malicious sites and virus control hosts, making the virus variant or subject to hacking control. In addition, the present invention provides a network virus protection method, which is connected by a network virus protection system to a client and an antivirus operator virus analysis center through a network system, so that the network virus protection system performs virus on the user side. Protection processing, which includes the following processing steps: (1) the network virus protection Φ system detects whether there is a suspicious file in the user-side traffic of the network communication service process; (2) the network virus protection system captures the user end A sample of suspicious files in the traffic for analyzing whether there is a network virus in the suspicious file sample and malicious actions that the network virus may perform, and generating a corresponding network virus behavior analysis report. (3) The network virus protection system is based on The virus behavior analysis report provides a network-side virus protection service for the client infected by the suspicious file sample, thereby blocking the virus network behavior from the network side, and preventing the infected client from performing the virus virus removal program before the virus is removed. Variants or suffer from virus control host control, causing more damage, and the network virus protection 7 111680 201 211817 The suspicious broadcast sample captured by the guard and its corresponding network virus are set as the knife analysis report to the anti-virus industry virus money h, 俾 for:=t:: virus analysis program produced and returned by the hole analysis center, poison = = disease, the state of the protection state operation mode is executed in a corresponding embodiment, the method step (1) is through (four)
r二r網路流量,以作為_在取得網路通訊㈣ 餘的各_戶端是否下載可疑財的依據。 該方法步驟⑵復包括以下處理步驟··(2_υ將所捐 2到的可㈣純本移結箱(sandbQX),並於該沙箱中開 2可㈣案樣本;(2_2)分析該可疑檔案樣本中是否存在 攻擊程式碼;(2~3)針對該可疑刪 中所存在的可執行程式或惡意攻擊程式碼進行安全性分 二的可疑檔案樣本確定為惡意檔案,並記錄r two r network traffic, as a basis for whether to download suspicious money in each of the _ terminals of the network communication (four). The method step (2) further includes the following processing steps: (2_υ can be donated 2 to the (4) pure transfer box (sandbQX), and open 2 (4) samples in the sandbox; (2_2) analyze the suspicious file Whether there is an attack code in the sample; (2~3) The suspicious file sample for which the executable program or the malicious attack code existing in the suspicious deletion is classified as a malicious file is determined as a malicious file, and recorded
所存在_路財及其病毒行為模式;以及 :惡思檔案是否有網路訪問請求,若有,則記錄 =:=網路訪問路徑,據以確定與該惡意槽案相關 的、.罔路惡‘5站點以及病毒控制主機的位址信息。 此外,於方法步驟⑶中,係透過將該 讀案巾所存麵轉赫及其鱗行為料,旬亥^ =相_網路惡意㈣以及病毒㈣主機的位址信息資 ,導二至該防禦模組的病毒資料庫中,從網路端阻絕病毒 、㈣仃為’避免受感染用戶端在病毒解毒程式未查殺病毒 !11680 8 201211817 鈿進行變種或遭受病毒控制主機控制,造成更多損害。 藉由本發明之網路病毒防護系統及方法,可針對網路 中各種已知或未知的網路攻擊及惡思彳當案進行即時地分析 及阻斷防禦處理,不但可提南病毒查殺的成功效率亦能有 效降低用戶端遭受病毒攻擊之風險,且本發明透過佈署至 ISP/ I DC網路中,可針對僵屍網路病毒或者是對病毒攻擊 對象具有針對性之目標式攻擊病毒進行分析及查殺,因此 較一般防毒軟體更具有針對性。 【實施方式] 以下係藉由特定的具體實施型態說明本發明之技術 内谷’热悉此技藝之人士可由本說明書所揭示之内容輕易 地暸解本發明之其他優點與功效。本發明亦可藉由其他不 同的具體實施型態加以施行或應用,本說明書中的各項細 節亦可基於不同觀點與應用,在不悖離本發明之精神下進 行各種修飾與變更。 請參閱第2圖,係本發明之網路病毒防護系統應用於 網路環境中之一實施变態架構示意圖,該網路病毒防護系 統係佈署於網際網路服務提供者(Internet Service Provider ; ISP)或網路資料中心(Internet Data Center ; IDC)網路20中,以結合該ISP/IDC網路20以及防毒業者 病毒分析中心23所建構而成,其主要用於監測分析僅於特 定區域出現的新型網路攻擊及惡意檔案。其中,ISp/IDC 網路20係提供網路接 網際網路(Internet)22,並針對 ISP/!DC網路20連服務平台’以供用戶端21經由該 9 111680 201211817 該用戶t 21通訊網路流量進行監控,在當發現於用斤 21在取知網路通訊服務過 、 而 有亞音浐奉广生μ 中偵測该用戶端21本端存在 A案或病制于為時,即時地阻斷 二:感染的用戶端2丨自行連接至一 22; 思越彳T病毒的更新及擴散(請容後詳述)。 此外’该網路病毒除可兔!_、+,+义丨 路病毒外,朴明之娜讀術所述的僵屍網 擊對象具有針對性之目了5於病f攻 會透過社交1程的手法,透過電子郵 牛:卩時相軟體㈣或者某蚊 =;;軍/广立或電信單位等組織網路,一 亚不會像—般病毒-樣對外部擴散,所以—般防毒: ==架構並無嶋並分析出此類目標式攻擊病 :及系1 /田案樣本’然’透過本發明之網路病毒防護方 ,…”則可直接從被防護的用戶流量中蒐集且分析出此 的用戶射甘-主案稭此避免受到感染 主:在八病甘尚未查殺前在組織網路内持續散播病 :广成組織網路内部的更多損害。請參閱第3圖,為本 日之網路病毒防護系統之系統基本架構及其應用如第2 j所不之網路環境的一實施例架構方塊圖。如圖所示,該 =於脱/H)C網路20上的網路病毒防護系統係透 匕網路系統與用戶端21及防毒業者病毒分析中心23相互 連結通訊,其包括監測模組⑽、分析模组22G、傳輸模組 111680 201211817 230、防禦模組24〇、 信息的資料庫2〇1。*努查殺模組250以及用於儲存資料 監測模組21〇用_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ The address of the evil '5 site and the virus control host. In addition, in the method step (3), by translating the face of the reading towel and its scale behavior material, the address information of the host (the network malicious (4) and the virus (four) host is guided to the defense. In the virus database of the module, the virus is blocked from the network, and (4) ' 避免 'to avoid the infected client in the virus detoxification program has not detected the virus! 11680 8 201211817 钿 variant or subject to virus control host control, causing more damage . With the network virus protection system and method of the present invention, various known or unknown network attacks and ill-conceived cases in the network can be analyzed and blocked in real time, not only can the South virus be killed and killed. Successful efficiency can also effectively reduce the risk of virus attack on the user side, and the present invention can be deployed to an ISP/IC network to target a targeted attack virus against a botnet virus or a virus attack target. Analysis and killing, so it is more targeted than the general anti-virus software. [Embodiment] The following describes the technology of the present invention by a specific embodiment. Those skilled in the art will readily appreciate other advantages and effects of the present invention from the disclosure of the present specification. The present invention may be embodied or applied in other specific embodiments, and various modifications and changes can be made without departing from the spirit and scope of the invention. Please refer to FIG. 2 , which is a schematic diagram of an implementation of the network virus protection system in the network environment. The network virus protection system is deployed in an Internet service provider ( Internet Service Provider ; ISP) or Internet Data Center (IDC) network 20 is constructed by combining the ISP/IDC network 20 and the antivirus player virus analysis center 23, and is mainly used for monitoring and analyzing only in a specific area. New types of cyber attacks and malicious files. The ISp/IDC network 20 provides a network access network (Internet) 22 and is provided for the ISP/!DC network 20 service platform 'for the client terminal 21 via the 9 111680 201211817. The traffic is monitored, and when it is found that the user has detected the network communication service, and the sub-voice 浐 广 Guangsheng μ detects that the user terminal 21 has the A case or the disease is present, immediately Block 2: The infected client 2 is connected to a 22; the update and spread of the virus T (please refer to the details). In addition, the network virus except rabbits! _, +, + 丨 丨 病毒 病毒 , , , 朴 朴 朴 朴 朴 朴 朴 朴 朴 朴 朴 朴 朴 朴 朴 朴 朴 朴 朴 朴 朴 朴 朴 朴 朴 朴 朴 朴 朴 朴 朴 朴 朴 朴 朴 朴 朴 朴 朴 朴 所述 所述 所述Software (4) or a mosquito =;; military / Guangli or telecommunications units and other organizations network, one Asia will not be like a virus-like external diffusion, so anti-virus: == architecture is not flawed and analyzed Target attack disease: and the system 1 / field sample 'Ran' through the network virus protection party of the present invention, ..." can directly collect and analyze the user from the protected user traffic - the main case straw This avoids infection. The main problem is that the disease is spread in the organization's network before the eight illnesses have been detected: more damage inside the network of the organization. Please refer to Figure 3, the system of the network virus protection system of today. The basic architecture and its application are as shown in the block diagram of an embodiment of the network environment of the second embodiment. As shown in the figure, the network virus protection system on the network of the off/H network C is through the network. The road system is connected to the client 21 and the antivirus player virus analysis center 23, and includes a monitoring module (10). Analysis module 22G, 111,680,201,211,817 transfer module 230, a prevention module 24〇, database information 2〇1 * Nu killing module 250 for storing data and a monitoring module 21〇
通訊服務的過裎中▲;偵測各用戶端21在取得網際網路 案。監測模組21〇係7用戶端流量中是否存在可疑檔 為偵測是否下載可乂 &控各用戶端.21的網路流量方式作 子郵件收發、網頁、墙案的依據’前述通訊服務例如為電 分享以及FTP喻覽、即時通訊、點對點軟體(P2p)檔案 分析模組::輪!; 在取得網路通訊服&於當監測模組210監測到用戶端21 疑檔案時,例如在^過程中該用戶端21流量中存在有可 路流量里未 取得網路通訊服務過程中用戶端發生網 。 $的丨月形,捕捉用戶端21在取得網路通訊服務過 耘中的可疑檔案之可疑檔案樣本211,並暫存於資料庫2〇 1 中以供判斯該可疑檔案樣本211中是否存在網路病毒以及 、.同路病母可能執行的惡意行為’並生成該可疑權案樣本 211對應的網路病毒行為分析報告221。該分析模組22〇 先行將所捕捉的各用戶端21取得通訊服務過程中所存在 的可疑槽案樣本211移至沙箱(sandbox)中’俾於該沙箱中 開啟該可疑檔案樣本211,從而分析該可疑檔案樣本211 中疋否會對系統進行攻擊而產生可執行的攻擊程式,若 有’則進一步針對該可執行的攻擊程式的安全性進行分 析’例如分析該程式是否會嘗試修改系統設定、執行漏洞 攻擊、竊取系統資料以及對外下載更多攻擊程式等等惡意 程式之行為’故可將含有危害性的可執行程式的可疑樓案 111680 201211817 樣本211確疋為惡意植案。其次,令該分析模組Mo透過 開啟該惡意檔案來識別其相應的病毒行為模式,例如已經 實施的病毒行為,正在進行的病毒行為以及將要執行的病 毒行為等。接著,再令分析模組220分析該惡意檔案是否 有網路訪問請求,若有則提取該惡意檔案的網路訪問路 “訪問耘式名稱等信息,並針對該惡意檔案的網路訪問 凊求執行監控,以此確定出與該惡意檔案相關的網路惡意 站點以及病毒控制主機,前述網路惡意站點以及病毒控制 主機即為第1圖所示的控制端u的位址信息,以主動確定 網路病毒㈣主機的㈣,供後續可即時且有效地執行相 關防禦措施。在完成上述各步驟地分析後,令分析模組22〇 圮錄該惡意檔案中所存在的網路病毒及其病毒行為模式 (立如受控制及感染行為),3^及與該惡意槽案相關的網路惡 意站點以及病毒控制主機的位址等信息,並生成前述網路 病毒行為分析報告221。 傳輸模組230用於將監測模組21〇所捕捉到的可疑檔 案樣本211以及分析模組22〇所生成的對應的網路病毒行 為分析報告221傳送至防毒業者病毒分析中心23,俾供其 據以製作出相適應的病毒解除程式231。 防禦模組240透過將分析模組22〇分析得出該惡意檔 案中所存在的晴病毒及其病毒行為模式,與該惡意樓案 相關的網路m點以及僵屍病毒控制主機的位址信息資 料導入至病毒資料庫巾’以有針對性地對僅受該惡意樓案 所感染的各用戶端21執行相關病毒防護服務,例如,切斷 111680 201211817 各受感染之用戶端21地網路連接通路,以避免其自行連接 至惡意站點中執行病毒變種,並針對網路病毒行為分析報 告221中所記錄的惡意站點及病毒控制主機的位址執行屏 蔽,從而避免網路中其它用戶端21遭受該病毒感染,以防 ' 止病毒於該特定網路區域中進一步擴散,換言之,從網路 端阻絕病毒網路行為,避免受感染用戶端在病毒解毒程式 未查殺病毒前進行變種或遭受病毒控制主機控制,造成更 多損害。 m — 病毒查殺模組250則用於接收該防毒業者病毒分析中 心23製作並回傳的病毒解除程式231,據以針對各處於病 毒防護狀態操作模式的用戶端21執行相應的病毒查殺作 業,於此,由於防禦模組240係針對各受感染的用戶端21 進行了即時地防禦措施,因此可避免受感染用戶端21中存 在的病毒在病毒解除程式製作過程中變種,造成與該病毒 解除程式231不同步而無法查殺的情況發生,可有效提高 0其病毒查殺的成功率,解決傳統防毒軟體僅透過病毒碼更 新方式無法查殺變種快速病毒之問題。 第4圖係為本發明之網路病毒防護方法之處理流程 圖,如圖所示,首先執行步驟S110,憤測各用戶端21在 取得網路通訊服務過程中該用戶端21本端是否存在可疑 槽案’具體而言’係監控各用戶端21的網路流量中’如用 戶端收發電子郵件、瀏覽網頁、即時通訊、點對點軟體(P2P) 檔案分享以及FTP檔案傳輸等之過程是否產生有可疑檔案 儲存於用戶端21中,若是,則進至步驟S120 ;若否,則 111680 201211817 重複執行步驟S110。 於步驟S120中,捕捉前述網路通訊服務過程中存在 的可疑檔案之可疑檔案樣本211並暫存於資料庫201中, 接著進至步驟S130。 於步驟S130.中,分析資料庫201中的可疑檔案樣本 211中是否存在網路病毒以及該網路病毒可能執行的病毒 行為,並生成對應的網路病毒行為分析報告221,接著進 至步驟S141及步驟S142。 於步驟S141中,將所捕捉到的可疑檔案樣本211及 其對應的網路病毒行為分析報告221傳送至防毒業者病毒 分析中心23,俾供其據以製作出相適應的病毒解除程式 231,接著進至步驟S151。 於步驟S151中,接收防毒業者病毒分析中心23製作 並回傳的病毒解除程式231,接著進至步驟S160。 於步驟S142中,於分析出資料庫201中的可疑檔案 樣本211中存在網路病毒以及該網路病毒可能執行的惡意 行為,並生成對應的網路病毒行為分析報告221後,導入 可疑檔案樣本211及網路病毒行為分析報告221資料至病 毒防禦模組,接著進至步驟S152。 於步驟S152中,防禦模組依據網路病毒行為分析報 告221中記錄的該惡意檔案中所存在的網路病毒及其病毒 行為模式資料,切斷各受感染之用戶端21的網路連接通 路,以避免其自行連接至惡意站點中執行病毒變種,並針 對該網路病毒行為分析報告221中記錄的與該惡意檔案相 14 II1680 201211817 關的網路惡意站點以及病毒控制主機的位址執行屏蔽,以 避免網路中其它用戶端21遭受該病毒感染,以防止病毒於 該特定網路區域中進一步擴散,接著進至步驟S160。 於步驟S160中,利用防毒業者病毒分析中心23製作 並回傳的病毒解除程式231,據以針對各處於病毒防護狀 態操作模式的用戶端執行相應的病毒查殺作業。 需說明的是,本發明不同於習知技術係透過病毒特徵After the communication service is over ▲; detecting that each client 21 is in the Internet. The monitoring module 21 detects whether there is a suspicious file in the user terminal traffic to detect whether to download the 乂& control the network traffic mode of each user terminal. 21 for the sub-mail sending and receiving, webpage, wall case based on the aforementioned communication service For example, electric sharing and FTP metaphor, instant messaging, peer-to-peer software (P2p) file analysis module:: round! When obtaining the network communication service & when the monitoring module 210 detects the user terminal 21 suspect file, for example, in the process of the user terminal 21, there is a user in the process of not obtaining the network communication service in the flow rate. The network occurs at the end. The month shape of $ captures the suspicious file sample 211 of the suspicious file of the client 21 after obtaining the network communication service, and temporarily stores it in the database 2〇1 for judging whether the suspicious file sample 211 exists. The network virus and the malicious behavior that may be performed by the same patient, and generate the network virus behavior analysis report 221 corresponding to the suspected rights sample 211. The analysis module 22 first moves the captured suspicious slot samples 211 existing in the captured user service 21 to the sandbox, and opens the suspicious file sample 211 in the sandbox. Therefore, it analyzes whether the suspicious file sample 211 attacks the system to generate an executable attack program, and if there is 'further analyzes the security of the executable attack program', for example, analyzes whether the program attempts to modify the system. Set, execute vulnerability attacks, steal system data, and download malicious programs such as attackers and other malicious programs. Therefore, the suspicious building 111680 201211817 sample 211 containing harmful executable programs can be confirmed as malicious. Secondly, the analysis module Mo is enabled to open the malicious file to identify its corresponding virus behavior patterns, such as the virus behavior that has been implemented, the ongoing virus behavior, and the virus behavior to be performed. Then, the analysis module 220 analyzes whether the malicious file has a network access request, and if so, extracts the network access path of the malicious file, and accesses the information such as the name of the file, and requests for the network access of the malicious file. Performing monitoring to determine the malicious website and the virus control host associated with the malicious file, and the foregoing malicious website and the virus control host are the address information of the control terminal u shown in FIG. Proactively determining the (4) of the network virus (4) host for subsequent follow-up and effective implementation of the relevant defense measures. After completing the analysis of the above steps, the analysis module 22 records the network virus present in the malicious file and The virus behavior pattern (such as controlled and infected behavior), 3^ and the malicious malicious site related to the malicious slot and the address of the virus control host and other information, and generate the aforementioned network virus behavior analysis report 221. The transmission module 230 is configured to transmit the suspicious file sample 211 captured by the monitoring module 21 and the corresponding network virus behavior analysis report 221 generated by the analysis module 22〇 to The antivirus player virus analysis center 23 is configured to generate a suitable virus release program 231. The defense module 240 analyzes the analysis module 22 to obtain the virus and its virus behavior pattern in the malicious file. The network m point related to the malicious building and the address information data of the zombie virus control host are imported into the virus database towel to perform targeted correlation on each client 21 infected only by the malicious building. The virus protection service, for example, cuts off the network connection path of each infected client 21 to avoid the self-connection to the malicious site to perform the virus variant, and records the record recorded in the network virus behavior analysis report 221 The address of the malicious site and the virus control host is shielded, so as to prevent other clients 21 in the network from being infected by the virus, so as to prevent the virus from further spreading in the specific network area, in other words, blocking the virus from the network. Network behavior, to avoid infected clients to change before the virus detoxification program does not detect the virus or suffer from virus control host control, resulting in more The virus killing module 250 is configured to receive the virus release program 231 prepared and returned by the antivirus player virus analysis center 23, and accordingly perform a corresponding virus check for the client 21 in the virus protection state operation mode. In this case, the defense module 240 performs an immediate defense against each infected client 21, so that the virus existing in the infected client 21 can be prevented from being modified in the virus release program. The virus release program 231 is not synchronized and cannot be detected and killed, which can effectively improve the success rate of the virus detection and killing, and solve the problem that the traditional anti-virus software cannot detect and kill the rapid virus through the virus code update mode. For the processing flowchart of the network virus protection method of the present invention, as shown in the figure, step S110 is first executed to inspect whether the client 21 has a suspicious slot at the local end of the client 21 during the process of obtaining the network communication service. Specifically, 'the system monitors the network traffic of each client 21', such as the user terminal to send and receive emails, browse the webpage, instant messaging, point-to-point Software (P2P) file sharing process, and FTP file transfer, etc. whether a suspicious file 21 stored in the UE, if yes, proceeds to step S120; if no, 111,680,201,211,817 repeat step S110. In step S120, the suspicious file sample 211 of the suspicious file existing in the network communication service process is captured and temporarily stored in the database 201, and then proceeds to step S130. In step S130., it is analyzed whether the network virus and the virus behavior that the network virus may perform in the suspicious file sample 211 in the database 201, and the corresponding network virus behavior analysis report 221 is generated, and then proceeds to step S141. And step S142. In step S141, the captured suspicious file sample 211 and its corresponding network virus behavior analysis report 221 are transmitted to the antivirus player virus analysis center 23, for which the corresponding virus release program 231 is prepared, and then Proceed to step S151. In step S151, the virus release program 231 created and returned by the antivirus player virus analysis center 23 is received, and the flow proceeds to step S160. In step S142, after analyzing the malicious virus in the suspicious file sample 211 in the database 201 and the malicious behavior that the network virus may perform, and generating the corresponding network virus behavior analysis report 221, importing the suspicious file sample 211 and the network virus behavior analysis report 221 data to the virus defense module, and then proceeds to step S152. In step S152, the defense module cuts off the network connection path of each infected client 21 according to the network virus and the virus behavior pattern data existing in the malicious file recorded in the network virus behavior analysis report 221. To prevent it from connecting to a malicious site to perform a virus variant, and to address the malicious site of the malicious file and the address of the virus control host recorded in the network virus behavior analysis report 221 and the malicious file 14 II1680 201211817 Masking is performed to prevent other clients 21 in the network from being infected by the virus to prevent further spread of the virus in the particular network area, and then proceeds to step S160. In step S160, the virus release program 231 created and returned by the antivirus player virus analysis center 23 is used to execute a corresponding virus killing operation for the client side in the virus protection state operation mode. It should be noted that the present invention is different from the prior art by virus characteristics.
I 碼的方式來判斷可疑檔案中是否存在網路病毒,而是透過 開啟該可疑檔案,判斷其中是否存在可執行程式、修改系 統資料、攻擊系統漏洞以及該可疑檔案是否存在網路訪問 請求等信息來判斷其是否屬於惡意檔案或行為,因此,可 強化一般防毒軟體所無法提供的偵測未知病毒及特殊病毒 的能力,如第5圖所示,其用以詳細說明第4圖所示之步 驟S130分析網路病毒的處理流程圖,而以下所述網路病毒 例如為僵屍網路病毒(B 〇 t n e t)或病毒攻擊對象具有針對性 鲁之目標式攻擊病毒,首先執行步驟S131,將所捕捉的各該 用戶端21之網路通訊服務過程中所存在的可疑檔案樣本 移至沙箱(sandbox),並於該沙箱中開啟該可疑檔案樣本, 接著進至步驟S132。 於步驟S132中,判斷所開啟的該可疑檔案樣本中是 否存在可執行程式或存在攻擊程式碼,若是,則進至步驟 S133 ;若否,則結束本發明網路病毒防護方法執行分析網 路病毒的處理步驟,而可進行第4圖的步驟S110。 於步驟S133中,判斷該可執行程式或攻擊程式碼所 15 111680 201211817 模式是否安全,例如觀察可疑檔案樣本是否對 從而攻擊、非法存取標案系統以及開機磁區等, 驟S134’·::執二式是否為惡意檔案,若是,則進至步 •網路病毒的處理丄;束:===防護方法執行分析 於步驟_中二圖的步驟_。 毒及豆η” 。思㈣中所存在的網路病 ”病”純式’接著進至步驟⑽。 於步驟S13 5中,梓兮巧立丨上士 訪問程.式名稱算作自讀案的網路訪問路徑、 執行,、〜’並針對該惡意财的網路訪問請求 以及此確^與該,惡意槽案相關的網路惡意站點 ==!時且有效地執行相關防禦措施。接著 驟,並;進母防濩方法執行分析網路病毒的處理步 驟’並可進W4圖的步驟幻41及3142。 7 下功=所述’本發明之網路病毒防護系統及方法具有以 可疑^ 戶端於取得網路通訊服務過程中存在 、進行防禦措施,從而避免未受感染的 制主機導害 已受感染的用戶端遭受骇客控制從事惡意行為,可防範= 路病毒的擴散。 ^ υ万扼網 主狄in於即時切斷了受感染電腦連接至惡意站點或病 毋/空制线的通訊網路,因此可防止受感染電腦中的病毒 自订執灯更新’產生因製作出的病毒解除程式與病毒不同 111680 16 201211817 步,而導致病毒查殺失效的情況。 (3) 本發明係可佈署於ISP/IDC網路中,可針對僅於 特定特定區域出現的新型網路攻擊及惡意檔案進行分析, 並產生病毒解除程式來掃除該特有的惡意程式,相較於一 般防毒軟體更具有針對性。 (4) 本發明係透過監控網路流量,並透過直接打開可 疑檔案針對其中的可執行程式、修改系統資料、攻擊系統 漏洞及其是否具有網路訪問請求進行分析監控,相較於一 般防毒軟體依靠病毒特徵碼進行判斷而言,本發明可強化 一般防毒軟體所無法提供的偵測未知病毒及特殊病毒的能 力,更可有效地降低用戶端遭受病毒攻擊的風險。 上述僅用以例示說明本發明之網路病毒防護系統及 方法之實施型態,非用以限定本發明之實質技術内容之範 圍。本發明之網路病毒防護系統及方法其實質技術内容係 廣義地定義於下述之申請專利範圍中,任何他人所完成之 _技術實體或方法,若與下述之申請範圍所定義者完全相 同,或為等效之變更,均將被視為涵蓋此專利範圍之中。 【圖式簡單說明】 第1圖為習知僵屍網路病毒的系統架構示意圖; 第2圖為本發明之網路病毒防護系統應用於網路環境 中之一貫施型態架構示意圖, 第3圖為本發明之網路病毒防護系統之系統基本架構 及其應用如第2圖所示之網路環境的一實施例架構方塊 圖, 17 111680 201211817 第4圖為本發明之網路病毒防護方法之處理流程圖; 以及 第5圖為詳細說明第4圖所示之步驟S130分析網路 病毒的處理流程圖。 【主要元件符號說明】 11 控制端 12a、12b、12c 僵屍網路成員 13 指令發出端 20 ISP/IDC 網路 200 網路病毒防護糸統 201 資料庫 210 監測模組 211 可疑檔案樣本 220 分析模組 221 網路病毒行為分析報告 230 傳輸模組 240 防禦模組 250 病毒查殺模組 21 用戶端 22 網際網路 23 防毒業者病毒分析中心 231 病毒解除程式 S110、S120、S130、S13bS132、S133、S134、S135、S14h S142、S151、S152、S160 步驟 18 111680I code to determine whether there is a network virus in the suspicious file, but to open the suspicious file to determine whether there are executable programs, modify system data, attack system vulnerabilities and whether the suspicious files have network access requests and other information To determine whether it is a malicious file or behavior, therefore, can enhance the ability of general anti-virus software to detect unknown viruses and special viruses, as shown in Figure 5, which is used to detail the steps shown in Figure 4. S130 analyzes the processing flowchart of the network virus, and the following network virus, for example, a botnet virus (B 〇tnet) or a virus attack object has a targeted target attack virus, first performs step S131, and captures the captured virus. The suspicious file sample existing in the network communication service process of each of the client terminals 21 is moved to a sandbox, and the suspicious file sample is opened in the sandbox, and then proceeds to step S132. In step S132, it is determined whether there is an executable program or an attack code in the suspicious file sample that is turned on, and if yes, proceeds to step S133; if not, ends the network virus protection method of the present invention to perform analysis of network virus The processing steps are performed, and step S110 of FIG. 4 can be performed. In step S133, it is determined whether the executable program or the attack code 15 111680 201211817 mode is safe, for example, observing whether the suspicious file sample is against, thereby attacking, illegally accessing the target system, and booting the magnetic area, etc., S134'·:: Whether the second type is a malicious file, if it is, then go to the step of • network virus processing; bundle: === protection method to perform the analysis in step _ second figure step _. "Poisonous and Bean η". The online disease "sickness" in the thinking (4) is followed by the step (10). In step S13 5, the sergeant visits the program. The name is counted as a self-reading case. The network access path, execution, and ~' and the network access request for the malicious money and the network malicious site associated with the malicious slot case ==! and effectively implement the relevant defense measures. Then, the method of performing the analysis of the network virus is performed by the method of preventing the cyber virus, and the steps of the W4 diagram are imaginary 41 and 3142. 7 The following describes the network virus protection system and method of the present invention. The suspicious ^ client exists in the process of obtaining the network communication service, and the defense measures are taken to prevent the uninfected host from infecting the infected user terminal from being subjected to the hacker control to engage in malicious acts, which can prevent the spread of the road virus. ^ υ 扼 扼 主 于 于 于 于 即时 即时 即时 即时 即时 即时 即时 即时 即时 即时 即时 即时 即时 即时 即时 即时 即时 即时 即时 即时 即时 即时 即时 即时 即时 即时 即时 即时 即时 即时 即时 即时 即时 即时 即时 即时 即时 即时 即时 即时Virus release program and virus Same as 111680 16 201211817, which leads to the failure of virus killing. (3) The present invention can be deployed in an ISP/IDC network to analyze new types of network attacks and malicious files that occur only in specific specific areas. And generate a virus removal program to remove the unique malicious program, which is more targeted than the general anti-virus software. (4) The present invention monitors network traffic and directly opens the suspicious file for the executable program, Modify system data, attack system vulnerabilities and whether they have network access requests for analysis and monitoring. Compared with the general anti-virus software relying on virus signatures, the present invention can strengthen the detection of unknown viruses that cannot be provided by general anti-virus software. The ability of the special virus can effectively reduce the risk of the user being attacked by the virus. The foregoing is only for exemplifying the implementation of the network virus protection system and method of the present invention, and is not intended to limit the technical content of the present invention. Scope. The essential technical content of the network virus protection system and method of the present invention is broadly defined in In the scope of the patent application, any technical entity or method completed by any other person, if it is identical to the scope defined in the following application, or equivalent changes, will be considered to cover the scope of this patent. BRIEF DESCRIPTION OF THE DRAWINGS FIG. 1 is a schematic diagram of a system architecture of a conventional botnet virus; FIG. 2 is a schematic diagram of a consistent architecture of a network virus protection system applied to a network environment according to the present invention, FIG. The system basic architecture of the network virus protection system of the present invention and its application, as shown in the block diagram of the network environment shown in FIG. 2, 17 111680 201211817 FIG. 4 is a network virus protection method of the present invention. Processing Flowchart; and FIG. 5 is a flow chart for processing the analysis of the network virus in step S130 shown in FIG. 4 in detail. [Main component symbol description] 11 Control terminal 12a, 12b, 12c Botnet member 13 Command issuing terminal 20 ISP/IDC Network 200 Network virus protection system 201 Database 210 Monitoring module 211 Suspicious file sample 220 Analysis module 221 Network Virus Behavior Analysis Report 230 Transmission Module 240 Defense Module 250 Virus Detection Module 21 Client 22 Internet 23 Antivirus Vendor Virus Analysis Center 231 Virus Release Program S110, S120, S130, S13bS132, S133, S134, S135, S14h S142, S151, S152, S160 Step 18 111680