CN102088373B

Movatterモバイル変換

Info

Publication number: CN102088373B
Application number: CN 200910253853
Authority: CN
Inventors: 田谨维; 钟耀霆; 林志鸿; 吴建兴
Original assignee: Institute for Information Industry
Current assignee: Institute for Information Industry
Priority date: 2009-12-03
Filing date: 2009-12-03
Publication date: 2013-10-09
Anticipated expiration: 2029-12-03
Also published as: CN102088373A

Abstract

The invention discloses a monitoring method and device for a datum of hardware. The datum comprises private information, recognition information and at least one first network transmission address. The monitoring device comprises a storage unit and a processing unit, wherein the datum is stored in the storage unit according to the recognition information; the processing information is used for recording the recognition information of the datum and the at least one first network transmission address in a marking information table; and when the processing unit arranges to transmit the private information of the datum to a second network transmission address which is different from the at least one first network transmission address in order to response to a transmission system call, a signal is output to stop the transmission of the private information.

Description

Translated fromChinese

用于监控一硬件的一数据的监控方法及监控装置Monitoring method and monitoring device for monitoring data of a hardware

技术领域technical field

本发明是关于一种用于监控一硬件的一数据的监控方法及监控装置；更详细地说，本发明是关于一种避免具有私有(private)信息的数据遭到不当传输的监控方法及监控装置。The present invention relates to a monitoring method and a monitoring device for monitoring a data of a hardware; more specifically, the present invention relates to a monitoring method and a monitoring method for preventing data with private information from being improperly transmitted device.

背景技术Background technique

随着信息工业的发展，计算机与网络已在日常生活中占有不可或缺的地位。举例而言，以计算机处理各种数据或是以网络搜寻各种信息、购物以及数据交换等等，皆是许多人已习以为常的生活方式。更进一步地说，网络信用卡结帐、网络购物下单以及网络提款机(web ATM)等，更是被经常使用的网络服务。With the development of the information industry, computers and networks have played an indispensable role in daily life. For example, processing various data with a computer or searching for various information, shopping, and data exchange through the Internet are all ways of life that many people have become accustomed to. Furthermore, online credit card checkout, online shopping orders, and online cash machines (web ATMs) are frequently used online services.

在应用前述网络服务的情况下，使用者通常皆需通过网络将夹带与其相关的私有信息的数据传送至网络服务提供厂商，这些私有信息包含帐号/密码信息、身分证字号或是线上交易记录等。一般而言，这些夹带与使用者相关的私有信息的数据是通过浏览器接口被传送。因此，许多骇客便利用浏览器接口的漏洞窃取这些使用者传送至网络服务提供厂商的数据，进而导致现今私有信息被外泄的事件层出不穷。In the case of using the above-mentioned network services, users usually need to transmit the data with related private information to the network service provider through the network, such private information includes account/password information, ID number or online transaction records wait. Generally speaking, these data carrying private information related to the user are transmitted through the browser interface. Therefore, many hackers take advantage of the loopholes in the browser interface to steal the data sent by these users to the network service provider, which leads to the continuous leakage of private information.

举例而言，当使用者利用浏览器，于网络服务提供厂商(如Yahoo)的网页中输入帐号/密码并登入会员页面之后，使用者的计算机便以一储存路径以及一数据名称，储存使用者输入的具有相关于Yahoo的帐号/密码的数据，当使用者欲再次利用浏览器登入Yahoo的网页时，计算机即可通过前述的储存路径及数据名称存取具有相关于Yahoo的帐号/密码的数据，以直接登入会员页面。在此一过程中，骇客即可利用浏览器漏洞，通过编码之后的脚本语言(例如Javascript或VBscript)执行恶意程序，并通过浏览器，将具有相关于Yahoo的帐号/密码的数据传送至骇客先行指定的网络地址。For example, when a user uses a browser to enter the account number/password in the webpage of the network service provider (such as Yahoo) and logs in to the membership page, the user's computer stores the user's account with a storage path and a data name. The input data with account/password related to Yahoo, when the user wants to use the browser to log in to Yahoo’s web page again, the computer can access the data with account/password related to Yahoo through the aforementioned storage path and data name , to log in directly to the membership page. During this process, hackers can take advantage of browser vulnerabilities to execute malicious programs through coded scripting languages (such as Javascript or VBscript), and transmit data related to Yahoo’s account/password to hackers through the browser. The network address specified by the customer in advance.

针对此问题，现有技术提供一种用于检测恶意程序的软件，其是通过分析不同恶意程序，并建立不同种类的恶意程序特征的数据库，以进一步通过这些恶意程序特征检测并阻止骇客利用恶意程序并通过浏览器，将夹带与使用者相关的私有信息的数据传送至其先行指定的网络地址。In response to this problem, the prior art provides a software for detecting malicious programs, which analyzes different malicious programs and establishes a database of different types of malicious program features to further detect and prevent hackers from exploiting these malicious program features. The malicious program transmits the data containing the private information related to the user to the network address specified in advance through the browser.

然而，基于脚本语言的特性，现有检测恶意程序的软件将相当难以检测通过脚本语言所执行的恶意程序，并无法建立具有通用的恶意程序特征的数据库。换言之，只要用以执行恶意程序的脚本语言经过其它编码方式处理，现有检测恶意程序的软件即无法进行检测及分析。However, based on the characteristics of the scripting language, it is quite difficult for existing software for detecting malicious programs to detect malicious programs executed by the scripting language, and it is impossible to establish a database with general characteristics of malicious programs. In other words, as long as the scripting language used to execute the malicious program is processed by other coding methods, the existing software for detecting malicious programs cannot detect and analyze them.

有鉴于此，在网络服务日渐成熟且恶意程序日益泛滥的情况之下，要如何避免私有信息遭到恶意程序的不当传输，这是业界亟需决的问题。In view of this, how to prevent private information from being improperly transmitted by malicious programs is an urgent problem in the industry under the situation that network services are becoming more mature and malicious programs are becoming more and more common.

发明内容Contents of the invention

本发明的一目的在于提供一种用于监控一硬件的一数据的监控装置。该数据具有一私有信息、一识别信息以及至少一第一网络传输地址。该监控装置包含一储存单元以及一处理单元。该储存单元用以储存一标记信息表并根据该识别信息储存该数据。该处理单元用以将该数据的识别信息以及至少一第一网络传输地址记录于该标记信息表；因应一存取系统呼叫，根据该识别信息存取该数据；同时，因应一传输系统呼叫安排(arrange)该数据的私有信息的一传输。其中，该存取系统呼叫是相关于该识别信息，且该传输系统呼叫具有一第二网络传输地址。最后，该处理单元将根据该标记信息表记录的该数据的识别信息以及至少一第一网络传输地址，判断该至少一第一网络传输地址以及该第二网络传输地址是否相同，当该至少一第一网络传输地址以及该第二网络传输地址不同时，该处理单元即输出一信号。An object of the present invention is to provide a monitoring device for monitoring a data of a hardware. The data has private information, identification information and at least one first network transmission address. The monitoring device includes a storage unit and a processing unit. The storage unit is used for storing a mark information table and storing the data according to the identification information. The processing unit is used to record the identification information of the data and at least one first network transmission address in the tag information table; respond to an access system call, access the data according to the identification information; at the same time, respond to a transmission system call arrangement (arrange) A transfer of private information for the data. Wherein, the access system call is related to the identification information, and the transmission system call has a second network transmission address. Finally, the processing unit will judge whether the at least one first network transmission address and the second network transmission address are the same according to the identification information of the data recorded in the tag information table and at least one first network transmission address. When the first network transmission address and the second network transmission address are different, the processing unit outputs a signal.

本发明的另一目的在于提供一种用于监控一硬件的一数据的监控方法。该数据具有一私有信息、一识别信息以及至少一第一网络传输地址，且该数据根据该识别信息被储存于一储存单元。该监控方法包含以下步骤：令一处理单元将该数据的识别信息以及至少一第一网络传输地址记录于一标记信息表，其中，该标记信息表系储存于该储存单元；因应一存取系统呼叫，令该处理单元根据该识别信息存取该数据，其中，该存取系统呼叫系相关于该识别信息；因应一传输系统呼叫，令该处理单元安排该数据的私有信息的一传输，其中，该传输系统呼叫具有一第二网络传输地址；根据该标记信息表记录的该数据的识别信息以及至少一第一网络传输地址，令该处理单元判断该至少一第一网络传输地址以及该第二网络传输地址是否相同；以及当该至少一第一网络传输地址以及该第二网络传输地址不同时，令该处理单元输出一信号。Another object of the present invention is to provide a monitoring method for monitoring a data of a hardware. The data has private information, identification information and at least one first network transmission address, and the data is stored in a storage unit according to the identification information. The monitoring method includes the following steps: making a processing unit record the identification information of the data and at least one first network transmission address in a tag information table, wherein the tag information table is stored in the storage unit; in response to an access system calling, causing the processing unit to access the data according to the identification information, wherein the access system call is related to the identification information; in response to a transmission system call, causing the processing unit to arrange a transmission of private information of the data, wherein , the transmission system call has a second network transmission address; according to the identification information of the data recorded in the tag information table and at least one first network transmission address, the processing unit determines the at least one first network transmission address and the second network transmission address Whether the two network transmission addresses are the same; and when the at least one first network transmission address and the second network transmission address are different, make the processing unit output a signal.

另外，为达前段所述的目的，本发明还提供一种计算机程序产品，内储用于监控一硬件的一数据的监控方法的程序，该程序通过计算机被加载一监控装置后可执行并可完成前段所述的监控方法。In addition, in order to achieve the purpose of the preceding paragraph, the present invention also provides a computer program product, which stores a program of a data monitoring method for monitoring a hardware, and the program can be executed after being loaded into a monitoring device by a computer and can Complete the monitoring method described in the previous paragraph.

综上所述，本发明所揭露的用于监控一硬件的一数据的监控方法、监控装置及其计算机程序产品可将具有私有信息的数据的识别信息及其应被传送的网络传输地址储存于标记信息表中。同时，本发明将根据系统呼叫以及被储存于标记信息表的识别信息，于具有私有信息的数据被安排传输时，进行被储存于标记信息表的网络传输网址以及被安排传输的网络传输网址的比对，以避免私有信息遭到恶意程序的不当传输。To sum up, the monitoring method, monitoring device and computer program product for monitoring a data of a hardware disclosed in the present invention can store the identification information of the data with private information and the network transmission address to be transmitted in the tag information table. At the same time, according to the system call and the identification information stored in the tag information table, when the data with private information is scheduled to be transmitted, the network transmission URL stored in the tag information table and the network transmission URL scheduled to be transmitted are determined. comparison to prevent private information from being improperly transmitted by malicious programs.

附图说明Description of drawings

在参阅附图及随后描述的实施方式后，本发明所属技术领域具有通常知识者便可了解本发明的其它目的、优点以及本发明的技术手段及实施态样，其中：After referring to the accompanying drawings and the implementation methods described later, those with ordinary knowledge in the technical field of the present invention can understand other purposes, advantages, technical means and implementation aspects of the present invention, wherein:

图1A是根据本发明的第一实施例的监控装置的示意图；FIG. 1A is a schematic diagram of a monitoring device according to a first embodiment of the present invention;

图1B是根据本发明的第一实施例的标记信息表的示意图；以及FIG. 1B is a schematic diagram of a tag information table according to a first embodiment of the present invention; and

图2是本发明的第二实施例的监控方法的流程图。Fig. 2 is a flow chart of the monitoring method of the second embodiment of the present invention.

具体实施方式Detailed ways

以下将通过实施例来解释本发明的内容，本发明是关于一种用以监控一硬件的一数据的监控方法、监控装置其计算机程序产品，其优点在于可防止夹带私有信息的数据被传输至恶意程序指定的网络传输地址。需说明者，以下实施例及附图中，与本发明非直接相关的元件均已省略而未绘示；且附图中各元件间的尺寸关系仅为求容易了解，非用以限制实际比例。The content of the present invention will be explained by the following embodiments. The present invention relates to a monitoring method for monitoring a data of a hardware, a computer program product of a monitoring device thereof, which has the advantage of preventing data with private information from being transmitted to The network transmission address specified by the malicious program. It should be noted that in the following embodiments and drawings, elements not directly related to the present invention have been omitted and not shown; and the dimensional relationship between the elements in the drawings is only for easy understanding, not to limit the actual ratio .

如图1A所示，本发明的第一实施例是一种用于监控一硬件1的一数据的监控装置11。硬件1具有一存储器13以及一显示单元15，使用者则可通过一操作系统(图未绘示)控制硬件1的各部元件。操作系统可以是市面上发售的各种操作系统，例如微软窗口(Windows)操作系统、苹果计算机麦金塔操作系统、Linux操作系统或是Unix操作系统等，于第一实施例中，操作系统是微软窗口操作系统。而硬件1则可以是个人计算机(Personal Computer；PC)或是苹果计算机公司贩售的麦金塔计算机(Macintosh；MAC)，于第一实施例中，硬件1则为个人计算机(PersonalComputer；PC)。需注意的是，本发明并不限制操作系统以及硬件1的种类，所属技术领域的通常知识者亦可使用其它种类的操作系统、硬件以及其搭配来完成本发明，故在此不再赘述。As shown in FIG. 1A , the first embodiment of the present invention is amonitoring device 11 for monitoring a piece of hardware 1 . The hardware 1 has amemory 13 and adisplay unit 15 , and the user can control various components of the hardware 1 through an operating system (not shown). The operating system can be various operating systems on the market, such as Microsoft Windows (Windows) operating system, Apple Computer Macintosh operating system, Linux operating system or Unix operating system, etc. In the first embodiment, the operating system is Microsoft Windows operating system. The hardware 1 can be a personal computer (Personal Computer; PC) or a Macintosh computer (Macintosh; MAC) sold by Apple Computer. In the first embodiment, the hardware 1 is a personal computer (PersonalComputer; PC). . It should be noted that the present invention does not limit the type of operating system and hardware 1 , and those skilled in the art can also use other types of operating systems, hardware and their combinations to complete the present invention, so details will not be repeated here.

监控装置11包含一储存单元111以及一处理单元113。监控装置11电性连接至存储器13以及显示单元15。储存单元111用以储存一标记信息表10。当使用者通过浏览器(图未绘示)以及硬件1，准备传送具有私有信息的数据2至一第一网络传输地址20时，处理单元113将根据一储存路径以及一数据名称，储存数据2于储存单元111及/或存储器13中。其中，前述储存路径以及数据名称即为数据2的识别信息22。同时，处理单元113将数据2的识别信息22以及第一网络传输地址20储存于标记信息表10中。Themonitoring device 11 includes astorage unit 111 and aprocessing unit 113 . Themonitoring device 11 is electrically connected to thememory 13 and thedisplay unit 15 . Thestorage unit 111 is used for storing a tag information table 10 . When the user prepares to send thedata 2 with private information to a firstnetwork transmission address 20 through the browser (not shown) and the hardware 1, theprocessing unit 113 will store thedata 2 according to a storage path and a data name in thestorage unit 111 and/or thememory 13 . Wherein, the aforementioned storage path and data name are theidentification information 22 of thedata 2 . At the same time, theprocessing unit 113 stores theidentification information 22 of thedata 2 and the firstnetwork transmission address 20 in the tag information table 10 .

举例来说，当使用者通过浏览器以及硬件1，准备传送具有帐号/密码的私有信息的数据2至网络服务提供厂商(如Yahoo)的服务器的第一网络传输地址20(如209.191.93.53)时，处理单元113将根据储存路径(如C:\Documents andSettings\user\Local Settings\Cookies\cookie:useryahoo.com)以及数据名称(如cookie:useryahoo.com)，储存数据2于储存单元111及/或存储器13中。同时，处理单元113将储存路径「C:\Documents and Settings\user\LocalSettings\Cookies\cookie:useryahoo.com 」、数据名称「cookie:useryahoo.com」以及第一网络传输地址「209.191.93.53」储存于标记信息表10中。For example, when the user uses the browser and the hardware 1, prepares to send thedata 2 with the private information of the account number/password to the first network transmission address 20 (such as 209.191.93.53) of the server of the network service provider (such as Yahoo) , theprocessing unit 113 will store thedata 2 in thestorage unit 111 and /or inmemory 13. At the same time, theprocessing unit 113 stores the storage path "C:\Documents and Settings\user\LocalSettings\Cookies\cookie:useryahoo.com", the data name "cookie:useryahoo.com" and the first network transmission address "209.191.93.53". In the tag information table 10.

需特别说明的是，本发明并不限制标记信息表10储存的第一网络传输地址20的数量，即使用者可通过浏览器以及硬件1，将具有同一识别信息22的数据2同时传送至多个第一网络传输地址20，所属技术领域具有通常知识者可依据前述说明进一步储存其它第一网络传输地址20，故在此不再赘述。It should be noted that the present invention does not limit the number of firstnetwork transmission addresses 20 stored in the tag information table 10, that is, the user can simultaneously transmit thedata 2 with thesame identification information 22 to multiple For the firstnetwork transmission address 20, those skilled in the art can further store other firstnetwork transmission addresses 20 according to the foregoing description, so details will not be repeated here.

同时，私有信息是使用者的机敏信息，例如：帐号/密码(account and password)信息、计算机记录(cookie)信息以及浏览器自动完成数据(browser auto completedata)信息。本发明并不限制私有信息的种类，所属技术领域具有通常知识者亦可自行设定私有信息的种类以及数量，故在此不再赘述。At the same time, private information is sensitive information of the user, such as account/password (account and password) information, computer record (cookie) information, and browser auto completed data (browser auto completed data) information. The present invention does not limit the types of private information, and those with ordinary knowledge in the technical field can also set the types and quantities of private information by themselves, so details will not be repeated here.

当处理单元113因应一存取系统呼叫12，根据识别信息22存取数据2时，处理单元113将进行一系列程序。需特别说明的是，存取系统呼叫12是相关于识别信息22。举例而言，存取系统呼叫12可为一数据开启系统呼叫、一数据读取系统呼叫、一数据复制系统呼叫、一数据移动系统呼叫、一数据关闭系统呼叫或一清除存储器系统呼叫。When theprocessing unit 113 responds to anaccess system call 12 and accesses thedata 2 according to theidentification information 22, theprocessing unit 113 will perform a series of procedures. It should be noted that accessing the system call 12 is related to theidentification information 22 . For example, the access system call 12 can be a data on system call, a data read system call, a data copy system call, a data move system call, a data off system call or a clear memory system call.

于本实施例中，处理单元113将因应一数据开启系统呼叫，根据识别信息22开启数据2，其中，数据开启系统呼叫具有一传递参数，且传递参数系对应于识别信息22。详细地说，处理单元113将根据下列程序代码，判断数据2的开启：In this embodiment, theprocessing unit 113 opens thedata 2 according to theidentification information 22 in response to a data opening system call, wherein the data opening system call has a transmission parameter, and the transmission parameter corresponds to theidentification information 22 . In detail, theprocessing unit 113 will judge the opening of thedata 2 according to the following program code:

其中，「OpenFile」代表前述的数据开启系统呼叫；「cookie:useryahoo.com」则代表数据2的数据名称；「HANDLE」则为对应于识别信息22的传递参数，换言之，若其它系统呼叫中具有传递参数「HANDLE」，即与识别信息22相关，表示这些系统呼叫皆是对数据2进行存取动作。当处理单元113根据标记信息表10的识别信息22判断数据2被开启，随即开始监控并记录所有相关的系统呼叫。Among them, "OpenFile" represents the aforementioned data opening system call; "cookie:useryahoo.com" represents the data name ofdata 2; The transfer parameter "HANDLE" is related to theidentification information 22, indicating that these system calls are all access actions to thedata 2. When theprocessing unit 113 judges that thedata 2 is enabled according to theidentification information 22 of the tag information table 10 , it immediately starts to monitor and record all related system calls.

接着，处理单元113因应一数据读取系统呼叫，将数据2的私有信息储存至一第一存储器地址131，其中，数据读取系统呼叫具有前述的传递参数，且传递参数对应于第一存储器地址131。更进一步而言，处理单元113将根据下列程序代码，判断数据2的读取：Next, theprocessing unit 113 stores the private information of thedata 2 in afirst memory address 131 in response to a data reading system call, wherein the data reading system call has the aforementioned transfer parameters, and the transfer parameters correspond to thefirst memory address 131. Furthermore, theprocessing unit 113 will judge the reading ofdata 2 according to the following program code:

其中，「ReadFileEx」代表数据读取系统呼叫。由于传递参数「HANDLE」与识别信息22相关，因此处理单元113将藉此判断数据2的读取。此外，参数「lpBuffer」代表数据2被储存至存储器13的第一存储器地址131(如0x04e463b9)。同时，处理单元131将储存数据2的私有信息的存储器地址(即第一存储器地址131)记录于储存单元111中。Among them, "ReadFileEx" represents the data reading system call. Since the transfer parameter “HANDLE” is related to theidentification information 22 , theprocessing unit 113 will judge the reading of thedata 2 based on this. In addition, the parameter “lpBuffer” represents the first memory address 131 (such as 0x04e463b9) where thedata 2 is stored in thememory 13 . At the same time, theprocessing unit 131 records the memory address (ie, the first memory address 131 ) storing the private information of thedata 2 in thestorage unit 111 .

于本实施例中，处理单元113还将因应数据复制系统呼叫及/或数据移动系统呼叫，将数据2的私有信息由存储器13的第一存储器地址131复制及/或移动至一第二存储器地址133。同时，于数据2的私有信息复制及/或移动之后，处理单元113将储存数据2的私有信息的存储器地址(即第一存储器地址131及/或第二存储器地址133)记录及/或更新于储存单元111中。数据复制系统呼叫以及数据移动系统呼叫的说明将分述如下。In this embodiment, theprocessing unit 113 will also copy and/or move the private information of thedata 2 from thefirst memory address 131 of thememory 13 to a second memory address in response to the data copying system call and/or the data moving system call 133. At the same time, after the private information ofdata 2 is copied and/or moved, theprocessing unit 113 records and/or updates the memory address (i.e., thefirst memory address 131 and/or the second memory address 133) storing the private information ofdata 2 instorage unit 111. The description of the data duplication system call and the data transfer system call will be described separately as follows.

具体而言，处理单元113将根据下列程序代码，判断数据2的私有信息自第一存储器地址131复制至第二存储器地址133：Specifically, theprocessing unit 113 will determine that the private information of thedata 2 is copied from thefirst memory address 131 to thesecond memory address 133 according to the following program code:

void*memcpy(void*memcpy(

void*dest，void*dest,

const void*src，)；const void *src,);

其中，「memcpy」代表数据复制系统呼叫；参数「*dest」代表第二存储器地址133(如0x00123456)；参数「*src」代表第一存储器地址131(即0x04e463b9)。另一方面，处理单元113将根据下列程序代码，判断数据2的私有信息自第一存储器地址131移动至第二存储器地址133：Among them, "memcpy" represents a data copy system call; the parameter "*dest" represents the second memory address 133 (such as 0x00123456); the parameter "*src" represents the first memory address 131 (ie 0x04e463b9). On the other hand, theprocessing unit 113 will determine that the private information of thedata 2 is moved from thefirst memory address 131 to thesecond memory address 133 according to the following program code:

mov eax[ebx]；mov eax[ebx];

「mov」代表数据移动系统呼叫；参数「eax」代表第二存储器地址133(例如：0x00123456)；参数「ebx」代表第一存储器地址131(即0x04e463b9)。"mov" represents a data movement system call; the parameter "eax" represents the second memory address 133 (for example: 0x00123456); the parameter "ebx" represents the first memory address 131 (ie 0x04e463b9).

需特别说明的是，若处理单元113因应数据关闭系统呼叫或清除存储器系统呼叫进行数据2的关闭或清除，则处理单元113将持续地根据标记信息表10继续监控是否有其它具有私有信息的数据被存取。于另一实施态样中，处理单元113将根据下列程序代码，判断数据2被关闭或清除：It should be noted that if theprocessing unit 113 closes or clears thedata 2 in response to the data close system call or the clear memory system call, theprocessing unit 113 will continue to monitor whether there are other data with private information according to the tag information table 10 is accessed. In another embodiment, theprocessing unit 113 will judge that thedata 2 is closed or cleared according to the following program code:

其中，「FileClose」以及「free」分别代表数据关闭系统呼叫以及清除存储器系统呼叫。由于传递参数「HANDLE」与识别信息22相关，因此处理单元113将藉此判断数据2的关闭。此外，参数「*ptr」代表欲关闭数据的存储器地址；参数「eax」代表被清除数据的存储器地址。处理单元113将比较参数「*ptr」或参数「eax」的值是否等于数据2的私有信息目前储存的存储器地址(即第二存储器地址133)；若是，则表示数据2被关闭或被清除。Among them, "FileClose" and "free" represent data close system call and clear memory system call respectively. Since the transfer parameter “HANDLE” is related to theidentification information 22, theprocessing unit 113 will use this to determine whether thedata 2 is closed. In addition, the parameter "*ptr" represents the memory address of the data to be closed; the parameter "eax" represents the memory address of the data to be cleared. Theprocessing unit 113 will compare whether the value of the parameter "*ptr" or the parameter "eax" is equal to the memory address currently storing the private information of the data 2 (ie the second memory address 133); if so, it means that thedata 2 is closed or cleared.

由上述说明可知，有别于现有单纯比对数据库以检测恶意行为的方法，本发明的监控装置11将根据各系统呼叫的传递参数，判断是否有存取系统呼叫对数据2的私有信息进行存取，同时根据对应于传递参数的存储器地址，记录及/或更新储存数据2的私有信息的存储器地址，进而完成后续的监控。From the above description, it can be seen that, unlike the existing method of simply comparing databases to detect malicious behavior, themonitoring device 11 of the present invention will judge whether there is access to the private information of thedata 2 based on the transmission parameters of each system call. access, and at the same time record and/or update the memory address of the private information storing thedata 2 according to the memory address corresponding to the passed parameter, and then complete subsequent monitoring.

随后，处理单元113将因应一传输系统呼叫14，安排数据2的一传输。具体而言，传输系统呼叫14具有一传输数据存储器地址以及一第二网络传输地址(图未绘示)。于本实施例中，第二网络传输地址是恶意程序设定的网络传输地址(如129.342.33.22)。具体而言，处理单元113将根据下列程序代码，安排数据2传输至第二网络传输地址：Subsequently, theprocessing unit 113 arranges a transmission of thedata 2 in response to a transmission system call 14 . Specifically, the transmission system call 14 has a transmission data storage address and a second network transmission address (not shown). In this embodiment, the second network transmission address is a network transmission address set by a malicious program (such as 129.342.33.22). Specifically, theprocessing unit 113 will arrange thedata 2 to be transmitted to the second network transmission address according to the following program code:

其中，「connect」代表一建立远程连线的系统呼叫；「send」代表一通过已建立好的连线传送数据2的系统呼叫；参数「*name 」代表第二网络传输地址(即129.342.33.22)；参数「*buf」代表传输数据存储器地址。处理单元113将撷取传输系统呼叫14的传输数据存储器地址(即参数「*buf」的值)，并判断传输数据存储器地址与储存数据2的私有信息的存储器地址(即第一存储器地址131及/或第二存储器地址133)是否相同。Among them, "connect" represents a system call to establish a remote connection; "send" represents a system call to transmitdata 2 through an established connection; the parameter "*name" represents the second network transmission address (ie 129.342.33.22 ); The parameter "*buf" represents the memory address of the transmission data. Theprocessing unit 113 will retrieve the transmission data storage address of the transmission system call 14 (ie the value of the parameter "*buf"), and determine the transmission data storage address and the storage address of the private information of the storage data 2 (ie thefirst storage address 131 and thefirst storage address 131 and /or whether the second memory address 133) is the same.

当处理单元113判断传输数据存储器地址(即参数「*buf」的值)与第一存储器地址131(即0x04e463b9)及/或第二存储器地址133(即0x00123456)相同时，即表示数据2将被传送至第二网络传输地址。接着，处理单元113即根据标记信息表10记录的数据2的识别信息22以及第一网络传输地址20，判断第二网络传输地址与第一网络传输地址20是否相同。于本实施例中，由于第二网络传输地址(即129.342.33.22)与第一网络传输地址20(即209.191.93.53)不同，此即代表数据2将被传送至恶意程序指定的网络传输地址。此时处理单元113便输出一信号100至显示单元15。When theprocessing unit 113 judges that the memory address of the transmission data (that is, the value of the parameter "*buf") is the same as the first memory address 131 (that is, 0x04e463b9) and/or the second memory address 133 (that is, 0x00123456), it means that thedata 2 will be Send to the second network transport address. Next, theprocessing unit 113 determines whether the second network transmission address is the same as the firstnetwork transmission address 20 according to theidentification information 22 of thedata 2 recorded in the tag information table 10 and the firstnetwork transmission address 20 . In this embodiment, since the second network transmission address (ie 129.342.33.22) is different from the first network transmission address 20 (ie 209.191.93.53), it means that thedata 2 will be sent to the network transmission address specified by the malicious program. At this moment, theprocessing unit 113 outputs asignal 100 to thedisplay unit 15 .

显示单元15将根据信号100显示一警示讯息，同时，处理单元113将根据信号100停止数据2的传输。相反的，若第二网络传输地址与第一网络传输地址20相同，处理单元113即将数据2传送至第二网络传输地址。Thedisplay unit 15 will display a warning message according to thesignal 100 , and at the same time, theprocessing unit 113 will stop the transmission of thedata 2 according to thesignal 100 . On the contrary, if the second network transmission address is the same as the firstnetwork transmission address 20, theprocessing unit 113 is about to transmit thedata 2 to the second network transmission address.

于其它实施态样中，若处理单元113判断传输数据存储器地址(即参数「*buf」的值)与第一存储器地址131及/或第二存储器地址133不同时，则表示目前欲传送的数据并非私有信息，处理单元113将进行数据的传输，同时监控装置11的处理单元113将不会进行比较网络传输地址的步骤。In other implementations, if theprocessing unit 113 judges that the memory address of the transmission data (that is, the value of the parameter "*buf") is different from thefirst memory address 131 and/or thesecond memory address 133, it indicates the data to be transmitted currently It is not private information, theprocessing unit 113 will transmit the data, and theprocessing unit 113 of themonitoring device 11 will not perform the step of comparing network transmission addresses.

接着，处理单元113将继续监控系统呼叫是否持续地对于数据2进行传输的动作，同时根据标记信息表10持续地监控是否有其它具有私有信息的数据被存取。Next, theprocessing unit 113 will continue to monitor whether the system call continues to transmit thedata 2 , and at the same time continuously monitor whether other data with private information is accessed according to the tag information table 10 .

本发明的第二实施例如图2所示，是一种用于监控一硬件的一数据的监控方法。本发明的监控方法可用于一监控装置，例如第一实施例所述的监控装置11。监控装置包含一储存单元以及一处理单元。其中，数据具有一私有信息、一识别信息以及至少一第一网络传输地址，且数据系根据识别信息被储存于储存单元。私有信息可为一帐号/密码信息、一计算机记录信息以及一浏览器自动完成数据信息其中的一。As shown in FIG. 2 , the second embodiment of the present invention is a method for monitoring a data of a hardware. The monitoring method of the present invention can be used in a monitoring device, such as themonitoring device 11 described in the first embodiment. The monitoring device includes a storage unit and a processing unit. Wherein, the data has private information, identification information and at least one first network transmission address, and the data is stored in the storage unit according to the identification information. The private information can be one of account/password information, computer record information and browser auto-complete data information.

具体而言，第二实施例所描述的监控方法可由一计算机程序产品执行，当监控装置由一计算机加载该计算机程序产品并执行该计算机程序产品所包含的多个指令后，即可完成第二实施例所述的监控方法。前述的计算机程序产品可储存于计算机可读取记录媒体中，例如只读存储器(read only memory；ROM)、闪存、软盘、硬盘、光盘、随身碟、磁带、可由网络存取的数据库或熟悉此项技术者所现有且具有相同功能的任何其它储存媒体中。Specifically, the monitoring method described in the second embodiment can be executed by a computer program product, and when the monitoring device is loaded with the computer program product by a computer and executes a plurality of instructions contained in the computer program product, the second The monitoring method described in the embodiment. The aforementioned computer program product can be stored in a computer-readable recording medium, such as a read-only memory (read only memory; ROM), a flash memory, a floppy disk, a hard disk, an optical disk, a flash drive, a magnetic tape, a database that can be accessed by a network, or a database familiar with this Any other storage media that is available to the skilled person and has the same function.

第二实施例的监控方法包含以下步骤。首先执行步骤201，处理单元将数据的识别信息以及至少一第一网络传输地址记录于一标记信息表，其中，标记信息表系储存于储存单元中。识别信息包含一储存路径以及一数据名称，数据是根据储存路径以及数据名称储存于储存单元。The monitoring method of the second embodiment includes the following steps. First,step 201 is executed, the processing unit records the identification information of the data and at least one first network transmission address in a tag information table, wherein the tag information table is stored in the storage unit. The identification information includes a storage path and a data name, and the data is stored in the storage unit according to the storage path and the data name.

于步骤202中，因应一存取系统呼叫，处理单元根据识别信息存取数据，其中，存取系统呼叫系相关于识别信息。Instep 202, in response to an access system call, the processing unit accesses data according to the identification information, wherein the access system call is related to the identification information.

举例而言，于步骤202中，处理单元将因应一数据开启系统呼叫，根据识别信息开启数据，其中，数据开启系统呼叫具有一传递参数，且传递参数对应于识别信息；随后处理单元还将因应一数据读取系统呼叫，将数据的私有信息储存至一第一存储器地址，其中数据读取系统呼叫亦具有前述的传递参数，且传递参数对应于第一存储器地址。For example, instep 202, the processing unit will respond to a data open system call and open data according to the identification information, wherein the data open system call has a delivery parameter, and the delivery parameter corresponds to the identification information; then the processing unit will also respond to A data read system call stores the private information of the data to a first memory address, wherein the data read system call also has the aforementioned transfer parameters, and the transfer parameters correspond to the first memory address.

于一实施态样中，处理单元因应一数据复制系统呼叫，将数据的私有信息由第一存储器地址复制至一第二存储器地址；或者于另一实施态样中，处理单元将因应一数据移动系统呼叫，将数据的私有信息由第一存储器地址移动至第二存储器地址。最后，于步骤202中，处理单元将储存数据的私有信息的存储器地址(即第一存储器地址及/或第二存储器位地址)记录于储存单元中，有关步骤202的实施细节已于第一实施例中进行说明，故在此不再赘述。In one embodiment, the processing unit copies the private information of the data from a first memory address to a second memory address in response to a data copy system call; or in another embodiment, the processing unit responds to a data move System call to move private information of data from a first memory address to a second memory address. Finally, instep 202, the processing unit records the memory address (i.e., the first memory address and/or the second memory bit address) storing the private information of the data in the storage unit. The implementation details ofstep 202 have been described in the first implementation This example is used for illustration, so it will not be repeated here.

于步骤203，处理单元将因应一传输系统呼叫安排数据的一传输，其中，传输系统呼叫具有一传输数据存储器地址以及一第二网络传输地址。接着于步骤204中，处理单元将撷取传输系统呼叫的传输数据存储器地址，并判断传输存储器地址与储存数据的私有信息的存储器地址(即第一存储器地址及/或第二存储器地址)是否相同。若是，则执行步骤205，处理单元将根据标记信息表记录的数据的识别信息以及至少一第一网络传输地址，判断至少一第一网络传输地址以及第二网络传输地址是否相同。Instep 203, the processing unit arranges a transmission of data in response to a transmission system call, wherein the transmission system call has a transmission data storage address and a second network transmission address. Then instep 204, the processing unit will retrieve the transmission data storage address called by the transmission system, and determine whether the transmission storage address is the same as the storage address of the private information storing the data (ie, the first storage address and/or the second storage address) . If yes, step 205 is executed, and the processing unit determines whether the at least one first network transmission address and the second network transmission address are the same according to the identification information of the data recorded in the tag information table and the at least one first network transmission address.

若处理单元于步骤205判断至少一第一网络传输地址以及第二网络传输地址相同时，则执行步骤206，将数据的信息传送至第二网络传输地址，并返回步骤202，等候其它存取系统呼叫，以存取其它数据。若处理单元于步骤205判断至少一第一网络传输地址以及第二网络传输地址不同时，则执行步骤207，使处理单元输出一信号。接着于步骤208，令一显示单元根据前述的信号显示一警示讯息。最后，执行步骤209，处理单元根据信号停止数据的私有信息的传输，并返回步骤202，等候其它存取系统呼叫，以存取其它数据。If the processing unit determines atstep 205 that at least one of the first network transmission address and the second network transmission address are the same, then executestep 206 to transmit the data information to the second network transmission address, and return to step 202 to wait for other access systems Call to access other data. If the processing unit determines atstep 205 that at least one of the first network transmission address and the second network transmission address is different, then executestep 207 to make the processing unit output a signal. Then instep 208, a display unit is made to display a warning message according to the aforementioned signal. Finally,step 209 is executed, the processing unit stops the transmission of the private information of the data according to the signal, and returns to step 202, waiting for calls from other access systems to access other data.

若处理单元于步骤204判断传输存储器地址与第一存储器地址及/或第二存储器地址不同时，表示欲传输的数据的信息并非私有信息，接着执行步骤206，将数据的信息传送至第二网络传输地址，并返回步骤202，等候其它存取系统呼叫，以存取其它数据。If the processing unit judges instep 204 that the transmission memory address is different from the first memory address and/or the second memory address, indicating that the information of the data to be transmitted is not private information, then executestep 206 to transmit the data information to the second network Send the address, and return to step 202, waiting for other access system calls to access other data.

除了上述步骤，本发明的监控方法亦能执行第一实施例所描述的所有操作及功能，所属技术领域具有通常知识者可直接了解本发明的监控方法如何基于上述第一实施例以执行此等操作及功能，故在此不再赘述。In addition to the above steps, the monitoring method of the present invention can also perform all the operations and functions described in the first embodiment, those skilled in the art can directly understand how the monitoring method of the present invention is based on the above-mentioned first embodiment to perform these The operation and functions are not repeated here.

综合上述，本发明的监控方法、监控装置及其计算机程序产品将先行于标记信息表中，记录具有私有信息的数据的识别信息及其应被传送的网络传输地址。随后，即根据系统呼叫进行具有私有信息的数据的监控，若传输系统呼叫准备将具有私有信息的数据传送至标记信息表未记录的网络传输网址时，则停止具有私有信息的数据的传送。据此，本发明将可避免私有信息遭到恶意程序的不当传输。To sum up the above, the monitoring method, monitoring device and computer program product thereof of the present invention will be preceded in the tag information table to record the identification information of the data with private information and the network transmission address to be transmitted. Subsequently, monitor the data with private information according to the system call, and if the transmission system calls to transmit the data with private information to the network transmission website that is not recorded in the marked information table, then stop the transmission of the data with private information. Accordingly, the present invention can prevent private information from being improperly transmitted by malicious programs.

上述的实施例仅用来例举本发明的实施态样，以及阐释本发明的技术特征，并非用来限制本发明的保护范畴。任何熟悉此技术者可轻易完成的改变或均等性的安排均属于本发明所主张的范围，本发明的权利保护范围应以申请专利范围为准。The above-mentioned embodiments are only used to illustrate the implementation of the present invention and explain the technical features of the present invention, and are not intended to limit the scope of protection of the present invention. Any changes or equivalence arrangements that can be easily accomplished by those skilled in the art fall within the scope of the present invention, and the protection scope of the present invention should be based on the scope of the patent application.