A computer having an IP address may provide various services to other computers on a network by opening ports. A port is generally regarded as an outlet through which a computer communicates with the outside world. For example, an HTTP (Hypertext Transfer Protocol) server opens TCP port 80, so that a user's computer may connect to the server via port 80, exchange HTTP messages, and obtain an HTTP page that is ultimately presented on the user's computer. Likewise, a mail server may open port 587, and a user's computer may connect to the mail server via port 587 and exchange SMTP (Simple Mail Transfer Protocol) messages, thereby realizing the function of transmitting mail. A user's computer may also open ports of its own to realize certain functions. For example, the user's computer may open port 135 by default, so that it can be connected with another computer to realize functions such as remote assistance.
An ordinary user does not have adequate knowledge to manage which ports his own machine needs to open or close, which leaves an opportunity for a hacker to intrude into a computer (which may be the above-mentioned HTTP server or mail server, or the ordinary user's computer). One commonly used intrusion approach is to scan a target machine for open ports that may be exploited, and then connect to these ports to manipulate the target machine. For example, an intruder may deliver spam via the SMTP port 587, or remotely log in to a user's machine using the Telnet port 23, and so on.
To defend against such remote intrusion behavior, the prior art generally uses firewall technology for interception. A firewall intercepts primarily by adding rules that limit connections. Namely, a white list may set the IP addresses that are allowed to connect to a certain open port, or a black list may set the IP addresses that are not allowed to connect to a certain open port. When a connection request is intercepted by the firewall, the firewall judges, according to the white list or the black list, whether the IP address of the connection request is one for which connection is allowed, thereby judging whether this connection request is a hacker intrusion, and then decides whether to raise an alarm or prevent the connection.
Firewall technology may prevent remote intrusion of a computer to a certain extent; however, at least the following drawbacks exist. The user needs to set the rules, which places a high professional requirement on the user. If the white list approach is used, the possibility of misjudgment is relatively large, and as new IP addresses are added the list becomes excessively bulky, thereby affecting the response speed of connections. If the black list approach is used, it is difficult to avoid omissions, and the list likewise tends to expand excessively, with the problems that result from it.
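The per-port white list and black list check described above, together with the misjudgment each approach produces, can be sketched as follows. This is an added example, not part of the original text: the class names, the rule layout and the default of leaving a port without a rule unfiltered are assumptions, and the addresses are constructed from documentation ranges.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class PortRule:
    mode: str        # "white": admit only listed sources; "black": reject only listed ones
    networks: list   # ipaddress network objects

    def listed(self, addr):
        # Linear scan: every entry added lengthens the check made on each connection.
        return any(addr in net for net in self.networks)

class Firewall:
    def __init__(self):
        self.rules = {}  # port -> PortRule

    def set_rule(self, port, mode, cidrs):
        if mode not in ("white", "black"):
            raise ValueError("mode must be 'white' or 'black'")
        self.rules[port] = PortRule(mode, [ipaddress.ip_network(c) for c in cidrs])

    def decide(self, src_ip, dst_port):
        """Return 'allow' or 'block' for an intercepted connection request."""
        rule = self.rules.get(dst_port)
        if rule is None:
            return "allow"  # assumption: a port with no rule is left unfiltered
        listed = rule.listed(ipaddress.ip_address(src_ip))
        if rule.mode == "white":
            return "allow" if listed else "block"
        return "block" if listed else "allow"

def demo():
    fw = Firewall()
    # Constructed rules; addresses come from the RFC 5737 documentation ranges.
    fw.set_rule(587, "white", ["192.0.2.0/24"])
    fw.set_rule(23, "black", ["203.0.113.7/32"])
    return {
        "listed mail client": fw.decide("192.0.2.10", 587),
        "new legitimate mail client": fw.decide("198.51.100.5", 587),
        "known bad telnet source": fw.decide("203.0.113.7", 23),
        "unlisted telnet source": fw.decide("203.0.113.8", 23),
    }

if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

The second and fourth cases are the misjudgments: the white list blocks a legitimate source that was never added, and the black list admits a source that was never listed.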