1. Field of the Invention
The present invention generally relates to a terminal and a related computer-implemented method for detecting malicious data, and more specifically, to a terminal and a related computer-implemented method for detecting malicious data with reduced operations and decreased packet traffic.
2. Description of the Prior Art
With the rapid development of the computer industry, the widespread proliferation of computers has prompted the development of computer networks that allow computers to communicate with each other. One significant computer network that has become the preferred data communication medium for a broad class of computer users is the Internet, commonly known as the “world-wide web”, or WWW. A broad class of computer users, ranging from private individuals to large multi-national corporations, now routinely employs the Internet to access information, to distribute information, to correspond electronically, and even to conduct personal conferencing.
One particular problem that has plagued many computer applications results from malicious data, and the increased popularity of computer networks only makes the situation more serious. Malicious data include software that destroys or deletes data, makes computer systems open to intrusion or control by unauthorized users, or steals data, such as viruses, computer worms, Trojan horses, keyloggers, spyware, etc. Malicious data may also refer to fake data, data used for cheating, or data of a huge volume that inconveniences users or computer systems. Internet phishing, spam, and SPIT (Spam over Internet Telephony) belong to the second category.
Some individuals have developed malicious data that may hinder the operation of computers. Whether a virus is intended simply as a practical joke or a planned attack on a computer network, vast amounts of damage may result. A computer virus is a program that disrupts operations of a computer by modifying other executable programs. A virus may also delete or corrupt crucial system files, user data files or application programs. Additionally, malicious data may make copies of themselves to distribute to other computers connected to a communications network, thereby causing damage to computers at several locations.
The prior art has attempted to reduce the effects of viruses and prevent their proliferation by using various virus detection programs. One such virus detection method was disclosed by Ji et al. in U.S. Pat. No. 5,623,600. Ji et al. utilized gateways equipped with proxy servers to perform virus detection on the whole file being transmitted into or out of a network.
Please refer to FIG. 1. FIG. 1 is a block diagram of a memory of the gateway of the prior art disclosed by Ji et al. in U.S. Pat. No. 5,623,600. The memory 10 of a gateway, coupled to the network by a bus 11, comprises a File Transfer Protocol (FTP) proxy server 12, an operating system 13 including a kernel 14, a Simple Mail Transfer Protocol (SMTP) proxy server 15, and application programs 16 including but not limited to computer drawing programs, word processing programs, etc. When a file is transferred to or from the gateway node, the kernel 14 receives the file first, and then the destination addresses of the packets of the file are changed so that the packets can be transmitted to one of the proxy servers 12 and 15 according to the type of the file. Assume the received file is of FTP type, so it is transmitted to the FTP proxy server 12. The FTP proxy server 12 takes charge of checking whether the file composed of the received packets is of a type that may contain viruses. If the file composed of the packets received by the FTP proxy server 12 is considered safe and clean, the destination address of the file is changed again, and the file with the newly changed destination address is transferred back to the kernel 14 of the memory 10 of the gateway. Similarly, the SMTP proxy server 15 takes charge of checking whether the message composed of packets transferred to or from the gateway node is of a type that may contain viruses.
The prior-art method disclosed by Ji et al. in U.S. Pat. No. 5,623,600 installs the proxy servers in the memory of gateway nodes to check data transferred to and from the protected domain of a given network. However, it requires additional processing effort, since all packets must first be transferred to a particular proxy server before they reach their original destination.
Another method for detecting malicious data, commonly referred to as signature scanning, scans each transmitted packet individually, searching for code fragments of known patterns used in malicious data. However, signature scanning easily raises false alarms, so its error rate becomes unacceptably high.
Because of these performance problems and limitations of the prior art, it is desirable to develop a better detection method and a better malicious data removal and response mechanism for a computer network.
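The false-alarm weakness of per-packet signature scanning described above can be seen in the following added example, which is not part of the patent text. The signature names, byte patterns, packet payloads and ground-truth labels are all constructed for illustration.

```python
"""Per-packet signature scanning over constructed payloads (added illustration)."""

# Hypothetical signatures: short byte fragments chosen for this example,
# not patterns taken from any real detection product.
SIGNATURES = {
    "SIG-SHELL": b"cmd.exe /c",
    "SIG-NOPRUN": b"\x90\x90\x90\x90",
}

# Constructed packets: (payload, ground-truth "is malicious" label).
PACKETS = [
    (b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n", False),
    (b"Subject: tip\r\n\r\nTo list files, type cmd.exe /c dir", False),
    (b"\x89PNG\r\n\x1a\n" + b"\x90" * 6 + b"IDAT", False),
    (b"220 mail.example.test ESMTP ready\r\n", False),
    (b"\x90" * 16 + b"<constructed stand-in for hostile code>", True),
]


def scan_packet(payload: bytes) -> list[str]:
    """Return the names of all signatures found in this single packet."""
    return [name for name, pattern in SIGNATURES.items() if pattern in payload]


def evaluate(packets) -> dict:
    """Scan each packet in isolation and compare alerts with ground truth."""
    true_pos = false_alarms = missed = benign = 0
    noisy: dict[str, int] = {}
    for payload, malicious in packets:
        hits = scan_packet(payload)
        benign += not malicious
        if hits and malicious:
            true_pos += 1
        elif hits:
            false_alarms += 1
            for name in hits:  # track which signature fired on clean data
                noisy[name] = noisy.get(name, 0) + 1
        elif malicious:
            missed += 1
    return {
        "true_positives": true_pos,
        "false_alarms": false_alarms,
        "missed": missed,
        "false_alarm_rate": false_alarms / benign if benign else 0.0,
        "noisy_signatures": noisy,
    }


if __name__ == "__main__":
    print(evaluate(PACKETS))
```

Two of the four clean packets trigger an alert because a short fragment matched inside ordinary mail text and image data, which is the error-rate problem the paragraph describes.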