As is well known, the network architecture most widely used in the present-day Internet follows the DoD model (also called the TCP/IP suite). The DoD model comprises a link layer, an Internet layer, a transport layer and an application layer. A program that wants to send or receive Internet data must make its own data conform to the TCP/IP protocol standard so that the data can be transmitted accurately and effectively over the Internet. Among the four layers, the data structures of the link layer, the Internet layer and the transport layer each follow a relatively rigid standard that a programmer cannot alter without authorization, so key data in those layers is easily monitored by security software or security devices and is difficult to disguise. Only the data structure of the application layer is highly customizable: a programmer is free to define its content and structure according to his own requirements and ideas.
The current solution for detecting the data structure of the application layer relies mainly on feature codes (signatures): a developer takes a network threat that has already occurred (remote control tool, Trojan, worm or the like), researches and analyzes a sample on hand, captures the network data packets it transmits, and then extracts a fixed feature of them (e.g., a specific characteristic occurring at a specific offset) as the basis for automatic detection by a program. The biggest drawback of this conventional solution is its hysteresis: a sample of a new threat must first be found and analyzed, and only then can the threat be effectively intercepted.
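The following added example (not part of the patent text) shows what the fixed-offset signature matching described above looks like in code, and why it lags behind new variants. Signatures are (offset, byte pattern) pairs applied to an application-layer payload; the payloads and the signature bytes are constructed for this illustration and are not real indicators of any threat.

```python
"""Fixed-offset signature matching over application-layer payloads.

Added illustration of "feature code" detection: a signature is a byte
pattern expected at a fixed offset in the payload.  All patterns and
sample payloads below are constructed placeholders, not real indicators.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Signature:
    name: str      # label reported on a match
    offset: int    # byte offset at which the pattern must start
    pattern: bytes # the fixed feature extracted from an analysed sample


# Constructed signature database (invented placeholder bytes).
SIGNATURES = [
    Signature("example-family-A", offset=0, pattern=b"\x7fMAGIC"),
    Signature("example-family-B", offset=8, pattern=b"CMD:"),
]


def matches(sig: Signature, payload: bytes) -> bool:
    """True if the payload carries sig.pattern exactly at sig.offset."""
    end = sig.offset + len(sig.pattern)
    return len(payload) >= end and payload[sig.offset:end] == sig.pattern


def scan(payload: bytes, sigs=SIGNATURES) -> List[str]:
    """Return the names of all signatures that fire on this payload."""
    return [s.name for s in sigs if matches(s, payload)]


# Constructed payloads: the analysed sample, a trivially shifted variant
# (one leading byte added, all offsets move by one), and a benign request.
KNOWN_SAMPLE = b"\x7fMAGIC" + b"\x00\x01" + b"CMD:ping"
SHIFTED_VARIANT = b"\x00" + KNOWN_SAMPLE
BENIGN_REQUEST = b"GET / HTTP/1.1\r\n"


def demo() -> dict:
    """Scan the three constructed payloads and return the verdicts."""
    return {
        "known": scan(KNOWN_SAMPLE),       # both signatures fire
        "variant": scan(SHIFTED_VARIANT),  # nothing fires: detection lags
        "benign": scan(BENIGN_REQUEST),    # nothing fires
    }


if __name__ == "__main__":
    for label, names in demo().items():
        print(f"{label:8s} -> {names}")
```

The shifted variant carries the same application-layer content as the known sample, yet no signature fires, because the fixed offsets no longer line up; a new signature can only be written once a sample of the variant has been captured and analysed, which is the hysteresis the text refers to.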
As follows from the above, the conventional manner of recognizing a program's network behavior cannot accurately recognize newly-emerging network behavior of a program or new variants of known behavior.