Journal of Computer Applications ›› 2010, Vol. 30 ›› Issue (1): 210-212.
• Information security •
钟明全,唐彰国,李焕洲,张健
Abstract: To address the harm that malicious programs cause computer users and their rapid growth in number, a detection system based on the network communication behavior data of a program is proposed. The paper focuses on a detection model for suspicious communication behavior based on difference contrast. A diagram of how the system's modules work together and the program code for the system's key techniques are given. The test results show that the system can detect network communication, the communicating process, and the domain name for a program.
Key words: malicious program, network driver, communication detection, Service Provider Interface (SPI)
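Abstract: In view of the harm that malicious programs cause to computer users and the rapid growth in their number, a detection system based on a file's network communication behavior data is proposed. The paper focuses on a suspicious communication behavior detection model based on the difference-contrast method, and gives the cooperative workflow diagram of the system's modules and the implementation code of the system's key techniques. Test results show that the system provides communication detection, communicating-process detection, and domain name information detection.
Key words: malicious program, network driver, communication detection, Service Provider Interface
钟明全 唐彰国 李焕洲 张健. Detection of suspicious file communication behavior based on the difference-contrast method [J]. Journal of Computer Applications, 2010, 30(1): 210-212.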
URL: https://www.joca.cn/EN/
https://www.joca.cn/EN/Y2010/V30/I1/210