JP2019003349A - Virus monitoring method by individual instruction processing time measurement - Google Patents

Abstract

To provide a method and a program for detecting the start of a virus.SOLUTION: A virus is a program, and when the program is read, the program is started to perform a malicious activity. When individual processing is executed even though the program comprises instruction sentences prescribing the individual processing, a value (data) of a variable necessary to the processing is surely read. When the data includes the virus, the virus is started to cause damage. The started virus needs a time for making a malicious activity. Therefore, even though the execution of the program is returned to the original program from the virus, it takes a longer time than a required time for executing the processing in a normal state (without virus). Then, a fixed time is appropriately set, whether or not the processing is finished is determined when the time elapses to detect the virus.SELECTED DRAWING: Figure 2

Description

The present invention relates to a method and a program for monitoring the execution of a virus according to an abnormal state by measuring the processing time of each instruction when a virus enters the program and starts up.

Cyber attacks are already at a serious stage. Sophisticated hackers can infiltrate any computer system, steal its data, and tamper with it. Information from many institutions and companies has already been damaged. Moreover, they often do not recognize the fact that they are injured. Conventional programming techniques cannot avoid this crisis. The following table describes the conventional programming method, explains why it is not possible to avoid all cyber attacks, explains the method of scenario function programming, and many cyber attacks using that method. Explain why you can fight
Table of contents 1. Two major features of conventional programming techniques 2. Anti-virus measures in conventional programming methods Explanation of scenario function program 4. Virus neutralization by scenario function program

1. Two major features of the conventional programming method In the conventional programming method, the numerical values (operands) required for individual processing (calculation, condition determination, reading, writing, etc.) included in it are trials of individual processing. Of course it must exist before. Therefore, the order of processing is important, and a person considers the order so that the order is not mistaken, and instructs the computer by a program. There are two ways to specify the processing order. The first is a method of processing the processing method written for each line from top to bottom in the program in the order written. If you want them to be processed in that order, they are automatically processed one after another without any special instruction.

The second way of specifying the processing order is not to follow the order written from top to bottom, but to jump to the line number (memory address) where the processing method is written and execute the processing written there. A method in which a person instructs a computer by a program. For example, instruct GOTO 100th line. Or
if ~ (condition) (eg X> Y)
then processing A (Example: A = B + C)
else processing B (Example: P = QR)
In this case, if the condition is right, the next line is processed. If not, the program instructs the program to jump to the line where else is written and execute the process.
In any case, the processing order must be instructed by the person by the program. In other words, if it is instructed by the program, the processing method written in the place as instructed is automatically executed. This is called the processing order instruction principle.
Therefore, if a virus program is inserted next to a certain line, for example, by a cyber attack, execution automatically shifts to the virus program written on that line.
Also, for example, if the jump address (return address) is changed to the address of a virus program due to buffer overflow, execution automatically shifts to that virus program. In short, the computer will behave exactly as instructed, regardless of whether it is a legitimate instruction.

There is another notable feature of traditional programming techniques. That is, if there is a value in the data area, it is used as a correct value without verifying whether it is a correctly generated value or a value generated by a cyber attack. This is called the unverified usage principle of data values.

These two features, ie, the above-mentioned “processing order instruction principle” and “data value non-verification usage principle” are the fundamental principles of the conventional programming technique, and that is the reason why cyber attacks cannot be avoided. Therefore, with conventional programming methods, there is no countermeasure after a malicious program (called a virus program, abbreviated as a virus for short) has invaded a legitimate program. There is no other way but to stop.

2. How will anti-virus virus intrusion prevention be done using conventional programming methods? First, it must be identified as a virus. Since a virus is a program, since a virus program that has been recognized as a virus in the past has been publicly registered with the characteristics of the program (called a bit pattern), a pattern list, that is, a wanted list is created and distributed. Immediately before receiving all data transmitted to the server or personal computer, the pattern of the data is examined, and if there is matching data by comparing with the pattern list, the intrusion can be prevented. However, this method has no effect on new viruses that are not wanted.
Therefore, the contents of the transmitted program are further checked to see if they are bad. In addition, it checks if there is an attempt to intrude using known vulnerabilities such as Windows, Internet software, various applications, or programming languages. Other various measures are taken to prevent the invasion of viruses. Software that implements these measures is called a firewall.

However, since there are theoretically infinite number of new viruses, it cannot cope with all viruses, and it is difficult to determine whether they are malicious in the first place. Because it is difficult, there is a limit to the virus prevention effect. The method of verification using individual authentication ciphers (passwords, etc.) is not perfect because cryptanalysis technology has been developed, and passwords are decrypted or leaked. From the above situation, it is impossible to completely prevent the invasion of viruses by the conventional programming method as long as the Internet is connected directly or indirectly.

3. Explanation of scenario function program The scenario function programming method was invented as the ultimate anti-virus measure. Even if a virus enters, the scenario function detects the virus itself, decontaminates it, and returns to normal processing. This virus detection, decontamination, and normal recovery is called virus neutralization. The scenario function programming method is completely different from the conventional one. The scenario function does not have the “processing order instruction principle” and the “non-verification use principle of data values” which are weaknesses against viruses of conventional programming techniques. A programming method called scenario function is described below. However, the description here is limited only to the concept of scenario function necessary for the description of the present invention described later.

First, the “processing order” in the scenario function will be described. As described above, in the conventional programming method, a person performs “processing order instruction”. On the other hand, in the scenario function method, the processing order is determined by the computer. The reason is outlined below. Decompose requirements into single function statements, each of which is an individual process. Each processing is, for example, if X> Y A = B + C. Regardless of the order in which the individual processing methods determined according to the requirements are described and arranged, the computer starts processing from what can be processed, and if anything that cannot be processed remains, it returns to the top of the order in which they are arranged again. All the processes are eventually executed by trying unprocessed processes and repeating this work in a cyclic manner. See FIG.

This will be explained with an example. Assume that there is a process that generates a value of a variable A (if X> Y A = B + C). Therefore, if there is a process that can be executed by repeatedly trying all the processes until the necessary variables B, C, X, Y (operands) are obtained, all B, C, X, Y are executed. After obtaining the value, the value of the variable A is generated for the first time, that is, the processing is executed. Rather than instructing the processing order by a person, processing is performed in the order in which necessary data values are obtained by cyclic repetition. A series of programs for eventually executing the process A by cyclic repetition is called a vector A program (abbreviated as vector A). See FIG. This processing method is called data combination. This is the basic principle of the scenario function. The processing order of the scenario functions is not the order described as a program. The actual processing order cannot be understood by a person unless he / she tries the processing by cyclic repetition and sees the result. In the scenario function, there is no operation for instructing the address of the destination line as described above in the current programming method and executing the processing method written there. This is because the processing method group for the jump destination also performs the scenario function processing as a whole in the entire processing. In the case of conditional branching, both the processing in case of right and the processing in case of failure are tried, and the processing that is satisfied is adopted because one is satisfied. In other words, the individual processes may be written anywhere in the program based on the principle of “the processing order is determined by the result of cyclic repetition” which is a feature of the scenario function.

4). Disabling viruses with scenario function programs The above example will be described. In order for the value of A to be obtained correctly, values for B, C, X, and Y need to be obtained, and they must be values generated by normal processing, that is, a program. The value given by the virus is not correct. In addition, all values upstream of those operands must be so. From the input data value to the A value, it must be linked by the method of each processing in a chain of data value dependency relationships. The values of the individual data items connected by this data value chain are called legitimate values. If any value in this chain is altered by a virus, it must be detected and eliminated.

For the following description, refer to the vector A related to the process A in FIG. In a certain process A (for example, the above process A, that is, A = B + C if X> Y), since the variable A is a legitimate value, A is not generated by the virus but generated by the process A. In addition to satisfying the satisfaction condition X> Y, it is necessary that the values B, C, X, and Y (operands) exist and be legitimate. In other words, for the value of A to be legitimate,
(a) The values of B, C, X, and Y (operands) exist and are legitimate values.
(b) Satisfaction condition X> Y is satisfied
(c) Process A trial end flag is on,
Must be established. You must make a decision for that. Therefore, the legitimacy of B, C, X, and Y is also determined for A as described above. In order to determine (a) above because the value of A is legitimate, it is judged whether or not a legitimacy flag, which will be described later, is set in a vector related to the processing of each operand. If the legitimacy flag is set for each of the vector programs related to B, C, X, and Y, and if (b) and (c) above are established, then the value of A is assumed to be legitimate. Raise the legitimacy flag. The determination operations (a), (b), and (c) above are called legitimacy verification operations. In this way, the vectors related to the individual variables are cyclically and repeatedly tried, and each process is tried. If the result is determined to be good, the legitimacy flag is set for each variable. If the legitimacy flag is not raised in any of B, C, X, and Y, or X> Y is not established, A is initialized without setting the legitimacy flag in A. A program that executes the legitimacy verification operation is referred to as a legitimacy verification program.

This operation is tried one after another for all vectors related to the individual processes arranged in an arbitrary order, and is repeated or repeated until all values are legitimately established. This ensures that all data values from all input data values to all output data values are linked in a chain of interdependencies. That is, it is guaranteed that all values are values generated by the program. If the value of some variable in this chain is not a value generated by the program, it is the value given by the virus because the processing end flag for that variable is not turned on. Is not detected by the legitimacy verification program. If it is detected, it is deinitialized and decontaminated, and then it can be returned to a normal state by repeated circulation.
The above operation is called virus neutralization by the scenario function program. This technology is patented in Japan (patent numbers 5992079 and 6086977).

Patent No. 5992079 Patent No. 6086977

Scenario Function Program Issues The above scenario functions also have issues. That is, when reading data necessary for trying the processing in each variable vector, if the virus program is mixed in the data, the virus is executed. The processing of individual variables is, in terms of program statements, assignment statements (eg A = B + C), constant statements (A = 10), conditional statements (X <Y), input statements (Read A) This is an output statement (Write A). All program processes result in these five processes.
The above problem will be described as an example using an input command sentence. When external data is read by an input command statement, if a virus program (simply called a virus) is read along with legitimate data, the computer will start the virus next to the input command statement. is there. Once the virus starts, it can tamper with or steal the original program data. This is the problem of the scenario function.
This issue is not just about input statements. The five types of processing work to read all data values necessary for the processing. Therefore, if the virus program is mixed in the data, the above problem will occur.

There are two situations depending on the function of the virus.
First, since the original scenario function is not executed unless the virus has a function to return to the original scenario function, the trial does not end even if a certain time or more has elapsed for the vector A. The state is abnormal and an immediate warning is issued to stop the scenario function. Alternatively, the vector A is initialized, the scenario function is continued, and the vector A is restarted (called return) in the next cycle.
Second, if the virus has the function to return to the original scenario function, if the virus has altered the data, it will eventually detect, decontaminate, and restore it by trying the scenario function repeatedly. I can do it. This is called vector neutralization. However, if the data is stolen but not tampered with, the scenario function cannot catch the virus. In that case, as described above, using the fact that the end of trial of process A is delayed by the amount of time that the virus steals data, if process A has not finished trial even after a certain period of time has passed, Immediately issue a warning and stop the scenario function. Alternatively, the vector A is initialized, the scenario function is continued, and the vector A is restarted (called return) in the next cycle.
The following table summarizes the above.

Comparison of operation of conventional method program and scenario function program Processing time monitoring program (forced interrupt judgment type) applied to scenario function type programs Processing time monitoring program (processing end time regulation type) applied to scenario function type programs Processing time monitoring program applied to scenario function type programs (vector end time regulation type) Processing time monitoring program (forced interrupt judgment type) applied to the conventional method program

FIG. 2 is an example using a timer interrupt. FIG. 3 shows an example using a vector control program. See FIG. A processing time monitoring program is constructed for each process (command) as follows. Since it is a scenario function, processing is performed with vectors. First, the timer switch is always turned on immediately before each processing (command statement) (for example, processing A. For example, A = B + C). Then, process A is tried. After trying process A, the process A trial end flag is turned on. Next, in order to verify the legitimacy of the value generated by the above processing, execute the legitimacy verification program, and if the value of A is obtained and the judgment is good, the legitimacy flag is turned on, If not, the generated value is initialized.

On the other hand, when an appropriately set time (referred to as timer set time) elapses, the timer transmits an interrupt signal. Since the CPU of the computer has an interrupt signal processing function, the vector program, which is the original program, is temporarily stopped, all data is saved in a register and stored, and then the interrupt program is started. The interrupt program interrupts and moves somewhere in the original program, and determines whether the process A trial end flag is on or off. The timer setting time must be set to be short so as not to give time for the process A to return to the original program and turn on the trial end flag of process A after the malicious action has taken place within that time. Basically, it is desirable that the shortest time is within a range exceeding the time required for the process A and the time to turn on the process trial end flag. That way, you can limit the amount of time the virus does bad things. In this case, if even the regular data requires a processing time longer than the timer setting time, a warning / emergency stop occurs during the process A. But this is also a good way to do it. This is because even if there is an emergency stop, if a person checks and there is no problem, it can be restarted as it is, and it is better than giving more time for the virus to do something wrong. To put it the other way around, if you set a long timer setting time and give the virus time to do evil, it is necessary to be aware that if the virus only steals data, you cannot recognize the virus.

Further details will be described. When the timer set time is set, the interrupt program starts when the timer set time elapses, and determines whether the trial end flag of the process A in the vector is on or off. If the flag is on, it indicates that the process A has been completed normally within the timer set time, so that the interrupt program returns execution to the next place where the original program interrupted. On the other hand, if the flag is off, the state is that the virus is executed after the normal reading process and consumes time. Therefore, it is determined that the flag has not been turned on, and a warning is issued. Emergency stop the function program.
In designing the program, in order to specify the processing trial end flag for determining whether the interrupt program should be turned on or off, immediately after the start of each vector, the processing trial end flag name of the vector is registered in the interrupt program.

In the above embodiment, the interrupt program is used, but there is also a method for regulating the trial time of the process A. See FIG. 2-1. In other words, a program instruction is used that “if processing A ends within a certain time, it proceeds to the next processing as normal, and if it does not end within a certain time, it proceeds to a designated program”. If process A does not finish within a certain time, it is judged that the state is because the virus was executed after the normal reading process and time was consumed, a warning was issued, and the scenario function program was urgently stopped. To do.

Whereas, the installation position of the flag for determining whether or not the process A in each vector is completed or not, or the installation position of the instruction that regulates the trial time of the process A is processed as described above. Immediately after A is desirable. If it is a position after that, the time for many operations on the way to the processing trial end determination flag to be installed after processing A will vary depending on various factors, so it will act as a virus that moves immediately after processing A It becomes difficult to capture time sensitively. However, in a program based on a scenario function, the vector has a predetermined pattern, and it may not be preferable to insert a trial end flag for process A or a process trial end time restriction command there. In that case, it is determined whether or not there has been a virus wrong based on whether or not the vector is completed within a predetermined time. See FIG. In this case, when starting each vector in turn in a program for controlling each vector (called a coordinate function in the scenario function),
“If vector A ends within a certain period of time, it proceeds to the next process as normal, and if it does not end within a certain period of time, it proceeds to the specified program.”
You can use this command. The specified program is given a function to issue a warning and make an emergency stop of the scenario function.
In this case, if the virus has a function of returning to the original program after startup, it is difficult to capture the virus as described above. It is even more difficult if you have a short working time, especially when doing virus evil. On the other hand, it is effective for viruses that do not have a function to return. However, it should be noted that, even in such a case, in the case of software that cannot set the predetermined time short, sufficient time is given to act on the virus before warning / emergency stop.

It is easy for a scenario function program to introduce the above processing time monitoring program into the original program. The reason is described.
Since the scenario function program mounts the individual processing methods on the vectors described in the paragraph number 0011 and FIG. 2 and arranges the vectors at random, it is not necessary for the person to think about and specify the processing order. The program is very simple and one pattern. The scenario function program is described in detail in Patent Documents 1 and 2 described above. It is easy to previously add various instruction groups necessary for the processing time monitoring program as a template to the one-pattern program.

Method Applied to Conventional Programming Method In the programming method using the scenario function, the processing order may be random, and as described above, the processing order is determined by sequentially and repeatedly trying individual processes. On the other hand, in the conventional programming method, since the processing order is specified by the person in consideration of the processing order as described above, if the specified order is correct, an operand required for a certain processing always has a value at that time. Therefore, it is not necessary to repeat each process sequentially and repeatedly. However, in this conventional programming method, as described in paragraph 0014, “all data values from all input data values to all output data values are connected by a chain of interdependencies. A "guarantee", i.e. "a guarantee that no data values are contaminated by a virus" is obtained.

However, if the guarantee is not required, it is not necessary to provide the legitimacy verification program in the processing time monitoring program. The purpose is “If a virus program is mixed in the input data, the virus starts, and the next process (command) in the regular program is not executed within the set time, a warning is issued and the program is forcibly stopped. If it is only necessary to input the input path to the intrusion route and start location as a virus countermeasure, the legitimacy determination program is not required in the processing time monitoring program (FIG. 2). Also, the processing time monitoring program need not be applied to all individual processes, but only to input processes. This is shown in FIG.

Only the input process (command) is necessarily performed by this one-pattern subroutine. Unlike the programming method using the scenario function, the conventional programming method equipped with this processing time monitoring program cannot detect, decontaminate, and return to normal status due to virus contamination. If the virus does not return to the original program, it will be alerted and alerted whenever the timer has expired. In addition, in the case of a virus having a function of returning to the original program, if the timer setting time is shortened, the time during which the virus works wrong can be limited as described in paragraph 0020. So if the virus has been doing wrong for longer than a certain amount of time, it can issue a warning and make an emergency stop.
The above-mentioned disaster avoids disasters that do not even realize that the virus has moved. However, as in the case of the scenario function described in paragraph 0020, in the case of a virus having a function for returning to the original location of the original program, if the timer setting time is long, the virus may steal or alter the data. However, it should be noted that the virus cannot be caught.

Cyber attacks, such as viruses entering computers, secretly stealing information, tampering, and performing malicious actions, are becoming increasingly serious. The most troublesome problem is that even if information is leaked or falsified by a virus, the victim cannot recognize it. According to the present invention, if a virus is activated, a warning is issued after a certain time and the program is urgently stopped. Therefore, industrial applicability is great.

Claims (4)

When the requirements for creating a program are broken down into single-function statements, and each of them is called "individual processing", the individual processing is arranged arbitrarily, and the individual processing is sequentially and repeatedly tried. In a program called a scenario function that tries to generate the values of all the variables necessary for execution, sequentially generates the values that can be generated, and eventually executes all the individual processes, the time required for each process is Monitor to determine whether the required time exceeds a set time, and if it exceeds, determine that the virus has been executed, issue a warning, and urgently stop the scenario function.
A computer program characterized by the above.
The program according to claim 1, which is a program for applying the program of claim 1 to a conventional programming technique, and is executed only for input processing among individual processing.
A storage medium in which the program according to claim 1 or 2 is stored.
A circuit in which the program according to claim 1 or 2 is materialized.