KR101124615B1 - Apparatus and methdd of searching group activity malicious code - Google Patents

Abstract

The present invention relates to a method of searching for collective behavioral malware based on group behavior of hosts infected with malware, and collects traffic data of a search target network and examines the traffic data to group common behaviors occurring in different hosts. Create a plurality of host groups based on the action and the object of action of the group action, measure the similarity between the plurality of host groups indicating how the hosts belonging to each of the plurality of host groups match, and use the similarity to group Find behavioral malware.

Botnets, group behaviors, collective behavior malware

Description

Group behavior malware detection method and device {APPARATUS AND METHDD OF SEARCHING GROUP ACTIVITY MALICIOUS CODE}

The present invention relates to a method for searching group behavior malware, and more particularly, to a method for searching for group behavior malware based on group behavior of hosts infected with malware.

Due to the rapid development of many infrastructures that make up the Internet due to the development of Internet technology and the increase of the population, many vulnerabilities of the Internet are exposed due to the incomplete preparation of security factors. Cyber terrorism, which attacks the majority, frequently occurs. These cyber attacks are becoming increasingly intelligent and organized, and are forming professional and organized networks to gain economic benefits. As such, cyber attackers have come up with technology to control their existence and location, to control numerous computers under their control in order to obtain financial gains for illegal activities, and botnets have emerged for this purpose. .

Attackers install bots on thousands and tens of thousands of computers and control them over the network at the same time, making them perform malicious activities. As botnets grow in size, there are various types and methods of attack using them, and the damages are becoming more serious, which is the biggest issue of cyber security.

Recently, many malicious attacks such as distributed denial of service (DDoS), spamming, and pharming are mostly conducted by botnets. A malicious hacker infects a personal computer (PC), making it a bot that can be controlled at will, and performing malicious activities by controlling thousands and tens of thousands of these PCs all over the network. A botnet is a network of thousands to hundreds of thousands of bots that are remotely controlled by a bot master who has the authority to control and control them.

In general, PCs are infected by bots through various paths. If you click on the executable code in the spam mail, you can load the infection code into the worm and infect the vulnerable PCs. Very diverse In addition, infections using rootkits are often difficult to identify.

The bot master uses the IRC (Internet Relay Chat) channel mainly for command transfer and control between itself and the botnet. 1. The infected PC automatically receives the latest bot code 2. Updates itself and connects to the command / control server. 5. The botnet mainly uses TCP 6665 ~ 6669 ports and performs many cyber attacks such as DDoS attack, phishing, pharming, and spamming. Currently, most DDoS attacks and spam e-mails have been reported through botnets, and many serious damages have occurred.

In the meantime, botnets have caused significant damage to businesses. Malicious bots can greatly increase traffic as they scan the network for targets to infect, making the network very slow or disruptive, leaving the enterprise almost unworkable. Moreover, as botnets are used in other security attacks these days, the risks and damages increase even more.

Malware or spyware is distributed through botnets, and spam mails are heavily distributed. In particular, the damage from DDoS attacks through botnets is very large.

For adult service providers, including DDoS attacks against 13 root domain name servers ("DNS") servers worldwide in February 2007, and domestic video chat services that began to grow in the second half of 2006. Attacks on botnets, including the attacks on the game item brokerage site in October 2007, were extremely powerful.

Botnets are very widespread, at home and abroad. In the Korea Information Security Agency (KISA), when a PC attempts to connect to a bot control server, it is infected with a domestic bot by a DNS sinkhole method that blocks the connection with the bot control server by returning a specific IP from the DNS server. PC statistics are published. As of October 2007, the domestic malicious bot infection rate reached 11.7%. (Korea Information Security Agency, Internet Infringement Incident Trend and Analysis Monthly Report, October 2007. Here, we define the domestic malicious bot infection rate as the percentage of domestic bot infected PCs among the estimated malicious bot infection PCs worldwide.)

Vint Serve, Google's father of the Internet, said at the World Economic Forum in Davos, Switzerland, in January 2007 that the spread of botnets is a global epidemic, with 100 million to 150 million PCs connected to the Internet. Are being used as botnets, and users of these computers are usually victims who do not want to join the botnet.

Although there are variations based on statistics and estimates, it seems clear that there are a large number of PCs infected with bots worldwide and acting as zombies on botnets.

Recently, a number of techniques for detecting bots have been proposed to cope with botnets, but the proposed techniques have shown the limitations of the level of the original technology proposal.

The technical problem to be achieved by the present invention is to provide an efficient collective behavior malware search method.

Group behavior malware search method according to an aspect of the present invention for achieving the above object is to collect the traffic data of the searched network to review the traffic data and the common behavior that occurs in different hosts and the group behavior Create a plurality of host groups based on the target of the behavior, measure similarity between the plurality of host groups indicating how closely the hosts belonging to each of the plurality of host groups match, and use the similarity to find the group behavior malware. .

In accordance with another aspect of the present invention, there is provided a group behavior malicious code search apparatus comprising: first means for collecting traffic data of a search target network; A second means for creating a plurality of host groups based on the action target of the action, and a similarity measure indicating how the hosts belonging to the first group and the second group among the plurality of host groups match each other and using the similarity group And third means for finding behavioral malware, wherein the first group and the second group are contiguous unit time groups that have performed the same group behavior for the same behavior object.

As described above, according to the present invention, the accuracy of the search can be improved and the search rate can be improved by searching for the group behavior malware based on the group behavior.

DETAILED DESCRIPTION Hereinafter, exemplary embodiments of the present invention will be described in detail with reference to the accompanying drawings so that those skilled in the art may easily implement the present invention. The present invention may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein. In the drawings, parts irrelevant to the description are omitted in order to clearly describe the present invention, and like reference numerals designate like parts throughout the specification.

Throughout the specification, when a part is said to "include" a certain component, it means that it can further include other components, without excluding other components unless specifically stated otherwise. In addition, the terms “… unit”, “… group”, etc. described in the specification mean a unit for processing at least one function or operation, which may be implemented in hardware or software or a combination of hardware and software.

First, the behavior sequence of the botnet and the characteristics of the botnet will be described with reference to FIG. 1. 1 is a diagram illustrating the life cycle of a botnet.

Bots are hosts infected with collective behavioral malware, and botnets are networks of thousands to hundreds of thousands of bots remotely controlled by a bot master that has the authority to control and control bots.

As shown in FIG. 1, the botnet infects a host having a vulnerability using a bot malware of an individual made by an attacker (S110). There are various ways to infect, including how to use attachments in emails, how to infect via messenger, and how to use Internet worms.

Next, the infected host downloads the actual bot code (S120). The reason for not downloading the bot code directly in step S110 is that the bot code size is large and the attacker who propagates the bot frequently updates his bot code with the latest data.

The infected host performs a DNS look up (S130). The infected host executes the downloaded bot code and sends the domain name of the Command and Control (C & C) channel server in the bot code to DNS to query DNS for the IP address of the C & C channel server. do. Most bots perform a DNS lookup process. The C & C channel server is a channel server for the bot master to control the bot, and the bot code of the infected host automatically connects to the C & C channel using the domain name of the C & C channel server.

The infected host accesses the C & C channel server using the IP address received in response to the DNS and joins the C & C channel (S140). In general, Internet relay chat (hereinafter referred to as "IRC") is used as a C & C channel server.

The bot master connects to the C & C channel server and controls the bot hosts through the C & C channel server and transmits a malicious attack command to the bot hosts (S150 and S160). The bot hosts that received the malicious attack command then perform malicious bot actions such as DDoS, spamming, and leakage of personal information.

Botnets usually reside on an IRC channel server and wait to perform attack commands from the bot master. Botnet behaviors such as accessing channel servers, waiting on channel servers, and conducting attacks are distinguished from those of normal hosts in that they have group behavioral characteristics that represent behavioral characteristics in groups. Group behavior refers to common behavior that occurs at different hosts in a unit time. The group behavioral characteristics of botnets are related to the botnet's order of action as described above.

Botnets exhibit group behavior in the process of detecting vulnerable hosts and spreading bot malware through worms. In other words, hosts belonging to botnets perform malicious behaviors of host scanning, port scanning, and worm code propagation. In this process, group behavioral characteristics can be confirmed.

Downloading bot code in the process of downloading bot code from infected hosts also has group behavior.

The behavior of querying DNS in the DNS lookup process for botnet constituent hosts to find C & C channel servers also has group behavior.

The botnet constituent hosts joining the C & C channel periodically send and receive the Ping and Pong messages used by the IRC to inform their channel connection status.

In the process of malicious attacks by hosts belonging to botnets, malicious behaviors such as DDoS and spamming also exhibit group behavioral characteristics.

There is a difference between normal group behavior and botnet group behavior, and DNS lookups are as shown in Table 1.

Source IP to connect to domain name Behavior pattern DNS type Botnet DNS Query Characteristics Fixed size group (botnet members) Group behavior is intermittent DDNS (dynamic DNS) Normal DNS Query Characteristics Normal users Non-Group Behavior Continues at Random Primarily DNS

Next, the collective behavior malware search apparatus according to an embodiment of the present invention will be described with reference to FIG. 2 is a structural diagram of a collective behavior malware search apparatus according to an embodiment of the present invention.

As shown in FIG. 2, the group behavior malware search apparatus according to the embodiment of the present invention includes a data collector 210, a group behavior classifier 220, a similarity analyzer 230, and a botnet reporter 240.

The data collector 210 is connected to the sensor to collect data transmitted from the sensor through the network. The sensor collects the TCP traffic data and the UDP traffic data and stores them or delivers them to the data collector 210 in real time. TCP traffic data includes IRC traffic data (TCP 6667, etc.), UDP traffic data includes DNS traffic data (UDP 53, etc.). The more the sensor exists in several places, the more effective the detection of the botnet, and usually exists in front of the main router or secondary DNS (cache server) of a particular network. The collected data has a data structure suitable for the data collector 210 to receive and is transferred to a UDP socket or a TCP socket.

The group behavior classifier 220 reviews the data received from the data collector 210, creates a host group according to the group behavior of traffic, stores the data in a data structure, and delivers the host list belonging to the group to the similarity analyzer 230. Do it. That is, the group behavior classifier 220 finds a host group based on the object and the group behavior and stores the host list belonging to the group in the data structure. The data structure can be a linked list or a hash table. Although the linked list has a merit of using less memory, the similarity takes a lot of time to measure the similarity, and the hash table has a disadvantage of using a lot of memory, but the merit of taking the similarity takes less time.

The similarity analyzer 230 calculates how much the hosts belonging to two groups match each other for two groups of adjacent unit time having the same group behavior for the same behavior among the groups received from the group behavior classifier 220. The similarity between two groups is measured. When the measured similarity exceeds the similarity threshold, the hosts belonging to at least one of the two groups are determined as the botnet, and the host list belonging to the botnet and the action target of the botnet are sent to the botnet reporter 240. And, if the similarity is λ _s -δ <S <λ _s , the host belonging to at least one of the two groups is determined as the suspect group, and the host list belonging to the suspect group and the action target of the suspect group are determined by the botnet reporter ( 240). Where λs is the threshold of similarity and δ is the margin of error of any similarity.

The botnet reporter 240 stores the host list belonging to the botnet received from the similarity analyzer 230 and the action target of the botnet in a database. Correlation Analysis between groups and targets can be performed to improve detection accuracy. In addition, the botnet reporter 240 transmits the action target of the group determined as the suspect group to the black list of the group action classifier 220.

Hereinafter, a method for searching collective behavior malicious code according to an embodiment of the present invention will be described with reference to FIG. 3. 3 is a flow chart of a group behavior malware search method according to an embodiment of the present invention.

As shown in FIG. 3, the data collector 210 collects data through the sensor and transmits the data to the group behavior classifier 220 (S310).

The group behavior classifier 220 creates a host group using the data received from the data collector 210 (S320).

When there are n _t hosts having act A for the act target O in the search target network for a unit time t, n _t hosts are created as a group G (O, A) when Equation 1 is satisfied.

Here, N is the total number of hosts of the search target network, and λ is an arbitrary threshold.

Therefore, elements necessary for creating a host group are n, lambda, t, and O.

Scale to detect botnet That is, if the number of the robot belonging to the botnet b probability of a host belonging to the botnet to be detected in the search target network (P _b) is b / N, is a λ P _b.

The unit time t and the target object O can be determined as follows according to each situation in which the group action appears.

In the case of DNS traffic observed during DNS lookup or C & C channel migration, the target object O is the domain name (DN) of the DNS query that bot hosts query the domain name server, and the unit time t Is determined by Equation 2 in consideration of the DNS TTL (time to live) value.

Min (TTL of DDNS) <t <Max (TTL of normal DNS)

C & C traffic includes continuous watchdog traffic and temporary command and control traffic.

Looking at watchdog traffic, the action target O is a destination IP address of TCP traffic or a Ping / Pong of IRC. The destination of the TCP traffic is the IRC server, and the ping pong of the IRC usually occurs at 90 second intervals. The unit time t is determined as shown in Equation 3 in consideration of the Ping / Pong duration.

Min (Ping / Pong duration) <t <Max (Ping / Pong duration)

Looking at the temporarily generated command and control traffic, the action target O is the source IP address of TCP traffic. The source of TCP traffic is the IRC server. Since it is impossible to know in what period the command and control traffic will occur, the amount of command and control packets that occur during any time is evaluated to calculate what distribution the command and control traffic follows and determine the unit time t based on this.

Attack traffic includes DDoS attack traffic and spamming traffic. Looking at the attack traffic, the action target O is the destination IP address of TCP / UDP / ICMP traffic. The destination for TCP / UDP / ICMP traffic is the attack target (Victim). Since it is impossible to know in what period the attack traffic occurs, the unit time t is determined based on the calculation of the distribution of the attack traffic distribution by evaluating the amount of attack packets occurring at any time.

Looking at the update traffic, the action target O is the destination IP address or domain name of the TCP traffic. The destination of TCP traffic is the update server. The unit time t is determined as shown in Equation 4 based on the code update period of the botnet.

Min (Update duration) <t <Max (Update duration)

When creating host groups, use black lists and white lists to improve performance.

The black list is a list of action targets of the group classified as Suspicious Group, which is not detected by the botnet, but the data of the black list is processed first when the host group is created.

The white list is a list of actions that are prepared to reduce data processing for well-known and well-known normal domains and IPs. The process of classifying group actions is not performed for the targets of the white list.

The similarity analyzer 230 measures similarity between the plurality of created groups (S330).

The similarity analyzer 230 measures similarity by calculating how the hosts belonging to two groups of two unit times having the same group behavior for the same behavior object among the plurality of groups match each other. Alternatively, a plurality of similarities may be obtained and an average value may be used.

That is, group G ₁ (O, A) is a group that has performed group action A on the target object O for unit time t ₁ , and group G ₂ (O, A) has group action on the target object O for unit time t ₂ . A similarity is obtained by considering how many hosts belong to a group A and simultaneously belong to group G ₁ (O, A) and group G ₂ (O, A). The unit time t ₁ and the unit time t ₂ may or may not be adjacent unit times.

Alternatively, group G ₃ (O, A) is a group of act A for the target object O for unit time t ₃ , and the similarity between group G ₁ (O, A) and group G ₂ (O, A) Obtain the similarity between group G ₂ (O, A) and group G ₃ (O, A), and obtain the similarity between group G ₁ (O, A) and group G ₃ (O, A), respectively, and use the average value. have.

The similarity between the group G ₁ (O, A) and the group G ₂ (O, A) can be obtained using Equation 5.

Where | G | is the number of hosts belonging to group G, and | G | ≠ 0. G ₁ ∩G ₂ means a group consisting of hosts belonging to group G ₁ (O, A) and group G ₂ (O, A) simultaneously.

The similarity analyzer 230 determines that hosts belonging to the group G ₁ (O, A) or the group G ₂ (O, A) are botnets when the similarity obtained through Equation 5 exceeds the similarity threshold λ _s (S340). ).

The closer to 1, the more likely it is to be a botnet, and the closer to 0, the more likely it is to be a normal group. In general, botnets have similarity values within 0 to 0.3 for normal groups.

The similarity analyzer 230 is a group consisting of hosts simultaneously belonging to G ₁ (O, A) and group G ₂ (O, A) when the similarity obtained through Equation 5 is greater than λ _s −δ and less than λ _s. Is determined to be a suspect group, and the suspect group's action is added to the black list. Is the margin of error of any similarity.

Embodiments of the present invention are not implemented only through the above-described apparatus and / or method, but may be implemented through a program for realizing a function corresponding to the configuration of the embodiments of the present invention, a recording medium on which the program is recorded, and the like. Such implementations may be readily implemented by those skilled in the art from the description of the above-described embodiments.

Although the embodiments of the present invention have been described in detail above, the scope of the present invention is not limited thereto, and various modifications and improvements of those skilled in the art using the basic concepts of the present invention defined in the following claims are also provided. It belongs to the scope of rights.

1 is a diagram illustrating the life cycle of a botnet.

2 is a structural diagram of a collective behavior malware search apparatus according to an embodiment of the present invention.

3 is a flow chart of a group behavior malware search method according to an embodiment of the present invention.

Claims (17)

Collecting traffic data transmitted and received on the search target network; Reviewing the traffic data, a plurality of groups based on a group action, which is an action performed by different hosts per unit time in the same way, with respect to predetermined traffic data, and a target of action, which is information in which group actions are performed among the information constituting the traffic data. Creating a host group; Measuring similarity between the plurality of host groups indicating how much the hosts belonging to each of the plurality of host groups match; And Using the similarity to find a group behavior malicious code, The group action is an action of querying DNS during a DNS (domain name server) lookup process, The traffic data is DNS traffic, and the action target is a domain name of a DNS query, Collective behavior malware detection method. Collecting traffic data transmitted and received on the search target network; Reviewing the traffic data, a plurality of groups based on a group action, which is an action performed by different hosts per unit time in the same way, with respect to predetermined traffic data, and a target of action, which is information in which group actions are performed among the information constituting the traffic data. Creating a host group; Measuring similarity between the plurality of host groups indicating how much the hosts belonging to each of the plurality of host groups match; And Using the similarity to find a group behavior malicious code, The group activity is an act of periodically sending and receiving ping and pong messages used by IRC (Internet Relay Chat) to notify hosts of C & C channels. , The traffic data is watchdog traffic, and the action target is an IP (internet protocol) address of the traffic data; Collective behavior malware detection method. Collecting traffic data transmitted and received on the search target network; Reviewing the traffic data, a plurality of groups based on a group action, which is an action performed by different hosts per unit time in the same way, with respect to predetermined traffic data, and a target of action, which is information in which group actions are performed among the information constituting the traffic data. Creating a host group; Measuring similarity between the plurality of host groups indicating how much the hosts belonging to each of the plurality of host groups match; And Using the similarity to find a group behavior malicious code, The group action is a distributed denial of service attack, The traffic data is attack traffic, and the action target is an IP (internet protocol) address of a destination of the traffic data, Collective behavior malware detection method. The method according to any one of claims 1 to 3 Creating the plurality of host groups Counting the number of hosts that have performed the same group action for the same action object that is information related to predetermined traffic data on the search target network for a unit time; And And if the value obtained by dividing the number of hosts by the total number of hosts belonging to the search target network is equal to or greater than a threshold value, creating hosts having the same group behavior as one group. 5. The method of claim 4, And the threshold is a probability that the collective behavioral malware exists in the search target network. 5. The method of claim 4, If the traffic data is DNS (Domain Name Server) traffic, the unit time is determined according to DNS TTL (time to live). The method of claim 6, The unit time is larger than the minimum value of the TTL (time to live) of the dynamic DNS and less than the maximum value of the TTL (time to live) of the normal DNS collective behavior malware detection method. 5. The method of claim 4, If the traffic data is watchdog traffic, the unit time is greater than the minimum value of the ping-pong period and less than the maximum value of the ping-pong period. Collective behavior malware detection method. 5. The method of claim 4, If the traffic data is attack traffic, the unit time is determined based on the distribution followed by the attack traffic. How to detect malware. The method according to any one of claims 1 to 3, The similarity is a value obtained by dividing the number of hosts belonging to a first group and a second group among the plurality of host groups by the number of hosts belonging to the first group and the host belonging to the first group and the second group simultaneously. The sum of the number divided by the number of hosts belonging to the second group divided by two, A group action in which the first group and the second group are groups that have performed the same group action on the same object How to detect malware. The method of claim 10, Determining that the hosts belonging to the first group or the second group are hosts infected with the collective behavioral malware when the similarity exceeds a predetermined similarity threshold. Collective behavior malware detection method. The method of claim 11, Determining hosts belonging to the first group or the second group as a suspect group when the similarity is greater than the difference between the similarity threshold and the similarity error range limit value and less than the similarity threshold; And And adding the same action target of the first group and the second group to the blacklist. The method of claim 12, The step of creating the plurality of host groups is a group behavior malware search method using the black list. First means for collecting traffic data transmitted and received on a search target network; Reviewing the traffic data collected by the first means, based on the action target which is the group action performed by the different hosts per unit time for the predetermined traffic data and the group action is performed among the information constituting the traffic data Second means for creating a plurality of host groups; And And a third means of measuring similarity indicating how closely the hosts belonging to the first group and the second group among the plurality of host groups match, and using the similarity to find a group behavior malicious code. The first group and the second group are groups that have performed the same group action with respect to the same action object, The group actions include host scanning, port scanning, worm code propagation, bot code downloading, querying DNS during the DNS (domain name server) lookup process, and hosts joined to the Command and Control (C & C) channel. Periodically send and receive ping and pong messages used by Internet Relay Chat (IRC) to announce their channel connection status, distributed denial of service attacks, and spamming One of the If the traffic data is DNS traffic, the action target is a domain name of a DNS query, When the traffic data is attack traffic, the action target is an IP (internet protocol) address of the destination of the traffic data, If the traffic data is attack traffic, the action target is the IP address of the destination of the traffic data, If the traffic data is command and control traffic, the action target is the source IP address of the traffic data, Collective behavior malware search device. The method of claim 14, The host group is Collective Behavior Malware Detection Device, which is a group of hosts whose threshold is equal to or greater than the same group behavior for the same time. The method of claim 15, The similarity is obtained by dividing the number of hosts belonging to the first group and the second group by the number of hosts belonging to the first group and the number of hosts belonging to the first group and the second group simultaneously. Group behavior malware detection device that is the sum of the value divided by the number of hosts in the group 2 divided by 2. The method of claim 16 And wherein the third means determines the hosts belonging to the first group or the second group as hosts infected with the group behavior malware when the similarity exceeds a predetermined similarity threshold.

Images