KR101404882B1 - A system for sorting malicious code based on the behavior and a method thereof - Google Patents

Abstract

The present invention relates to a system for sorting a malicious code based on a behavior and a method thereof and, more particularly, to a system for sorting a malicious code based on a behavior and a method thereof, capable of measuring the risk score of the behavior by analyzing a parameter and API called in the execution of a file which is an analysis object and calculating the risk of the file by summing up the risk scores. According to the present invention, a malicious code detection error is reduced and an unknown malicious code is efficiently detected by analyzing the behavior based on parameter and API information called in the execution of the file.

Description

FIELD OF THE INVENTION [0001] The present invention relates to malicious code classification systems and classification methods based on malicious codes,

The present invention relates to a malicious code classification system and a classification method based on an action, and more particularly, to a malicious code classification system and a classification method based on an action, in which an API and parameters called at the time of execution of a file to be analyzed are analyzed, And calculating the risk of the file by summing the scores of the malicious codes.

A conventional malicious code detection system is a system that compares a binary pattern included in a file and a process with a binary pattern registered in advance or a pattern for a specific action in order to detect an unstructured malicious code, If detected, use a method to handle it.

A system that detects malicious codes by comparing binary patterns can expect accurate detection and classification through analysis beforehand, but it is difficult to diagnose new malicious codes and variants when they appear and is reflected in the database after the static analysis is finished Rapid processing is difficult. In order to overcome these drawbacks, there is a study on behavior - based malicious code detection.

Open No. 2008-0047261, which is one of the prior arts, "Atypical malicious code detection method and system using process action prediction technique" uses behavior-based malicious code detection technique, There is a room for detecting a normal operation used in the system, and there is a disadvantage that system load and detection performance may be deteriorated because a processing module for avoiding it has to exist separately. Also, this behavior-based analysis method differs from the purpose of the system that processes file analysis automatically.

Another prior art Patent Publication No. 2011-0088042 entitled " Malicious Code Automatic Discriminator & Method "has a similar purpose in that it is an automatic discrimination for various malicious codes, but there is no specific method for detecting a malicious code. Since only HASH is extracted, there is a disadvantage that some malicious code should be defined through analysis again.

Another prior art Patent Application No. 2012-0073018 entitled " System and Method for Detecting Malicious Code "collects information on an API (Application Programming Interface) included in a file to be analyzed and analyzes it, Is abstracted into 128 pre-configured behavior nodes, and generates a pattern based on this. In this case, all the partial graphs are saved by reducing the number of nodes that can appear in the file.

However, we can not figure out the exact behavior of the file because we do not collect the key parameters that explain how to use the API. In addition, since it is possible to trace only predetermined actions, there is no way to judge whether malicious code is present when a new malicious code is found in the absence of a similar pattern.

KR 10-2008-0047261 A KR 10-2011-0088042 A KR 10-2012-0073018 A

According to an aspect of the present invention, there is provided an information processing method for collecting all API call information for processes executed by a file to be analyzed, converting the API call information into an action unit according to a predetermined rule, The present invention also provides a malicious code classification system and a classification method based on the operation of automatically determining whether malicious code is included.

In the case of a file identified as malicious code, the present invention also provides detailed classification information by patterning the behavior and classifying the behavior again by automatically measuring the similarity with the existing pattern DB, and collectively managing the individual analysis performed by the client The present invention is to provide a malicious code classification system and a classification method based on an act of providing quick and precise analysis information on an exponentially growing malicious code.

According to an aspect of the present invention, there is provided a classification system for calculating a risk of an analysis object file by analyzing an application programming interface (API) and parameters called when an analysis object file is executed, And stores the collected data in a management object DB 112. The analysis result of the analysis object file is sent to an administrator or a network user An integrated management unit 102 for transferring the information; A line processor 104 for checking whether the file to be analyzed exists by checking the management object file DB 112, changing the flag value included in the data set of the analysis object file to 'analysis start' Wow; An action monitoring unit (106) for generating an API to be called when the analysis target file is executed and a log file in which parameters used in the API call are recorded; The action monitoring unit 106 distinguishes the API and the parameter from the log file generated by the behavior monitoring unit 106, converts the API and the parameter so as to be recognized as an individual action, generates a conversion log file, An analysis unit 108 for recording information for identifying an action performed by the analysis unit 108 in a behavior classification policy data set and giving a risk of a process performed when the analysis object file is executed; If the pattern of the analysis object file is compared with a pattern of existing malicious code stored in the malicious code pattern DB 114 and the similarity degree exceeds a predetermined reference value, information on a similar pattern is recorded in the data set of the analysis object file And a classifying unit 110 for classifying the image data.

A file name, a file size, an environmental variable, a risk level, a classification pattern, a similar pattern, a similarity, a flag, an analysis start time, and an analysis end time are recorded in the structured data set for the analysis object file .

The conversion log file generated by the analysis unit 108 includes one API (abbreviated as API) and one or more 'Param (variable)'.

The analyzing unit 108 determines that the process is a suspicious action when the process is one of releasing a firewall or lowering a file access privilege. If the action of the process is to delete the security program, And if the file is one of the actions for replacing the file with another file, the malicious action is determined.

According to another embodiment of the present invention, there is provided a classification method for calculating a risk of an analysis object file using a malicious code classification system, the integrated management part 102 generating a structured data set for a file sent from an external server, In a file DB (112); Line processing unit 104 searches the file to be analyzed out of the files stored in the management subject file DB 112 and changes the flag value included in the structured data set of the analysis object file to "analysis start" To the monitoring unit (106); A third step of generating and transmitting to the analysis unit 108 a log file in which the behavior monitoring unit 106 records an API that is called when the analysis object file is executed and a parameter used in the API call; A fourth step of separating the API and the parameter from the log file and converting the API and the parameter so that they can be recognized as individual behaviors to generate a conversion log file; And a fifth step of analyzing the conversion log file by the analysis unit 108 to give a risk of a process performed when the analysis target file is executed.

A file name, a file size, an environmental variable, a risk level, a classification pattern, a similar pattern, a similarity, a flag, an analysis start time, and an analysis end time are recorded in the structured data set for the analysis object file .

In the fourth step, the conversion log file generated by the analysis unit 108 includes one API (abbreviated as API) and one or more 'Param (variable)'.

In the fifth step, if the analysis unit 108 determines that the process is one of releasing a firewall or lowering a file access privilege, the analyzing unit 108 determines that the process is suspicious. Or if the system file is replaced with another file, the malicious action is determined.

When the classification unit 110 compares the similarity of the pattern of the malicious code stored in the malicious code pattern DB 114 with the sample pattern generated in the analysis object file and exceeds the reference value, the pattern of the existing malicious code And a sixth step of generating a new pattern name if the new pattern name is less than the reference value.

The classifying unit 110 further includes a seventh step of registering a new pattern name in the malicious code pattern DB 114. [

According to the present invention, by analyzing the behavior based on the API and parameter information to be called during execution of the file, it is possible to reduce errors in malicious code detection and effectively detect unknown malicious codes.

In addition, it can provide additional information such as what kind of malicious code, malicious code distributed from when, what other malicious code is classified, etc., It is possible to improve the responsiveness to malicious codes.

1 is a block diagram showing the structure of a classification system according to an embodiment of the present invention;
2 is a block diagram showing the structure of a data set of an analysis object file;
3 is a flowchart showing an operation process of the pre-processing unit;
4 is a block diagram showing the structure of the analysis unit;
5 is a block diagram showing the structure of a classification unit;
6 is a flowchart showing an operation process of the analyzer and the classifier;
7 is a block diagram showing the structure of a behavior classification data set;
8 is a conceptual diagram graphically illustrating a method of measuring the degree of similarity between a patterned action and an existing pattern.
FIG. 9 is a conceptual diagram showing representative types of attributes according to each action. FIG.

Hereinafter, a malicious code classification system and classification method based on an action according to an embodiment of the present invention will be described with reference to the drawings.

1 is a block diagram showing the structure of a classification system according to an embodiment of the present invention.

The malicious code classification system based on an action (hereinafter referred to as a "classification system") of the present invention may be a server or a client connected to a plurality of PCs 200 through a network. The classification system 100 can reduce the workload by entrusting a plurality of PC 200 connected to the outside with a part of the analysis work.

The integrated management unit 102 receives a malicious code-related file from the outside and transmits the analysis result to the administrator or network users.

The integrated management unit 102 collects files via an external malicious code management server (not shown) and stores the malicious code in the management target file DB 112, the malicious code pattern DB 114, the log conversion policy table 116, And provides a function that allows the policy table 118 to be accessed and modified in a integrated manner through a web page.

The files collected by the integrated management unit 102 are all files related to the malicious code and are not limited to a specific format. When the files sent from the external server are transferred to the classification system 100, the data structure of the file is configured according to the analysis process.

2 is a block diagram showing a structure of a data set of an analysis object file.

The integrated management unit 102 extracts the structured data from the collected files with the job ID, the hash value (HASH), the file name, the file size, the environmental variable, the risk level, the classification pattern, the similar pattern, Create a dataset and set the job ID according to the method and order specified. After that, the hash value, the file name, the file size, the environment variable, and the start time of the analysis are automatically input by identifying the file using the operation ID.

Here, the environment variable is identification data used for processing the use of a specific application program (for example, MS Office, Hangul, etc.) as information received from an external server. In other words, data indicating the name or type of an application program used to execute a file to be analyzed, and data values stored in environment variables include HWP, Word, PowerPoint, Excel, Flash player, ), Internet Explorer, Firefox, and Chrome. The integrated management unit 102 analyzes the extension of the file to determine which application program is executed. However, in the case of a file having no extension, the integrated management unit 102 can determine which application program should be executed through the data value of the environment variable .

Environment variables can be continuously expanded as much as the application you are installing, making it possible to analyze a variety of files, except for damaged or non-installed application-type files.

The integrated management unit 102 generates job IDs for all the collected files, sequentially stores them in the management object file DB 112, and then transfers the files to the line processing unit 104. Then, The pre-processing unit 104 performs a pre-inspection.

The pre-processing unit 104 periodically checks the management object file DB 112 and transfers the file matching the condition to the behavior monitoring unit 106.

3 is a flowchart showing an operation process of the pre-processing unit.

First, the line processing unit 104 checks whether there is a file to be analyzed by checking the flag value of the data set of the file stored in the management object file DB 112 (S102, S104)

The flag value is recorded in one of three states: 'wait', 'start analysis', and 'end analysis'. 'Waiting' is a value indicating a file that has not yet been analyzed. 'Start Analysis' is a value indicating the file in which analysis is started and the analysis is in progress. 'End Analysis' This is a value indicating a file that has been classified.

The line processor 104 checks the job ID of a file whose flag value is 'waiting' in the data set, and determines whether each file is executable sequentially according to the input time when there is a file 'waiting' Check. (S106). If the environment variable does not exist, it is checked whether or not the PE (Portable Executable) file format that can be loaded in the Windows system is present. S108)

The reason for confirming the existence of the environment variable is that if the environment variable exists, it is possible to directly check the application program necessary for executing the file, so that it is not necessary to check whether the environment variable is executable in Windows. If there is no environment variable, check whether it is a PE file format. If the file does not conform to the PE file format, it ends without analysis.

Files that use the PE file format have extensions such as "exe, dll, ocx, sys, drv", and the binary dump value in the file has a common point that starts with 'MZ'. Therefore, if there is no environment variable in the file, the line processing unit 104 checks the value of the binary dump and confirms that it conforms to the PE file format.

In other words, if the environment variable is recorded in the dataset of the file or the file is in the PE format, it is an executable file in the window system, so it is subjected to malicious code analysis.

When the flag value of the file stored in the management object file DB 112 is 'standby' and it is judged that the file is executable in the window, the line processing unit 104 deletes the 'list of files to be excluded from malicious code analysis' , &Quot; white list ") (S110)

The whitelist is used to reduce the workload of the pre-processing unit 104 by registering in advance a secure file that does not require malicious code analysis, as information on a file that has already been clearly judged as being not a malicious code.

Information on the whitelist is stored in the management object file DB 112. The pre-processing unit 104 checks whether the 'executable file' is included in the whitelist while the flag value is 'standby' (S114). However, if the flag value of the file is not included in the whitelist, the flag value of the file is changed to 'start analysis' (S112). And transmits the file to the behavior monitoring unit 106 for the next procedure (S116)

The action monitoring unit 106 is connected to one or more PCs 200 that perform an analysis process of a process. The action monitoring unit 106 includes an analysis program install module for the PC 200 and a monitoring module . The behavior monitoring unit 106 analyzes the APIs and parameters of the file to generate a file that can identify the respective actions. In order to reduce the time and load required for the analysis, one or more PCs Can be commissioned. However, this is optional and the behavior monitoring unit 106 may perform all the analysis work.

The installation module checks 32/64 bit (bit) and environment variables, and distributes and executes executable files satisfying the conditions of a specific program and the like to the analysis PC 200. The monitoring module monitors the API of the process that is created or referenced when the file is executed. It then outputs the APIs to be called and the parameters used in the API call as 'log files' and returns the system to its initial state after a specified time to terminate the process or prevent infinite waiting. Because the flow of code can occur across multiple processes, you can create log files on a per-process basis to help you find relationships through analysis.

An example of the log file outputted by the behavior monitoring unit 106 is as follows.

- Log file contents when executing specific file Timestamp API Parameters Status 19: 26: 44: 171 CreateProcessInternalW lpApplicationName => (null)
lpCommandLine => C: \ DOCUME ~ 1 \ ADMINI ~ 1 \ LOCALS ~ 1 \ Temp \ a.exe
dwCreationFlags => (null) SUCCESS 19: 26: 44: 171 CreateProcessA lpApplicationName => (null)
lpCommandLine => C: \ DOCUME ~ 1 \ ADMINI ~ 1 \ LOCALS ~ 1 \ Temp \ a.exe
dwCreationFlags => (null) SUCCESS

- Log file contents when searching specific window Timestamp API Parameters Status 18: 23: 53: 206 FindWindowA lpClassName => FileMonClass
lpWindowName => (null) FAILURE 18: 23: 53: 206 FindWindowA lpClassName => 18467-41
lpWindowName => (null) FAILURE 18: 23: 53: 206 FindWindowA lpClassName => OLLYDBG
lpWindowName => (null) FAILURE

- Log file contents when sending a packet to a specific IP Timestamp API Parameters Status 19: 49: 42: 761 Connect IP => 218.xxx.xxx.254
PORT => 80 SUCCESS 19: 49: 42: 761 Send BUF => GET /s/blog.html HTTP / 1.0 User-Agent: Mozilla / 4.0 (compatible) Host: blog.xxx.com.cn m
LEN => 108 SUCCESS

FIG. 4 is a block diagram illustrating the structure of the analysis unit, FIG. 5 is a block diagram illustrating the structure of the classification unit, and FIG. 6 is a flowchart illustrating an operation process of the analysis unit and the classification unit.

The analysis unit 108 includes a log conversion module 108a, a behavior classification module 108b, a risk measurement module 108c, and a process-related information extraction module 108d. In addition, the analyzer 108 applies the data stored in the log conversion policy table 116 and the behavior classification policy table 118 to each module. If the policy content is modified by the administrator, the module 108 checks the policy file modification time, Allow new policies to be applied.

The log conversion module 108a divides the log file created and transmitted by the behavior monitoring unit 106 into the API and the parameters used in the API call and converts each data to be recognizable as an individual action according to the log conversion policy (S202)

The log conversion policy is for preprocessing before separating log files into individual behaviors, and converts the APIs and parameters included in the log file according to the policy.

For example, suppose you have an API called "GetModuleFileNameW" and a log file that contains the parameters "hModule => 0x00401050, lpFilename => C: \ sample.exe". In this case, parameter '0x00401050' in 'hModule' is simply a hex value in the case of 'hModule => 0x00401050', so when converting log, 'API (GMFN) .Param (Hex) .Param (Path) Conversion log file '. Here, the rule for converting '0x00401050' to hex is a log conversion policy, and these rules are defined in the log conversion policy.

In the case of 'CreateProcessA' included in the first of the three log files described above, 'API (CPA) .Param (null) .Param (Path.File) .Param (null)' is recorded .

Namely, API abbreviations (GMFN, CPA, etc.) are input in parentheses following 'API', and variables (Hex, File, null, Path.File, etc.) used in parameters are input in parentheses after 'Param'.

The log conversion module 108a parses the log file in which the API and the parameters are recorded, and determines which character string is converted according to the log conversion policy.

The action classifying module 108b refers to the action classifying policy and classifies the 'conversion log file' as an action, and records the contents in the action classifying policy data set.

For example, if an API called 'CreateProcess' and a parameter 'C: \ sample.exe' are called after a unit action named 'API (CF) .Param (Path) .Param (CA)', The log file becomes 'API (CP) .Param (Path)', and the converted information is divided into one action for creating and executing a file according to a behavior classification policy (S204)

Here, one action ['API (CF) .Param (Path) .Param (CA)' + 'API (CP) .Param (Path)'] , And information on 'action 1' is included in the action classification policy to identify such action. The action classification policy is composed of a risk score, an attribute, and a reference description according to the action of 'action 1', and is managed through the integrated management unit 102.

7 is a block diagram showing the structure of a behavior classification policy dataset.

In the behavior classification policy data set, the attribute of the behavior and the risk score are measured when one file is executed, and these contents are stored in the behavior classification policy table 118 (S206)

As shown in FIG. 7, an action having an action ID of 1 uses "API CreateFile and a parameter called CREATE_ALWAYS", and the system manager 'Manager 1' uses a file having such code (file creation) A risk score of '0' is given and stored.

In addition, an action ID 2 is an action to add itself to the firewall, and the attribute is not designated because it does not belong to any particular place, and the risk score is stored with a value of '1'.

The behavior classifying module 108b generates and stores a behavior classifying policy dataset including contents designated by the administrator.

The risk measurement module 108c compiles the action data sent from the action classifying module 108b and assigns a risk to each process (S208). Then, the measured risk is classified into normal, suspicious, and malicious according to the policy. And transmits the job ID to the classifying unit 110 when it is included in the criterion. If it is not malicious, the similarity is displayed as a normal or suspicious result in the job ID, and the analysis end time is updated in the data set of the analysis target file and is finally terminated. The updated dataset is stored in the managed file DB 112.

The risk score for each action criterion is 0 for normal activity, 1 for suspicious activity, and 5 for malicious activity. As a criterion for judging behavior, 'suspicion' is given when there is a possibility that the action can be fully utilized for malicious (eg, releasing the firewall, lowering the file access authority, etc.) (For example, deleting a security program, or replacing a system file with another file). This criterion is a score for an individual action, and a criterion for judging a process as 'malicious' is that a score of 5 or more is a combination of actions taken according to the execution of a process.

The process-related-information extracting module 108d checks the API call information, analyzes the cause-and-effect relationship between the individual processes, and stores it in a file. For example, if B, C, and D are created and referenced through Process A, then B is a child process of A, C is a process created as a service by B, D is injected by C The execution of arbitrary code), and so on.

The classification unit 110 includes a similar pattern measurement module 110a and a classification determination module 110b.

Patterns represent the sequential flow of behaviors such as 'Behavior_1' and 'Behavior_2' as described above. In order to pattern behaviors, since the minimum number of behaviors must be secured, the similar pattern measurement module 110a checks the minimum number of behaviors before measuring the similarity value. Then, the similar pattern measurement module 110a compares the transferred malicious pattern with existing patterns of the malicious code pattern DB 114 (S210)

8 is a conceptual diagram graphically illustrating a method of measuring the degree of similarity between a patterned action and an existing pattern.

The similarity measure is a result of calculating the ratio of the number of behaviors equal to the total number of behaviors. The similarity measure shows a matching rate of 0 to 100% as shown in FIG. 8, and the similarity pattern measurement module 110a calculates Updates the information with the job ID, and transfers the data to the next step.

When the behavior pattern of the sample file to be analyzed and the pattern of the existing malicious code stored in the malicious code pattern DB 114 coincide with the reference value (for example, 90%) as shown in FIG. 8A, The sample pattern is classified as the same pattern as the existing pattern having a high degree of similarity. In other words, the patterns of the two patterns must overlap so much that the similar parts in the two patterns exceed the reference value in each pattern.

However, if the degree of similarity is less than the reference value as in (b), it is regarded as not a similar pattern. Even when a pattern of one file is completely included in the pattern of another file, the ratio of the patterns that are commonly overlapped with each other is not considered to be a similar pattern because the ratio of patterns that do not exceed the reference value.

Then, the classification determination module 110b confirms the similar pattern and the similarity result of the updated malicious code pattern DB 114.

(Eg, DDOS) when the same pattern is completely the same or equal to or more than a predetermined level (eg, 90% or more) based on the similarity measured in comparison with the pattern stored in the malicious code pattern DB 114. Agent.Sample) and updates the task ID of the data set (S212, S214)

Otherwise, a new pattern name is generated by judging the new or variant, and the new pattern name is registered in the malicious code pattern DB 114 (S216, S218).

FIG. 9 is a conceptual diagram illustrating representative types of attributes according to each action.

Attributes of malicious code are worms, viruses, trojans, and other new attributes can be specified.

The distinguished name is created for distinguishing a newly generated pattern and performing an automated process, and an identification name is created based on the behavior attribute described in FIG.

For newly added patterns, the distinguished name is automatically attached based on the attribute and process association. For example, if the behavior attribute is 'DDOS', append 'DDOS' to the distinguished name, and if malicious is detected in the child process, make 'Dropper.DDOS.Agent.Sample' with 'Dropper' appended to the child process pattern distinguished name.

In addition, you can use the distinguished name "Worm.IRC.ngrBot", "Trojan.DDoS.Rincux.Nation", "Trojan.Dropper.OnlinegameHack.wsxp", "Trojan.Backdoor.Xyligan" .

If the file is included in the malicious criteria and it is a new pattern that is not existing, check the actions and if the attribute includes 'Dropper, Backdoor, DDOS, IRC' Therefore, the attribute of the distinguished name does not exist separately, and the name is created in the kind of the behavior attribute.

If the similarity value determined by the classification determination module 110b is not classified into the existing pattern (for example, 89.79%) with a slight difference (for example, within 5%), it is determined to be a variant. (For example, Ex.DDOS.Agent.Sample).

All the newly generated pattern identification names are registered in the malicious code pattern DB 114, and the name and description description can be modified through the integrated management unit 102, so that a quick response to malicious codes that become issues in the analysis of other files (S220) Furthermore, the generated pattern identification name is updated to the analyzed pattern of the job ID and is finally terminated.

While the present invention has been described with reference to exemplary embodiments, it is to be understood that the invention is not limited to the disclosed embodiments, but, on the contrary, As will be understood by those skilled in the art. Therefore, it should be understood that the above-described embodiments are to be considered in all respects as illustrative and not restrictive, the scope of the invention being indicated by the appended claims rather than the foregoing description, It is intended that all changes and modifications derived from the equivalent concept be included within the scope of the present invention.

100: classification system 102: integrated management unit
104: Line processing unit 106:
108: Analysis section 110: Classification section
112: management target file DB 114: malicious code pattern DB
116: log conversion policy table 118: action classification policy table
200: PC

Claims (10)

A classification system for calculating a risk of an analysis object file by analyzing an application programming interface (API) and parameters called when an analysis object file is executed,
The malicious code management server of the present invention collects the analysis target file through an external malicious code management server, generates a structured data set for the collected analysis target file, stores the structured data set in the management target file DB 112, To an administrator or a network user;
A line processor 104 for checking whether the file to be analyzed exists by checking the management object file DB 112, changing the flag value included in the data set of the analysis object file to 'analysis start'Wow;
An action monitoring unit (106) for generating an API to be called when the analysis target file is executed and a log file in which parameters used in the API call are recorded;
The action monitoring unit 106 distinguishes the API and the parameter from the log file generated by the behavior monitoring unit 106 and generates a conversion log file by converting the API and the parameter to be recognizable as individual behaviors, An analysis unit 108 for recording information for identifying an action performed by the analysis unit 108 in a behavior classification policy data set and giving a risk of a process performed when the analysis object file is executed;
If the pattern of the analysis object file is compared with a pattern of existing malicious code stored in the malicious code pattern DB 114 and the similarity degree exceeds a predetermined reference value, information on a similar pattern is recorded in the data set of the analysis object file And a classifier (110) for classifying the malicious code based on the behavior. The method according to claim 1,
A file name, a file size, an environmental variable, a risk level, a classification pattern, a similar pattern, a similarity, a flag, an analysis start time, and an analysis end time are recorded in the structured data set for the analysis object file Based malicious code classification system. The method according to claim 1,
The conversion log file generated by the analysis unit 108 includes one API (abbreviated as API) and one or more 'Param (variable)'. . The method according to claim 1,
The analysis unit 108
If it is determined that the process is one of releasing the firewall or lowering the file access privilege, it is determined that the process is suspicious. If the action of the process is to delete the security program, or the system file is replaced with another file Wherein the malicious code is determined to be malicious if the malicious code is one of the malicious codes. A classification method for calculating a risk of an analysis object file using the malicious code classification system according to any one of claims 1 to 4,
A first step in which the integrated management unit 102 generates a structured data set for a file sent from an external server and stores the structured data set in the management object file DB 112;
Line processing unit 104 searches the file to be analyzed out of the files stored in the management subject file DB 112 and changes the flag value included in the structured data set of the analysis object file to "analysis start" To the monitoring unit (106);
A third step of generating and transmitting to the analysis unit 108 a log file in which the behavior monitoring unit 106 records an API that is called when the analysis object file is executed and a parameter used in the API call;
A fourth step of separating the API and the parameter from the log file and converting the API and the parameter so that they can be recognized as individual behaviors to generate a conversion log file;
And a fifth step of analyzing the conversion log file by the analysis unit 108 to give a risk of a process performed when the analysis target file is executed. 6. The method of claim 5,
A file name, a file size, an environmental variable, a risk level, a classification pattern, a similar pattern, a similarity, a flag, an analysis start time, and an analysis end time are recorded in the structured data set for the analysis object file Wherein the malicious code is classified as malicious code based on an action. 6. The method of claim 5,
The conversion log file generated by the analyzing unit 108 in the fourth step includes one API (abbreviated as API) and one or more 'Param (variable)'. How to classify malicious codes. 6. The method of claim 5,
In the fifth step, if the analysis unit 108 determines that the process is one of releasing a firewall or lowering a file access privilege, the analyzing unit 108 determines that the process is suspicious. Or if the system file is replaced with another file, the malicious code is determined to be malicious. 6. The method of claim 5,
When the classification unit 110 compares the similarity of the pattern of the malicious code stored in the malicious code pattern DB 114 with the sample pattern generated in the analysis object file and exceeds the reference value, the pattern of the existing malicious code And a sixth step of creating and assigning a new pattern name if the name of the malicious code is less than the reference value. 10. The method of claim 9,
Wherein the classifying unit (110) further includes a seventh step of registering a new pattern name in the malicious code pattern DB (114).

Images