KR20140075839A - Methods and Apparatus for Detecting Malicious Behavior - Google Patents


Info

Publication number
KR20140075839A
Authority
KR
South Korea
Prior art keywords
request
execution
malicious
connection
malicious code
Application number
KR1020120135941A
Other languages
Korean (ko)
Inventor
윤승용
Original Assignee
한국전자통신연구원 (Electronics and Telecommunications Research Institute, ETRI)
Priority date
2012-11-28
Filing date
2012-11-28
Publication date
2014-06-20

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/30 Monitoring
    • G06F11/3003 Monitoring arrangements specially adapted to the computing system or computing system component being monitored
    • G06F11/3013 Monitoring arrangements specially adapted to the computing system or computing system component being monitored where the computing system is an embedded system, i.e. a combination of hardware and software dedicated to perform a certain function in mobile devices, printers, automotive or aircraft systems
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/552 Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
    • G06F21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action

Abstract

The present invention relates to a malicious-code detection technique for a terminal device, and in particular to a method and apparatus for detecting malicious behaviour such as billing-inducing activity and information leakage caused by a malicious-code infection. The apparatus comprises a determination unit that monitors a predetermined monitoring item in connection with a network connection request and determines whether execution of the request is caused by a malicious action, and a blocking unit that blocks execution of the request (for example a transmission command) when it is determined to be caused by a malicious action. By monitoring each action that malicious code performs and correlating and analysing those actions, attacks by previously unseen malicious code can be detected and blocked, and the false-positive and miss rates can be reduced.

Description

TECHNICAL FIELD The present invention relates to a malicious behaviour detecting apparatus and method.

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a malicious-code detection technique for a terminal device, and more particularly to a method and apparatus for detecting malicious behaviour such as billing-inducing activity and information leakage caused by a malicious-code infection.

The smartphone combines the advantages of a mobile phone and a personal digital assistant (PDA), integrating data communication functions such as schedule management, fax transmission and reception, and Internet access into the mobile phone. Its defining feature is that, unlike earlier mobile phones, which shipped as finished products with a fixed set of functions, the user can install, add or delete hundreds of application programs according to preference.

Because of these features the smartphone market has grown enormously over the past few years, and smartphone malicious code is growing rapidly in scale as well. The reasons are the open platform, on which anyone can easily create and distribute malware, and the open distribution environment of the application markets. Propagation is also easy because of the many external connection paths, such as wireless Internet, Bluetooth and USB. Early smartphone malicious code aimed simply at propagating itself or paralysing the functions of the terminal; recently, however, it has shifted towards billing-type attacks that leak personal information and obtain monetary gain.

Smartphones are infected with various kinds of malicious code through various routes. Recently, infections through app stores and markets using repackaging techniques, in which malicious code is disguised as a normal application, have been increasing. There are many types of malicious code: malfunction attacks that break the function of key buttons, attacks that paralyse the sending and receiving of calls, and battery-depletion attacks that continuously consume the smartphone's power. Recently, however, two types predominate: billing-inducing attacks that continuously attempt to obtain financial gain, and information-leakage attacks that transmit device information or user information from the infected smartphone to the outside.

Currently most smartphones detect malicious code with an anti-virus program using signature-based pattern matching, as on traditional PCs. This technique cannot detect a new attack until a signature for it has been created and distributed, and the number of signatures needed for detection grows with the number of malicious codes, so degraded performance is its biggest disadvantage.

Prior art documents: KR 10-2011-0128632 (Chungnam National University Industry-University Collaboration Foundation, 2011.11.30); KR 10-1051641 (AhnLab Corporation, 2011.07.19).

To solve the problems of the related art described above, the present invention monitors user behaviour, access to important information and resources, telephone connections, text transmissions and external Internet connection attempts on the terminal device without using signatures, detects malicious behaviour from those observations, and thereby provides a technique for preventing billing inducement and information leakage on the terminal device.

To solve this technical problem, the present invention provides a determination unit that monitors the status of a predetermined monitoring item in connection with a request for network connection and determines whether execution of the request is caused by execution of a request that the user did not intend or that is not permitted in advance; and a blocking unit that blocks execution of the request when it is determined to be caused by execution of a request that the user did not intend or that is not permitted in advance.

The monitoring item may be an input unit connected to the network connection management apparatus by wire or wirelessly; the status of the monitoring item is then whether the request for the connection was entered through the input unit, and monitoring the item means monitoring whether the request was input by the user.

The monitoring item may be a storage unit connected to the network connection management apparatus by wire or wirelessly; the status of the monitoring item is then whether information stored in the storage unit is being transmitted, and monitoring the item means monitoring whether stored information is leaked.

When execution of the request is judged to be caused by execution of a request not intended by the user or not permitted in advance, the blocking unit outputs, through the output unit, a notification that malicious code, a malicious program or a malicious worm is executing, receives the user's decision on whether to block or allow execution of the request, and blocks or permits execution accordingly.

The present invention also provides a malicious behaviour detection apparatus comprising a determination unit that monitors the status of a predetermined monitoring item in response to a request for network connection and determines whether execution of the request is caused by execution of malicious code, a malicious program or a malicious worm; and a blocking unit that blocks execution of the request when it is judged to be caused by execution of malicious code, a malicious program or a malicious worm.

The present invention further provides a network connection management method comprising: monitoring the status of a predetermined monitoring item in connection with a request for network connection and determining whether execution of the request is caused by execution of a request not intended by the user or not permitted in advance; and blocking execution of the request when it is determined to be caused by execution of a request not intended by the user or not permitted in advance.

In the method, the monitoring item may be an input unit connected to the network connection management apparatus by wire or wirelessly, the status of the monitoring item may be whether the request was entered through the input unit, and monitoring the item may comprise monitoring whether the request was input by the user.

The monitoring item may be a storage unit connected to the network connection management apparatus by wire or wirelessly, the status of the monitoring item may be whether stored information is transmitted from the storage unit, and monitoring the item may comprise monitoring whether stored information is leaked.

The blocking step may comprise, when execution of the request is judged to be caused by execution of a request not intended by the user or not permitted in advance, outputting to the output unit a notification that malicious code, a malicious program or a malicious worm is executing, receiving the user's decision to block or allow execution of the request, and blocking or permitting execution accordingly.

The present invention also provides a malicious behaviour detection method comprising: monitoring the state of a predetermined monitoring item in response to a request for network connection and determining whether execution of the request is caused by execution of malicious code, a malicious program or a malicious worm; and blocking execution of the request when it is judged to be caused by execution of malicious code, a malicious program or a malicious worm.

Because signature-based pattern matching is not used, the present invention avoids its main weakness, namely that an attack cannot be detected until a signature for it has been generated and distributed. There is no need to keep increasing the number of signatures as smartphone malicious code multiplies day by day, so the performance degradation caused by a growing signature set is also avoided. In addition, by monitoring and correlating each behaviour of the malicious code, attacks by new malicious code can be detected and blocked, and applying blacklists and whitelists reduces the false-positive and miss rates.

FIG. 1 is a block diagram of a network connection management apparatus according to an embodiment of the present invention.
FIG. 2 is a detailed block diagram of a network connection management apparatus according to an embodiment of the present invention.
FIG. 3 is a flowchart of a network connection management method for the malicious behaviour of a billing-inducing attack according to an embodiment of the present invention.
FIG. 4 is a flowchart of a network connection management method for the malicious behaviour of an information-leakage attack according to an embodiment of the present invention.

Hereinafter, preferred embodiments of the present invention will be described in detail with reference to the drawings.

In the following description and the accompanying drawings, substantially the same components are denoted by the same reference numerals, respectively, and redundant description will be omitted. In the following description of the present invention, a detailed description of known functions and configurations incorporated herein will be omitted when it may make the subject matter of the present invention rather unclear.

The present invention relates to a network connection management apparatus and method, described below with reference to the figures. Those skilled in the art will readily understand that the detailed description given with respect to these drawings is for purposes of illustration, as the invention extends beyond these limited embodiments.

FIG. 1 is a block diagram of a network connection management apparatus according to an embodiment of the present invention.

Referring to FIG. 1, the network connection management apparatus 1 according to an embodiment of the present invention comprises a determination unit 10 that monitors the status of a predetermined monitoring item with respect to a request for network connection and determines whether execution of the request is caused by execution of a request not intended by the user or not permitted in advance, and a blocking unit 20 that blocks execution of the request when it is determined to be caused by execution of a request not intended by the user or not permitted in advance.

The network connection management apparatus 1 is preferably a terminal that can transmit and receive information over a communication network in response to key operations, such as a personal computer (PC), a notebook computer, a personal digital assistant (PDA) or a mobile communication terminal. Preferably it is a smartphone that transmits and receives data wirelessly and has a display.

Execution of a request not intended by the user or not permitted in advance is malicious behaviour by malicious code, a malicious program or a malicious worm; the operating principle of the network connection management apparatus against such behaviour is described below. The malicious action may be, for example, a billing-inducing activity or an information-leakage activity.

First, the operating principle of the network connection management apparatus for billing-inducing actions is described according to an embodiment of the present invention.

The request for network connection may be a request to make a telephone call or to send a text message over the network. The monitoring item is an input unit connected to the network connection management apparatus by wire or wirelessly, the status of the monitoring item is whether the request for the connection was entered through the input unit, and monitoring the item means monitoring whether the request was entered by the user.

It is essential that the determination unit 10 distinguish whether the connection request originated from the user or from malicious behaviour by malicious code installed on the apparatus.

The input unit may be any means through which the user can enter input, such as a keyboard, a mouse, a touch screen or a touch panel; preferably it is the touch unit of a smartphone terminal. The touch unit (not shown) specifies coordinates or selects characters with a finger or a stylus for communication with the outside. It is a user-interface device that, without a keyboard, detects the touch position when a hand or object touches a character or location displayed on the screen and performs the corresponding processing with stored software. Examples of touch technologies include resistive overlay, surface acoustic wave, capacitive overlay and infrared beam.

The determination unit 10 can detect whether a manual operation was performed, such as the user entering a telephone number directly to make a call or send a text, or searching the telephone directory stored in the terminal in order to send a text. When there is no input from the touch unit, the determination unit 10 judges that execution of the connection request was performed automatically by program code such as malicious code, that is, that it is a malicious action.

The determination unit 10 may further determine whether the request is execution of a request not permitted in advance. This can be judged by considering whether the destination or recipient telephone number of the call or text transmission request is a previously registered blocked telephone number. The set of blocked telephone numbers is called a blacklist. To determine whether a request is unintended by the user or not permitted in advance, it is desirable first to consider whether it is a transmission to a telephone number in the blacklist and then to consider whether the request was executed by the user. In particular, a request directed to a telephone number in the blacklist can be intercepted promptly by having the blocking unit 20 block the connection request without asking the user for permission to execute it.

Next, the operating principle of the network connection management apparatus for information-leakage actions is described according to an embodiment of the present invention.

The request for network connection may be a connection request for an Internet connection. To distinguish a connection request made by malicious code or the like, when the connection request is executed the determination unit 10 checks whether information has been transmitted from the storage unit (not shown) of the network connection management apparatus in which important information is stored; if such a transmission has taken place, it judges execution of the connection request to be a malicious action by malicious code or the like, on the basis of the outflow of important information.

Here the monitoring item is a storage unit connected to the network connection management apparatus by wire or wirelessly, the status of the monitoring item is whether stored information is transmitted from the storage unit, and monitoring the item means monitoring for leakage of that information.

The storage unit (not shown) of the apparatus may be a memory card, an address book and telephone directory store, a location information store, a device information store, a store of website visit records and bookmarks, or a voice recording store, and access to it is considered when judging whether the Internet connection request was executed by a malicious action.

The determination unit 10 may further determine whether the destination address of the connection request is permitted or blocked in advance. For an Internet connection request the destination is an IP (Internet Protocol) address. A permitted address is, for example, the address of the Google server with which an ordinary Android smartphone synchronises; the set of permitted addresses may be called a whitelist.

The determination unit 10 may judge that an Internet connection request to an address in the whitelist is not a malicious action by malicious code or the like.

Preferably, the determination unit 10 first determines whether the connection request is to a permitted Internet address, that is, one in the whitelist, and then detects malicious action by detecting information leakage from the storage unit.

Judging the malicious behaviour of malicious code on the basis of the blacklist and whitelist helps to reduce the false-positive and miss rates of the determination unit 10. It also increases the speed of interception, because execution of the connection request can be blocked or allowed, as described later, without waiting for the user's input on whether to block it. In particular, the blacklist and whitelist can be built from a database of telephone numbers and Internet addresses extracted from malicious code that has already appeared and been analysed, and are preferably updated in real time by an external management server.

The blocking unit 20 outputs, through the output unit of the network connection management apparatus, a notification that execution of the connection request is caused by a malicious action, receives the user's decision to block or allow execution of the request, and blocks or permits execution accordingly.

The output unit (not shown) of the network connection management apparatus is preferably the display unit of the terminal, which displays information processed by the terminal: in call mode a UI (User Interface) or GUI (Graphic User Interface) associated with the call, and in video communication or photographing mode the captured and/or received video together with the UI and GUI. The display unit may be a liquid crystal display (LCD), a thin-film-transistor liquid crystal display (TFT LCD), an organic light-emitting diode (OLED) display, a flexible display or a three-dimensional (3D) display.

When the determination unit 10 judges that execution of the connection request is malicious because of malicious code or the like, the display unit shows an alert notification and further prompts the user to choose whether to block or allow execution of the connection request. The blocking unit 20 then blocks or permits execution according to the user's choice.

FIG. 2 is a detailed block diagram of a network connection management apparatus according to an embodiment of the present invention.

The determination unit 10 of the network connection management apparatus 1 comprises a user input monitoring module 100, a billing-inducing type analysis module 102, an important information access monitoring module 104 and an information leakage type analysis module 106.

The user input monitoring module 100 monitors the user's input in connection with a telephone network connection request for a call or a text transmission. The billing-inducing type analysis module 102 determines whether the request is a billing-inducing malicious action, taking into account whether the user input monitoring module 100 observed user input. The important information access monitoring module 104 monitors whether important information was accessed in connection with an Internet connection request, and the information leakage type analysis module 106 determines whether the request is an information-leakage malicious action, taking into account whether the module 104 observed access to important information. The billing-inducing type analysis module 102 and the information leakage type analysis module 106 may additionally receive blocked telephone numbers or permitted IP addresses from a blacklist or whitelist database and use them in the judgment. When either analysis module determines that the network connection operation is a malicious action, the result is passed to the blocking unit 20.

The blocking unit 20 may comprise an alert notification module 200 and a blocking module 202. When the determination unit 10 reports a malicious action, the alert notification module 200 informs the user that a malicious action is in progress, and the blocking module 202 receives the user's decision on the connection request and allows or blocks the connection accordingly.

FIG. 3 is a flowchart of a network connection management method for a billing-inducing attack according to an embodiment of the present invention.

A connection request for a telephone call or a text transmission is executed in the network connection management apparatus (S200). The determination unit checks whether the telephone number of the call or text transmission is in the blacklist (S202). If the request is for a connection to a telephone number in the blacklist, execution of the connection request is blocked immediately, without asking the user whether to block it (S210).

The determination unit then checks whether the connection request was accompanied by user input at the input unit, in order to determine whether a manual operation was performed by the user. If the connection request was entered by the user, it is allowed to execute without asking the user whether to allow or block it (S212).

If the connection request was made without a manual operation by the user, the determination unit judges that a billing-inducing connection request was executed by a programmed source such as malicious code and reports the malicious action to the output unit (S206). Preferably the output unit is the display unit of the terminal.

The user is then asked whether to block execution of the connection request, and execution is blocked when the user chooses to block it (S210).

FIG. 4 is a flowchart of a network connection management method for an information-leakage attack according to an embodiment of the present invention.

A connection request for an Internet connection is executed in the network connection management apparatus (S300).

The determination unit checks whether the IP address of the Internet connection is in the whitelist (S302). If the request is for a connection to an IP address in the whitelist, it is allowed to execute without asking the user (S312).

The determination unit then checks whether the connection request was executed after access to important information in the storage unit of the network connection management apparatus. If there was no access to important information in the storage unit, the request is allowed to execute without asking the user whether to allow or block it (S312).

When access to important information in the storage unit is detected, the determination unit judges execution of the connection request to be an information-leakage action by a programmed source such as malicious code and notifies the user through the output unit of the apparatus (S308).

The user is then asked whether to block execution of the connection request, and execution is blocked when the user chooses to block it (S310).
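The two flowcharts (FIG. 3 and FIG. 4) and the module split of FIG. 2 can be read as one decision procedure over per-process observations. The following Python is an added example and not code from the patent or its assignee; the patent describes no implementation. It simulates the determination unit 10 and the blocking unit 20 over a constructed event stream. Everything not stated in the patent is an assumption of this example: keying observations by process id, a 3-second correlation window (the patent says only that input or storage access must precede the request), the telephone numbers, the IP addresses taken from documentation ranges, and the `prompt` callback that stands in for the alert notification module 200 and blocking module 202.

```python
# Added example, not code from the patent. It simulates determination unit 10
# (FIG. 3 billing-inducing flow, FIG. 4 information-leakage flow) and blocking
# unit 20. Per-process keying, the 3-second correlation window and every number,
# address and process id below are constructed for this demo.
from collections import defaultdict
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Set, Tuple


class Verdict(Enum):
    ALLOW = "allow"
    BLOCK = "block"


@dataclass(frozen=True)
class Request:
    kind: str         # "call" | "sms" (FIG. 3) or "internet" (FIG. 4)
    pid: int          # process that issued the request
    destination: str  # telephone number, or IP address for "internet"
    time: float       # seconds


class Monitor:
    # User input monitoring module 100 and important information access
    # monitoring module 104: per-process observations correlated at request time.
    def __init__(self, window: float) -> None:
        self.window = window
        self._last_input: Dict[int, float] = {}
        self._sensitive: Dict[int, List[Tuple[float, str]]] = defaultdict(list)

    def user_input(self, pid: int, time: float) -> None:
        self._last_input[pid] = time

    def sensitive_access(self, pid: int, store: str, time: float) -> None:
        self._sensitive[pid].append((time, store))

    def had_user_input(self, pid: int, time: float) -> bool:
        last = self._last_input.get(pid)
        return last is not None and 0.0 <= time - last <= self.window

    def stores_touched(self, pid: int, time: float) -> Set[str]:
        return {s for t, s in self._sensitive[pid] if 0.0 <= time - t <= self.window}


class NetworkConnectionManager:
    # Determination unit 10 plus blocking unit 20; alert module 200 and
    # blocking module 202 collapse into `prompt`, which returns True to block.
    def __init__(self, blacklist, whitelist, monitor: Monitor,
                 prompt: Callable[[Request], bool]) -> None:
        self.blacklist = set(blacklist)   # blocked telephone numbers
        self.whitelist = set(whitelist)   # permitted IP addresses
        self.monitor, self.prompt = monitor, prompt
        self.prompted: List[Request] = []  # requests shown to the user

    def decide(self, req: Request) -> Verdict:
        return self._billing(req) if req.kind in ("call", "sms") else self._leakage(req)

    def _billing(self, req: Request) -> Verdict:
        if req.destination in self.blacklist:                   # S202 -> S210
            return Verdict.BLOCK                                # no prompt
        if self.monitor.had_user_input(req.pid, req.time):      # S212
            return Verdict.ALLOW                                # no prompt
        return self._ask(req)                                   # S206 -> S210

    def _leakage(self, req: Request) -> Verdict:
        if req.destination in self.whitelist:                   # S302 -> S312
            return Verdict.ALLOW
        if not self.monitor.stores_touched(req.pid, req.time):  # S312
            return Verdict.ALLOW
        return self._ask(req)                                   # S308 -> S310

    def _ask(self, req: Request) -> Verdict:
        self.prompted.append(req)
        return Verdict.BLOCK if self.prompt(req) else Verdict.ALLOW


def run_demo() -> Tuple[Dict[str, Verdict], List[str]]:
    # Constructed event stream; returns the verdicts and the cases that prompted.
    monitor = Monitor(window=3.0)
    mgr = NetworkConnectionManager(
        blacklist={"0602001111"},     # constructed premium-rate number
        whitelist={"203.0.113.10"},   # constructed address of the sync server
        monitor=monitor, prompt=lambda req: True)  # user always chooses "block"
    # pid 1: dialer, pid 2: account sync, pid 4: browser, pid 7: repackaged app
    monitor.user_input(pid=1, time=10.0)
    monitor.user_input(pid=7, time=5.0)   # stale: outside the window at t=21
    monitor.sensitive_access(pid=2, store="contacts", time=40.0)
    monitor.sensitive_access(pid=7, store="contacts", time=50.0)
    monitor.sensitive_access(pid=7, store="location", time=50.2)
    cases = {
        "sms_typed_by_user":    Request("sms", 1, "01012345678", 10.5),
        "sms_to_blacklisted":   Request("sms", 7, "0602001111", 20.0),
        "call_without_input":   Request("call", 7, "01099998888", 21.0),
        "sync_to_whitelisted":  Request("internet", 2, "203.0.113.10", 41.0),
        "upload_after_reading": Request("internet", 7, "198.51.100.9", 51.0),
        "browser_no_sensitive": Request("internet", 4, "198.51.100.9", 60.0),
    }
    verdicts = {name: mgr.decide(req) for name, req in cases.items()}
    prompted = [name for name, req in cases.items() if req in mgr.prompted]
    return verdicts, prompted
```

In the demo only two of the six requests reach the user: the call placed by the repackaged app with no recent touch input, and its upload after reading contacts and location. The blacklisted number is blocked and the whitelisted sync address is allowed without any prompt, which is the speed-up the text attributes to the lists, and the sync service's contacts read does not trigger an alert because the whitelist check runs first, as FIG. 4 orders it. Two design points are worth noting: the input check is keyed by the requesting process, since malware could otherwise ride on a touch made in another app, and the final verdict in the prompted cases rests entirely on the user's answer, so an attacker who can make the alert look benign defeats the block.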

According to an embodiment of the present invention, telephone connection, text transmission and Internet connection attempts by the terminal device are detected; for each attempt it is checked whether the user provided input at the terminal, that is, whether the user pressed the button to place the call or searched the telephone directory to send the text, and whether important information or resources on the terminal were accessed before the Internet connection attempt; and on that basis malicious behaviour by malicious code is detected and blocked. By monitoring each action that the malicious code performs and detecting attacks by correlating and analysing those actions, attacks by new malicious code can be detected and blocked, and the false-positive and miss rates can be reduced.

The present invention has been described with reference to the preferred embodiments. It will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the spirit and scope of the invention as defined by the appended claims. Therefore, the disclosed embodiments should be considered in an illustrative rather than a restrictive sense. The scope of the present invention is defined by the appended claims rather than by the foregoing description, and all differences within the scope of equivalents thereof should be construed as being included in the present invention.

Claims (1)

An apparatus for detecting malicious behaviour, comprising: a determination unit for monitoring the status of a predetermined monitoring item in connection with a request for network connection and determining whether execution of the request is caused by execution of a request not intended by the user or not permitted in advance; and
a blocking unit for blocking execution of the request when execution of the request is judged to be caused by execution of a request not intended by the user or not permitted in advance.

Priority Applications (1)

Application Number: KR1020120135941A; Priority Date: 2012-11-28; Filing Date: 2012-11-28; Title: Methods and Apparatus for Detecting Malicious Behavior

Publications (1)

Publication Number: KR20140075839A (en); Publication Date: 2014-06-20

Family

ID=51128301

Country Status (1)

KR (1) KR20140075839A (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
US9740941B2 (en) | 2014-10-27 | 2017-08-22 | Hanwha Techwin Co., Ltd. | Apparatus and method for visualizing loitering objects
KR101865238B1 (en) * | 2016-12-13 | 2018-06-07 | 주식회사 엔피코어 | Device for deactivating malicious code and method for operating the same
CN112434297A (en) * | 2020-12-29 | 2021-03-02 | 成都立鑫新技术科技有限公司 | Method for detecting mobile phone security in public place
CN112434297B (en) * | 2020-12-29 | 2024-02-20 | 成都立鑫新技术科技有限公司 | Method for detecting safety of mobile phone in public place


Legal Events

Date Code Title Description
WITN Withdrawal due to no request for examination