KR20140075839A - Methods and Apparatus for Detecting Malicious Behavior - Google Patents
- Publication number
- KR20140075839A (application KR1020120135941A)
- Authority
- KR
- South Korea
- Prior art keywords
- request
- execution
- malicious
- connection
- malicious code
- Prior art date
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/30—Monitoring
- G06F11/3003—Monitoring arrangements specially adapted to the computing system or computing system component being monitored
- G06F11/3013—Monitoring arrangements specially adapted to the computing system or computing system component being monitored where the computing system is an embedded system, i.e. a combination of hardware and software dedicated to perform a certain function in mobile devices, printers, automotive or aircraft systems
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/552—Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/554—Detecting local intrusion or implementing counter-measures involving event detection and direct action
Abstract
The present invention relates to a malicious code detection technique in a terminal device, and in particular to a method and an apparatus for detecting malicious behavior such as infringing behavior and information leakage caused by malicious code infection. The apparatus comprises a determination unit for monitoring a predetermined monitoring item and determining whether execution of a network connection request is caused by a malicious action, and a blocking unit for blocking execution of the transmission command when execution of the transmission command is determined to be caused by a malicious action. According to the present invention, attacks by new malicious code can be detected and blocked by monitoring each action occurring in the malicious code or the like and by correlating and analyzing those actions, and the miss rate can be reduced.
Description
BACKGROUND OF THE
The smartphone combines the advantages of a mobile phone and a personal digital assistant (PDA), adding data communication functions such as schedule management, fax transmission and reception, and Internet access to the functions of a mobile phone. Its biggest feature is that hundreds of different application programs can be installed, added or deleted according to the user's preference, unlike existing mobile phones, which were released as finished products and offered only their built-in functions.
Because of these features the smartphone market has grown tremendously over the past few years, and smartphone malicious code is growing rapidly in scale as well. The causes are the open platform, on which anyone can easily create and distribute malware, and the open environment created by the open market. In addition, malware propagates easily because of the many external connection paths such as wireless Internet, Bluetooth and USB. In the early days, smartphone malicious code aimed simply at propagating itself or paralyzing the functional operation of the terminal. Recently, however, it has changed into forms that leak personal information and pursue monetary gain through billing.
Smartphones are infected with various kinds of malicious code through various routes. Recently, infections through app stores and markets using repackaging techniques, in which the malware is disguised as a normal application, have been increasing. There are various types of malicious code: malfunction code that breaks the function of a key button, a malfunction attack that paralyzes sending and receiving telephone calls, and a battery depletion attack that continuously consumes the power of the smartphone. Recently, however, billing-type attacks that continuously attempt to obtain financial gain, and information leakage attacks that leak device information or user information from an infected smartphone to the outside, have appeared.
Currently, most smartphones use signature-based pattern matching to detect malicious code with an anti-virus program, as traditional PCs do. Such a technique cannot detect a new attack until a signature for it has been generated and updated. Moreover, the number of signatures needed for detection grows as the number of malicious codes grows, so performance is its biggest disadvantage.
In order to solve the problems of the related art described above, the present invention provides a method and apparatus for detecting malicious activity in a terminal device, without using a signature-based technique, by monitoring user behavior, access to important information and resources, telephone connections, text transmissions, and external Internet connection attempts, and thereby provides a technique for preventing billing inducement and information leakage in the terminal device.
To solve the above technical problem, the network connection management apparatus according to the present invention comprises a determination unit for monitoring the status of a predetermined monitoring item in connection with a request for network connection and judging whether execution of the request is caused by execution of a request not intended by the user or not allowed in advance; and a blocking unit for blocking execution of the request when it is judged that execution of the request is caused by execution of a request not intended by the user or not permitted in advance.
The monitoring item may be an input unit connected to the network connection management apparatus by wire or wirelessly, the status of the monitoring item may be whether the connection request was entered through the input unit, and monitoring the monitoring item may comprise monitoring whether the request was input by the user.
The monitoring item may be a storage unit connected to the network connection management apparatus by wire or wirelessly, the status of the monitoring item may be whether stored information is transmitted through the storage unit, and monitoring the monitoring item may comprise monitoring whether the stored information is leaked.
When execution of the request is judged to be caused by execution of a request not intended by the user or not permitted in advance, the blocking unit notifies the user of the execution of the malicious code, malicious program or malicious worm through the output unit, receives the user's choice to block or allow execution of the request, and blocks or permits execution accordingly.
A determining unit for monitoring the status of a predetermined monitoring item in response to a request for network connection and determining whether execution of the request is caused by execution of a malicious code, a malicious program, or a malicious worm; and a blocking unit for blocking execution of the request when execution of the request is judged to be caused by execution of a malicious code, a malicious program or a malicious worm. The malicious program according to
The network connection management method according to the present invention comprises: monitoring the status of the predetermined monitoring item in connection with the request for network connection and determining whether the request is due to execution of a request not intended by the user or not previously allowed; and blocking execution of the request if it is determined that execution of the request is due to execution of a request not intended by the user or not allowed in advance.
In the network connection management method, the monitoring item may be an input unit connected to the network connection management apparatus by a wired or wireless connection, the status of the monitoring item may be whether the request was input through the input unit, and monitoring the monitoring item may include monitoring whether the request was input by the user.
In the network connection management method, the monitoring item may be a storage unit connected to the network connection management apparatus via a wired or wireless connection, the status of the monitoring item may be whether stored information is transmitted through the storage unit, and monitoring the monitoring item may include monitoring whether stored information is leaked.
The blocking step may comprise notifying the user, through the output unit, of the execution of the malicious code, malicious program or malicious worm when execution of the request is judged to be caused by execution of a request not intended by the user, receiving the user's choice to block or allow execution of the request, and blocking or permitting execution of the request accordingly.
Monitoring the state of a predetermined monitoring item in response to a request for network connection and determining whether execution of the request is caused by execution of a malicious code, a malicious program, or a malicious worm; and blocking execution of the request when execution of the request is judged to be caused by execution of a malicious code, a malicious program or a malicious worm. The malicious program according to
According to the present invention, since the signature-based pattern matching technique is not used, its disadvantage that a new attack cannot be detected until a signature for it has been generated and updated is overcome. There is no need to increase the number of signatures used for detection in a situation where the number of smartphone malicious codes grows day by day, and the performance degradation caused by a growing signature set is avoided as well. In addition, each behavior of the malicious code is monitored and correlated, so that attacks by new malicious code can be detected and blocked. By applying blacklists and whitelists, the false detection rate can be reduced.
FIG. 1 is a block diagram of a network connection management apparatus according to an embodiment of the present invention.
FIG. 2 is a detailed block diagram of a network access management apparatus according to an embodiment of the present invention.
FIG. 3 is a flowchart of a network access management method for the malicious behavior of a billing-induced attack according to an embodiment of the present invention.
FIG. 4 is a flowchart of a network access management method for the malicious activity of an information leakage type attack according to an embodiment of the present invention.
Hereinafter, preferred embodiments of the present invention will be described in detail with reference to the drawings.
In the following description and the accompanying drawings, substantially identical components are denoted by the same reference numerals, and redundant description is omitted. A detailed description of known functions and configurations incorporated herein is omitted where it would make the subject matter of the present invention unclear.
The present invention relates to a network connection management apparatus and method and is described below with reference to the figures. Those skilled in the art will readily understand that the detailed description given with respect to these drawings is for purposes of illustration, as the invention extends beyond these limited embodiments.
FIG. 1 is a block diagram of a network connection management apparatus according to an embodiment of the present invention.
Referring to FIG. 1, the network
The network
Execution of a request not intended by the user or not allowed in advance is malicious behavior by a malicious code, a malicious program, or a malicious worm, and the operation principle of the network connection management apparatus for the malicious action will be described below. The malicious action may be, for example, a billing activity or an information leakage activity.
Hereinafter, the operation principle of the network access management apparatus for the billing inducing action will be described according to an embodiment of the present invention.
The request for network connection may be a request for a telephone connection or for transmission of a text message over the network. The monitoring item is an input unit connected to the network connection management apparatus by wire or wirelessly, the status of the monitoring item is whether the connection request was entered through the input unit, and monitoring means checking whether the request was entered by the user.
It is important for the
The input unit may be any means through which the user can provide input, that is, a keyboard, a mouse, a touch screen, a touch panel, or the like; preferably it is the touch unit of a smartphone terminal. The terminal touch unit (not shown) lets the user specify coordinates or select characters with a finger or a tool. It is a user interface device that, without a keyboard, detects the touch position and performs a specific process using stored software when an input means such as a human hand or an object touches a character or a specific position displayed on the screen. Examples of touch unit technologies include resistive overlay, surface acoustic wave, capacitive overlay, and infrared beam.
The
The
Hereinafter, the operation principle of the network access management apparatus for the information leakage operation will be described according to an embodiment of the present invention.
The request for the network connection may be a connection request for an Internet connection. When a connection request for an Internet connection is executed, in order to distinguish a connection request made by malicious code or the like, the
The monitoring item is a storage unit connected to the network connection management apparatus by wire or wirelessly, the status of the monitoring item is whether stored information is transmitted through the storage unit, and monitoring the monitoring item means monitoring whether that information is leaked.
The storage unit (not shown) of the apparatus may suitably be a memory card, an address book and telephone book store, a location information store, a device information store, a website visit record and bookmark store, or a voice record store; access to it is considered when judging whether a connection request for an Internet connection has been executed by a malicious action.
The
The determining
Preferably, the
Determining the malicious behavior of the malicious code based on the blacklist and the whitelist contributes to reducing the false positives and false negatives of the
The blocking
The output unit (not shown) of the network connection management apparatus is preferably the display unit of the terminal. The terminal display unit displays information processed by the terminal. For example, when the terminal is in call mode, a user interface (UI) or graphical user interface (GUI) associated with the call is displayed; when the terminal is in video communication mode or photographing mode, the photographed and/or received video, or the UI and GUI, are displayed. The terminal display unit may include a liquid crystal display (LCD), a thin film transistor liquid crystal display (TFT LCD), an organic light-emitting diode (OLED) display, a flexible display, and a three-dimensional (3D) display.
If the
FIG. 2 is a detailed block diagram of a network connection management apparatus according to an embodiment of the present invention.
The
The user
The blocking
FIG. 3 is a flowchart of a network access management method for a billing-induced attack according to an embodiment of the present invention.
A connection request for a telephone connection or text transmission is executed in the network access management apparatus (S200). The determination unit determines whether the telephone number of the telephone connection or text transmission is present in the blacklist (S202). If the request is for a connection to a telephone number in the blacklist, execution of the connection request is blocked immediately, without asking the user whether to block it (S210).
To determine whether a manual operation was performed by the user, the determination unit detects whether the connection request resulted from user input through the input unit. If it is determined that the user entered the connection request, the request is allowed to execute without asking the user whether to allow or block it (S212).
If the connection request was entered without manual operation by the user, the determination unit judges that a billing-inducing connection request has been executed by a programmed source such as malicious code, and reports the malicious action to the output unit (S206). Preferably, the output unit is the display unit of the terminal.
The user is then asked whether to block execution of the connection request, and execution is blocked when the user chooses to block it (S210).
FIG. 4 is a flowchart of a network access management method for an information leakage type attack according to an embodiment of the present invention.
A connection request for an Internet connection is executed in the network connection management apparatus (S300).
The determination unit determines whether the IP address for the Internet connection is present in the whitelist (S302). If the request is for access to an IP address in the whitelist, execution of the request is allowed (S312).
The determination unit determines whether the access request was executed after the important information in the storage unit of the network access management apparatus was accessed. If the important information in the storage unit was not accessed, the request is allowed to execute without asking the user whether to allow or block it (S312).
When access to the important information in the storage unit is detected, the determination unit judges execution of the connection request to be an information leakage operation by a programmed source such as malicious code, and notifies the user through the output unit of the apparatus (S308).
The user is then asked whether to block execution of the connection request, and execution is blocked when the user chooses to block it (S310).
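The two flows above (FIG. 3, S200 to S212, and FIG. 4, S300 to S312), together with the determination unit and blocking unit described earlier, are modeled in the following Python. It is an illustration added here, not code from the patent. The class names, the two-second correlation window, the blacklist and whitelist entries, the application names and the event stream are all constructed; the phone numbers are placeholders and the IP addresses are RFC 5737 documentation addresses. The code generalizes slightly beyond the flowcharts: it tracks the last user input and the last read of important stored information per application, so that "request preceded by user input" and "important information accessed before the connection" are derived from an event stream instead of being assumed.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable

# Added illustration of the patent's two decision flows (FIG. 3 billing-induced
# attack, FIG. 4 information-leakage attack). Not the patent's own code: class
# names, window length, sample lists and the event stream are constructed.


class Verdict(Enum):
    ALLOW = "allow"        # executed without asking the user (S212 / S312)
    BLOCK = "block"        # blocked without asking the user (S210 on a blacklist hit)
    ASK_USER = "ask_user"  # reported through the output unit; the user decides (S206 / S308)


@dataclass(frozen=True)
class Event:
    """One observation from a monitoring item (constructed schema)."""
    t: float          # seconds since boot
    app: str          # package or process that caused the event
    kind: str         # "touch", "storage_read", "call", "sms" or "internet"
    target: str = ""  # phone number, IP address, or name of the store that was read


@dataclass
class Policy:
    number_blacklist: set[str] = field(default_factory=set)
    ip_whitelist: set[str] = field(default_factory=set)
    window_s: float = 2.0  # how long a touch or a storage read stays linked to a later request


class DeterminationUnit:
    """Decides whether a connection request came from user input or from a programmed source."""

    def __init__(self, policy: Policy):
        self.policy = policy
        self.last_touch: dict[str, float] = {}           # app -> time of last user input
        self.last_sensitive_read: dict[str, float] = {}  # app -> time of last important-data read

    def observe(self, ev: Event) -> Verdict | None:
        """Record monitoring-item events; return a verdict only for connection requests."""
        if ev.kind == "touch":
            self.last_touch[ev.app] = ev.t
            return None
        if ev.kind == "storage_read":
            self.last_sensitive_read[ev.app] = ev.t
            return None
        if ev.kind in ("call", "sms"):
            return self._billing_flow(ev)
        if ev.kind == "internet":
            return self._leakage_flow(ev)
        raise ValueError(f"unknown event kind: {ev.kind}")

    def _recent(self, table: dict[str, float], ev: Event) -> bool:
        return ev.app in table and 0 <= ev.t - table[ev.app] <= self.policy.window_s

    def _billing_flow(self, ev: Event) -> Verdict:
        if ev.target in self.policy.number_blacklist:  # S202 hit -> block at once (S210)
            return Verdict.BLOCK
        if self._recent(self.last_touch, ev):          # preceded by the user's own input (S212)
            return Verdict.ALLOW
        return Verdict.ASK_USER                        # no manual operation: notify the user (S206)

    def _leakage_flow(self, ev: Event) -> Verdict:
        if ev.target in self.policy.ip_whitelist:      # S302 hit -> allow (S312)
            return Verdict.ALLOW
        if not self._recent(self.last_sensitive_read, ev):  # no important data read first (S312)
            return Verdict.ALLOW
        return Verdict.ASK_USER                        # data read, then unknown destination (S308)


class BlockingUnit:
    """Applies a verdict; `prompt` stands in for the output unit and returns True to block."""

    def __init__(self, prompt: Callable[[Event], bool]):
        self.prompt = prompt

    def execute_allowed(self, verdict: Verdict, ev: Event) -> bool:
        if verdict is Verdict.BLOCK:
            return False
        if verdict is Verdict.ASK_USER:
            return not self.prompt(ev)  # S210 / S310 when the user chooses to block
        return True


def run_samples() -> dict[str, tuple[str, bool]]:
    """Feed a constructed event stream through both units; returns label -> (verdict, executed)."""
    policy = Policy(number_blacklist={"+82-60-999-9999"}, ip_whitelist={"203.0.113.10"})
    det = DeterminationUnit(policy)
    blk = BlockingUnit(prompt=lambda ev: True)  # models a user who always presses "block"
    stream = [  # constructed events; unlabelled ones are monitoring observations only
        ("", Event(10.0, "dialer", "touch")),
        ("user_dials_friend", Event(10.5, "dialer", "call", "+82-10-0000-0001")),
        ("malware_premium_sms", Event(20.0, "com.example.repackaged", "sms", "+82-60-000-0000")),
        ("blacklisted_call", Event(30.0, "com.example.repackaged", "call", "+82-60-999-9999")),
        ("", Event(40.0, "browser", "storage_read", "bookmarks")),
        ("browser_to_whitelisted", Event(40.4, "browser", "internet", "203.0.113.10")),
        ("", Event(50.0, "com.example.repackaged", "storage_read", "address_book")),
        ("malware_exfil", Event(50.3, "com.example.repackaged", "internet", "198.51.100.7")),
        ("update_check", Event(60.0, "com.example.weather", "internet", "198.51.100.8")),
        ("", Event(70.0, "com.example.notes", "storage_read", "address_book")),
        ("stale_read_then_connect", Event(75.0, "com.example.notes", "internet", "198.51.100.9")),
    ]
    results: dict[str, tuple[str, bool]] = {}
    for label, ev in stream:
        verdict = det.observe(ev)
        if verdict is not None:
            results[label] = (verdict.value, blk.execute_allowed(verdict, ev))
    return results


if __name__ == "__main__":
    for label, (verdict, executed) in run_samples().items():
        print(f"{label:26s} {verdict:9s} executed={executed}")
```

The window length is the main design choice: too short and a legitimate tap followed by a slightly delayed dial is reported to the user; too long and a programmed request can ride on an unrelated tap, as the `stale_read_then_connect` sample shows for the storage-read side. The blacklist and whitelist checks do not depend on the window, so known numbers and known destinations are handled before any timing judgement.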
According to an embodiment of the present invention, telephone connection, text transmission and Internet connection attempts of a terminal device are detected in order to detect malicious code behavior; furthermore, by detecting whether the user provided input on the terminal for the connection attempt, and whether important information and resources in the terminal were accessed before the button was pressed to make a call, the telephone directory was searched to send a text, or an Internet connection was attempted, malicious behavior by malicious code is detected and blocked. According to the present invention, attacks by new malicious code can be detected and blocked by monitoring each action occurring in the malicious code and by correlating and analyzing those actions, and false positives and false negatives can be reduced.
The present invention has been described with reference to the preferred embodiments. It will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the spirit and scope of the invention as defined by the appended claims. Therefore, the disclosed embodiments should be considered in an illustrative rather than a restrictive sense. The scope of the present invention is defined by the appended claims rather than by the foregoing description, and all differences within the scope of equivalents thereof should be construed as being included in the present invention.
Claims (1)
And a blocking unit for blocking the execution of the request when the execution of the request is judged to be caused by execution of a request not intended by the user or not permitted in advance.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR1020120135941A KR20140075839A (en) | 2012-11-28 | 2012-11-28 | Methods and Apparatus for Detecting Malicious Behavior |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR1020120135941A KR20140075839A (en) | 2012-11-28 | 2012-11-28 | Methods and Apparatus for Detecting Malicious Behavior |
Publications (1)
Publication Number | Publication Date |
---|---|
KR20140075839A true KR20140075839A (en) | 2014-06-20 |
Family
ID=51128301
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
KR1020120135941A KR20140075839A (en) | 2012-11-28 | 2012-11-28 | Methods and Apparatus for Detecting Malicious Behavior |
Country Status (1)
Country | Link |
---|---|
KR (1) | KR20140075839A (en) |
- 2012-11-28: KR1020120135941A (KR20140075839A) filed in KR; status not active, Application Discontinuation
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9740941B2 (en) | 2014-10-27 | 2017-08-22 | Hanwha Techwin Co., Ltd. | Apparatus and method for visualizing loitering objects |
KR101865238B1 (en) * | 2016-12-13 | 2018-06-07 | 주식회사 엔피코어 | Device for deactivating malicious code and method for operating the same |
CN112434297A (en) * | 2020-12-29 | 2021-03-02 | 成都立鑫新技术科技有限公司 | Method for detecting mobile phone security in public place |
CN112434297B (en) * | 2020-12-29 | 2024-02-20 | 成都立鑫新技术科技有限公司 | Method for detecting safety of mobile phone in public place |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN104125216B (en) | | A kind of method, system and terminal for lifting credible performing environment security |
EP3165019B1 (en) | | Method and apparatus of notifying of smishing |
EP2680182B1 (en) | | Mobile device and method to monitor a baseband processor in relation to the actions on an application processor |
US20110161452A1 (en) | | Collaborative malware detection and prevention on mobile devices |
CN108712561B (en) | | Authority management method, device, mobile terminal and storage medium |
CN106921799A (en) | | A kind of mobile terminal safety means of defence and mobile terminal |
CN106713266B (en) | | Method, device, terminal and system for preventing information leakage |
WO2019061362A1 (en) | | Method and device for accessing device identifiers |
Haris et al. | | Evolution of android operating system: a review |
WO2017211205A1 (en) | | Method and device for updating whitelist |
CN109873794B (en) | | Protection method for denial of service attack and server |
CN110457935B (en) | | Permission configuration method and terminal equipment |
CN106709282B (en) | | resource file decryption method and device |
CN109992965B (en) | | Process processing method and device, electronic equipment and computer readable storage medium |
CN112100655A (en) | | Data detection method and device, electronic equipment and readable storage medium |
KR20130066901A (en) | | Apparatus and method for analyzing malware in data analysis system |
CN105279433B (en) | | Application program protection method and device |
CN116541865A (en) | | Password input method, device, equipment and storage medium based on data security |
KR20140075839A (en) | | Methods and Apparatus for Detecting Malicious Behavior |
CN108540645B (en) | | Mobile terminal operation method and mobile terminal |
KR20150124076A (en) | | System, Server, Method and Recording Medium for Blocking Illegal Applications, and Communication Terminal Therefor |
WO2015037850A1 (en) | | Device and method for detecting url call |
CN107045610B (en) | | Data migration method, terminal device and computer readable storage medium |
CN110443030B (en) | | Permission processing method and terminal device |
KR20160001046A (en) | | Apparatus and Method for preventing malicious code in electronic device |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| WITN | Withdrawal due to no request for examination | |