JP2003186687A - Method and apparatus for virus detection - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To detect new or varietal computer viruses. <P>SOLUTION: A microextraction unit 14 extracts micro information from an inspection object file 12 and re-builds to a source code. A trace detection unit 16 traces the re-built source code of the macro one line by one line, to detect whether or not the characteristic code of a virus is included. A risk degree calculating unit 18 calculates the degree of risk of the macro, based on weighting of the feature code extracted by the trace detection unit 16 and judges whether the macro is a virus. When a virus is detected, a weighing updating unit 24 of a database updating unit 20 updates the weighting of a feature code record 28 of a virus database 26 for the feature code extracted by the trace detection unit 16. <P>COPYRIGHT: (C)2003,JPO

Description

Detailed Description of the Invention

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a computer virus detection technique, and more particularly to a method, device and system for detecting a virus that infects a computer program file or data file.

[0002]

2. Description of the Related Art According to the domestic virus damage notification status announced by Information-technology Promotion Agency (IPA), 199
It can be seen that the damage began to increase rapidly after seven years. 1
Between 990 and 1996, the number of cases exceeding 1,000 a year was only one year, whereas 1997
Since the year, the number of cases has not fallen below 2,000, 200
In 0 years, the number is increasing to 11,109.

The reason for the rapid increase in the number of virus damages is that the number of infection opportunities increases due to the widespread use of personal computers and networks, that individuals and companies have low awareness of virus countermeasures, and that they are technically related to virus countermeasures. It can be said that there is also a factor in that aspect. This is because the rapid increase in damage in 1997 was due to the emergence of a new type of virus, the macrovirus. This is due to the emergence of new species such as.

[0004]

As described above, the conventional anti-virus means that it is very weak against the new virus, which means that there is a problem in the virus detection method. Conventional virus detection methods rely on pattern matching with codes unique to viruses discovered in the past, and it takes time and effort to update the virus definition file each time a new virus appears. There will be a delay.

The present invention has been made in view of such circumstances, and an object thereof is to provide a virus detection technique for effectively detecting a new virus or a variant virus.

[0006]

One aspect of the present invention relates to a virus detection method. This method includes a step of associating a characteristic code related to a virus-specific operation with a weight indicating a risk in a database, and a step of tracing a file to be inspected to collect the characteristic code registered in the database. Calculating the risk of the inspection target file by evaluating the weight associated with each feature code based on the collected combination of feature codes. Here, the files to be inspected include program files and data files such as documents and macros.

The method may further include the step of updating the weights stored in the database with respect to the collected characteristic codes. The updating of the weight may be performed when a virus is detected in the inspection target file.
The determination as to whether or not the inspection target file contains a virus may be given from the outside. In addition, the detection of the virus may be performed based on the risk level. For example, when the risk level exceeds a predetermined reference value, it may be determined that the inspection target file contains a virus.

The risk may be calculated by classifying the collected characteristic codes into hierarchical levels and then varying the evaluation of the weight depending on the level. Hierarchical levels include modules, subroutines, opcodes,
And the level of the hierarchical structure of the processing code such as the operand, the method of evaluating the weight is made different between the processing routine unit level such as the module and the subroutine and the lower primitive command level such as the instruction code and the operand. The risk may be calculated by a combination of evaluations.

Another aspect of the present invention relates to a virus inspection device. This device traces a database in which a feature code relating to a virus-specific operation is associated with a weight indicating a risk and a file to be inspected, collects the feature code registered in the database, and collects the feature. An inspection unit that identifies a combination of codes as an operation pattern, and a risk degree calculation unit that calculates a risk degree of the operation pattern based on the collected combination of characteristic codes and the weight are included.

An update unit may be further included for updating the weight stored in the database for the characteristic code forming the operation pattern according to the degree of risk. For example, when the risk is equal to or higher than a predetermined reference value, the operation pattern is determined to be a virus and the weight is updated, but when the risk is less than the reference value, the weight is not updated. You may do it.

The database stores an operation pattern of a virus, and the updating unit compares the specified operation pattern with an operation pattern of the virus stored in the database and, in accordance with the similarity, You may update the weight of the said characteristic code which comprises the specified operation pattern. Further, when the risk level of the specified operation pattern is equal to or higher than the reference value, this operation pattern may be stored in the database as a new virus operation pattern.

The inspection unit classifies the collected feature codes into processing routine units and primitive command units and classifies them, and the risk degree calculation unit changes the evaluation of the weights according to the hierarchy to classify the risk. The degree may be calculated. Further, the risk degree calculation unit may distinguish the collected characteristic codes by the type of the instruction and the operation target, and may calculate the risk degree by changing the evaluation of the weight depending on the combination of the instruction and the operation target type. Good. For example, some commands have risks, such as automatic file opening commands, and some actions have risks, such as actions for files in system folders, template files, and executable files. ,
The method of evaluating the weight may be changed depending on the combination of the command and the type of the operation target.

Yet another aspect of the present invention relates to a computer program. This program refers to a database in which a characteristic code relating to a virus-specific operation is associated with a weight indicating a risk, and collects the characteristic code registered in the database from an inspection target file; Calculating the degree of risk of the inspection target file by evaluating the weight associated with each feature code based on the combination of the selected feature codes.

The database may be provided in a server, and the database may be referred to via a network. A system including a user terminal in which the program is installed and the server may be configured. Further, the program may be configured as a mobile agent that patrolles a user terminal on the network and inspects for viruses.

Yet another aspect of the present invention also relates to a virus detection method. This method is to register the code necessary to take the behavior peculiar to macro viruses and the value indicating the risk when the code is used as a virus as one record in the database, and trace the macro line by line. Then, collecting the registered codes, recording a combination of codes, and calculating a risk degree that is a judgment value of whether or not a virus is based on each weight from the combination of collected codes, When the risk exceeds a reference value, the macro includes a step of judging that the macro is a virus, and when a virus is detected, a step of updating the database by increasing or decreasing the weight based on the collected code. . In the updating step, pattern comparison may be performed with a virus detected in the past, and if there are many similarities, the weight of the collected code may be increased.

It should be noted that any combination of the above components, and the expression of the present invention converted between a method, a device, a server, a system, a computer program, a recording medium, etc. are also effective as an aspect of the present invention. .

[0017]

BEST MODE FOR CARRYING OUT THE INVENTION The present invention proposes and constructs a virus detection system for the purpose of effectively detecting a new virus or variant virus, which incorporates the concept of a heuristic test method suitable for detecting a new virus. To do. Further, in the embodiments, the macro viruses are targeted because of the large number of new and variant viruses and the possibility of future infection.

First, regarding the macro virus to be inspected, the features of the macro virus, the infection mechanism, and the macro virus detection method will be described.

The macro virus is a virus that infects a macro part added to a data file such as a document file. The files handled by a computer are roughly divided into "program files" and "data files".
There is a kind, and there was a dogma that conventional viruses do not infect data files, but it has been overturned by the advent of macro viruses. Currently, there are many application programs that have macro functions, but among them, those with a large market share, limited macro functions, and low security are targeted by virus makers. In addition, OLE (Object
Linking and Embedding) Automation function and DD
Infection between different application programs is possible using the E (Dynamic Data Exchange) function, which results in the emergence of a virus with a very strong infectivity.

It is also important that macroviruses are very easy to make. This is why there are far more new species and variants than conventional viruses. In the past, creating a virus required programming in a low-level language such as assembler and knowledge of the OS, but in the case of a macro virus, knowledge of the macro language itself or Visual Basic (trademark) is required. It is enough to have some.

Since the macro virus itself is a data file, it infects and becomes infected via an application that operates the macro. The flow of macro viruses spreading infection is shown below. (1) A virus invades a computer from the outside by e-mail or download. (2) Launch the application program to open the file. (3) The application program reads the file and executes the macro. (4) When the virus macro is executed, it writes a copy of itself in the standard template file. (5) After that, a template infected with a virus is applied to the file read by the application program, and the macro of the file also becomes a virus.

As described above, there are a large number of variant viruses in macroviruses, and it is difficult to catch all variant viruses by conventional virus detection methods that merely compare codes. is there.

Therefore, in the present embodiment, attention is paid to the fact that the macrovirus has a unique operation pattern such as writing a copy of itself in the standard template in order to spread the infection, and these operation patterns are considered. To detect macro viruses. Further, in the present embodiment, the concept of the heuristic inspection method to be described below is introduced in order to capture the operation pattern peculiar to the macro virus.

The heuristic inspection method is to collect the code required for the operation pattern peculiar to the computer virus from the program to be inspected, how much the code is included in the program, and the code is a virus. It is a technology that allows the virus detection system itself to make trial and error to determine whether there is a possibility or not, whether or not it is a virus.

By using this technique, unlike the conventional virus detection by code comparison, it is not necessary to update the virus definition file each time a new virus appears, and it is possible to eliminate the delay in response. Moreover, since it only deals with the characteristics of viruses, it is suitable for detecting new and variant viruses.

In the virus detection system according to this embodiment, the concept of the heuristic inspection method is introduced, and the operation pattern peculiar to the virus is captured in the following manner to determine whether or not it is a virus. (1) A code necessary for taking an operation peculiar to a macro virus and a value (hereinafter, referred to as a weight) indicating a risk when the code is used as a virus are registered as one record in the database. (2) Trace the macro line by line and collect the registered code. At this time, record how the codes were combined. (3) From the collected code combinations, the degree of risk, which is a judgment value as to whether a virus is present, is calculated based on each weight. (4) When the risk level exceeds the standard value, the macro is judged to be a virus. (5) When a virus is detected, the database is updated by increasing or decreasing the weight based on the code collected at this time and the state of the virus being detected in the past.

As shown in FIG. 1, the virus detection system is composed of four processing routines. The function of each routine and their cooperation are described.

1. Macro Extraction Processing Routine This routine extracts only macros from a file containing macros. In order to read macros without using an application, it is necessary to understand the mechanism of OLE2 composite files and structured storage. As shown in FIG. 2, the OLE2 composite file has a file system structure like a file system, and is composed of a storage corresponding to a directory and a stream corresponding to a file. Macros and especially VBA (Visual Basic For Appli)
For a file that uses cation), the stream that handles it can be specified easily, so this is used to reconstruct the macro.

The macro information stored in the stream is composed of a command, a data group that stores variable names as a character string, and a data group that shows how to arrange them. As it is, the trace processing of the next macro cannot be performed efficiently, so the macro is once reconstructed into a form that is easy to trace. FIG. 3 is a part of a stream storing a character string data group forming a macro. This is reconstructed according to the rules and written out as text in Fig. 4.

2. Macro trace processing routine The feature code registered in the database is inspected while tracing the macro line by line. The feature code mentioned here is a code that will be used to execute the virus auto-infection, disease onset, and latent functions. The feature code and the weight corresponding to it are recorded in the database. Details of the record will be described in a learning method described later.

When the characteristic code is found, it is classified into four levels shown in FIG. 5 and the respective weights are sent to the risk degree calculation routine. That is, there are four hierarchical levels of a module level, a subroutine level, an instruction code level, and an argument (hereinafter, also referred to as an operand) level. The level of code is determined by using the information obtained when reconstructing the macro. At the module level and subroutine level, the name acts as a trigger for virus activity, and at the instruction code level and argument level, the risk of being a virus greatly changes depending on the combination.

3. Danger degree calculation routine The degree of danger expresses the virus-likeness as it is, and those above the reference value are judged to be viruses. The risk level is calculated in the following flow based on the weights collected in the previous trace processing (hereinafter, also referred to as trace inspection). (1) First, a module-level weight is obtained and stored. (2) Next, since the subroutine level weight is obtained,
Here, whether or not the virus activity cannot be triggered is calculated in combination with the module level weight, and the value is set to A. (3) When the weight of the instruction level is obtained at the same time as the weight of the instruction code level, the value B for the action of the virus is calculated from the combination. If there is no argument level weight, the instruction code level weight is B. (4) When the end of the subroutine is detected while tracing the macro, the risk is calculated from the combination of A and B. The risk level is calculated for all subroutines, and the highest risk level is used as the macro risk level.

4. Database Update Routine This routine increases or decreases the weight registered in the database. The weight is an important value that serves as a basis for determining whether or not it is a virus, and it is expected to improve the accuracy of virus detection by skillfully increasing or decreasing the weight.

The timing for increasing / decreasing the weight is when a virus is detected, and the code is increased / decreased in consideration of the frequency and time interval used by the virus, but it is necessary to avoid a detection error due to the excessive reduction of the weight. . As a countermeasure, set the lower limit of the weight, rather than the amount of increasing the weight,
The amount of reduction is reduced.

As will be described later with reference to a learning method, since the macro patterns at the time of detecting a virus in the past are also recorded in the database, all the codes sent from the macro trace processing routine are also recorded in the database.

Next, the learning method will be described in detail. In this virus detection system, it is indispensable to investigate the essential operation patterns of macro viruses, and for that reason, we have adopted a method to reflect the experience of detecting viruses in the past. Further, the learning referred to here is to bring the weight close to an appropriate value, which corresponds to automatic updating of the database.

First, the structure of the database will be described. The database consists of two tables, one stores a pair of feature code and weight, and one stores a pattern of virus macros detected in the past. Macro patterning is a serialization of feature codes and a collection of them. The structure of the record is as follows.

Record of table for feature code (1) Serial number (2) Basic value (3) Additional value (4) Character string of feature code (5) Frequency of appearance

Record of table for macro patterning (1) Time stamp (2) Character string of serial number string (3) Frequency of appearance

The weights described so far refer to basic values, and the additional values are weights that reflect past experience and are used in the learning process described here. The serial number string is
It is a collection of serial numbers in the feature code table into a character string.

Next, the learning procedure will be described with reference to FIG. (1) The risk degree based on the basic value is calculated as described above. At this time, macro patterning is also performed at the same time. (2) Next, the pattern is compared with the virus macro detected in the past. If there are many similarities, it means that viruses that have similar behavior have been detected in the past. Also, if there is a part that operates exactly the same, it can be regarded as an essential operation of the virus, and the added value of the code is increased. (3) Considering the case where the virus has already spread in the computer, if all the patterns are the same, the additional value is not increased. This is to prevent the weight from being improperly biased under the influence of a specific virus. (4) A new risk is calculated by giving an additional value to the risk. (5) Decrease the additional value of the code whose difference is equal to or more than a certain value with reference to the one having the highest appearance frequency.

FIG. 7 is a block diagram of the virus detection device 10 according to the embodiment. In terms of hardware, this configuration is the CPU, memory, and other L of any computer.
It can be realized by SI, and in terms of software, it is realized by a program or the like having a virus detection function loaded in the memory, but here, the functional blocks realized by the cooperation thereof are drawn. Therefore, it will be understood by those skilled in the art that these functional blocks can be realized in various forms by only hardware, only software, or a combination thereof.

Macro extraction unit 1 of virus detection device 10
4, the trace inspecting unit 16, the risk calculating unit 18, and the database updating unit 20, as software processing,
The macro extraction processing routine, the macro trace processing routine, the risk degree calculation routine, and the database update routine in the virus detection system described above are executed respectively.

The virus database 26 stores a characteristic code record 28 and a macro pattern record 30. The characteristic code record 28 is a record of the characteristic code table, in which the characteristic code peculiar to the virus is associated with the weight indicating the risk. The macro pattern record 30 indicates a virus pattern composed of a combination of feature codes, and is a record of the macro patterning table described above.

The feature code is divided into four levels and weighted as shown in FIG. In the case of a module or subroutine whose operation itself involves a risk such as automatic opening of a file, the degree of danger can be known from the module name or the subroutine name. In addition, there is also a thing in which the degree of risk can be grasped from the type of operation target such as operation of a file in the system folder, operation of a template file, opening of an executable file. Therefore, it is necessary to register the command and the operation target separately and weight the combination. In addition, it is necessary to hierarchically classify the characteristic codes to judge the risk in large processing units such as modules and subroutines, and to judge the risk in more primitive units such as instruction codes and operands. For example, instead of using the automatic opening of a file, it is also possible to display the dialog and to cause the user to click the button of the dialog, thereby substantially automatically opening the file.
Therefore, it is not enough to judge the risk only by using the module name or the subroutine name, and it is necessary to judge the risk at a lower instruction code or operand level.

A general flow of the virus detection procedure by the virus detection device 10 will be described with reference to FIG. The macro extraction unit 14 reads the inspection target file 12 (S1
0). Next, the macro extraction unit 14 extracts macro information from the file to be inspected and reconstructs the macro information into the state of the source code (S12). The trace checking unit 16 traces the reconstructed macro source code line by line to check whether the virus characteristic code is included (S14). At this time, the trace inspection unit 16 identifies an operation pattern composed of a combination of feature codes.

The risk degree calculation unit 18 includes a trace inspection unit 16
Based on the weight of the feature code extracted by, the macro risk is calculated and it is determined whether the macro is a virus (S16). When a virus is detected by the virus determination (Y in S18), the database updating unit 20 stores the feature code record 28 of the virus database 26 with respect to the feature code forming the macro operation pattern identified by the trace inspecting unit 16. The weight is updated (S20). If no virus is detected (S1
8 N), the virus database 26 is not updated.

FIG. 9 is a flow chart showing the detailed procedure of the macro reconstruction processing S12. As already shown in FIG. 3, the macro information is scattered in the binary data of the document file to be inspected, and it is difficult to trace it as it is. The macro extraction unit 14 extracts the macro information from the file to be inspected and performs a reconstruction process for assembling the source code as shown in FIG. First, it is checked whether the file to be inspected uses structured storage (S3).
0). When the structured storage is not used (N in S30), the process ends without inspecting for viruses. When the structured storage is used (Y in S30), it is checked whether or not the inspection target file includes a macro (S32). When the macro is not included (N in S32), the process ends without inspecting for viruses. If the macro is included (Y in S32), the macro information is assembled, and the state of the source code is written out (S34).

FIG. 10 shows a macro trace inspection process S14.
5 is a flowchart showing a detailed procedure of the above. The trace checking unit 16 traces the source code of the reconstructed macro line by line, refers to the virus database 26, and checks whether or not there is a match in the registered feature code record 28, and the matched feature code. And its weights are collected (S40). In addition, for each macro subroutine, the type of the characteristic code forming the subroutine is stored as an operation pattern (S42).

FIG. 11 is a flow chart showing the detailed procedure of the virus judgment processing S16. Risk calculator 18
Calculates the degree of danger for each macro subroutine based on the weight of the feature code extracted by the trace inspection unit 16. The trace inspection unit 16 uses the feature code shown in FIG.
It is classified into the four levels shown in. Risk calculator 1
In step S50, the module-level weight M and the subroutine-level weight S are combined to calculate a risk VT that can trigger virus activity (S50). For example,
Let VT = max (M, S). Next, for each instruction of the subroutine, the instruction code level weight I and the operand level weight O are combined to calculate the risk VA against virus activity (S52). For example, VA = I × O.

Next, the risk level of the subroutine is calculated by combining the two risk levels VT and VA having different hierarchical levels of the evaluated weights for each subroutine (S54). For example, the sum of the value of VT and the largest value of VA in the subroutine is set as the risk level of the subroutine. When the risk of the subroutine is calculated for all the subroutines of the macro, the highest risk of the risk of those subroutines is set as the risk of the macro (S56). When the macro risk exceeds the predetermined reference value (Y in S58), it is determined that the macro is a virus (S6).
0), otherwise (N in S58), the macro is not determined as a virus.

FIG. 12 is a flow chart showing the detailed procedure of the database updating process S20. The database update unit 20 includes a macro pattern registration unit 22 and a weight update unit 2
Including 4. When it is determined that the macro is a virus, the macro pattern registration unit 22 registers the operation pattern of the macro specified by the trace inspection unit 16 in the virus database 26 as a new macro pattern record 30.
The weight updating unit 24 updates the weight of the characteristic code record 28 with respect to the characteristic code forming the operation pattern.

The basic principle of the learning algorithm is to regard the operation pattern common to various viruses as the essential operation of the virus, and increase the weight of the characteristic code forming the operation pattern. For example, virus A,
The operations of B and C are as follows.

(A) Operation of virus A: (A-1) Trigger file open, (A-
2) Write X in the register, (A-3) Rewrite the standard template file.

(B) Operation of virus B: (B-1) File open as a trigger, (B-
2) Delete system file, (B-3) Rewrite standard template file.

(C) Operation of virus C: (C-1) Triggered by starting application
(C-2) Alter the file Y, (C-3) Rewrite the standard template file.

At this time, the operation pattern of "rewriting the standard template file" has three types of virus A,
It is common to B and C, and the operation pattern "trigger on file open" is common to the two viruses A and B. Therefore, the increase amount of weight is large for the feature code that constitutes the operation pattern "Rewrite standard template file", and the increase amount of weight is small for the feature code that constitutes the operation pattern "Trigger file open". To take.

The weight is divided into a basic value and an additional value. The basic value is a fixed value indicating the degree of danger expected for the feature code, and the additional value is a value updated by the learning algorithm with the initial value set to zero. The additional value increases for feature codes that are frequently used by viruses, and the additional value decreases for feature codes that are rarely used by viruses. Since the weight indicating the degree of risk of the feature code is given by the sum of the basic value and the additional value, the weight is updated according to the operation pattern of the virus found in the past.

A specific learning procedure will be described. With respect to the found operation pattern of the virus, the number of appearances is counted for each type of feature code forming the operation pattern (S50). For example, when the operation pattern of the virus is composed of three types of characteristic codes a, b, and c, the number of appearances of each of the three types of characteristic codes a, b, and c is incremented by one. For all operation patterns of the virus, the number of application of the feature code included in the operation pattern is counted in this way. Next, the additional value of the feature code is increased in proportion to the number of appearance counts (S52). For example, a value obtained by multiplying the number of appearances by a predetermined increase coefficient is set as a new additional value. As a result, the additional value increases as the feature code of the operation pattern common to various viruses.

If the number of appearances is greater than or equal to the specific number (Y in S54), the additional value of the feature code having an extremely large number of counts is decreased (S56). For example, the additional value is decreased in proportion to the difference in the number of appearances between feature codes.
That is, a value obtained by multiplying the difference in the number of appearances by a predetermined reduction coefficient is subtracted from the additional value. The addition value is reduced to prevent the weight from being biased under the influence of a specific virus.

As described above, in the embodiment, the macrovirus was taken up as the inspection object, and the effective detection method for the new virus incorporating the concept of the heuristic inspection method was proposed. Since it is a system that stores the code unique to macro viruses and learns the danger,
Unlike the virus detection method by simple pattern matching of the code, it can flexibly deal with a modified virus that is a part of the existing virus, and detects even a new virus that has never existed before. It becomes possible.

The present invention has been described above based on the embodiments. It is understood by those skilled in the art that the embodiments are exemplifications, that various modifications can be made to combinations of respective constituent elements and respective processing processes, and that such modifications are within the scope of the present invention. . Hereinafter, such a modified example will be described.

In the embodiment, the virus detection method has been described by taking as an example a macrovirus in which many new and variant viruses appear. However, the present invention is not limited to the macrovirus, and the present invention is a virus that infects a program code. It is also applicable to the general public.

In the embodiment, a database in which codes peculiar to viruses are collected is provided in the computer to be inspected, but such a database is provided in the server to search for necessary data via the network,
It may be configured to download. In addition, a mobile agent having the virus detection program according to the present embodiment may be distributed to a user's computer for distributed virus detection. Even in the configuration using such an agent, the virus code database may be provided in the user's computer or in the server. Further, the data area of the agent program may include at least a part of such a database.

In addition, the virus detection system scans the hard disk of the computer and inspects for viruses,
It may be provided as a standalone application such as virus quarantine software that performs the removal. In that case,
When data read from a recording medium such as a CD-ROM or data downloaded via a network is written to the hard disk, the data may be scanned on demand. Further, the virus detection system may be provided in a form incorporated in an application having a macro function. In this case, when the application opens the macro file, the virus detection system may measure the macro risk and notify the user of the risk before the macro file is opened and executed to give a warning. .

In the above learning procedure, the weight is updated when a virus is detected, but the determination as to whether it is a virus may be given from the outside. For example, the user may determine whether it is a virus and give the determination result to the virus detection system. Also, the database update section
A virus definition file provided externally may be used to evaluate the success or failure of the virus determination by the risk degree calculation unit.

[0067]

INDUSTRIAL APPLICABILITY According to the present invention, a new or variant virus can be effectively detected.

[Brief description of drawings]

FIG. 1 is an overall configuration diagram of a virus detection system according to an embodiment.

FIG. 2 is a diagram illustrating a data structure of a composite file that is an example of a virus inspection target file.

3 is a diagram showing macro information stored in a stream of the composite file in FIG.

FIG. 4 is a diagram showing a state in which the macro information of FIG. 3 is reconstructed and written in a text.

FIG. 5 is a diagram for explaining level division of weights associated with virus feature codes.

FIG. 6 is a diagram illustrating a learning procedure of the database of FIG.

FIG. 7 is a configuration diagram of a virus detection device according to an embodiment.

FIG. 8 is a flowchart showing a virus detection procedure in the virus detection device.

9 is a flowchart showing a detailed procedure of macro reconstruction processing of FIG.

10 is a flowchart showing a detailed procedure of a trace inspection process of the macro of FIG.

FIG. 11 is a flowchart showing a detailed procedure of virus determination processing in FIG.

FIG. 12 is a flowchart showing a detailed procedure of the database update processing of FIG.

[Explanation of symbols]

10 virus detection device, 12 inspection target file,
14 macro extraction unit, 16 trace inspection unit, 1
8 Risk calculation part, 20 Database update part, 2
2 macro pattern registration unit, 24 weight update unit, 2
6 virus database, 28 feature code record, 30 macro pattern record.

Claims (13)

[Claims] 1. A step of registering a feature code related to a virus-specific operation with a weight indicating a risk in a database, and a step of tracing an inspection target file to collect the feature code registered in the database. And based on the combination of the collected feature codes,
Evaluating the weight associated with each feature code and calculating the degree of risk of the file to be inspected. 2. The virus detection method according to claim 1, further comprising the step of updating the weights stored in the database for the collected characteristic codes. 3. The virus detecting method according to claim 2, wherein the updating of the weight is performed when a virus is detected in the inspection target file. 4. The virus detection method according to claim 3, wherein the detection of the virus is performed based on the degree of risk. 5. The virus detection according to claim 1, wherein the collected characteristic codes are classified into hierarchical levels, and the risk is calculated by changing the evaluation of the weight depending on the level. Method. 6. A database in which feature codes related to virus-specific operations are associated with weights indicating danger, and a file to be inspected is traced to collect and collect the feature codes registered in the database. A virus inspection including: an inspection unit that specifies a combination of characteristic codes as an operation pattern; and a risk degree calculation unit that calculates a risk degree of the operation pattern based on the collected combination of characteristic codes and the weight. apparatus. 7. The updating unit according to claim 6, further comprising an updating unit that updates the weight stored in the database for the characteristic code forming the operation pattern according to the degree of risk. Virus inspection device. 8. The database stores an operation pattern of a virus, and the update unit compares the specified operation pattern with an operation pattern of a virus stored in the database and determines the similarity according to the similarity. The virus inspection apparatus according to claim 7, wherein the weight of the characteristic code forming the specified operation pattern is updated. 9. The inspecting unit classifies the collected characteristic codes into a processing routine unit and a primitive command unit, and the risk calculating unit changes the weight evaluation depending on the hierarchy. The virus inspection apparatus according to claim 6, wherein the risk level is calculated. 10. The risk level calculation unit distinguishes the collected characteristic codes by the type of an instruction and an operation target, and evaluates the weight by changing the evaluation of the weight depending on the combination of the command and the type of the operation target. The virus inspection apparatus according to claim 6 or 9, which is calculated. 11. A step of collecting the feature code registered in the database from a file to be inspected by referring to a database in which a feature code relating to an operation peculiar to a virus is associated with a weight indicating a risk and registered, Based on the collected feature code combinations,
A computer program for causing a computer to execute a step of evaluating the weight associated with each characteristic code and calculating a risk degree of the inspection target file. 12. A code required for performing an operation peculiar to a macro virus, a step of registering a value indicating a risk when the code is used as a virus as one record in a database, and a macro for each line. A step of tracing and collecting the registered codes and recording a combination of the codes, and a step of calculating a risk degree which is a judgment value of whether or not the virus is based on each weight from the collected code combinations, When the risk exceeds the standard value, the macro judges that the macro is a virus, and when a virus is detected, it increases or decreases the weight based on the collected code and updates the database. A method for detecting a virus, comprising: 13. The virus detection method according to claim 12, wherein the updating step performs pattern comparison with a virus detected in the past, and if there are many similarities, the weight of the collected code is increased. .