KR100509650B1 - Method of detecting malicious scripts using code insertion technique - Google Patents
- Publication number
- KR100509650B1
- Authority
- KR
- South Korea
- Prior art keywords
- rule
- script
- code
- malicious
- matching
- Prior art date
Links
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/566—Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Theoretical Computer Science (AREA)
- General Engineering & Computer Science (AREA)
- Software Systems (AREA)
- Computer Hardware Design (AREA)
- General Physics & Mathematics (AREA)
- Physics & Mathematics (AREA)
- Virology (AREA)
- Health & Medical Sciences (AREA)
- General Health & Medical Sciences (AREA)
- Quality & Reliability (AREA)
- Devices For Executing Special Programs (AREA)
- Computer And Data Communications (AREA)
Abstract
Description
Category | Description |
---|---|
Self-replication within the local system | Creates a copy of itself on the target system. Strictly speaking, this divides into creating a new copy that did not previously exist and replacing the contents of a script file already present on the target system with its own contents. |
Self-replication via e-mail | Sends an e-mail with itself attached to the accounts listed in the address book. |
Self-replication via IRC | Modifies the initialization script of an IRC client such as mIRC so that it sends itself when a chat partner connects. |
Self-replication via shared folders | Searches network shared folders and copies itself into them. |

Array position | Meaning | Note |
---|---|---|
0 | Name of the matched matching rule | String |
1 | Return value | The value at execution time is stored, not its name |
2 | Object providing the called method | |
3 and above | Parameters | |

Method | Description |
---|---|
init | Class initialization |
SetVal(pos, value) | Stores value at position pos of the buffer |
Check | Checks whether malicious behavior is present |
Claims (2)
- A method for detecting a malicious script at execution time, comprising: checking, during execution, whether the parameters and return values related among the series of methods that constitute a malicious-behavior pattern match, wherein the check models malicious behavior as a combination of unit behaviors, each unit behavior consisting of smaller unit behaviors or of one or more method calls, and distinguishes matching rules, which define the form of the method-call statements to be checked at execution time in the script code, from relation rules, which define the relations between matched patterns so that malicious behavior can be found by analyzing the relations among the rule variables used in the statements that satisfy the matching rules; generating a script to which rule-based diagnostic engine code has been added, by searching the target script code for code patterns that conform to the matching rules, inserting before and after the original script's method-call statements code that stores the parameters and return value and calls the diagnostic engine (self-diagnosis routine), and, when called, executing the relation rules associated with that matching rule to detect whether the method-call sequence constitutes malicious behavior; and detecting malicious behavior at execution time by having the diagnostic engine, when called during execution of the generated script, create an instance of the matching rule and execute the relation rules related to it; the method being characterized as a malicious-script detection method using a code insertion technique.
- Deleted
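As an added illustration, not code from the patent, the following Python models the engine the claim describes: matching rules select which method calls get instrumented, each matched call becomes an instance whose buffer is laid out as in the table above (0 rule name, 1 return value, 2 object, 3 and above parameters), and a relation rule over those buffers decides whether the recorded call sequence constitutes local self-replication. The method names, rule names, SELF_PATH and both call traces are constructed for this example.

```python
SELF_PATH = "C:/scripts/self.vbs"  # constructed stand-in for the running script's own path
class RuleInstance:
    """Instance of a matching rule; buffer laid out as in the patent's table:
    0 = rule name, 1 = return value, 2 = object providing the method, 3+ = parameters."""
    def __init__(self, rule_name):
        self.buf = {0: rule_name}
    def SetVal(self, pos, value):
        self.buf[pos] = value

# Matching rules (constructed): the method-call forms that get instrumented.
MATCHING_RULES = {"CreateObject": "M_CREATE", "GetFile": "M_GETFILE", "Copy": "M_COPY"}
def rel_local_self_copy(instances):
    """Relation rule (constructed) for local self-replication. The relation lives in
    the rule variables: a return value (slot 1) reappears as a later call's object (slot 2)."""
    fso_objs = {i.buf[1] for i in instances
                if i.buf[0] == "M_CREATE" and i.buf.get(3) == "Scripting.FileSystemObject"}
    self_files = {i.buf[1] for i in instances
                  if i.buf[0] == "M_GETFILE" and i.buf.get(2) in fso_objs
                  and i.buf.get(3) == SELF_PATH}
    return any(i.buf[0] == "M_COPY" and i.buf.get(2) in self_files for i in instances)
# Relation rules are keyed by the matching rule whose Check call triggers them.
RELATION_RULES = {"M_COPY": [("local_self_replication", rel_local_self_copy)]}
class DiagnosticEngine:
    def __init__(self):
        self.instances, self.alerts = [], []
    def Check(self, inst):
        """Invoked by the inserted code: record the instance, run its relation rules."""
        self.instances.append(inst)
        for name, predicate in RELATION_RULES.get(inst.buf[0], []):
            if predicate(self.instances):
                self.alerts.append(name)

def run_instrumented(trace):
    """Stands in for the generated script: around each matched call the inserted
    statements store object and parameters, then the return value, then call Check."""
    engine = DiagnosticEngine()
    for obj, method, params, ret in trace:
        rule = MATCHING_RULES.get(method)
        if rule is None:
            continue  # not covered by a matching rule: runs untouched
        inst = RuleInstance(rule)
        inst.SetVal(2, obj)
        for k, p in enumerate(params):
            inst.SetVal(3 + k, p)
        inst.SetVal(1, ret)  # known only after the original call has returned
        engine.Check(inst)
    return engine.alerts
# Constructed call traces: (object, method, parameters, return value); objects are opaque ids.
SUSPICIOUS = [(None, "CreateObject", ("Scripting.FileSystemObject",), "fso#1"),
              ("fso#1", "GetFile", (SELF_PATH,), "file#1"),
              ("file#1", "Copy", ("C:/Temp/copy.vbs",), None)]
BENIGN = [(None, "CreateObject", ("Scripting.FileSystemObject",), "fso#1"),
          ("fso#1", "GetFile", ("C:/data/report.txt",), "file#2"),
          ("file#2", "Copy", ("C:/backup/report.txt",), None)]
```

The benign trace calls the same three methods in the same order yet raises no alert, because the relation rule requires the copied file object to have been obtained from the script's own path; that is the distinction a plain call-sequence signature cannot make.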
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR10-2003-0016208A KR100509650B1 (ko) | 2003-03-14 | 2003-03-14 | Method of detecting malicious scripts using code insertion technique |
US10/735,985 US20040205411A1 (en) | 2003-03-14 | 2003-12-15 | Method of detecting malicious scripts using code insertion technique |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR10-2003-0016208A KR100509650B1 (ko) | 2003-03-14 | 2003-03-14 | Method of detecting malicious scripts using code insertion technique |
Publications (2)
Publication Number | Publication Date |
---|---|
KR20040080845A KR20040080845A (ko) | 2004-09-20 |
KR100509650B1 true KR100509650B1 (ko) | 2005-08-23 |
Family
ID=33128921
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
KR10-2003-0016208A KR100509650B1 (ko) | 2003-03-14 | 2003-03-14 | Method of detecting malicious scripts using code insertion technique |
Country Status (2)
Country | Link |
---|---|
US (1) | US20040205411A1 (ko) |
KR (1) | KR100509650B1 (ko) |
Families Citing this family (62)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR100503386B1 (ko) * | 2003-03-14 | 2005-07-26 | 주식회사 안철수연구소 | Method for detecting malicious behavior patterns considering control flow and data flow |
US7546638B2 (en) * | 2003-03-18 | 2009-06-09 | Symantec Corporation | Automated identification and clean-up of malicious computer code |
US20050108562A1 (en) * | 2003-06-18 | 2005-05-19 | Khazan Roger I. | Technique for detecting executable malicious code using a combination of static and dynamic analyses |
GB0513375D0 (en) * | 2005-06-30 | 2005-08-03 | Retento Ltd | Computer security |
US8984636B2 (en) | 2005-07-29 | 2015-03-17 | Bit9, Inc. | Content extractor and analysis system |
US8272058B2 (en) | 2005-07-29 | 2012-09-18 | Bit 9, Inc. | Centralized timed analysis in a network security system |
US7895651B2 (en) | 2005-07-29 | 2011-02-22 | Bit 9, Inc. | Content tracking in a network security system |
US20120144485A9 (en) * | 2005-12-12 | 2012-06-07 | Finjan Software, Ltd. | Computer security method and system with input parameter validation |
US7913092B1 (en) * | 2005-12-29 | 2011-03-22 | At&T Intellectual Property Ii, L.P. | System and method for enforcing application security policies using authenticated system calls |
GB0607594D0 (en) * | 2006-04-13 | 2006-05-24 | Qinetiq Ltd | Computer security |
KR100789722B1 (ko) * | 2006-09-26 | 2008-01-02 | 한국정보보호진흥원 | System and method for blocking malicious code propagated using web technologies |
KR101303643B1 (ko) | 2007-01-31 | 2013-09-11 | 삼성전자주식회사 | Apparatus and method for detecting intrusion code |
US9906549B2 (en) * | 2007-09-06 | 2018-02-27 | Microsoft Technology Licensing, Llc | Proxy engine for custom handling of web content |
US20090070663A1 (en) * | 2007-09-06 | 2009-03-12 | Microsoft Corporation | Proxy engine for custom handling of web content |
US8914774B1 (en) | 2007-11-15 | 2014-12-16 | Appcelerator, Inc. | System and method for tagging code to determine where the code runs |
US8954989B1 (en) | 2007-11-19 | 2015-02-10 | Appcelerator, Inc. | Flexible, event-driven JavaScript server architecture |
US8260845B1 (en) | 2007-11-21 | 2012-09-04 | Appcelerator, Inc. | System and method for auto-generating JavaScript proxies and meta-proxies |
US8719451B1 (en) | 2007-11-23 | 2014-05-06 | Appcelerator, Inc. | System and method for on-the-fly, post-processing document object model manipulation |
US8566807B1 (en) | 2007-11-23 | 2013-10-22 | Appcelerator, Inc. | System and method for accessibility of document object model and JavaScript by other platforms |
US8806431B1 (en) | 2007-12-03 | 2014-08-12 | Appcelerator, Inc. | Aspect oriented programming |
US8819539B1 (en) | 2007-12-03 | 2014-08-26 | Appcelerator, Inc. | On-the-fly rewriting of uniform resource locators in a web-page |
US8756579B1 (en) | 2007-12-03 | 2014-06-17 | Appcelerator, Inc. | Client-side and server-side unified validation |
US8938491B1 (en) | 2007-12-04 | 2015-01-20 | Appcelerator, Inc. | System and method for secure binding of client calls and server functions |
US8527860B1 (en) | 2007-12-04 | 2013-09-03 | Appcelerator, Inc. | System and method for exposing the dynamic web server-side |
US8639743B1 (en) | 2007-12-05 | 2014-01-28 | Appcelerator, Inc. | System and method for on-the-fly rewriting of JavaScript |
US8285813B1 (en) | 2007-12-05 | 2012-10-09 | Appcelerator, Inc. | System and method for emulating different user agents on a server |
US8335982B1 (en) | 2007-12-05 | 2012-12-18 | Appcelerator, Inc. | System and method for binding a document object model through JavaScript callbacks |
GB0806284D0 (en) * | 2008-04-07 | 2008-05-14 | Metaforic Ltd | Profile-guided tamper-proofing |
US8291079B1 (en) | 2008-06-04 | 2012-10-16 | Appcelerator, Inc. | System and method for developing, deploying, managing and monitoring a web application in a single environment |
US8880678B1 (en) | 2008-06-05 | 2014-11-04 | Appcelerator, Inc. | System and method for managing and monitoring a web application using multiple cloud providers |
KR101027928B1 (ko) * | 2008-07-23 | 2011-04-12 | 한국전자통신연구원 | Method and apparatus for detecting obfuscated malicious web pages |
US7596620B1 (en) | 2008-11-04 | 2009-09-29 | Aptana, Inc. | System and method for developing, deploying, managing and monitoring a web application in a single environment |
KR101161008B1 (ko) * | 2009-06-30 | 2012-07-02 | 주식회사 잉카인터넷 | Malicious code detection system and method |
KR101040758B1 (ko) * | 2009-11-04 | 2011-06-10 | (주)피엔아이시스템 | System and method for blocking malicious code using string substitution |
KR101047382B1 (ko) * | 2009-12-08 | 2011-07-08 | 단국대학교 산학협력단 | Method and system for preventing file theft by turning malicious code against itself, and recording medium |
KR101093410B1 (ko) | 2010-03-22 | 2011-12-14 | 주식회사 엔씨소프트 | Method for detecting malicious programs using a code-execution notification function |
US20110246965A1 (en) * | 2010-04-01 | 2011-10-06 | International Business Machines Corporation | Correcting document generation for policy compliance |
CA2711855A1 (en) | 2010-08-25 | 2010-11-03 | Ibm Canada Limited - Ibm Canada Limitee | Secure third party scripting environment |
US9224010B2 (en) | 2011-09-01 | 2015-12-29 | International Business Machines Corporation | Secure document creation from potentially unsecure source templates |
US9135440B2 (en) * | 2012-08-01 | 2015-09-15 | Ut-Battelle, Llc | Statistical fingerprinting for malware detection and classification |
WO2014048194A1 (zh) * | 2012-09-29 | 2014-04-03 | 中兴通讯股份有限公司 | Android malicious application detection method, system and device |
US10152591B2 (en) * | 2013-02-10 | 2018-12-11 | Paypal, Inc. | Protecting against malware variants using reconstructed code of malware |
KR101428915B1 (ko) * | 2013-02-22 | 2014-08-11 | 한양대학교 산학협력단 | Feedback-based application rewriting framework method and system for Android security |
JP6028657B2 (ja) * | 2013-03-28 | 2016-11-16 | 富士通株式会社 | Verification program, verification method and verification device |
US9569618B2 (en) * | 2013-08-28 | 2017-02-14 | Korea University Research And Business Foundation | Server and method for attesting application in smart device using random executable code |
KR101527098B1 (ko) * | 2013-08-28 | 2015-06-09 | 고려대학교 산학협력단 | Server and method for verifying applications in smart devices using random executable code |
EP3241135A4 (en) | 2015-01-01 | 2018-05-02 | Checkmarx Ltd. | Code instrumentation for runtime application self-protection |
EP3245776A4 (en) * | 2015-01-18 | 2018-06-13 | Checkmarx Ltd. | Rasp for scripting languages |
US10083298B1 (en) * | 2015-03-09 | 2018-09-25 | Symantec Corporation | Static approach to identify junk APIs in a malware |
KR101667774B1 (ko) * | 2015-04-23 | 2016-10-19 | (주)잉카엔트웍스 | Apparatus and method for providing security for script programs |
CN108140089B (zh) * | 2015-10-19 | 2021-05-07 | 日本电信电话株式会社 | Analysis device, analysis method and recording medium |
SE542513C2 (en) * | 2015-12-15 | 2020-05-26 | Saab Ab | A method for authenticating software |
US10387656B2 (en) | 2016-03-21 | 2019-08-20 | Checkmarx Ltd. | Integrated interactive application security testing |
KR102471221B1 (ko) * | 2016-11-14 | 2022-11-28 | 삼성에스디에스 주식회사 | Application conversion apparatus and method |
EP3401827A1 (en) | 2017-05-10 | 2018-11-14 | Checkmarx Ltd. | Method and system of static and dynamic data flow analysis |
US11204788B2 (en) | 2017-12-11 | 2021-12-21 | Comodo Security Solutions, Inc. | Method to protect against fileless infection from command line interpreters or documents |
KR102026959B1 (ko) * | 2019-04-19 | 2019-09-30 | 한화시스템(주) | Security system and method of operating the same |
US20210026969A1 (en) * | 2019-07-23 | 2021-01-28 | Chameleonx Ltd | Detection and prevention of malicious script attacks using behavioral analysis of run-time script execution events |
US11836258B2 (en) | 2020-07-28 | 2023-12-05 | Checkmarx Ltd. | Detecting exploitable paths in application software that uses third-party libraries |
CN112688966A (zh) * | 2021-03-11 | 2021-04-20 | 北京邮电大学 | Webshell detection method, apparatus, medium and device |
US20230195896A1 (en) * | 2021-12-21 | 2023-06-22 | Palo Alto Networks, Inc. | Identification of .net malware with "unmanaged imphash" |
CN114048488B (zh) * | 2022-01-13 | 2022-04-22 | 杭州默安科技有限公司 | Vulnerability detection method and system |
Family Cites Families (20)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6275938B1 (en) * | 1997-08-28 | 2001-08-14 | Microsoft Corporation | Security enhancement for untrusted executable code |
US5983348A (en) * | 1997-09-10 | 1999-11-09 | Trend Micro Incorporated | Computer network malicious code scanner |
US6289455B1 (en) * | 1999-09-02 | 2001-09-11 | Cryptography Research, Inc. | Method and apparatus for preventing piracy of digital content |
US6785818B1 (en) * | 2000-01-14 | 2004-08-31 | Symantec Corporation | Thwarting malicious registry mapping modifications and map-loaded module masquerade attacks |
JP2002050181A (ja) * | 2000-02-07 | 2002-02-15 | Toshiba Corp | Semiconductor memory device |
US6775780B1 (en) * | 2000-03-16 | 2004-08-10 | Networks Associates Technology, Inc. | Detecting malicious software by analyzing patterns of system calls generated during emulation |
US6907396B1 (en) * | 2000-06-01 | 2005-06-14 | Networks Associates Technology, Inc. | Detecting computer viruses or malicious software by patching instructions into an emulator |
GB2364404B (en) * | 2000-07-01 | 2002-10-02 | Marconi Comm Ltd | Method of detecting malicious code |
US7210040B2 (en) * | 2000-07-14 | 2007-04-24 | Computer Associates Think, Inc. | Detection of suspicious privileged access to restricted computer resources |
US7636945B2 (en) * | 2000-07-14 | 2009-12-22 | Computer Associates Think, Inc. | Detection of polymorphic script language viruses by data driven lexical analysis |
US7069589B2 (en) * | 2000-07-14 | 2006-06-27 | Computer Associates Think, Inc. | Detection of a class of viral code |
US7093239B1 (en) * | 2000-07-14 | 2006-08-15 | Internet Security Systems, Inc. | Computer immune system and method for detecting unwanted code in a computer system |
US8341743B2 (en) * | 2000-07-14 | 2012-12-25 | Ca, Inc. | Detection of viral code using emulation of operating system functions |
US7146305B2 (en) * | 2000-10-24 | 2006-12-05 | Vcis, Inc. | Analytical virtual machine |
US20020178375A1 (en) * | 2001-01-31 | 2002-11-28 | Harris Corporation | Method and system for protecting against malicious mobile code |
US7043634B2 (en) * | 2001-05-15 | 2006-05-09 | Mcafee, Inc. | Detecting malicious alteration of stored computer files |
US7487544B2 (en) * | 2001-07-30 | 2009-02-03 | The Trustees Of Columbia University In The City Of New York | System and methods for detection of new malicious executables |
US7512809B2 (en) * | 2003-08-22 | 2009-03-31 | Cyrus Peikari | Attenuated computer virus vaccine |
US8627458B2 (en) * | 2004-01-13 | 2014-01-07 | Mcafee, Inc. | Detecting malicious computer program activity using external program calls with dynamic rule sets |
US7383583B2 (en) * | 2004-03-05 | 2008-06-03 | Microsoft Corporation | Static and run-time anti-disassembly and anti-debugging |
2003
- 2003-03-14 KR KR10-2003-0016208A patent/KR100509650B1/ko active IP Right Grant
- 2003-12-15 US US10/735,985 patent/US20040205411A1/en not_active Abandoned
Also Published As
Publication number | Publication date |
---|---|
KR20040080845A (ko) | 2004-09-20 |
US20040205411A1 (en) | 2004-10-14 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
KR100509650B1 (ko) | | Method of detecting malicious scripts using code insertion technique |
Galal et al. | | Behavior-based features model for malware detection |
Chernis et al. | | Machine learning methods for software vulnerability detection |
Shu et al. | | Threat intelligence computing |
JP4711949B2 (ja) | | Method and system for detecting malware in macros and executable scripts |
US20040181677A1 (en) | | Method for detecting malicious scripts using static analysis |
JP5042315B2 (ja) | | Detection of security vulnerabilities in source code |
US7707634B2 (en) | | System and method for detecting malware in executable scripts according to its functionality |
Thomas et al. | | Using automated fix generation to secure SQL statements |
US20180107821A1 (en) | | Code instrumentation for runtime application self-protection |
CN110225029B (zh) | | Injection attack detection method, apparatus, server and storage medium |
Meawad et al. | | Eval begone! semi-automated removal of eval from JavaScript programs |
Liang et al. | | A behavior-based malware variant classification technique |
CN114077741B (zh) | | Software supply chain security detection method and apparatus, electronic device and storage medium |
Alzarooni | | Malware variant detection |
US9600644B2 (en) | | Method, a computer program and apparatus for analyzing symbols in a computer |
Klein et al. | | Hand sanitizers in the wild: A large-scale study of custom javascript sanitizer functions |
Zhu et al. | | Detecting privilege escalation attacks through instrumenting web application source code |
Chai et al. | | Invoke-deobfuscation: AST-based and semantics-preserving deobfuscation for PowerShell scripts |
JP2007109016A (ja) | | Access policy generation system, access policy generation method and access policy generation program |
Jordan et al. | | Safe-pdf: Robust detection of javascript pdf malware using abstract interpretation |
RU2662391C1 (ru) | | System and method for checking web resources for malicious insertions |
Jordan et al. | | Unacceptable behavior: Robust pdf malware detection using abstract interpretation |
Dornhackl et al. | | Defining malicious behavior |
Luh et al. | | Advanced threat intelligence: detection and classification of anomalous behavior in system processes |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| A201 | Request for examination | |
| E902 | Notification of reason for refusal | |
| E701 | Decision to grant or registration of patent right | |
| GRNT | Written decision to grant | |
| FPAY | Annual fee payment | Payment date: 20130131; Year of fee payment: 8 |
| FPAY | Annual fee payment | Payment date: 20130816; Year of fee payment: 9 |
| FPAY | Annual fee payment | Payment date: 20140818; Year of fee payment: 10 |
| FPAY | Annual fee payment | Payment date: 20150817; Year of fee payment: 11 |
| FPAY | Annual fee payment | Payment date: 20160816; Year of fee payment: 12 |
| FPAY | Annual fee payment | Payment date: 20170816; Year of fee payment: 13 |
| FPAY | Annual fee payment | Payment date: 20180816; Year of fee payment: 14 |