KR101421136B1 - Method and apparatus for modeling computer program behavior for behavioral detection of malicious program - Google Patents

Abstract

The present invention relates to a method and an apparatus for modeling a behavior of a computer program executed in a computer system, and more particularly, to a program for inspecting a malicious program to determine whether or not the specific computer program is a malicious program And to a method and apparatus for modeling the behavior of a particular computer program.

According to the present invention there is provided a method of modeling a behavior of a computer program executed in a computer system, the computer program comprising the steps of: collecting system usage information using resources of the computer system; Extracting behavioral features of the computer program, and encoding the extracted behavioral features to generate behavioral feature vectors.

According to the present invention, a program for examining a malicious program can model the behavior of a specific computer program so as to determine whether or not a specific computer program is a malicious program.

Malicious code, malware, behavior modeling, behavior vector

Description

TECHNICAL FIELD The present invention relates to a method and an apparatus for modeling a behavior of a computer program for inspecting a malicious program,

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a method and an apparatus for modeling a behavior of a computer program executed in a computer system. More particularly, the present invention relates to a method and apparatus for modeling a behavior of a computer program, And a method and an apparatus for modeling the same.

According to the conventional malicious program monitoring technology, a sample of a malicious program that has already been generated is collected to extract a certain string that is a characteristic of the malicious program, and whether or not the malicious program is infected with the malicious program .

Accordingly, when a new malicious program is generated, a program has been developed to identify the new malicious program and to extract a characteristic string to monitor the malicious program corresponding to the malicious program. Therefore, before the information on the malicious program is added to the existing monitoring program, the new malicious program can not be prepared and the new malicious program can not be prevented from being damaged. As the type of the malicious program increases, the type of the character string that characterizes the malicious program also increases proportionally. Therefore, the program that monitors the malicious program has to increase the time required to check whether the character string of the malicious program exists or not.

If a mobile device such as a mobile phone or a PDA receiving power by using a battery or the like extracts a character string from a specific program and determines whether or not the character string is the same as a characteristic character string of a malicious program, There is a problem in that the operation time of the mobile terminal is reduced.

In addition, according to the conventional technology, when a vulnerability of a computer is disclosed due to an attack by a hacker, a program maker can only use a patch program that fixes the vulnerability to prevent an attack by a hacker, There was no obvious solution to the other attacks using numerous vulnerabilities.

Most malicious programs are not new programs that are completely different from existing malicious programs, but are a variant of existing malicious programs. However, in order to examine variant malicious programs, it is necessary to use a new string extracted from a malicious malicious program instead of a string extracted from a conventional malicious program.

The present invention models the behavior of a specific computer program executed in a computer system so that the behavior of the computer program can be modeled so that the computer program can determine whether or not the program is malicious through the behavior of the computer program.

The present invention allows a program for examining a malicious program to model the behavior of a specific computer program so that a program for inspecting a malicious program can determine whether the specific computer program is a malicious program.

The present invention aims at modeling behavioral features of normal programs and malicious programs so that a program for inspecting malicious programs can be trained.

According to an aspect of the present invention, there is provided a method of modeling a behavior of a computer program executed in a computer system, the method comprising: Extracting a behavioral feature of the computer program from the collected system usage information, and encoding the extracted behavioral feature to generate a behavioral feature vector. do.

According to an aspect of the present invention, there is provided an apparatus for modeling a behavior of a computer program executed in a computer system, the computer program comprising a collection unit for collecting system usage information using resources of the computer system, An extraction unit extracting behavioral characteristics of the computer program from usage information, and an encoding unit encoding the extracted behavioral feature to generate a behavioral feature vector.

According to the present invention, the behavior of a specific computer program executed in a computer system may be modeled to determine the characteristics of the particular computer program in another program.

According to the present invention, a program for examining a malicious program by modeling a behavior of a specific computer program can determine whether the specific computer program is a malicious program.

According to the present invention, behavioral features of normal programs and malicious programs can be modeled, respectively, so that a program for inspecting malicious programs can be trained.

Hereinafter, embodiments of the present invention will be described in detail with reference to the accompanying drawings.

The computer system described in the present invention can be interpreted as including a PC, a mobile phone, and various digital electronic devices, including all the devices having a processor and a memory and executing a program to perform a task.

FIG. 1 is a flowchart showing a stepwise method of inspecting a malicious program using a behavioral feature vector of a computer program according to the present invention. Hereinafter, a method for inspecting a malicious program using the behavior of a computer program modeled according to the present invention will be described in detail with reference to FIG.

The malicious code described in the present invention refers to a program having all malicious intentions intended by the manufacturer to intentionally harm the user and a program of all executable forms operating on a computer system such as a macro or a script .

In step S110, the behavior of the computer program is modeled to generate a behavior feature vector. In step S110, the behavioral feature vector may be generated for both the malicious program and the normal program by modeling the behavior of the normal program as well as the malicious program.

In step S120, a program for inspecting a malicious program is trained so that the malicious program and the normal program can be distinguished from each other using the behavior feature vector generated in step S110. According to an embodiment of the present invention, a program for examining a malicious program calculates a value greater than a threshold value for a behavior feature vector modeling behavior of a normal program, and for a behavior feature vector modeling behavior of a malicious program, Can be trained to calculate the value.

In step S130, a behavior feature vector generated from a specific computer program and a program for inspecting malicious programs trained in step S120 are used to determine whether each computer program executed in the computer system is a malicious program or a normal program Inspect.

If the specific computer program is a normal program, the program for examining the malicious program computes a value of the behavioral feature vector of the specific computer program above a threshold value. If the specific computer program is a malicious program, A value less than the threshold value can be calculated with respect to the behavior characteristic vector of the program.

Most malicious programs are not entirely new malicious programs. It is merely a variant malicious program that has been modified by modifying some existing malicious programs. Therefore, the behavior of a new malicious program, which can not be judged as a malicious program, is similar to that of an existing malicious program.

Most of the malicious programs are similar in behavior, such as invading user's computer system and deleting user's data or deleting system files.

Therefore, if the behavior of a specific program determines whether a specific program is a normal program or a malicious program, it can be judged whether or not the malicious program is more accurate than the existing string comparison method. It is also possible to judge whether or not a malicious program is a malicious program which has not been known until now.

Unlike the prior art, there is no need to analyze information on a new malicious program, thereby reducing the damage occurring in analyzing a new malicious program.

FIG. 2 is a flowchart showing steps of a behavior modeling method of a computer program according to the present invention. Hereinafter, a behavior modeling method of a computer program according to the present invention will be described in detail with reference to FIG.

In step S210, a specific computer program executed in a specific computer system collects system usage information using resources of the computer system.

In order for a computer program to run on a computer system, it must access the computer system's resources, such as accessing the computer system's memory and reading data, or writing data to a particular file. A computer system provides an interface function that allows a computer program to access a specific resource of a computer system. A computer program can call an interface function to access a specific resource of a computer system to perform the required operation.

To destroy a user's data or system files, a malicious program must gain access to files or system files that store user data. To infect other devices, I / O devices should be accessed. Thus, system usage information, in which a computer program accesses a specific resource of the computer system, can be used to describe the behavior of the computer program.

According to an embodiment of the present invention, in step S210, the interface function provided by the computer system may be collected as the system usage information from the information called by the specific program.

The computer program may not only utilize the interface functions provided by the computer system, but may also perform operations based on events provided by the computer system.

When a computer program performs a specific operation at a certain time, the computer system generates a time event at the time, and the computer program performs a specific operation based on the time event. Also, input from a user or data transfer from another computer system is transferred from the computer system to the computer program in the form of special events.

The computer system generates an event corresponding to the input when the particular input occurs from the user, and the computer program causes the computer to perform the steps of: Thereby performing a specific operation.

Each of the computer programs can confirm whether or not the event associated with each computer program has issued and perform a specific operation according to the confirmation result.

Thus, a computer program performing operations based on event occurrence information of a computer system associated with the computer program can be used to describe the behavior of the computer program.

According to an embodiment of the present invention, in step S210, event occurrence information associated with the computer program may be collected as system usage information.

In step S220, a behavior characteristic of the computer program is extracted from the system usage information collected in step S210.

Each of the operations performed by the specific computer program is insufficient to determine whether the specific program is a normal program or a malicious program only by the respective operations.

For example, the computer program can periodically check whether or not a specific event has occurred in the computer system. By this checking operation, the computer program can not determine whether it is a normal program or a malicious program.

According to one embodiment of the present invention, in step S210, a computer program collects a plurality of pieces of information using a computer system over a plurality of different time periods, and in step S220, information on individual behaviors, The behavior characteristic of the computer program can be extracted based on the temporal relationship between the collected plurality of behaviors and operation information.

For example, when a specific computer program receives specific information from the outside or copies a specific file to a directory in which system files of the computer system are stored, only the respective operations of copying the files determine whether the specific computer program is a normal program or a malicious program It is insufficient to judge whether or not. However, if a specific computer program receives data from the outside of the computer system and then copies the file to the directory where the system files of the computer system are stored and periodically sends the copied file to the external device, Malicious programs can be suspicious.

According to an embodiment of the present invention, in step S220, the temporal order among the plurality of collected system use information can be extracted as a behavior characteristic of the computer program.

According to an embodiment of the present invention, in operation S220, a plurality of operation functions for the computer program may be generated based on the correlation between the plurality of collected system usage information.

The computer program calls the interface function provided by the computer system to perform the operation intended by the computer program. However, if the behavioral feature of the computer program is extracted for each interface function, the process becomes too complicated.

According to one embodiment of the present invention, in step S220, a plurality of operation functions for a computer program are generated based on the correlation between a plurality of system usage information related to each other, and the behavior characteristics of the computer program Can be extracted.

The operation function consists of at least one or more system usage information associated with each other.

For example, in order for a computer program to transfer data to another computer system using a wireless communication device installed in the computer system, the computer program checks whether the wireless communication device is installed or not being used by another computer program . If it is not used by another computer program, it obtains the access right to the wireless communication device, transfers the data to the wireless communication device, and returns the access right to the wireless communication device to the computer system after the data transmission is completed do.

If the behavior characteristics of a computer program are extracted in units of the respective interface functions for performing each of these operations, the process is so complex that the related system use information is configured as an operation function, The extraction process becomes relatively simple.

According to an embodiment of the present invention, a series of interface functions for confirming whether or not a wireless communication device is installed, acquiring an access right and transmitting data, and returning the access right to the computer system is configured as one operation function .

According to an embodiment of the present invention, in step S2220, a temporal posterior relationship of a plurality of operation functions can be extracted by the behavior feature.

Since each operation function called by the computer program is not sufficient to determine whether the computer program is a malicious program or a normal program, the behavioral characteristics of a specific computer program are extracted using the relationship between the plurality of operation functions.

According to an embodiment of the present invention, in step S220, a computer system is infected with a malicious program, a symptom of a malicious program is displayed, and another computer system is infected with the malicious program. The temporal posterior relationship can be extracted for the selected action function with the action feature.

According to an embodiment of the present invention, in step S220, the occurrence frequency of the generated operation function can be extracted as a behavior feature of the computer program.

According to an embodiment of the present invention, in step S220, a computer system is infected with each malicious program, a symptom of the malicious program is detected, and another computer system is infected. The occurrence frequency of each operation function can be extracted as an action feature.

Each malicious program may invoke a particular action function multiple times, or not at all, of all the action functions that the computer system provides during a lifetime. Thus, how many times a particular computer program calls a particular motion function during a life cycle can be a behavioral feature of a particular computer program.

In step S230, a behavior feature vector extracted in step S2220 is encoded to generate a behavior feature vector.

The behavior characteristic extracted in step S220 may be a form that is not a form that can be easily processed using a computer program but a flowchart showing a temporal relationship between respective operation functions. According to an embodiment of the present invention, in step S230, a behavior feature vector stored in the form of a number can be generated so that the extracted behavior feature can be processed by a computer program.

Behavioral feature vectors are modeled in a form that can be processed by a computer. In order to determine whether a computer program is a normal program or a malicious program using behavioral feature vectors, behavioral feature vectors that model behaviors of computer programs with similar behavioral characteristics may be similar to each other.

Behavioral characteristics of known malicious programs and behaviors of computer programs behaving similar to malicious programs are similar, and behavioral feature vectors of malicious programs and behavioral vectors of computer programs behaving similar to malicious programs may be similar . A program that tests malicious programs can determine a malicious program as a computer program that has behavioral feature vectors similar to behavioral feature vectors of malicious programs.

That is, if the first computer program and the second computer program have similar behavior to each other, the first behavioral characteristic of the first computer program and the second behavioral characteristic of the second computer program may be similar to each other. The first behavior feature vector and the second behavior feature vector generated by encoding the first behavior feature and the second behavior feature similar to each other may be similar to each other.

According to an embodiment of the present invention, the distance between the behavior feature vectors each encoding the similar behavior feature may be encoded so as to be in inverse proportion to the similarity between the behavior features. Where the distance between the two behavioral feature vectors can be the Euclidean distance. The Euclidean distance between the two behavior feature vectors x and y is determined by the following equation (1).

[Equation 1]

는 행동 특징 벡터 x의 i번째 원소,

는 행동 특징 벡터 y의 i번째 원소를 나타낸다.N is the length of the two behavior feature vectors x, y,

Is the i-th element of the behavior feature vector x,

Represents the i-th element of the behavior feature vector y.

이고, 행동 특징 벡터 y가

이라면, 두 행동 특징 벡터 x, y사이의 유클리디안 거리 z는

가 된다.If the behavioral feature vector x is

, And the behavior feature vector y is

, Then the Euclidean distance z between the two behavior feature vectors x, y is

.

If the distance between two behavior feature vectors is to be encoded small, the values of a and d, b and e, c and f must be encoded similarly. If the values of a and d, b and e, c and f are similar, then the two behavioral feature vectors are similar.

FIG. 3 is a diagram showing a file system structure of a Symbian operating system, which is an attack target of a Commwarrior Worm Virus, which is one of malicious programs. The file system structure of the Symbian operating system will be described in detail with reference to FIG.

The Symbian operating system is a mobile computer operating system developed by a consortium of Nokia, Sony Ericsson, Siemens and other European mobile telecom equipment makers since 1998 to avoid dependence on Microsoft's computer application system.

Symbian is a 32-bit multitasking operating system with real-time processing. It supports 2nd and 3rd generation mobile communication networks and supports multimedia messaging system (MMS), IPv6, Java (Java).

The Symbian operating system stores a file related to the operating system in the system directory 310 and its subdirectories 320, 330, 340, 350, 360.

The application directory 320 is a subdirectory of the system directory 310, and various application programs running in the Symbian operating system are installed. A malicious program that attacks a device installed with the Symbian operating system may store the program file in the application directory 320, destroy the user's data, or attack the system file.

The automatic execution directory 330 is a subdirectory of the system directory 310 and stores files that are automatically executed every time a device installed with the Symbian operating system is rebooted.

The library directory 340 stores the interface functions required for each application program to be executed in the form of a library file.

The installation directory 350 is a directory in which files installed in addition to the Symbian operating system are stored. The executable file extracted from the installation file stored in the installation directory 350 is stored in the application directory 320

The user may store the installation file of the application program in the installation directory 350 in order to install the specific application program or the installation file may be stored in the installation directory 350 in order to copy the malicious program itself. Therefore, simply copying a specific file to the installation directory is not sufficient to determine whether the computer program is malicious or normal.

Even if a computer program attempts to transfer a file stored in the installation directory 350 to another computer system, it is insufficient to judge whether the computer program is a malicious program or a normal program by simply attempting transmission.

However, if a computer program copies an installation file received from outside the computer system to the installation directory 350 and attempts to transfer the copied file to another computer system, the computer program may be determined to be a malicious program.

FIG. 4 is a diagram showing behavioral characteristics of the Com Warrior worm virus, which is one of malicious programs extracted according to an embodiment of the present invention. Hereinafter, the behavioral characteristics of the Com Warrior worm virus will be described in detail with reference to FIG.

In FIG behavior characteristics of Com Warrior worm it is illustrated using a plurality of operating functions.

In step S410, an operation function 'ReceiveFile (f, mode, type)' is executed. 'ReceiveFile' function the device is installed, the Symbian operating system to receive a setup file for Com Warrior worm from the other device. 'F', the argument of the 'ReceiveFile' function, is the name of the file received by the action function, and 'mode' indicates how the action function receives the file. As an example of a wireless communication method, 'mode' is when the 'Bluetooth', the device is Symbian operating system is installed by using a Bluetooth module provided in the apparatus to receive a setup file for Com Warrior worm, 'mode' is 'MMS' in the case of using the multi-media messaging service (multimedia messaging service) receives a setup file for Com Warrior worm. 'type' is a factor which indicates the type of file it is receiving, the operation function 'ReceiveFile' is the 'SIS' it received the setup file of the Com Warrior worm, file type, file type is installed in the Symbian operating system.

In step S420, the operation function 'InstallApp (f, file, dir)' is executed. InstallApp function to install the install file of the Com Warrior worm received in the step (S410) in a specific directory. 'F' of the factor 'InstallApp' function is a setup file of the Com Warrior worm, 'file' is an executable file of Com Warrior worm extracted from the installation file. Factor 'dir' are the Com Warrior worm as a directory virus of the executable file is being copied, Com Warrior worm For viruses, the Symbian operating system directory 310 or a factor that sub-directory (320, 330, 340, 350) .

In step S430, the operation function 'LaunchProcess (p, parent)' is executed. The 'LaunchProcess' function executes a specific application. For Com Warrior worm as an application that runs factor 'p' is, the execution file of the Com Warrior worm becomes a factor. Factor 'parent' is a as another application for executing a particular application, Com Warrior worm For viruses, the Symbian operating system, the installer program (Symbian Installer) factor.

In step S440, an operation function 'MakeSIS (f, files)' is executed. The 'MakeSIS' function creates the installation file again from the executable file. The argument 'f' is the installation file generated from the executable, and the argument 'files' is the executable.

In step S450, an operation function 'SetDevice (action)' is executed. The 'SetDevice' function performs a specific action indicated by the ComWor worm virus. The actions indicated by the ComWor worm virus are passed to the SetDevice function using the 'action' argument.

In step S460, an operation function 'BTFindDevice (d)' function is executed. The BTFindDevice function checks whether or not a Bluetooth transmission device exists in a device in which the Symbian operating system is installed. The Com Warrior worm virus transmits the identifier of the Bluetooth transmission device to the BTFindDevice function using the argument 'd'.

In step S470, the function OBEXSendFile (f, d) 'is executed. The OBEXSendFile function transfers data to the outside. The ComWorr worm virus transfers the name of the file to be transferred to the external function to the operation function OBEXSendFile using the argument 'f' and transfers the identifier of the transmission apparatus to which the file is to be transferred to the operation function OBEXSendFile using the argument 'd'.

The Com Warrior worm virus transmits the installation file generated in step S440 to the outside using the argument 'f'.

The ComWorrier worm virus can transmit the installation file of the ComWor worm virus to another device using the operation function OBEXSendFile and infect the device receiving the file.

In step S480, an operation function 'MMSFindAddress (a)' is executed. The MMSFindAddress function finds an arbitrary phone number in the list of phone numbers stored in the device where the Symbian OS is installed and sends it to the ComWor worm virus.

In step S490, the operation function MMSSendMessage (f, a) is executed. The MMSSendMessage function transmits the file using the MMS service to another device having a specific telephone number. The ComWorrier worm virus uses the argument 'a' to pass a specific phone number to the MMSSendMessage function, and the name of the file to be transferred to the external device using the argument 'f' is transferred to the MMSSendMessage function.

The ComWorrier worm virus can infect the device with the ComWorrier worm virus by transmitting the installation file of the ComWor worm virus to the device corresponding to the telephone number acquired in step S480 using the MMSSendMessage function.

Since the behavior characteristic of the specific function includes the temporal relationship between the plurality of operation functions, it is generally expressed in the form of a figure as shown in Fig. However, the program for examining a malicious program can not recognize the behavior characteristic of the drawing form as shown in FIG.

Thus, according to an embodiment of the present invention, the behavioral features of the drawing as shown in FIG. 4 can be encoded in the form of a string or numerical array so that a computer program can process the behavioral feature vector.

FIG. 5 is a diagram illustrating a structure of a behavior feature vector storing an occurrence frequency of an operation function according to an embodiment of the present invention. Hereinafter, the structure of the behavior feature vector will be described in detail with reference to FIG.

If an action function as a basic unit for extracting a behavior characteristic of a computer program is changed every time a behavior characteristic of each computer program is extracted, it is meaningless to distinguish the malicious program from the normal program according to the extracted behavior characteristic. Therefore, the operation function as a basic unit for extracting behavioral features should be independent of each computer program.

If all of the interface functions provided by the computer system have mutually related functions as the motion functions, the motion functions can be configured independently of the respective computer programs.

If all of the interface functions provided by the computer system are configured as an operation function, the total number of operation functions is determined differently depending on the computer system. A specific computer program performs an operation using only some of the operation functions among the entire operation functions. Depending on the computer program, a specific operation function may be used several times, a specific operation function may not be used, or only one operation may be performed.

According to an embodiment of the present invention, a behavior feature vector generated by encoding a behavior feature includes a plurality of elements each corresponding to the plurality of operation functions, and each of the elements may store the occurrence frequency of the operation function .

According to an embodiment of the present invention, all the operation functions provided by the computer system can be arranged according to a predetermined criterion. Assuming that the computer system provides N operation functions, each operation function can be given an identifier from '1' to 'N'.

According to an embodiment of the present invention, N elements are all required to describe all the occurrence frequencies of the N operation functions provided to the computer system.

An element 510 corresponding to a first operation function among a plurality of elements 510, 520, 530, 540, 550, and 560 of the behavior feature vector 500 is generated according to an embodiment of the present invention, And the element 520 corresponding to the second operation function may store the occurrence frequency of the second operation function. In the same way, an element corresponding to the Nth operation function can store the occurrence frequency of the Nth operation function.

In the embodiment of FIG. 5, the computer program does not call the first operation function and the third operation function among the operation functions provided by the computer system (510, 530). The second operation function and the sixth operation function are called once (520, 560), and the fourth operation function is called three times (540). The fifth action function is called twice (550).

According to an embodiment of the present invention, the elements of the behavior feature vector storing the occurrence frequency of each operation function may be disposed adjacent to each other within the behavior feature vector, but may be disposed at positions not adjacent to each other.

According to an embodiment of the present invention, the elements of the behavior feature vector storing the occurrence frequencies of the respective operation functions may be N elements at the beginning of the behavior feature vector, or may be N elements at the end.

6 is a diagram showing a structure of a behavior feature vector storing a temporal posterior relationship between operation functions according to an embodiment of the present invention. Hereinafter, the structure of the behavior feature vector will be described in detail with reference to FIG.

In order to model the behavior of a particular computer program, it is important how many times the computer program calls the motion function, but the subsequent relationship between the called motion functions is also important.

According to an embodiment of the present invention, a behavior feature vector generated by encoding a behavior characteristic of a computer program includes a plurality of elements corresponding to combinations of any two of the plurality of operation functions, The element may store the temporal relationship between the two operating functions.

FIG. 6A is a diagram illustrating a process in which a specific computer program performs an operation by sequentially calling an operation function provided by the computer system.

The computer program has a first operating function 641, a third operating function 642, a fourth operating function 643, a second operating function 644, a sixth operating function 645 and a fifth operating function 646 ) Are sequentially called to perform the operation.

6 (a), when the computer program calls the respective operation functions in a predetermined order, even if only the call order between the operation functions that are called temporally adjacent to each other is encoded, the characteristics of the computer program are sufficiently described . However, in the case where the operation function to be called by the computer program changes depending on the value of a specific variable during the execution of the computer program, or the order of calling is changed, the calling order between each operation function and all other operation functions must be encoded, Describe the behavioral characteristics of the program.

6B is a diagram illustrating a plurality of elements 612, 613, 614, 615, 616, 623, 624, 625, 626, 634, 635, 636 of the behavior feature vector 600 according to an embodiment of the present invention. In which the temporal relationship between the two operation functions is stored in an element corresponding to a combination of two operation functions.

According to an embodiment of the present invention, among elements of the operation feature vector 600, an element 612 corresponding to a combination of a first operation function and a second operation function may have a temporal posterior relationship between a first operation function and a second operation function Can be stored.

According to an embodiment of the present invention, each element that stores temporal posterior relation between operation functions by associating temporal posterior relation with '0' and '1' may have a binarized value.

According to an embodiment of the present invention, when a specific operation function is called before another operation function, '1' is stored in an element corresponding to the combination of the functions, and '0' .

6A, the computer program first calls the first operation function before the second operation function, so that '1' is stored in the element 612 corresponding to the combination of the first operation function and the second operation function . Since the first operation function is called first, an element 613 for storing the temporal relation between the first operation function and the third operation function, an element 614 for storing the temporal relation between the first operation function and the fourth operation function ), An element 615 for storing the temporal relation between the first operation function and the fifth operation function, and an element 616 for storing the temporal relation between the first operation function and the sixth operation function are '1' It can be saved.

Since the second operation function is called later than the third operation function and the fourth operation function, according to an embodiment of the present invention, an element 623 for storing the temporal posterior relation between the second operation function and the third operation function, '0' may be stored in the element 624 storing the temporal relation between the operation function and the third operation function.

Since the second operation function is called before the fifth operation function and the sixth operation function, according to an embodiment of the present invention, an element 625 for storing the temporal relation between the second operation function and the fifth operation function, '1' may be stored in the element 626 storing the temporal relation between the operation function and the sixth operation function.

According to one embodiment of the present invention, the temporal correlation between the first and second operating functions may not be stored again since they have already been stored in the corresponding element 612.

In the same way, the temporal correlation between the third operating function and the fourth operating function, the fifth operating function and the sixth operating function can be stored in corresponding elements 634, 635 and 636.

According to an embodiment of the present invention, if all the operation functions provided by the computer system are N, N-1 elements are all required to describe the temporal relation between the first operation function and the other operation function. In addition, N-2 elements are all required to describe the temporal relationship between the other operation functions except for the first operation function and the second operation function. All N-3 elements are required to describe the temporal relationship between the other operation function and the third operation function except for the first operation function and the second operation function. Therefore, N (N-1) / 2 elements are required to describe both temporal and posterior relations between the N operational functions provided by the computer system in the behavioral feature vector.

Figure 7 illustrates a data frame structure for storing behavioral feature vectors, in accordance with one embodiment of the present invention.

As shown in FIG. 7, the behavior feature vector may include a frequency storage area 710 and a posterior system storage area 720. Hereinafter, the structure of the behavior feature vector will be described in detail with reference to FIG.

The behavioral characteristics of a particular computer program may include not only the occurrence frequency at which each motion function is called and executed but also the temporal posterior relationship between the respective motion functions.

Therefore, in order to accurately describe the behavior of a specific computer program, the behavioral feature vector should describe not only the frequency of occurrence of the motion function but also the temporal posterior relationship between the respective motion functions.

According to one embodiment of the present invention, the behavior feature vector 700 may include a frequency storage area 710 that stores the frequency of occurrence of the motion function that the computer program calls.

According to one embodiment of the present invention, the behavior feature vector 700 may include a posterior relationship storage area 720 that stores temporal posterior relations between the operation functions that the computer program calls.

According to an embodiment of the present invention, when the number of operation functions provided by the computer system is N, N elements are required for the behavior feature vector to store the occurrence frequency of the operation function, N (N-1) / 2 elements are needed to describe all the posterior relations. Therefore, in order to describe both the frequency of occurrence of the action function and the temporal posterior relationship, an action feature vector requires N (N + 1) / 2 elements.

Although FIG. 7 shows an embodiment in which the frequency storage area 710 is included at the beginning of the behavior feature vector 700 and the posterior relationship storage area 720 is stored after the frequency storage area 710, According to the embodiment, the positions of the frequency storage area 710 and the posterior relation storage area 720 can be changed.

7, the frequency storage area 710 and the posterior relation storage area 720 are continuously arranged in the behavior feature vector 700. However, according to another embodiment of the present invention, And the posterior relationship storage region 720 may be disposed discontinuously.

8 is a block diagram illustrating the structure of an apparatus for modeling the behavior of a computer program, in accordance with one embodiment of the present invention. Hereinafter, the structure of an apparatus for modeling the behavior of a computer program will be described in detail with reference to FIG.

The modeling apparatus 800 according to the present invention includes a collecting unit 810, an extracting unit 820, and an encoding unit 830.

The collecting unit 810 collects system usage information in which a computer program executed in the computer system uses resources of the computer system.

A computer program runs on a computer system and requires access to resources such as memory, files, etc. on the computer system to perform the task. A computer system provides an interface function for a computer program to access various resources on the computer system, and a computer program accesses and operates on resources of the computer system through an interface function.

According to an embodiment of the present invention, the system use information may be information called by an interface function provided by the computer system.

The computer program can perform operations based on events provided by the computer system. Inputs from the user, data transfer from other computer systems, etc., are transferred from the computer system to the computer program in the form of special events.

Each of the computer programs can confirm whether or not the event associated with each computer program has issued and perform a specific operation according to the confirmation result.

According to an embodiment of the present invention, the system usage information may be event occurrence information of the computer system associated with the computer program.

The extracting unit 820 extracts behavioral characteristics of the computer program from the computer system usage information collected by the collecting unit 810.

In order to model the behavior of the computer program, each system usage information collected by the collection unit 810 is insufficient.

For example, a computer program can not determine whether a computer program is a normal program or a malicious program by merely copying a file to a directory where system files of the computer system are stored. Malicious programs can also copy programs to manipulate computer systems in the directory where system files are stored, but normal programs can also copy files to the directory where the system files of computer systems are stored to improve the performance of the computer system. It is because.

However, if a specific computer program receives data from the outside of the computer system and then copies the file to the directory where the system file of the computer system is stored and periodically copies the copied file to the external device, A computer program can be suspicious.

Therefore, not only the system usage information but also the temporal relationship between each system usage information and each system usage information should be extracted as a behavior characteristic of the computer program.

According to an embodiment of the present invention, the collecting unit 810 collects a plurality of system use information over a plurality of different time periods, and the extracting unit 820 extracts a plurality of system use information The behavioral characteristics of the computer program can be extracted.

According to an embodiment of the present invention, the extraction unit 820 may generate a plurality of operation functions for the computer program based on the correlation between the collected plurality of system usage information.

The computer program calls the interface function provided by the computer system to perform the task intended by the computer program, but it is not appropriate to extract the behavioral characteristic of the computer program by each interface function.

For example, in order for a computer program to transfer data to another computer system using a wireless communication device installed in the computer system, the computer program checks whether the wireless communication device is installed or not being used by another computer program . Further, the access right to the wireless communication device is acquired, the data is transmitted to the wireless communication device, and the access right to the wireless communication device is returned to the computer system after the data transmission is completed.

If the behavior characteristics of a computer program are extracted in units of the respective interface functions for performing each of these operations, the process is so complex that the related system use information is configured as an operation function, The extraction process becomes relatively simple.

If an action function as a basic unit for extracting a behavior characteristic of a computer program is changed every time a behavior characteristic of each computer program is extracted, it is meaningless to distinguish the malicious program from the normal program according to the extracted behavior characteristic. Therefore, the operation function as a basic unit for extracting behavioral features should be independent of each computer program.

If all of the interface functions provided by the computer system have mutually related functions as the motion functions, the motion functions can be configured independently of the respective computer programs.

According to an embodiment of the present invention, the extracting unit 820 can generate a plurality of operation functions for the computer program based on the correlation between the plurality of system usage information collected by the collecting unit 810.

Each malicious program may invoke a particular action function multiple times, or not at all, of all the action functions that the computer system provides during a lifetime. Thus, how many times a particular action function is called can be a behavioral feature of a particular computer program.

According to an embodiment of the present invention, the extraction unit 820 may extract the occurrence frequency of each operation function generated as a behavior feature of the computer program.

According to an embodiment of the present invention, the extracting unit 820 may extract the temporal relation of the plurality of operation functions with the behavior feature.

The encoding unit 830 encodes a behavior feature extracted by the extracting unit 820 to generate a behavior feature vector.

Since the behavior characteristic extracted by the extracting unit 820 is not a form that can be easily processed using a computer program, the encoding unit 830 may be configured to process the behavior characteristic extracted by the extracting unit 820 in a computer program And generates a behavior feature vector.

Since behavioral feature vectors describe the characteristics of a computer program as a behavior of a computer program, the behavioral feature vectors of similar computer programs that behave similarly should be similar to each other.

According to an embodiment of the present invention, if the behavior characteristics of the first computer program and the second computer program are similar to each other, the first system usage information corresponding to the first computer program collected by the collection unit 810, The second system usage information corresponding to the program may be similar to each other.

According to an embodiment of the present invention, if the first system use information and the second system use information are similar to each other, a first behavior characteristic corresponding to the first system use information extracted by the extraction unit 820, May be similar to each other.

According to an embodiment of the present invention, if the first behavior feature and the second behavior feature are similar to each other, the first behavior feature vector corresponding to the first behavior feature encoded by the encoding unit 830 and the second behavior feature corresponding to the second behavior feature May be similar to each other.

According to an embodiment of the present invention, the encoding unit 830 may be configured such that the similarity between the first behavior feature and the second behavior feature corresponds to a first behavior feature vector corresponding to the first behavior feature and a second behavior feature corresponding to the second behavior feature The first behavior feature vector and the second behavior feature vector may be encoded so as to be inversely proportional to the distance between the vectors. The two behavioral feature vectors are similar because the distance between two behavioral feature vectors that encode two similar behavioral features is close.

According to an embodiment of the present invention, the extracting unit 820 can extract the occurrence frequency of each operation function as a behavior feature for a life cycle of the malicious program.

The lifecycle can be defined as the time at which each malicious program infects a particular computer system, represents the symptoms of a malicious program, such as destroying user data or system data, and again infects other computer systems.

Each malicious program may invoke a particular action function multiple times, or not at all, of all the action functions that the computer system provides during a lifetime. Thus, how many times a particular computer program calls a particular motion function during a life cycle can be a behavioral feature of a particular computer program.

According to an embodiment of the present invention, the encoding unit 830 may include a plurality of elements corresponding to the plurality of operation functions in the behavior feature vector, and each element may store the occurrence frequency of the operation function.

According to one embodiment of the present invention, in the case of providing N operation functions of a computer system, the extracting unit 820 may include N elements in the behavior feature vector storing the occurrence frequency of each operation function .

According to one embodiment of the present invention, the encoding unit 830 includes a plurality of elements corresponding to combinations of any two of the plurality of operation functions in the behavior feature vector, and each element includes two operations The temporal relationship between functions can be stored.

According to an embodiment of the present invention, the encoding unit 830 associates temporal posterior relations between the two operation functions with '0' and '1', respectively, so that each element storing the posterior relation has a binarized value can do.

According to an embodiment of the present invention, the encoding unit 830 may sort all the operation functions provided by the computer system according to a predetermined criterion. Assuming that the computer system provides N operation functions, an identifier from 1 to N can be assigned to each operation function.

According to an embodiment of the present invention, when all of the operation functions provided by the computer system are N, the encoding unit 830 encodes N-1, N-1, One element may be included in the behavior feature vector. The encoding unit 830 may include N-2 elements in the behavioral feature vector storing the temporal relationship between the N-2 operation functions and the second operation function except for the first operation function. If the computer system provides all of the N operation functions, the encoding unit 830 may include N (N-1) / 2 elements in the behavior feature vector to describe all the temporal posterior relationships between the respective operation functions .

The modeling method according to an embodiment of the present invention may be implemented in the form of program instructions that can be executed through various computer means and recorded in a computer readable medium.

In addition, a data frame for transmitting broadcast history information according to an embodiment of the present invention can be recorded on a recording medium readable by various computer means.

The computer-readable medium may include program instructions, data files, data structures, and the like, alone or in combination. The program instructions may be those specially designed and constructed for the present invention or may be available to those skilled in the art. Examples of computer-readable media include magnetic media such as hard disks, floppy disks and magnetic tape; optical media such as CD-ROMs and DVDs; magnetic media such as floppy disks; Magneto-optical media, and hardware devices specifically configured to store and execute program instructions such as ROM, RAM, flash memory, and the like. Examples of program instructions include machine language code such as those produced by a compiler, as well as high-level language code that can be executed by a computer using an interpreter or the like. When all or a part of the operations of the terminal or the base station described in the present invention are implemented by a computer program, the computer readable recording medium storing the computer program is also included in the present invention.

FIG. 1 is a flowchart showing a stepwise method of inspecting a malicious program using a behavioral feature vector of a computer program according to the present invention.

FIG. 2 is a flowchart showing steps of a behavior modeling method of a computer program according to the present invention.

3 is a diagram showing a file system structure of a Symbian operating system that is an attack target of a code warrior worm virus, which is one of malicious programs.

4 is a diagram showing behavioral characteristics of a code warrior worm virus, which is one of malicious programs extracted according to an embodiment of the present invention.

FIG. 5 is a diagram illustrating a structure of a behavior feature vector storing an occurrence frequency of an operation function according to an embodiment of the present invention.

6 is a diagram showing a structure of a behavior feature vector storing a temporal posterior relationship between operation functions according to an embodiment of the present invention.

7 is a diagram illustrating a structure of a behavior feature vector including both a frequency storage unit and a posterior relation storage unit according to an embodiment of the present invention.

8 is a block diagram illustrating the structure of an apparatus for modeling the behavior of a computer program, in accordance with one embodiment of the present invention.

Claims (22)

CLAIMS 1. A method of modeling a behavior of a computer program running on a computer system, The computer program comprising: collecting system usage information using resources of the computer system; Extracting a first behavioral feature and a second behavioral feature of the computer program from the collected system usage information; And Generating a first behavior feature vector and a second behavior feature vector by encoding the first behavior feature and the second behavior feature Lt; / RTI > Wherein the encoding is such that the similarity between the first behavior feature and the second behavior feature is inversely proportional to the distance between the first behavior feature vector corresponding to the first behavior feature and the second behavior feature vector corresponding to the second behavior feature To encode the first behavior feature vector and the second behavior feature vector, Wherein the first behavioral characteristic of the computer program is data used for training a program for inspecting a malicious program so as to distinguish the malicious program from the normal program. The system according to claim 1, Wherein the interface function provided by the computer system is information called by the computer program. The system according to claim 1, And event generation information of the computer system associated with the computer program. The method according to claim 1, Wherein collecting the system usage information comprises collecting a plurality of system usage information over a plurality of different times, Wherein the act of extracting the behavior feature comprises generating a plurality of action functions for the computer program based on the correlation between the collected plurality of system usage information The modeling method comprising the steps of: 5. The method of claim 4, The step of extracting the behavior feature may include extracting the occurrence frequency of each operation function with the behavior feature A modeling method characterized by 5. The method of claim 4, Wherein the extracting of the behavior feature comprises extracting a temporal posterior relationship of the plurality of operation functions with the behavior feature The modeling method comprising the steps of: 5. The method of claim 4, Wherein the behavior feature vector includes a plurality of elements each corresponding to the plurality of operation functions, and each element stores the occurrence frequency of the operation function. 5. The method of claim 4, Wherein the behavior feature vector includes a plurality of elements each corresponding to a combination of any two of the plurality of operation functions and each element stores a temporal posterior relationship between the two operation functions Modeling method. 9. The method of claim 8, Wherein each of the elements has a binarized value. delete 1. An apparatus for modeling behavior of a computer program running on a computer system, A collection unit for collecting system usage information using resources of the computer system; An extracting unit for extracting a first behavioral feature and a second behavioral feature of the computer program from the collected system use information; And An encoding unit for encoding the first behavior feature and the second behavior feature to generate a first behavior feature vector and a second behavior feature vector, Lt; / RTI > Wherein the encoding is such that the similarity between the first behavior feature and the second behavior feature is inversely proportional to the distance between the first behavior feature vector corresponding to the first behavior feature and the second behavior feature vector corresponding to the second behavior feature To encode the first behavior feature vector and the second behavior feature vector, Wherein the first behavioral characteristic of the computer program is data used for training a program for inspecting a malicious program so as to distinguish the malicious program from the normal program. The system according to claim 11, And the interface function provided by the computer system is information called by the computer program. The system according to claim 11, And event generation information of the computer system associated with the computer program. 12. The method of claim 11, Wherein the collecting unit collects a plurality of system use information over a plurality of different time periods, Wherein the extractor is operable to generate a plurality of operating functions for the computer program based on the correlation between the collected plurality of system usage information The modeling device comprising: 15. The method of claim 14, Wherein the extracting unit extracts the occurrence frequency of each of the operation functions with the behavior feature. 15. The method of claim 14, Wherein the extracting unit extracts a temporal posterior relationship of the plurality of operation functions with the behavior feature. 15. The method of claim 14, Wherein the behavior feature vector includes a plurality of elements each corresponding to the plurality of operation functions, and each of the elements stores the occurrence frequency of the operation function. 15. The method of claim 14, Wherein the behavior feature vector includes a plurality of elements each corresponding to a combination of any two of the plurality of operation functions and each element stores a temporal posterior relationship between the two operation functions Modeling device. 19. The method of claim 18, Wherein each of the elements has a binarized value. delete A computer-readable recording medium having recorded thereon a program for executing the method according to any one of claims 1 to 9. delete

Images