KR101446280B1 - System for detecting and blocking metamorphic malware using the Intermediate driver - Google Patents

Abstract

The present invention relates to a system and a method for detecting and blocking variants of malware using an intermediate driver and, more specifically, to a system and a method for detecting and blocking variants of malware using an intermediate driver which complements the shortcomings of a conventional signature analysis by proposing a model which analyzes state changes in a system and a network by using a network driver interface specification (NDIS) intermediate driver and detects and blocks malware having an irregular pattern in a kernel mode. The present invention detects state behavior by using protocol type, IP address, MAC, use port, length, and time information extracted from packet information.

Description

FIELD OF THE INVENTION [0001] The present invention relates to a malicious code detection and blocking system using intermittent drivers,

More particularly, the present invention relates to a system and method for detecting and blocking malicious codes using intermittent drivers, and more particularly, to a system and a method for analyzing system and network status changes using an NDIS (Network Driver Interface Specification) The present invention relates to a malicious code detection and blocking system using intermittent drivers and a method for detecting and blocking malicious codes using irregular patterns.

With the rapid growth of the Internet and the explosion of computer usage rates, several malicious codes have emerged. Such malicious code causes abnormal operation of the system, degradation of network performance, and leakage of personal information. Currently, most of the malicious code analysis is signature analysis. Signature analysis detects malicious code of a specific pattern quickly, but it can not detect the modified code, and has the disadvantage that the damage can be prevalent before analysis and blocking.

Also, due to the development of the information and communication technology, various kinds of malicious codes have appeared as the Internet has rapidly developed. These malicious codes cause abnormal operation of the system, degradation of network performance, leakage of personal information, and are becoming more systematic and complex attacks related to various crimes.

Currently, most malicious codes are detected and blocked by signature analysis, which only blocks malicious code with a certain pattern and can not detect malicious codes with irregular patterns.

Therefore, it is necessary to design and implement a more active malicious code analysis model that complements it.

In order to solve the above-mentioned problems, the present invention has been made to solve the above-mentioned disadvantages of the Signature analysis model which can block only malicious code of a specific pattern, analyze the system and network status, The present invention provides a system and method for detecting and blocking malicious codes of a malicious code using a tamper driver.

The present invention detects a state action using a protocol type, IP address, MAC, port, length, and time information extracted from the packet information.

Thereby blocking the process and the port for performing the state action.

The state action includes an attempt to send an IP spoofing packet, a TCP connection connection attempt, a connection wait attempt in a Listen mode, an attempt to send multiple IP packets, and a processor usage change.

The present invention relates to a method and an apparatus for analyzing a malicious code using an intermediate driver, Searching for a specific signature after analyzing the malicious code, and transmitting the signature-analyzed packet to the protocol; Periodically monitoring the system and network status with a state analysis model and blocking a process and a port in a kernel mode when a specific process detects an abnormal state of a packet at a specific port.

The intermediate driver includes a mapping step of mapping packets of different transport layers such as Ethernet and ATM.

The intermediate driver includes a packet filtering and blocking step for preferentially reading and managing information of a packet to be received and a packet to be transmitted in transmission.

The intermediate driver includes a road balancing step of exposing one virtual adapter to a higher level and distributing transmission packets to one or more NICs.

The protocol driver includes a step of copying data to be transmitted to an application into a packet.

The driver of the protocol calls the Network Driver Interface Specification (NDIS) function and transmits to the driver of the lower level.

The driver of the protocol includes a protocol interface for receiving a packet received at a lower level and transmitting the received data to the client application.

The present invention relates to a network driver interface specification (NDIS) creating an NDIS_PACKET structure to communicate between drivers; Obtaining an NDIS_BUFFER structure from NDIS_PACKET, and NDIS_BUFFER being associated with another NDIS_BUFFER; And creating and communicating a Network Driver Interface Specification (NDIS) packet using the NdisAllocatePacket API when accessing a Network Driver Interface Specification (NDIS) library at a higher level of the Network Driver Interface Specification (NDIS).

An IP address, MAC, port, length, and time information extracted from the Network Driver Interface Standard (NDIS) packet information.

Thereby blocking the process and the port for performing the state action.

The state action includes an attempt to send an IP spoofing packet, a TCP connection connection attempt, a connection wait attempt in a Listen mode, an attempt to send multiple IP packets, and a processor usage change.

The method comprising: copying a packet using an NdisQueryPacket API and reading an Ethernet header with an NdisQueryBuffer API; Analyzing packet information in the Ethernet header, copying the next buffer using the NdisGetNextBuffer API, and analyzing packet information again; Analyzing the packet information, extracting a specific pattern of the malicious code, converting the pattern into a database, and determining whether the pattern exists in the file to be inspected of the malicious code.

An IP address, MAC, port, length, and time information extracted from the packet information.

Thereby blocking the process and the port for performing the state action.

The state action includes an attempt to send an IP spoofing packet, a TCP connection connection attempt, a connection wait attempt in a Listen mode, an attempt to send multiple IP packets, and a processor usage change.

According to the present invention, the presented model can provide more active detection and blocking compared to Signature analysis through system state analysis.

According to the present invention, the disadvantage of passive signature analysis on malicious code can be compensated by using NDIS (Network Driver Interface Specification).

1 is a diagram showing an NDIS structure according to the present invention;
2 is a diagram showing an NDIS data structure according to the present invention;
3 is a diagram illustrating a code for analyzing received packet information using an intermediate driver of an NDIS according to the present invention;
4 is a view showing a signature of a Code Red Worm according to the present invention.
5 is a diagram illustrating a state analysis process of a model according to the present invention.
6 is a diagram illustrating a packet flow and a blocking process of a model according to the present invention;

For a better understanding of the present invention, a preferred embodiment of the present invention will be described with reference to the accompanying drawings. The embodiments of the present invention may be modified into various forms, and the scope of the present invention should not be construed as being limited to the embodiments described in detail below. The present embodiments are provided to enable those skilled in the art to more fully understand the present invention. Therefore, the shapes and the like of the elements in the drawings can be exaggeratedly expressed to emphasize a clearer description. It should be noted that in the drawings, the same members are denoted by the same reference numerals. Further, detailed descriptions of well-known functions and configurations that may be unnecessarily obscured by the gist of the present invention are omitted.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS Hereinafter, the present invention will be described in detail with reference to the drawings.

NDIS is a hierarchical network structure developed by 3COM and Microsoft. It is a conceptual layer created by the operating system and network interface card (NIC) to use various protocols to use various network protocol stacks.

The NDIS has the structure shown in FIG.

The MiniPort driver is the lowest common Ethernet driver in the NDIS architecture, and it directly controls the NIC, including sending and receiving data through the NIC. It also interfaces with the intermediate layer driver or protocol driver of the upper layer. Especially since it is an Ethernet driver, it does not know TCP / IP like it unless it is supported at the hardware level. The main features of the MiniPort driver are as follows.

(1) NIC initialization and registration function

(2) Control functions such as setting change, termination, and reset of NIC

(3) Transferring the packet to be transmitted and forwarding the received packet to the upper layer

Intermediate driver is located between MiniPort driver and Protocol driver and communicates between lower layer and upper layer. The main features of the Intermediate driver are as follows.

(1) A mapping function that maps packets of different transport layers, such as Ethernet and ATM.

(2) Packet filtering or blocking function that reads and manages the information of received packets and the packets that are transmitted in transmission.

(3) Road balancing function that distributes packets to one or more NICs by exposing one virtual adapter to a higher level.

Protocol driver is the top driver in the NDIS architecture and is the lowest driver in the transport layer driver that performs protocol transfers such as TCP / IP or IPX / SPX stacks. At this time, the protocol driver corresponds to the LAN protocols of FIG. The protocol driver has the following features.

(1) The function to copy the data transferred to the application to the packet.

(2) The function to call the NDIS function and transmit it to the driver of the lower level.

(3) The ability to provide a protocol interface to receive packets received at a lower level and to send the received data to the client application.

NDIS creates an NDIS_PACKET structure to communicate between drivers.

An NDIS_BUFFER structure can be obtained from NDIS_PACKET, and NDIS_BUFFER is associated with another NDIS_BUFFER. The larger the data capacity, the larger the number of NDIS_BUFFERs connected, the first NDIS_BUFFER is only 14 bytes, and the second is NDIS_BUFFER by 60 bytes.

When accessing the NDIS library at a higher level of NDIS, NDIS packets are created using the NdisAllocatePacket API to communicate.

Figure 2 shows the NDIS data structure.

The packet analysis uses the NdisQueryPacket API to copy the packet and then read the Ethernet header with the NdisQueryBuffer API. Then, the packet information is analyzed in the Ethernet header, the next buffer is copied by the NdisGetNextBuffer API, and the packet information is analyzed again, so that the information about the specific packet and the entire packet can be analyzed.

3 is a code for analyzing received packet information using an intermediate driver of the NDIS.

Signature analysis is a method used in most antivirus software. It extracts a specific pattern of malicious code, converts the pattern into a database, and judges the presence or absence of the pattern in the file to be inspected for malicious code. It works fast because it can minimize false positives and false positives and only compare certain patterns. However, there is a problem that the latest malicious code or similar variant code can not be identified, and the detection is possible after the damage has already become widespread.

FIG. 4 is a signature of Code Red Worm.

The analysis of the state of the proposed model according to the present invention is performed by attempting to send an IP spoof packet using an IP address, MAC address, MAC address, port, length and time information extracted from the packet information, an excessive TCP connection connection attempt, , Attempts to send multiple IP packets, changes in processor usage, and so on, and blocks the processes and ports that perform the actions. This has the advantage of active detection that complements the disadvantages of passive detection of the signature analysis model by analyzing the state of the system.

FIG. 5 shows a state analysis process of the model proposed in the present invention.

That is, the state analysis unit 101 uses the pattern file 106 in the process of detecting the behavior of the packet analysis data 102 and block 105 through the process detection 104.

In the malicious code blocking process of the proposed model, first, the malicious code is analyzed by the method of FIG. 2 and FIG. 3 using the intermediate driver. After analyzing the malicious code, a specific signature as shown in FIG. 4 is searched, and the packet after the signature analysis is transmitted to the protocol. The system and network conditions are periodically monitored with the state analysis model of FIG. 5, and if an abnormal state is detected in which a specific process has a large number of packets in a specific port, the process and the port are blocked in the kernel mode.

Figure 6 shows the packet flow and blocking process of the proposed model.

(204) through a signature analysis (202) and a state analysis (203) through a packet analysis process (201).

The present invention complements the disadvantages of the Signature analysis model that can block only malicious codes of a specific pattern, analyzes the system and network status, and presents a model that can detect and block malicious codes in the kernel mode. The presented model is expected to provide more active detection and blocking compared to Signature analysis through system state analysis. By implementing the proposed model in the future, we can analyze the probability of malicious code detection and blocking, compare with other models , Will analyze

The embodiment of the above-described variant malicious code detection and blocking system using the intermittent driver of the present invention is merely illustrative and those skilled in the art will appreciate that various modifications and equivalent It will be appreciated that other embodiments are possible.

Therefore, it is to be understood that the present invention is not limited to the above-described embodiments. Accordingly, the true scope of the present invention should be determined by the technical idea of the appended claims. It is also to be understood that the invention includes all modifications, equivalents, and alternatives falling within the spirit and scope of the invention as defined by the appended claims.

101:
102: packet analysis data
103: Detecting the behavior
104: Process detection
105: Block
106: Pattern file
201: packet analysis process
202: Signature Matching
203: State Analysis
204: Detection

Claims (18)

delete delete delete A malicious code detection and blocking method using an intermediary driver by a malicious code detection and blocking system,
The malicious code detection and blocking system comprising the steps of: analyzing the malicious code using an intermediate driver;
The malicious code detection and blocking system searches for a specific signature after analyzing the malicious code, and transmits the signature-analyzed packet to a protocol driver of an upper layer;
A variant malicious code detection and blocking system periodically monitoring system and network status with a status analysis model to block processes and ports in kernel mode if a particular process detects an abnormal status of a packet at a particular port;
And detecting a malicious code of the malicious code using the intermittent driver. 5. The method of claim 4,
The intermittent driver includes:
And a mapping step of mapping packets of different transport layers, such as Ethernet, ATM, and the like, to the malicious code detection and blocking method using the intermedit driver. 5. The method of claim 4,
The intermittent driver includes:
And a packet filtering or blocking step of preferentially reading and managing the information of the received packet and the packet transmitted in transmission. 5. The method of claim 4,
The intermittent driver includes:
And a Road Balancing step of exposing one virtual adapter to a higher level and distributing transmission packets to one or more NICs. 5. The method of claim 4,
The protocol driver
And copying the data to be transmitted to the application to the packet. The method for detecting and blocking malicious codes according to claim 1, 5. The method of claim 4,
The protocol driver
And transmitting the network driver interface standard (NDIS) function to a driver of a lower level by calling the network driver interface standard (NDIS) function. 5. The method of claim 4,
The driver of the protocol
Providing a protocol interface to receive packets received at a lower level and transmitting the received data to a client application. ≪ Desc / Clms Page number 19 > The Network Driver Interface Specification (NDIS) creates an NDIS_PACKET structure to communicate between the drivers;
Obtaining an NDIS_BUFFER structure from NDIS_PACKET, and NDIS_BUFFER being associated with another NDIS_BUFFER;
Creating and communicating Network Driver Interface Specification (NDIS) packets using the NdisAllocatePacket API when accessing a Network Driver Interface Specification (NDIS) library at a higher level of the Network Driver Interface Specification (NDIS);
And detecting a malicious code of the malicious code using the intermittent driver. 12. The method of claim 11,
Wherein the control unit detects the state action using the protocol type, IP address, MAC, port, length, and time information extracted from the network driver interface standard (NDIS) packet information. How to detect and block malware. 13. The method of claim 12,
And blocking the process and the port for performing the state action. 13. The method of claim 12,
Wherein the state action includes an attempt to send an IP spoofing packet, a TCP connection connection attempt, a connection wait attempt in a Listen mode, an attempt to send an IP packet, and a processor usage change. How to detect and block variant malware. A malicious code detection and blocking method using an intermediary driver by a malicious code detection and blocking system,
The malicious code detection and blocking system reads the Ethernet header with the NdisQueryBuffer API after copying the packet using the NdisQueryPacket API;
Analyzing packet information in the ethernet header, analyzing packet information after copying the next buffer with the NdisGetNextBuffer API;
A step of extracting a specific pattern of the malicious code after analyzing the packet information by the detection and blocking system of the variant malicious code to convert the pattern into a database and determining the presence or absence of the pattern in the file to be inspected of the malicious code;
And detecting a malicious code of the malicious code using the intermediate driver. 16. The method of claim 15,
Detecting a state action using the protocol type, IP address, MAC, port, length, and time information extracted from the packet information. 17. The method of claim 16,
And blocking the process and the port for performing the state action. 17. The method of claim 16,
Wherein the state action includes an attempt to send an IP spoofing packet, a TCP connection connection attempt, a connection wait attempt in a Listen mode, an attempt to send an IP packet, and a processor usage change. How to detect and block variant malware.

Images