KR101577404B1 - System and method for blocking access malware by using monitoring java-script object and computer program for executing the method - Google Patents

Info

Publication number
KR101577404B1
Authority
KR
South Korea
Prior art keywords
javascript
malicious code
external link
packet
code
Prior art date
Application number
KR1020150114437A
Other languages
Korean (ko)
Inventor
이호철
Original Assignee
인스소프트 주식회사
이호철
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 인스소프트 주식회사, 이호철 filed Critical 인스소프트 주식회사

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • H04L63/1466Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/30Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information
    • H04L63/306Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information intercepting packet switched data communications, e.g. Web, Internet or IMS communications
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2463/00Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/141Denial of service attacks against endpoints in a network

Abstract

The present invention relates to a malicious code access blocking system comprising: a malicious code DB holding a list of malicious code distribution code; a packet collection and analysis device that collects and analyzes the packets transmitted when a user terminal accesses the Internet; and a JavaScript analysis unit that, when a packet includes obfuscated JavaScript, determines whether the obfuscated JavaScript calls an external link and whether malicious code distribution code is inserted in the external link being called.

Description

[0001] The present invention relates to a malicious code access blocking system, a method, and a computer program for executing the method.

The present invention relates to a malicious code blocking technology, and more particularly, to a system and a method for blocking malicious code access using JavaScript object monitoring.

In recent years, damage to individuals and companies from the leakage of personal information and corporate secrets has been increasing. Such leakage is caused by malicious code attacks when individuals and companies use the Internet. Malicious code refers to software intentionally made to perform malicious activities, such as destroying a system or leaking information, against the will and interest of the user. Types of malicious code include viruses, worms, Trojans, backdoors, logic bombs, trap doors, spyware, adware and hacking tools. The harm they cause is varied and serious: leakage of personal information such as user IDs and passwords, takeover of the target system, modification or deletion of files, system destruction, leakage of key data, and installation of further hacking programs.

In the past, malicious code developers created malicious code out of curiosity or to show off their skills, but recently malicious code has been produced for financial gain and political purposes. As a result, recent malicious code threatens Internet users with advanced, intelligent and automated attack and propagation techniques; the damage caused by malicious code has become widespread, and the number of malicious codes has increased exponentially over time. In addition, recent malicious code may bypass malicious code detection, or interfere with and delay its analysis, by incorporating various technologies.

In addition, hackers now distribute malicious code as a business, hacking a homepage and using it to spread malicious programs. When a zero-day vulnerability (one in the period between the discovery of a new vulnerability and the release of the software vendor's security patch) is discovered, hackers immediately create an attack tool and distribute malicious code through an intentional attack. Hackers can also distribute malicious code to users through an unintentional attack, by causing content created by a partner company to be uploaded to the homepage with malicious code inserted.

Hackers who distribute malicious code use evasion techniques to hide it effectively on the hacked homepage. One example of such an evasion technique is JavaScript obfuscation of the malicious code distribution code, which defeats automated detection. JavaScript obfuscation of malicious code encodes the script source as strings so that automated programs cannot find it and homepage administrators have difficulty recognizing it. Examples of such JavaScript obfuscation include string encoding, crafted code encoding, and encoding using the JavaScript string escape function.

In this way, malicious code distributed from a homepage causes direct or indirect damage to the terminals that visit it: personal information leakage, corporate information leakage, automatic e-mail sending, remote control of the terminal, and financial loss to the businesses whose visitors receive the malicious program. Moreover, not only general users who visit the company homepage but also the terminals of employees inside the company become infected with the malicious code, so that customers' personal information and the company's internal information can be leaked.

Therefore, it is necessary to detect abuse of the protected company's web server for distributing malicious code, and to prevent infection by malicious code when visiting external websites.

Accordingly, it is an object of the present invention to provide a system and method for detecting a malicious code distribution code obfuscated with JavaScript and blocking malicious code distribution site access.

Accordingly, a malicious code access blocking system according to an embodiment of the present invention, which is placed between a user terminal and the Internet and prevents the user terminal from accessing a malicious code distribution web site, comprises: a packet collection and analysis device that collects packets transmitted and received when the user terminal accesses the Internet; a JavaScript analysis device that, if the packet includes obfuscated JavaScript, executes the obfuscated JavaScript and determines whether malicious code distribution code is inserted in an external link called from the executed JavaScript; and an access blocking device. The JavaScript analysis device comprises: a JavaScript engine generating unit that generates a JavaScript engine for executing the obfuscated JavaScript; a JavaScript object generating unit that generates a JavaScript object in which the obfuscated JavaScript is executed; and a JavaScript object monitor generating unit that generates a JavaScript object monitor, which determines, upon creation or modification of the JavaScript object, whether malicious code distribution code is inserted in an external link called from the executed obfuscated JavaScript. When malicious code distribution code is inserted in the external link, the access blocking device modifies the packet so that the external link cannot be connected to and transmits the modified packet to the user terminal, thereby preventing the user terminal from accessing the external link.

The JavaScript object monitor comprises: a JavaScript object detection module that detects creation or modification of the JavaScript object and, when creation or modification is detected, detects whether an external link is called; and a JavaScript object determination module that, when an external link is called, determines whether malicious code distribution code is inserted in the external link.

The JavaScript object determination module searches the malicious code DB for the external link and, if the external link exists in the malicious code DB, requests the access blocking device to block access to it. If the external link does not exist in the malicious code DB, the module executes the external link in a plurality of virtual machines, checks the resulting behavior to judge whether there is a risk of malicious code infection, and, if so, requests the access blocking device to block the connection to the external link.

The access blocking device comprises: a packet copying unit that copies the collected packets; a malicious code distribution code collection management unit that additionally registers and manages the external link in the malicious code DB when it is determined that there is a risk of malicious code infection even though the external link does not exist in the malicious code DB; and a malicious code distribution code blocking unit that, when a request to block the connection to the external link is received, modifies the copied packet and transmits the modified packet to the user terminal.

The packet collection and analysis device comprises: a packet collection unit that collects packets transmitted from the user terminal; and a packet analysis unit that analyzes whether the collected packet includes content expressed in JavaScript.

A malicious code access blocking method, in a malicious code access blocking system placed between a user terminal and the Internet to prevent the user terminal from accessing a malicious code distribution web site, according to an embodiment of the present invention comprises: collecting a packet transmitted when the user terminal accesses the Internet; analyzing whether the packet includes obfuscated JavaScript; if the packet includes obfuscated JavaScript, executing the obfuscated JavaScript and determining whether malicious code distribution code is inserted in an external link called from the executed JavaScript; if malicious code distribution code is inserted in the external link, modifying the packet so that the external link cannot be connected to and transmitting the modified packet to the user terminal; and blocking access to the external link. Analyzing whether the packet includes obfuscated JavaScript comprises: providing an environment for executing the obfuscated JavaScript; generating a JavaScript object in which the script is executed; detecting creation or modification of the JavaScript object; and determining whether malicious code distribution code is inserted in an external link called from the executed obfuscated JavaScript. The malicious code access blocking method thus comprises the steps of: collecting a packet transmitted when the user terminal accesses the Internet; analyzing whether the packet includes JavaScript; and, if the packet includes JavaScript, determining whether malicious code distribution code is inserted in an external link called by the JavaScript.

The present invention also includes a computer program for executing the malicious code access blocking method.

With existing technology, the accuracy of detecting and blocking malicious code is significantly reduced because obfuscated JavaScript in the html content of a homepage cannot be interpreted. According to an embodiment of the present invention, however, the distribution code of obfuscated malicious code can be detected by copying, collecting and analyzing the packets between the user terminal and the Internet, and access to malicious code distribution websites can be blocked. In addition, the present invention generates a JavaScript engine in the system's internal memory and executes the JavaScript there, so that it places no burden on the user's system while completely blocking the infection.

As a result, an individual user can avoid infection by malicious code from a website visited to receive a service, and an enterprise can prevent infection from external malicious code distribution sites visited within the organization. That is, Internet users can enjoy an Internet environment that is safe from malicious code.

In addition, when a new vulnerability is discovered through a zero-day attack, it takes the vaccine manufacturer an average of 3 to 5 weeks to patch the signatures (the normalized patterns used by intrusion detection and intrusion prevention systems and other information protection solutions to detect and block hacking, vulnerabilities, viruses or harmful traffic). When the system according to an embodiment of the present invention is used, on the other hand, a zero-day attack can be coped with by detecting the URI that distributes the malicious code.

FIG. 1 is a view for explaining a malicious code access blocking system according to an embodiment of the present invention.
FIG. 2 is a view for explaining a JavaScript analysis apparatus according to an embodiment of the present invention.
FIG. 3 is a view for explaining an access blocking device according to an embodiment of the present invention.
FIG. 4 is a view for explaining a malicious code access blocking method according to an embodiment of the present invention.
FIGS. 5A through 5C illustrate functions of a JavaScript object monitor according to an exemplary embodiment of the present invention.

While the present invention has been described in connection with certain exemplary embodiments, it is to be understood that the invention is not limited to the disclosed embodiments, but, on the contrary, is intended to cover various modifications and similarities. It should be understood, however, that the invention is not intended to be limited to the particular embodiments, but includes all modifications, equivalents, and alternatives falling within the spirit and scope of the invention.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

Hereinafter, the present invention will be described in detail with reference to the accompanying drawings.

Furthermore, the singular terms used in this specification and the claims should generally be construed to mean one or more unless otherwise stated.

FIG. 1 is a view for explaining a malicious code access blocking system according to an embodiment of the present invention.

There are many web pages on the Internet with code that distributes malicious code. However, since the user terminal does not know which web page contains malicious code, it can search many web pages without any inspection. Therefore, even if the user terminal accesses the web page where the code for distributing the malicious code is inserted, the malicious code is downloaded and the user terminal is damaged.

The malicious code access blocking system 100 is a system for preventing such a problem. The malicious code access blocking system 100 collects packets when a user terminal accesses the Internet, analyzes the collected packets, and prevents connection to a web page in which code that distributes malicious code (hereinafter referred to as malicious code distribution code) is inserted. The malicious code access blocking system 100 includes a packet collection and analysis apparatus 110, a JavaScript analysis apparatus 120, an access blocking apparatus 130 and a malicious code DB 140.

The packet collection and analysis apparatus 110 analyzes the packet received from the user terminal to check whether obfuscated JavaScript is included. Specifically, the packet collection and analysis apparatus 110 includes a packet collection unit 111 and a packet analysis unit 112.

The packet collecting unit 111 collects packets (http, https) when the user terminal connects to the Internet. At this time, the packet collecting unit 111 may collect packets on a plurality of TCP ports that the user wants to monitor.

The packet collecting unit 111 may collect packets in inline mode or in sniffing mode. In inline mode the unit is configured as a network bridge, so that every packet passes through the network equipment before being forwarded to its destination; the network device can thus monitor all packets and decide whether to pass each one. In sniffing mode the network device is configured simply to obtain a copy of each packet, for example through port mirroring or packet mirroring.

In addition, the packet collecting unit 111 can collect packets using a web crawler. The web crawler can copy the web page of the visited site and index the copied page for quick search.

The packet analyzing unit 112 analyzes the packets collected by the packet collecting unit 111. Since a transmitted packet generally carries html content (for example, a document), the description below is based on html content. Specifically, the packet analyzing unit 112 analyzes the JavaScript content included in the html content, and may parse the html content to do so.

If the obfuscated JavaScript is included in the html content, the packet analyzer 112 requests the JavaScript analyzer 120 to generate a JavaScript engine.

The JavaScript analysis apparatus 120 executes the obfuscated Javascript included in the html content to determine whether the html content includes a malicious code distribution code.

Specifically, if obfuscated JavaScript is included in the html content, the JavaScript analysis apparatus 120 executes the embedded JavaScript through the JavaScript engine. Thereafter, the JavaScript analysis apparatus 120 can detect a URI called from the executed JavaScript and determine whether malicious code distribution code is inserted in it. If it is determined that malicious code distribution code is inserted in the called URI, the JavaScript analysis apparatus 120 transmits information about the html content to the access blocking apparatus 130 so that the connection from the user terminal can be blocked. The JavaScript analysis apparatus 120 will be described in detail with reference to FIG. 2.

If it is determined that malicious code distribution code is inserted in the html content, the access blocking device 130 blocks the user terminal from accessing the web page in which the malicious code distribution code is inserted. The access blocking device 130 will be described later in detail with reference to FIG. 3.

The malicious code DB 140 includes a list of malicious codes and malicious code distributed codes.

The packet collection and analysis device 110, the JavaScript analysis device 120, and the access blocking device 130 may run in one system or in separate external systems. For example, since the JavaScript analysis apparatus 120 bears the load of operating a plurality of virtual machines, it can be separated from the access blocking apparatus 130 and executed in another system.

FIG. 2 is a view for explaining a JavaScript analysis apparatus according to an embodiment of the present invention.

Referring to FIG. 2, the JavaScript analysis apparatus 200 includes a JavaScript engine generating unit 210, a JavaScript object generating unit 220, a JavaScript object monitor generating unit 230, and a JavaScript object monitor 240.

The JavaScript engine creation unit 210 creates the JavaScript engine 215 in the internal memory of the malicious code access blocking system. The JavaScript engine 215 may provide an environment in which JavaScript may be executed and may execute JavaScript.

The JavaScript object generating unit 220 generates objects in which JavaScript can be executed, such as a Javascript DOM (document object model) and a JavaScript BOM (browser object model).

When the JavaScript object is generated through the JavaScript object creation unit 220, the JavaScript engine 215 can execute obfuscated JavaScript code existing in the html content from the JavaScript object. In addition, the JavaScript engine 215 can extract a URI called from the executed JavaScript.

The JavaScript object monitor generation unit 230 generates the JavaScript object monitor 240. The generated JavaScript object monitor 240 can be registered in the JavaScript analysis apparatus 200 via the JavaScript engine 215.

The JavaScript object monitor 240 includes a JavaScript object detection module 241 and a JavaScript object determination module 242.

The JavaScript object monitor 240 can monitor the html content in real time from the packets being collected. In particular, the JavaScript object monitor 240 can monitor creation or modification of JavaScript objects in real time.

The JavaScript object detection module 241 detects html content generated from the obfuscated JavaScript executed via the JavaScript engine 225. It can detect whether the html content contains tags that link external resources. Many tags link external resources, such as the a, img, link, iframe, embed, object and script tags, and html tags developed in the future can be added.

For example, the JavaScript object detection module 241 may detect whether an html tag that includes an external resource has a src attribute in the content being created or changed. Here, the src attribute is the HTML attribute that specifies the location of the resource used by a tag such as embed, and so serves to link an external resource.

If the src attribute exists, the JavaScript object determination module 242 determines whether the URI in the src attribute exists in the malicious code DB. A Uniform Resource Identifier (URI) is an identifier that identifies a resource on the Internet; every resource reachable over the Internet protocols is addressed by a URI, which is a basic condition for using the Internet. URIs include URLs (Uniform Resource Locators) and URNs (Uniform Resource Names).

If the URI exists in the malicious code DB, it is determined that the malicious code distribution code is inserted in the html content, and the JavaScript object determination module 242 transmits information on the html content to the access blocking device.

If the URI does not exist in the malicious code DB, the JavaScript object determination module 242 uses a virtual machine to dynamically analyze the inserted URI. To this end, the module 242 may run one or more virtual machines to visit a plurality of URIs, and can judge which actions are performed by visiting the URI with a program in the virtual machine. If malicious code is downloaded, the JavaScript object determination module 242 transmits information about the URI and the html content to the access blocking device.

In addition, the JavaScript object determination module 242 can visit the extracted URI in a virtual machine to check whether a drive-by download (DBD) occurs. If a DBD occurs, the module 242 determines that malicious code distribution code is inserted and transmits the URI and html content information to the access blocking device. Here, a DBD is malicious code that is downloaded and executed without the user's knowledge, distributed to an unspecified number of users by exploiting a known security vulnerability; a user who merely accesses the web page can be infected.

At this time, the JavaScript object determination module 242 can determine whether the extracted URI contains malicious code distribution code in conjunction with the malicious code DB or with one or more vaccines outside the system.

FIG. 3 is a view for explaining an access blocking device according to an embodiment of the present invention.

Referring to FIG. 3, the access blocking device 300 includes a packet copying unit 310, a malicious code distribution code collection management unit 320, and a malicious code distribution code blocking unit 330.

The packet copying unit 310 copies the packet collected by the packet collecting unit. The copied packet may later be transmitted to the user terminal with information, added by the malicious code distribution code blocking unit 330, that blocks access to the web page.

The malicious code distribution code collection management unit 320 collects URIs that include malicious code distribution code. Specifically, when the JavaScript object determination module determines through the virtual machine that a URI includes malicious code distribution code even though the URI is not in the malicious code DB, the malicious code distribution code collection management unit 320 stores the URI in the malicious code DB.

The malicious code distribution code blocking unit 330 blocks the user terminal from accessing a URI that includes malicious code distribution code. Specifically, when the JavaScript object monitor determines that the URI includes malicious code distribution code, the malicious code distribution code blocking unit 330 modifies the copied packet so that the URI cannot be accessed and transmits the modified packet to the user terminal. For example, the source code in the html content can be replaced with an error page stating that the page cannot be accessed, and transmitted to the user terminal. At this time, the malicious code distribution code blocking unit 330 may also transmit a message stating that the connection is blocked because the web page the user terminal tried to connect to contains malicious code distribution code.

FIG. 4 is a view for explaining a malicious code access blocking method according to an embodiment of the present invention.

Referring to FIG. 4, in step S400 the packet collecting unit collects packets from the user terminal. A packet is a unit of data exchanged when the client, which is the user terminal, requests communication with an HTTP or HTTPS server and the server responds. The packet analyzer then analyzes whether the collected packet includes JavaScript; in addition, it can parse the html content contained in the packet to analyze whether it contains obfuscated JavaScript.

If the html content includes obfuscated JavaScript, a JavaScript engine is created in step S405. The JavaScript engine is a program that runs the obfuscated JavaScript and provides the environment in which JavaScript is executed. Because the JavaScript engine is created in the internal memory of the malicious code access blocking system, it may not be affected by the user terminal or the external server.

In step S410, a JavaScript object is created. A JavaScript object is an object from which JavaScript can be executed, such as a JavaScript DOM or a JavaScript BOM. Because JavaScript is an object-based scripting language, a basic JavaScript object must exist before JavaScript code can be executed.

A JavaScript object monitor is created in step S415.

In step S420, the JavaScript object monitor monitors whether the JavaScript object is created or changed from the JavaScript being executed.

If the creation or modification of the JavaScript object is detected through the JavaScript object monitor, the JavaScript object detection module analyzes the html content generated from the executed obfuscated JavaScript in step S425. Then, the JavaScript object detection module detects whether external resources are invoked among the html contents.

If it is detected that an external resource is called, the JavaScript object determination module determines in step S430 whether the external resource to be called, that is, the URI, exists in the malicious code DB.

If the URI exists in the malicious code DB, in step S435, the JavaScript object determination module requests the access blocking device to block the connection so that the user terminal can not use the html content.

If the URI does not exist in the malicious code DB, in step S440 the JavaScript object determination module can execute the URI using a virtual machine: it visits the URI with a program in the virtual machine and analyzes what the URI does.

In step S445, the JavaScript object determination module determines whether visiting the URI in the virtual machine creates a risk of malicious code infection, for example by checking whether a DBD occurs.

If it is determined that there is a risk of malicious code infection, the JavaScript object monitor transmits URI and html content information to the access blocking device in step S450. Thereafter, the access blocking device additionally registers the URI in the malicious code DB and blocks the user terminal from accessing the URI.

FIGS. 5A through 5C illustrate functions of a JavaScript object monitor according to an exemplary embodiment of the present invention.

FIG. 5A is a diagram illustrating an example in which a JavaScript object monitor detects a change in an external link in a state where a JavaScript DOM has been generated.

If the html document shown in FIG. 5A is included in a packet transmitted from the user terminal, the malicious code access blocking system collects the html document through the packet collection and analysis apparatus. If it is determined that the html document contains obfuscated JavaScript, the packet collection and analysis device requests analysis of the obfuscated JavaScript from the JavaScript analysis device. The JavaScript analysis device then generates the JavaScript engine and the JavaScript DOM. The JavaScript object monitor detects the creation of the JavaScript DOM and determines whether there is a risk of malicious code infection.

Specifically, in step S500, the JavaScript object detection module detects that http://www.w3schools.com (hereinafter, the first URI) is called through the src attribute. Accordingly, the JavaScript object determination module can determine whether the first URI exists in the malicious code DB.

In addition, in step S510, the JavaScript object detection module may detect that the src attribute now calls the external link http://www.malware.com/mal.html (hereinafter, the second URI). That is, when step S510 is performed, the JavaScript object detection module detects that the first URI called in step S500 has been changed to the second URI. Accordingly, the JavaScript object determination module can determine whether the second URI exists in the malicious code DB.

Thereafter, if the first URI or the second URI is found in the malicious code DB, or is not found there but is determined through virtual machine execution to carry a risk of malicious code infection, the access blocking device blocks the user terminal from accessing that URI.

FIG. 5B is a diagram illustrating an example in which the JavaScript object monitor detects an external link in a src attribute in a state where a JavaScript DOM has been generated. Points common to FIG. 5A are omitted; the differences are described.

The JavaScript analysis device generates a JavaScript engine and a JavaScript DOM, and step S520 is performed. While detecting the creation of the JavaScript DOM, the JavaScript object monitor can detect that the script has generated an iframe tag. In particular, the JavaScript object detection module can detect the creation of a src attribute in the generated tag. If the creation of the src attribute is detected, the JavaScript object determination module can determine whether the URI called by the src attribute inserts malicious code distribution code.

FIG. 5C is a diagram illustrating an example in which the JavaScript object monitor detects an external link in the location property in a state where a JavaScript BOM has been generated. Points common to FIG. 5A are omitted; the differences are described.

The JavaScript object monitor can detect the creation or modification of a JavaScript BOM. Accordingly, while detecting a change of the JavaScript BOM, the JavaScript object monitor can detect a change of the location property in step S530. If a change of the location property is detected, the JavaScript object determination module can determine whether the URI called by the location property inserts malicious code distribution code.
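The procedure of steps S430 through S450 and the three detection cases of FIGS. 5A through 5C, as an added JavaScript example that is not part of the patent or of the applicant's implementation. A small stand-in for the JavaScript DOM and BOM records every assignment to a src attribute or to the location property; the determination step checks each external link against a constructed malicious code DB; and, in place of the patent's virtual machine execution, an unknown link is judged a drive-by download risk if the content it would serve (constructed samples embedded inline) redirects the browser or injects an iframe or script pointing at yet another host. Only the www.w3schools.com and www.malware.com URIs come from FIG. 5A; the hosts cdn.example.net, redirect.example.org and exploit.example.net, the sample payload, the served content and the verdict names are assumptions of this example.

```javascript
// Constructed malicious code DB: the second URI of FIG. 5A is the only known-bad entry.
const MALICIOUS_CODE_DB = new Set(['http://www.malware.com/mal.html']);

function hostOf(uri) {
  try { return new URL(uri).host; } catch (e) { return null; }
}

// JavaScript object detection module: stand-in DOM/BOM objects whose src and location
// accessors log every creation or modification (S500/S510/S520/S530).
function createMonitoredEnvironment(pageUri) {
  const events = [];
  const createElement = (tag) => {
    const el = { tagName: tag.toUpperCase(), style: {}, attrs: {} };
    Object.defineProperty(el, 'src', {
      get: () => el.attrs.src,
      set(uri) {
        const previous = el.attrs.src;
        el.attrs.src = uri;
        events.push({ kind: previous === undefined ? 'src-created' : 'src-modified', tag: el.tagName, uri, previous });
      },
    });
    return el;
  };
  const document = { createElement, body: { children: [], appendChild(el) { this.children.push(el); } } };
  const window = { document };
  Object.defineProperty(window, 'location', {
    get: () => pageUri,
    set(uri) { events.push({ kind: 'location-modified', tag: 'WINDOW', uri, previous: pageUri }); },
  });
  return { window, document, events };
}

// Runs de-obfuscated script source against the monitored objects. new Function is used only
// because the input is a constructed sample; untrusted script belongs in an isolated engine/VM.
function runUnderMonitor(scriptSource, pageUri) {
  const env = createMonitoredEnvironment(pageUri);
  new Function('window', 'document', scriptSource)(env.window, env.document);
  return env.events;
}

// External links: distinct URIs reached via src/location whose host is not the page's own.
function detectExternalLinks(scriptSource, pageUri) {
  const events = runUnderMonitor(scriptSource, pageUri);
  const own = hostOf(pageUri);
  const external = events.filter((e) => hostOf(e.uri) && hostOf(e.uri) !== own).map((e) => e.uri);
  return { events, externalLinks: [...new Set(external)] };
}

// Simplified stand-in for S440/S445 (visiting the URI in a VM and watching for a drive-by
// download): risky if the served content redirects or injects an iframe/script to another host.
function isDriveByDownloadRisk(uri, contentByUri) {
  const served = contentByUri[uri];
  if (served === undefined) return false;
  return runUnderMonitor(served, uri).some((e) => e.kind === 'location-modified'
    || ((e.tag === 'IFRAME' || e.tag === 'SCRIPT') && hostOf(e.uri) !== hostOf(uri)));
}

// JavaScript object determination module (S430-S450): DB lookup, then sandbox analysis, then registration.
function determineVerdicts(externalLinks, db, contentByUri) {
  const verdicts = {}, registered = [];
  for (const uri of externalLinks) {
    if (db.has(uri)) { verdicts[uri] = 'blocked-db'; continue; }
    const risky = isDriveByDownloadRisk(uri, contentByUri);
    if (risky) { db.add(uri); registered.push(uri); }      // S450: register newly found link
    verdicts[uri] = risky ? 'blocked-sandbox' : 'allowed';
  }
  return { verdicts, registered };
}

function analyzePage(scriptSource, pageUri, db, contentByUri) {
  const { events, externalLinks } = detectExternalLinks(scriptSource, pageUri);
  return { events, externalLinks, ...determineVerdicts(externalLinks, db, contentByUri) };
}

// Constructed de-obfuscated payload covering the cases of FIGS. 5A-5C. The w3schools and
// malware.com URIs are the figure's; every other host is hypothetical.
const SAMPLE_SCRIPT = `
  var s = document.createElement('script');
  s.src = 'http://www.w3schools.com';                 // S500: first URI called via src
  s.src = 'http://www.malware.com/mal.html';          // S510: src changed to second URI
  document.body.appendChild(s);
  var f = document.createElement('iframe');           // S520: iframe tag with src attribute
  f.style.display = 'none';
  f.src = 'http://cdn.example.net/ad.html';
  document.body.appendChild(f);
  window.location = 'http://redirect.example.org/';   // S530: location property changed
`;

// Constructed content "served" by the unknown links, standing in for what the VM would fetch.
const CONTENT_BY_URI = {
  'http://cdn.example.net/ad.html':
    "var f = document.createElement('iframe'); f.src = 'http://exploit.example.net/kit.html'; document.body.appendChild(f);",
  'http://redirect.example.org/':
    "document.createElement('img').src = 'http://redirect.example.org/pixel.gif';",
};

const demo = analyzePage(SAMPLE_SCRIPT, 'http://www.example.com/', new Set(MALICIOUS_CODE_DB), CONTENT_BY_URI);
console.log(JSON.stringify(demo.verdicts, null, 2));
```

Running the block prints one verdict per external link: the second URI is blocked by the DB lookup, the hidden iframe target is blocked after sandbox analysis and registered in the DB, and the other two links are allowed. The src-modified event keeps the previous value, which is what step S510 needs in order to notice that the first URI was swapped for the second after the element had already been created.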

The apparatus and method according to the above-described embodiments of the present invention may be implemented in the form of program instructions that can be executed through various computer means and recorded in a computer-readable medium. The computer readable medium may include program instructions, data files, data structures, and the like, alone or in combination.

Program instructions recorded on the computer-readable medium may be those specially designed and constructed for the present invention, or those known and available to those skilled in the computer software arts. Examples of computer-readable media include magnetic media such as hard disks, floppy disks and magnetic tape; optical media such as CD-ROMs and DVDs; magneto-optical media; and hardware devices specially configured to store and execute program instructions, such as ROM, RAM and flash memory. Examples of program instructions include machine language code such as that produced by a compiler, as well as high-level language code that can be executed by a computer using an interpreter or the like.

The hardware devices described above may be configured to operate as one or more software modules to perform the operations of the present invention, and vice versa.

The present invention has been described with reference to the preferred embodiments. It will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the spirit and scope of the invention as defined by the appended claims. Therefore, the disclosed embodiments should be considered in an illustrative rather than a restrictive sense. The scope of the present invention is defined by the appended claims rather than by the foregoing description, and all differences within the scope of equivalents thereof should be construed as being included in the present invention.

100: malicious code access blocking system
110: Packet collection analyzer
120: JavaScript analysis device
130:
140: Malicious Code DB

Claims (14)

1. A malicious code access blocking system, located between a user terminal and the Internet, for blocking the user terminal from accessing a malicious code distribution web site, the system comprising:
a packet collection and analysis apparatus for collecting and analyzing packets transmitted and received when the user terminal accesses the Internet;
a JavaScript analysis device for, when a packet includes obfuscated JavaScript, executing the obfuscated JavaScript and determining whether malicious code distribution code is inserted in an external link called from the executed JavaScript, the JavaScript analysis device comprising:
a JavaScript engine generating unit for generating a JavaScript engine that executes the obfuscated JavaScript;
a JavaScript object generating unit for generating a JavaScript object in which the obfuscated JavaScript is executed; and
a JavaScript object monitor generating unit for generating a JavaScript object monitor that determines, upon creation or modification of the JavaScript object, whether malicious code distribution code is inserted in an external link called from the executed obfuscated JavaScript; and
an access blocking device for, when malicious code distribution code is inserted in the external link, modifying the packet and transmitting the modified packet to the user terminal so that the user terminal is blocked from accessing the external link.
2. (deleted)
3. (deleted)
4. The system according to claim 1, wherein the JavaScript object monitor comprises:
a JavaScript object detection module for detecting creation or modification of the JavaScript object and, when creation or modification is detected, detecting whether an external link is called; and
a JavaScript object determination module for determining, when the external link is called, whether the external link inserts the malicious code distribution code.
5. The system according to claim 4, wherein the JavaScript object determination module:
searches the malicious code DB for the external link;
if the external link exists in the malicious code DB, requests the access blocking device to block the connection to the external link; and
if the external link does not exist in the malicious code DB, executes the external link in a plurality of virtual machines to observe its operation and determine whether there is a risk of malicious code infection, and, if it is determined that there is such a risk, requests the access blocking device to block the connection to the external link.
6. The system according to claim 5, wherein the access blocking device comprises:
a packet copying unit for copying the collected packets;
a malicious code distribution code collection management unit for additionally registering and managing the external link in the malicious code DB when it is determined that there is a risk of malicious code infection although the external link does not exist in the malicious code DB; and
a unit that, when a connection blocking request for the external link is received, transmits the modified packet to the user terminal.
7. The system according to claim 6, wherein the packet collection and analysis apparatus comprises:
a packet collector for collecting packets transmitted from the user terminal; and
a packet analyzer for analyzing whether the collected packet includes content expressed in JavaScript.
8. A malicious code access blocking method in a malicious code access blocking system that is located between a user terminal and the Internet and prevents the user terminal from accessing a malicious code distribution web site, the method comprising:
collecting packets transmitted and received when the user terminal accesses the Internet;
analyzing whether the packet includes obfuscated JavaScript;
if the packet includes obfuscated JavaScript, executing the obfuscated JavaScript and determining whether malicious code distribution code is inserted in an external link called from the executed JavaScript;
modifying the packet so that the external link cannot be connected to, when malicious code distribution code is inserted in the external link; and
transmitting the modified packet to the user terminal, thereby blocking the user terminal from accessing the external link,
wherein the step of analyzing whether the packet includes obfuscated JavaScript comprises:
providing an environment for executing the obfuscated JavaScript;
generating a JavaScript object in which the obfuscated JavaScript is executed;
detecting creation or modification of the JavaScript object; and
determining whether malicious code distribution code is inserted in an external link called from the executed obfuscated JavaScript.
9. (deleted)
10. (deleted)
11. The method according to claim 8, wherein the step of determining whether the external link inserts the malicious code distribution code comprises:
comparing the external link with a malicious code DB;
blocking the connection to the external link when the external link exists in the malicious code DB;
executing a plurality of virtual machines when the external link does not exist in the malicious code DB;
executing the external link in the virtual machines to observe its operation; and
blocking the connection to the external link when the operation carries a risk of malicious code infection.
12. The method according to claim 11, wherein the step of blocking the connection to the external link comprises:
copying the collected packets; and
modifying the copied packet and transmitting the modified packet to the user terminal.
13. The method according to claim 12, further comprising registering the external link in the malicious code DB when it is determined that there is a risk of malicious code infection although the external link does not exist in the malicious code DB.
14. A computer program, recorded on a computer-readable recording medium, for executing the malicious code access blocking method according to any one of claims 8 to 13.

Priority Applications (1)

Application Number Priority Date Filing Date Title
KR1020150114437A KR101577404B1 (en) 2015-08-13 2015-08-13 System and method for blocking access malware by using monitoring java-script object and computer program for executing the method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
KR1020150114437A KR101577404B1 (en) 2015-08-13 2015-08-13 System and method for blocking access malware by using monitoring java-script object and computer program for executing the method

Publications (1)

Publication Number Publication Date
KR101577404B1 true KR101577404B1 (en) 2015-12-28

Family

ID=55084985

Family Applications (1)

Application Number Title Priority Date Filing Date
KR1020150114437A KR101577404B1 (en) 2015-08-13 2015-08-13 System and method for blocking access malware by using monitoring java-script object and computer program for executing the method

Country Status (1)

Country Link
KR (1) KR101577404B1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2019027106A1 (en) * 2017-08-01 2019-02-07 주식회사 에프원시큐리티 System for analyzing degree of risk for malicious code distribution site by using machine learning

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20100123368A (en) * 2009-05-15 2010-11-24 인포뱅크 주식회사 System and method for analyzing malicious code
KR101200906B1 (en) * 2011-04-27 2012-11-13 (주)소만사 High Performance System and Method for Blocking Harmful Sites Access on the basis of Network
KR101514984B1 (en) * 2014-03-03 2015-04-24 (주)엠씨알시스템 Detecting system for detecting Homepage spreading Virus and Detecting method thereof

Legal Events

Date Code Title Description
E701 Decision to grant or registration of patent right
GRNT Written decision to grant
FPAY Annual fee payment

Payment date: 20181206

Year of fee payment: 4