KR101589656B1 - System and method for detecting and inquiring metamorphic malignant code based on action - Google Patents

Abstract

Disclosed are a system and a method for detecting and inquiring a metamorphic malignant code based on PI. According to the present invention, the system includes a malignant code analysis system which extracts application program interface (API) call information which a malignant code calls by performing a malignant doubt execution file, and detects the malignant action of the malignant code by using the extracted API call information; and a similarity analysis system which calculates API call similarity between at least two malignant codes by using a malignant code list where the malignant codes are collected. The API call similarity is obtained by using the API call information and/or the malignant code list. Thereby, a metamorphic malignant code of which a part is mutated is effectively detected.

Description

FIELD OF THE INVENTION [0001] The present invention relates to a malicious code variant detection system,

The embodiments are directed to a malware variant detection and query system and method for detecting and querying variant malicious codes based on an API.

 The security product performance assessment agency checked the malware and found that more than 100 million new malicious code was detected by October 2014.

In order to respond quickly to such rapidly growing malicious codes, studies are being actively conducted to automate malicious code analysis.

Recently, a system for automatically analyzing malicious code behavior at the kernel level has been proposed.

However, the existing malware detection system has been unable to analyze detailed behavior because it only monitored basic action events such as files, registers and processes.

Moreover, there was an increasing number of variants of malicious code that changed some code included in malicious code.

Korean Patent Publication No. 2012-0124638, publication date: November 14, 2012 Title of the invention: an action-based malware detection system and malicious code detection method.

It is an object of the present invention to provide an API based malicious code variant detection system and method for detecting malicious behavior of malicious code by extracting API call information called by malicious code.

In addition, the present embodiments provide an API based malicious code variant detection system and method for extracting API call similarity using API call information and / or behavior code and action group that can recognize the variant malicious code type. have.

It is another object of the present invention to provide an API-based malicious code variant detection system and method for extracting malicious code belonging to the same group that can recognize the variant malicious code type.

In addition, the embodiments have another object to provide a behavior-based malicious code variant inquiry system and method for inquiring malicious behavior and variant malicious codes.

According to an embodiment of the present invention, a malicious suspicious execution file is executed to extract application program interface (API) call information called by malicious code, and malicious code malicious behavior is detected using the extracted API call information Malicious code analysis system; And a similarity analysis system for calculating an API call similarity between at least two malicious codes detected using the malicious code list in which the malicious codes are collected.

Here, the malicious code analysis system may collect the malicious suspicious execution file from a network traffic sensor connected to the network.

The malicious code analysis system may further include a malicious suspicious execution file, first API call information, and a first database for storing malicious behavior of the malicious code.

In addition, the malicious code analysis system can extract API call information called by the malicious code through API hooking on the user level and the kernel level.

In addition, the malicious code analysis system can detect the malicious behavior by applying the malicious code rule set in advance to the API call information.

Also, the malicious code analysis system may apply the malicious code rule set including the hooking filtering.

In addition, the malicious code analysis system can detect the malicious behavior including virtualization malicious activity and real-time malicious activity.

Also, a behavior classification system for generating behavior codes by matching malicious behavior provided from the malicious code analysis system with pre-stored behavior classification rule information, and creating an action group in which the behavior codes having similar behavior are grouped And the similarity analysis system can measure the API call similarity among at least two malicious codes in the same action group by using the malicious code list gathering the detected malicious codes in the action group.

The behavior classification rule information includes an API number for identifying the action information according to the call of the API call information and the API included in the action rule of the action information, A parameter which is an object to be referred to for performing the action; A parameter value that is an actual value of the object, an associated API that is called together when the corresponding API is called; And a flag identifying whether the action is to be invoked with the associated API to match the action.

In addition, the behavior classification system may extract an API sequence using a malicious code list that collects the malicious codes included in the generated action group.

In addition, the behavior classification system can generate bit codes (1, 0) for each of the behavior codes through the coincidence between the extracted API sequence and the unit behavior in the behavior classification rule information.

In addition, the behavior classification system may include a second database for storing the behavior code, the action group, the malicious code list, the API sequence, and the bit code.

The system may further include a malicious code inquiry system for inquiring information stored in the first and second databases and performing a combination and calculation of the information for identifying the variant malicious code.

Also, the similarity analysis system can measure the API call similarity by grasping the individual API configuration, the API calling order, and the frequency between any two or more malicious codes included in the malicious code list.

In addition, the similarity analysis system can utilize the malicious code list including the malicious code hash list.

In addition, the similarity analysis system can perform API coding on the API call information using any two or more hashes included in the malicious code hash list to extract the API code sequence.

In addition, the similarity analysis system can measure the API call similarity using the N-gram in addition to the extracted API code sequence.

The similarity analysis system may include a third database for storing the API call information set, the malicious code list, the API code, the API code sequence, and the API call similarity.

The system may further include a malicious code inquiry system for inquiring information stored in the third database and performing a combination and calculation of the information for identifying the variant malicious code.

According to another embodiment of the present invention, there is provided a malicious code analysis method comprising the steps of: (a) extracting application program interface (API) call information called by a malicious code from a malicious code analysis system after executing a malicious suspicious execution file; (b) detecting malicious behavior for the malicious code in the malicious code analysis system using the extracted API call information; And (c) measuring the API call similarity between at least two of the malicious codes in the similarity analysis system using the API call information and the malicious code list gathering the detected malicious codes. And an inquiry method are provided.

The API-based malicious code variant detection and inquiry method includes the steps of: (d) generating behavior codes in the behavior classification system through matching between the detected malicious behavior and pre-stored behavior classification rule information; And (e) generating an action group in which malicious codes belonging to the same action group are grouped by using the action code in a behavior classification system, wherein (c) The API call similarity between at least two malicious codes in the same action group can be measured using a set of API call information including information and a malicious code list of the detected malicious codes.

Also, the step (c) may measure the API call similarity by grasping the individual API configuration, the API calling sequence, and the frequency between any two or more malicious codes included in the malicious code list.

As described above, according to the embodiments, the API call similarity is obtained by using the API call information and / or the malicious code list in the Windows environment, thereby effectively detecting the variant malicious code in which the code part is modified.

In addition, according to the embodiments, there is an effect that the API call information, the action code and the action group are obtained in the Windows environment, and the API call similarity is obtained based on the API call information and action group, thereby effectively detecting the variant malicious code in which the code part is modified.

1 is a block diagram schematically showing a malicious code variant detection and inquiry system according to an embodiment of the present invention.
FIG. 2 is a detailed view of a malicious code analysis system of a malicious code variant detection system according to an embodiment of the present invention.
FIG. 3 is a diagram exemplarily showing a type of traffic to be analyzed received by the malicious code management server 110 according to an embodiment of the present invention.
4 is a diagram illustrating a malicious code detection system in the real time analysis agent view according to an embodiment of the present invention.
5 is a diagram showing an API-based malicious behavior analysis result processed through the existing system and the system (virtualization environment) of the present embodiment.
6 is a diagram showing an example of malicious code analysis result processed through the existing system and the system of the present embodiment.
7 is a diagram showing a malicious code processing result processed through the existing system and the system of the present embodiment.
FIG. 8 is a diagram illustrating a malicious code variant detection system according to an embodiment of the present invention in more detail.
FIG. 9 is a diagram exemplifying the types of malicious code list and API call information generated in the malicious code variant detection system according to an embodiment of the present invention.
10 is a diagram illustrating an example of an N-gram algorithm applied to a similarity analysis system according to an embodiment of the present invention.
11 is a diagram illustrating an example of a query result of a malicious code inquiry system according to an embodiment of the present invention.
12 is a diagram illustrating a relationship between a behavior classification system and a similarity analysis system of a malicious code variant detection system and a malicious code inquiry system in more detail according to an embodiment of the present invention.
FIG. 13 is a diagram illustrating a form of behavior codes generated in a behavior classification system according to an exemplary embodiment of the present invention. Referring to FIG.
FIG. 14 is a diagram illustrating an exemplary behavior group generated in a behavior classification system according to an embodiment of the present invention. Referring to FIG.
15 and 16 are diagrams illustrating exemplary results of a malicious code inquiry system according to an embodiment of the present invention.
17 is a flowchart illustrating an API based malicious code variant detection and inquiry method according to an exemplary embodiment of the present invention.
18 is a flowchart illustrating a malicious behavior detection method of malicious code variant detection and inquiry method according to an embodiment of the present invention in more detail.

Hereinafter, preferred embodiments of the present invention will be described in detail with reference to the accompanying drawings, so that those skilled in the art can easily carry out the present invention. In the drawings, like reference numerals refer to the same or similar functions throughout the several views.

≪ Embodiment 1 >

1 is a block diagram schematically showing a malicious code variant detection and inquiry system according to an embodiment of the present invention.

Referring to FIG. 1, a malicious code variant detection and inquiry system 1000 according to an embodiment of the present invention includes a malicious code analysis system 100 for detecting malicious code of malicious code by extracting API call information, A behavior classification system (200) for detecting an altered malicious code by generating an action code and an action group on the basis of the behavior, and an API call similarity between at least two malicious codes in the API call information and / And a malicious code inquiry system 400 for searching malicious behavior and variant malicious code as described above.

Between each of these configurations, an external network such as a wired / wireless communication network or an internal network may be connected. However, the network to be connected between the respective configurations is not limited to the above network configuration. Hereinafter, each configuration will be described in more detail.

<Examples of detection of malicious behavior>

FIG. 2 is a detailed view of a malicious code analysis system of a malicious code variant detection system according to an embodiment of the present invention.

Referring to FIG. 2, the malicious code analysis system 100 according to an exemplary embodiment of the present invention manages overall malicious behavior analysis including API analysis request, analysis assignment, and analysis result inquiry and storage.

To this end, the malicious code analysis system 110 may include a malicious code management server 110 and a virtualization analysis agent 120. First, the malicious code management server 110 collects the analysis target traffic from the network traffic sensor 101 as a malicious code analysis target.

At this time, the network traffic sensor 101 is connected to a network, for example, a wired or wireless network, collects traffic including an executable file of an application program executed in a system running in a Windows environment, extracts analysis target traffic requiring analysis, To the code management server (110). An example of the analysis target traffic requested for analysis can be shown in FIG.

Therefore, the malicious code management server 110 receives the traffic to be analyzed from the network traffic sensor 101, and uses the Rest API to store the first malicious suspicious execution file and various meta information of the application program included in the traffic to be analyzed And can be stored in the database 111.

At this time, the executable file of the collected application program is preferably a PE (Portable Executable) file executable in a Windows environment.

However, it may be input, not collection. That is, the malicious code management server 110 may manually receive at least one executable file and store the executable file in the database 111.

At this time, the input executable file is preferably a PE (Portable Executable) file executable in a Windows environment. However, it is needless to say that the present invention is not limited to the PE (Portable Executable) file described above.

Next, the virtualization analysis agent 120 may include at least one virtualization agent module 121 that is simultaneously operated using virtualization technology. The virtualization agent module 121 may refer to a Windows system that is executed in a virtualized environment.

When the virtualization agent module 121 is activated, the virtualization agent module 121 can execute the first malicious suspicious execution file received from the malicious code management server 110. As a result of execution, the first application program interface (API) call information called by the malicious code can be extracted.

More specifically, the virtualization analysis server 120 executes the first malicious suspicious execution file received from the malicious code management server 110 using at least one or more virtualization agent modules 121, 1 API (Application Program Interface) call information.

Preferably, the first API call information can be extracted by monitoring API information called by the malicious code through API hooking at the user level and the kernel level. When the first API call information is extracted, the malicious behavior for the malicious code can be known.

In other words, 'Register at registry execution location', 'Copy file', 'Execute worm process', 'Create log file at C: W', 'Create mutex to prevent duplication' It is possible to know malicious behavior at the same user level and kernel level. The extracted first API call information is transmitted to the malicious code management server 110.

Thus, since the first API call information can be extracted on both the user level and the kernel level, the malicious code behavior analysis can be performed on various APIs.

In this case, the malicious code management server 110 may store the first API call information received from the virtualization analysis agent 120 in the database 101.

Meanwhile, the malicious code management server 110 may include a malicious behavior analysis management module 112 to detect more detailed malicious behavior using the stored first API call information.

In one embodiment, the malicious behavior analysis management module 112 may detect malicious malicious behavior in a virtual environment by applying a preset malicious code rule set to the first API call information received from the virtualization analysis agent 120.

At this time, the malicious rule set may include hooking filtering. That is, the malicious code ruleset including the hooking filtering is applied to the first API call information, and when the hooking-filtered first API calling information is compared with the predefined malicious code rule set to identify the malicious code malicious code, can do. It is a matter of course that the detected malicious malicious behavior is stored in the database 111.

However, all malicious code from the first malicious suspicious executable file may not be detected in the virtualized environment. In order to prepare for this, the present embodiment may further include a real-time analysis agent. This real-time analysis agent can be represented as shown in FIG.

4 is a diagram illustrating a malicious code detection system in the real time analysis agent view according to an embodiment of the present invention.

Referring to FIG. 4, the malicious code detection system 100 according to an exemplary embodiment of the present invention may include a malicious code management server 110 and a real-time analysis agent 130. At this time, the malicious code management server 110 may include a malicious behavior analysis management module 112.

First, the malicious behavior analysis management module 112 is a module for analyzing actual malicious behavior. The malicious behavior analysis management module 112 extracts a second malicious suspicious execution file that has not detected a malicious malicious behavior from the first malicious suspicious execution file stored in the database 111 have. The extracted second malicious suspicious execution file may be transmitted to the real analysis server 130 to be described later.

Next, in one embodiment, the real-time analysis agent 130 may include at least one real-time agent 131 that executes the second malicious suspicious executable file provided from the malicious behavior analysis management module 112 .

That is, the real-time agent 131 executes the received second malicious suspicious execution file in a real-time environment excluding the virtual environment, and then extracts second application program interface (API) calling information called by the malicious code.

Preferably, the real-time analysis agent 130 can extract the second API call information by monitoring the API information called by the malicious code through API hooking at the user level and / or kernel level. The extracted second API call information may be transmitted to the malicious behavior analysis management module 112.

Accordingly, the malicious behavior analysis management module 112 stores the second API call information received from the real-time agent 131 in the database 111, re-applies the previously stored malicious code rule set to the stored second API call information And detects real-time malicious activity.

At this time, the malicious code ruleset has the same relationship as described above, and a description thereof will be omitted. Of course, the detected real-time malicious activity is stored in the database 111.

As described above, in this embodiment, by extracting all the API call information (e.g., the first API call information and the second API call information) corresponding to the user level and the kernel level in the virtualized environment and / or the real-time environment, It gives the advantage of detecting malicious behavior of code.

<Comparative Example>

FIG. 5 shows an API-based malicious behavior analysis result processed through the existing system and the system (virtualization environment) of the present embodiment, FIG. 6 shows malicious code analysis results processed through the existing system and the system of the present embodiment as an example, 7 shows malicious code processing results processed through the existing system and the system of this embodiment.

In one embodiment, FIG. 5 compares whether malicious code behaviors that were not detected in the existing analysis system through the experiment can be detected in the proposed malicious code detection system 100. FIG.

According to experiments, we actually used malicious code samples that were circulated in 2013, and the malicious code samples inquired about the anti-virus process on the Windows system and forcibly terminated the corresponding anti-virus process.

And, malicious behavior such as downloading the executable file from the web was performed. In the existing analysis system, the action for the termination of the vaccine process was detected, but the action for the vaccine process was not detected.

On the other hand, in the malicious code detection system 100 proposed in one embodiment, in addition to the vaccine process inquiry, detailed malicious actions performed by the malicious code as shown in FIG. 5 can be recognized.

In this experiment, the analysis and detection performance of the existing behavior analysis system and the proposed system (100) are also measured for a plurality of malicious code samples. An example of the analysis result using 110 malicious code samples actually distributed can be shown in FIG.

As shown in FIG. 6, it can be seen that the system 100 of the embodiment detects an action that the existing analysis system can not detect. As a result, as shown in FIG. 7, the system 100 proposed in the embodiment detects 97 out of 110 malicious code samples used in the experiment, and shows that the performance is 88% We could detect malicious code (eg, 7) of malicious code that was not detected by the analysis system.

<Modified Malicious Code Detection / Query Example 1>

FIG. 8 is a diagram illustrating a malicious code variant detection system according to an embodiment of the present invention in more detail.

Referring to FIG. 8, a malicious code variant detection system 1000 according to an embodiment of the present invention includes a similarity analysis system 300 and a malicious code inquiry system 400. The similarity analysis system 300 includes an API And may include a similarity analysis server 310 and a database 320 to detect malicious code based on variant malicious code.

First, the similarity analysis server 310 receives the API call information from the malicious code analysis system 100 and stores the API call information in the database 320. Further, the malicious code analysis system 100 generates a list of malicious codes collecting detected malicious codes.

At this time, the generated malicious code list refers to a malicious code hash list to be subjected to the similarity measurement. The malicious code list may include time information, process information (PID, PPID), API name, parameter 1-8 information, and the like. Such a malicious code list is shown in FIG.

Therefore, the similarity analysis server 310 measures (calculates) the API call similarity between at least two malicious codes using the malicious code hash list of the malicious code list as described above.

At this time, in order to measure the similarity of the API calls between two or more malicious codes, at least two hashes requested for similarity measurement are input, and the API call information is coded to extract the API code sequence. The coded API code sequence is created as a file and stored and managed in the API sequence code folder.

Accordingly, the similarity analysis server 310 can calculate the API call similarity using the extracted API code sequence and the N-gram algorithm. For example, if the extracted API code sequence is accepted as an input value and applied to the N-gram algorithm, the API call similarity can be calculated.

In this case, the applied N-gram algorithm is a probabilistic representation of the appearance frequencies of N adjacent syllables (N-grams) in one string. The subsequences are extracted from the entire sequence, and subsequences having sizes of N Sequences can be extracted.

For example, a size of N = N tokens, and a string of 3-gram sets of "SIGNATURE", such as {"SIGNA", "IGNAT", "GNATU", " NATUR, "ATURE"}, the larger the value of N is, the larger the number of calls can be reflected as the value of N is smaller. However, if N = 1, it is the same as the calculation of the similarity of the general call frequency. In other words, when N is 1, the accumulated number of frequencies for each character in the sequence is the same.

In this way, when the N-gram algorithm is applied, since the call frequency and the frequency of the call sequence can be known according to the size setting of N, it is possible to calculate the API call similarity for at least two malicious code API code sequences. At this time, the degree of similarity may have a value between 0 and 1.

Next, in the present embodiment, the database 320 stores the API call information, the malicious code list, the API code, the API code sequence, and the calculated API call similarity described above. Thus, the variant malicious code is detected by calculating the API call similarity.

On the other hand, in the present embodiment, the malicious code inquiry system 400 may inquire information stored in the database 320, and may perform a combination and calculation of information for identifying the variant malicious code. Such inquiry and output can be realized through a user interface (GUI).

For example, in order to inquire the similarity degree between malicious code A and malicious code B as shown in FIG. 11, "case1. [Lookup] mal1_id (24), mal2_id (11) and case2. [Lookup] mal1_id [24] 67], "it outputs that the malicious codes A and B requested are contained in the same similar group, and malicious codes A and B are included in different groups to output no past similarity calculation result. As described above, the similarity degree inquiry can be realized through the user interface (GUI).

&Lt; Transformation Malicious Code Detection / Query Example 2 >

12 is a diagram illustrating a relationship between a behavior classification system and a similarity analysis system of a malicious code variant detection system and a malicious code inquiry system in more detail according to an embodiment of the present invention.

12, a malicious code variant detection system 1000 according to an embodiment of the present invention includes a behavior classification system 200, a similarity analysis system 300, and a malicious code inquiry system 400, The classification system 200 may include a behavior classification server 210 and a database 220 to detect behavior-based variant malicious codes.

First, the behavior classification server 210 receives malicious code of the malicious code and / or API call information from the malicious code analysis system 100. The behavior classification server 210 generates behavior codes by matching the malicious behavior of the received malicious code with the pre-stored behavior classification rule information.

In this case, the action classification rule information includes an API number for identifying API included in the action rule of the action information, an API number for identifying the API included in the action rule of the action information, A parameter value that is an actual value of an object, a flag that identifies whether an associated API that is called together when the API is invoked, and whether it should be called with the associated API to match the behavior.

Accordingly, it is confirmed that malicious behavior of the received malicious code belongs to the action classification rule, so that matching can be performed to generate action codes. An example of the generated behavior codes as shown in FIG. 13 can be shown.

As shown in FIG. 13, it can be seen that a certain malicious behavior is classified into an action code according to a behavior classification rule. On the other hand, the behavior codes are codes for identifying malicious code-specific behaviors, and a complex malicious behavior can be represented by one bit string. For example, it can be displayed as a bit string '1' when matching behavior and '0' when mismatching.

In this manner, when the behavior code is generated, the behavior classification server 210 can generate an action group in which malicious codes belonging to the same action group are grouped by using the generated action code.

For example, as shown in FIG. 14, the malicious codes assigned with the action codes may generate at least one action group grouped so that the malicious codes are classified into similar malicious codes based on the malicious codes.

At this time, malicious codes having the same behavior code are grouped into one group, and they can be classified into malicious codes having mutually similar actions. Also, the behavior code of one signature is identified as one behavior group, and the total number of behavior codes may have the same state as the number of similar behavior groups.

Thus, due to the generated behavior code and action group, the behavior-based variant malicious code can be easily identified in the present embodiment.

In addition, in one embodiment, the behavior classification server 210 may extract an API sequence using a malicious code list including malicious codes included in the generated action group. At this time, an example of the malicious code list can be represented as shown in FIG. 9 described above. 9, the API call information described in FIG. 1 is also displayed.

The extracted API sequence can be used to generate bit codes for each behavior code. That is, the behavior classification server 210 can generate bit codes (1, 0) for each behavior code by matching the extracted API sequence with the unit behavior in the behavior classification rule information.

As described above, the generated bit code is very useful for inputting a bit code at the time of inquiry in the malicious code variant inquiry system 300 to be described later to confirm various information such as variant malicious codes.

On the other hand, in the present embodiment, the database 220 serves to store behavior codes, action groups, malicious code lists, API sequences and bit codes generated as described above. The stored information may be queried by the malicious code inquiry system 400 to be described later.

Next, in the present embodiment, the similarity analysis system 300 uses the malicious code list that has collected the detected malicious codes in the behavior group generated by the behavior classification server 210 described above, You can measure the similarity of API call to code.

At this time, the malicious code list necessary for measuring the API call similarity is the same as the malicious code list of FIG. 8 described above. However, the present embodiment can measure the similarity of API calls between at least two malicious codes in the same action group related to the behavior classification system 200, but in the malicious code analysis system 100 ), The API call similarity between at least two malicious codes detected by the malicious codes is different.

At this time, in this embodiment, the similarity analysis system 300 can calculate the API call similarity using the N-gram algorithm in addition to the API code sequence. Such calculation has been fully described in FIG. 8, and a description thereof will be omitted. The information calculated or input and output as described above may be stored in the database 320. [

Finally, in this embodiment, the malicious code inquiry system 400 inquires the information stored in the database 320 of the similarity analysis system 300 and the database 220 of the behavior classification system 200, The combination and calculation of the information to identify the code can be performed. Such inquiry and output can be realized through a user interface (GUI). Such inquiry and output can be realized through a user interface (GUI).

For example, as shown in FIG. 15, in order to look up a list of variant malicious codes belonging to a specific group, a group name_id 28, a channel information TYPE 1, a variant judgment result TRUE When an inquiry is made, MAL2_id 11, 52, etc. may be calculated and output as a variant group according to the result of the variant determination.

16, for the variant inquiry for a specific malicious code A, "case1. [Lookup] mal1_id (24), variant judgment result (TRUE) and case2. [Lookup] mal1_id [24] (TRUE), the group type (TYPE1), and the case3. [Inquiry] mal1_id [24], the variant determination result (TRUE), the group type (TYPE2) , Only a list of variants within the same group is output, and a list of variants belonging to different groups can be output.

<Example of malicious activity detection method>

FIG. 17 is a flowchart illustrating an API-based malicious code variant detection and inquiry method according to an embodiment of the present invention. FIG. 18 is a flowchart illustrating a malicious code detection and inquiry method according to an exemplary embodiment of the present invention. Which is a flowchart showing the method in more detail.

Referring to FIG. 17, an action-based malicious code variant detection and inquiry method (S1000) according to an embodiment of the present invention includes extracting API call information and detecting malicious code malicious code in the malicious code analysis system 100 (S100), detecting a malicious code that has been altered by generating an action code and an action group based on the detected malicious action (S200) in the behavior classification system (200), detecting at least two of the API call information and / The above-described malicious code and variant malicious code are searched in the malicious code inquiry system 400 (S400) by obtaining the similarity degree of the API call between the malicious codes and detecting the variant malicious code by the similarity analysis system 300 ).

18, in step S110, the malicious suspicious execution file collected or inputted is stored in step S110, the malicious suspicious execution file is executed, and the first API call information, which is called by the malicious code, And extracting the malicious code on the kernel level in step S120; detecting a malicious malicious behavior by applying a malicious code rule set in advance to the first API call information; and detecting malicious code from a malicious code file And detecting the real-time malicious behavior by extracting second API call information called by the first API call information.

First, in step S110, the malicious code management server 110 collects the analysis target traffic from the network traffic sensor 101 as a target of analysis.

At this time, the network traffic sensor 101 is connected to a network, for example, a wired or wireless network, collects traffic including an executable file of an application program executed in a system running in a Windows environment, extracts analysis target traffic requiring analysis, To the code management server (110).

Accordingly, in step S110, the analysis target traffic is received from the network traffic sensor 101, and the first malicious suspicious execution file and various meta information of the application program included in the analysis target traffic are transmitted to the malicious code management server 110). &Lt; / RTI &gt;

At this time, the executable file of the collected application program is preferably a PE (Portable Executable) file executable in a Windows environment.

However, it may be input, not collection. That is, at step S110, at least one executable file may be manually input and stored in the database 111. [ At this time, it is preferable that the executable file to be input is a PE (Portable Executable) file executable in a Windows environment. However, it is needless to say that the present invention is not limited to the PE (Portable Executable) file described above.

Thereafter, in one embodiment, step S120 may simultaneously activate at least one virtualization agent module 121 using virtualization technology. At this time, the virtualization agent module 121, which is operated in conjunction with the virtualization agent module 121, may refer to a Windows system that is executed in a virtualized environment.

When the virtualization agent module 121 is activated, the first malicious suspicious execution file received from the malicious code management server 110 can be executed in the virtualization agent module 121. As a result of execution, the first application program interface (API) call information called by the malicious code can be extracted.

Conversely, in step S120, the first malicious suspicious execution file received from the malicious code management server 110 is executed using at least one virtualization agent module 121, and then a first API (Application Program) Interface call information can be extracted from the virtualization analysis server 120.

Preferably, API information called by the malicious code is monitored through API hooking at the user level and the kernel level, and the first API call information can be extracted from the virtualization analysis server 120. When the first API call information is extracted, the malicious behavior for the malicious code can be known.

In other words, 'Register at registry execution location', 'Copy file', 'Execute worm process', 'Create log file at C: W', 'Create mutex to prevent duplication' It is possible to know malicious behavior at the same user level and kernel level. The extracted first API call information is transmitted from the virtualization analysis server 120 to the malicious code management server 120.

Thus, since the first API call information is extracted on both the user level and the kernel level, the malicious code behavior analysis can be performed on various APIs.

In this case, the first API call information received from the virtualization analysis agent 120 may be stored in the database 101 of the virtualization analysis server 120.

Thereafter, in order to detect more detailed malicious behavior using the stored first API call information, step S130 is a step of setting malicious code rule sets, which are preset with the first API call information received from the virtualization analysis agent 120, 112) to detect virtual malicious behavior in a virtualized environment.

At this time, the malicious rule set may include hooking filtering. That is, a malicious code rule set including hooking filtering is applied to the first API call information, and when the hooking-filtered first API calling information is compared with a predefined malicious code rule set to confirm the identity, malicious code malicious behavior Can be detected by the analysis management module 112. The detected virtual malicious behavior may be stored in the database 111 of malicious behavior analysis management module 112.

However, it may not be possible to detect all malicious codes from the first malicious suspicious executable in a virtualized environment. In order to prepare for this, in step S130, the second malicious suspicious execution file that has not detected the virtual malicious behavior may be extracted from the first malicious suspicious execution file stored in the database 111. [ The extracted second malicious suspicious execution file is transmitted to the real analysis server 130 to be described later.

In step S140, the second malicious suspicious execution file received from the malicious behavior analysis management module 112 is executed through the real-time agent 131 of the real-time analysis agent 130, and then the malicious code The second API (application program interface) call information to be called by the real time analysis agent 130 is extracted.

Preferably, the second API call information can be extracted from the real-time analysis agent 130 by monitoring API information called by the malicious code through API hooking at the user level and / or the kernel level. The extracted second API call information is transmitted to the malicious behavior analysis management module 112.

Accordingly, in step S140, the second API call information received from the real-time agent 131 is stored in the database 111 of the malicious behavior analysis management module 112, and the stored second API call information is stored in the preset malicious code rule set The malicious behavior analysis module 112 detects the real-time malicious behavior.

At this time, the malicious code ruleset has the same relationship as described above, and a description thereof will be omitted. The detected real-time malicious activity is stored in the database 111. Therefore, the information stored in the database 111 can be usefully used for malicious behavior analysis as needed.

In this way, the present embodiment extracts all the API call information corresponding to the user level and the kernel level in the virtualized environment and / or the real-time environment, thereby detecting more detailed malicious behavior of the malicious code.

Returning to FIG. 17, in step S200 according to the present embodiment, malicious code malicious code and / or API calling information is received from the malicious code analysis system 100 by the malicious code analysis system 100 by the malicious code analysis system 100. The behavior classification server 210 generates behavior codes by matching malicious behavior of the received malicious code with pre-stored behavior classification rule information.

In this case, the action classification rule information includes an API number for identifying API included in the action rule of the action information, an API number for identifying the API included in the action rule of the action information, A parameter value that is an actual value of an object, a flag that identifies whether an associated API that is called together when the API is invoked, and whether it should be called with the associated API to match the behavior.

Accordingly, it is confirmed that malicious behavior of the received malicious code belongs to the action classification rule, so that matching can be performed to generate action codes. An example of the generated behavior codes can be represented as shown in FIG.

As shown in FIG. 13, it can be seen that a certain malicious behavior is classified into an action code according to a behavior classification rule. On the other hand, the behavior codes are codes for identifying malicious code-specific behaviors, and a complex malicious behavior can be represented by one bit string. For example, it can be displayed as a bit string '1' when matching behavior and '0' when mismatching.

If the action code is generated, the action classifying server 210 may generate an action group in which malicious codes belonging to the same action group are grouped using the generated action code in step S200.

For example, as shown in FIG. 14, the malicious codes assigned with the action codes may generate at least one action group grouped so that the malicious codes are classified into similar malicious codes based on the malicious codes.

At this time, malicious codes having the same behavior code are grouped into one group, and they can be classified into malicious codes having mutually similar actions. Also, the behavior code of one signature is identified as one behavior group, and the total number of behavior codes may have the same state as the number of similar behavior groups. In this way, the generated behavior codes and action groups are generated, so that the embodiment can easily detect malicious codes based on the behavior.

Also, in operation S200, the action classification server 210 may extract an API sequence using a malicious code list including malicious codes included in the generated action group. At this time, an example of the malicious code list can be shown as shown in FIG. 9, the API call information described in FIG. 17 is also displayed.

The extracted API sequence can be used to generate bit codes for each behavior code. That is, the behavior classification server 120 can generate bit codes (1, 0) for each behavior code by matching the extracted API sequence with the unit behavior in the behavior classification rule information.

As described above, the generated bit code is very useful for inputting a bit code at the time of inquiry in the malicious code variant inquiry system 300 to be described later to confirm various information such as variant malicious codes.

Thereafter, in this embodiment, step S200 stores the generated behavior code, action group, malicious code list, API sequence and bit code, etc., in the database 220 as described above. The stored information may be queried by the malicious code inquiry system 400 to be described later.

In step S300, the API call information is received from the malicious code analysis system 100 and stored in the database 320 of the similarity analysis server 310. [ Further, the malicious code list that has collected the malicious codes in the malicious code detected by the malicious code analysis system 100 and / or the action group of the behavior classification system 200 is extracted by the similarity analysis server 310.

At this time, the extracted malicious code list refers to the malicious code hash list of the similarity measurement target. The malicious code list may include time information, process information (PID, PPID), API name, parameter 1-8 information, and the like. Such a malicious code list is shown in FIG.

Accordingly, in step S300, the similarity analysis server 310 measures (calculates) the API call similarity between at least two malicious codes using the malicious code hash list of the malicious code list as described above.

At this time, in order to measure the similarity of the API calls between two or more malicious codes, at least two hashes requested for similarity measurement are input and the API call information is coded to extract the API code sequence. The coded API code sequence is created as a file and stored and managed in the API sequence code folder.

Accordingly, in step S300, the similarity analysis server 310 can calculate the API call similarity using the extracted API code sequence and the N-gram algorithm. For example, if the extracted API code sequence is accepted as an input value and applied to the N-gram algorithm, the API call similarity can be calculated.

In this case, the applied N-gram algorithm is a probabilistic representation of the appearance frequencies of N adjacent syllables (N-grams) in one string. The subsequences are extracted from the entire sequence, and subsequences having sizes of N Sequences can be extracted.

For example, a size of N = N tokens, and a string of 3-gram sets of "SIGNATURE", such as {"SIGNA", "IGNAT", "GNATU", " NATUR, "ATURE"}, the larger the value of N is, the larger the number of calls can be reflected as the value of N is smaller. However, if N = 1, it is the same as the calculation of the similarity of the general call frequency. In other words, when N is 1, the accumulated number of frequencies for each character in the sequence is the same.

In this way, when the N-gram algorithm is applied, since the call frequency and the frequency of the call sequence can be known according to the size setting of N, it is possible to calculate the API call similarity for at least two malicious code API code sequences. At this time, the degree of similarity may have a value between 0 and 1.

In this embodiment, the API 320 stores the API call information, the malicious code list, the API code, the API code sequence, and the calculated API call similarity as described above. Thus, the variant malicious code is detected by calculating the API call similarity.

In step S400, the malicious behavior analysis system 100, the behavior classification system 200, the similarity analysis system 300, and the database 110, 210, and 310 of the similarity analysis system 300, A combination and calculation of information for identifying malicious code can be performed. Such inquiry and output can be realized through a user interface (GUI).

For example, in order to inquire the similarity degree between malicious code A and malicious code B as shown in FIG. 11, "case1. [Lookup] mal1_id (24), mal2_id (11) and case2. [Lookup] mal1_id [24] 67], "it outputs that the malicious codes A and B requested are contained in the same similar group, and malicious codes A and B are included in different groups to output no past similarity calculation result.

15, in order to inquire a list of variant malicious codes belonging to a specific group, a query request such as "[inquiry] group1_id (28), channel information (TYPE1), and variant judgment result (TRUE) The MAL2_id 11, 52, etc. may be calculated and output as a variant group according to the result of the variant determination.

16, for the variant inquiry for a specific malicious code A, "case1. [Lookup] mal1_id (24), variant judgment result (TRUE) and case2. [Lookup] mal1_id [24] (TRUE), the group type (TYPE1), and the case3. [Inquiry] mal1_id [24], the variant determination result (TRUE), the group type (TYPE2) , Only a list of variants within the same group is output, and a list of variants belonging to different groups can be output.

As described above, in this embodiment, the malicious codes of variant malicious code and malicious code are advantageously inquired and calculated by the malicious code inquiry system 300 under various conditions.

While the present invention has been particularly shown and described with reference to exemplary embodiments thereof, it is to be understood that the invention is not limited to the exemplary embodiments or constructions. You can understand that you can do it. The embodiments described above are therefore to be considered in all respects as illustrative and not restrictive.

100: malicious code analysis system 101: network traffic sensor
110: malicious code management server 111: database
112: malicious behavior analysis management module 120: virtualization analysis agent
121: virtualization agent module 130: real-time analysis agent
131: Real Time Agent 200: Action Classification System
210: behavior classification server 220: database
300: Similarity analysis system 310: Similarity analysis server
320: Database 400: Malicious Code Lookup System
1000: malware variant detection and retrieval system

Claims (25)

A malicious code analysis system for executing a malicious suspicious execution file to extract application program interface (API) call information called by malicious code and detecting malicious behavior of malicious code using the extracted API call information;
A similarity analysis system for calculating an API call similarity between at least two malicious codes detected using a malicious code list in which the malicious codes are collected; And
And a behavior classification system for generating behavior codes by matching malicious behavior provided from the malicious code analysis system and pre-stored behavior classification rule information and generating behavior groups in which the behavior codes having similar behavior are grouped ,

Wherein the similarity analysis system is configured to classify the API call similarity between at least two malicious codes in the same action group using a set of API call information collected from the API call information extracted from the action group and a malicious code list including the detected malicious code And,

Wherein the similarity analysis system measures the API call similarity by grasping an individual API configuration, an API call order, and a frequency between arbitrary at least two malicious codes included in the malicious code list. Inquiry system. The method according to claim 1,
The malicious code analysis system comprises:
An API based malicious code variant detection and retrieval system for collecting malicious suspicious execution files from network traffic sensors connected to a network. The method according to claim 1,
The malicious code analysis system comprises:
A first database for storing the malicious suspicious execution file, first API call information, and malicious behavior of the malicious code;
Based malicious code variant detection and retrieval system. The method according to claim 1,
The malicious code analysis system comprises:
An API based malicious code variant detection and retrieval system for extracting API call information called by the malicious code through API hooking on a user level and a kernel level. 5. The method of claim 4,
The malicious code analysis system comprises:
And an API based malicious code variant detection and inquiry system for detecting the malicious behavior by applying a malicious code rule set in advance to the API call information. 6. The method of claim 5,
The malicious code analysis system comprises:
An API based malicious code variant detection and retrieval system applying the malicious code ruleset including hooking filtering. The method according to claim 1,
The malicious code analysis system comprises:
Based malicious code variant detection and retrieval system that detects malicious activity including virtualization malicious activity and real time malicious activity. delete 2. The method according to claim 1,
An API number for identifying the API included in the behavior information of the API information and the behavior rule of the behavior information;
A parameter which is an object to be referred to for performing the action;
A parameter value that is an actual value of the object, an associated API that is called together when the corresponding API is called; And
And a flag that identifies whether the action is to be invoked with the association API to match the action. 10. The method of claim 9,
Wherein the behavior classification system comprises:
An API based malicious code variant detection and inquiry system for extracting an API sequence by using a malicious code list including the malicious codes included in the generated action group. 11. The method of claim 10,
Wherein the behavior classification system comprises:
And generating bit code (1, 0) for each of the behavior codes through the coincidence between the extracted API sequence and the unit behavior in the behavior classification rule information. 12. The method of claim 11,
Wherein the behavior classification system comprises:
A second database for storing the behavior code, the action group, the malicious code list, the API sequence and the bit code;
Based malware variant detection and retrieval system. 13. The method according to claim 3 or 12,
A malicious code inquiry system for inquiring information stored in the first and second databases and performing a combination and calculation of the information for verifying the variant malicious code;
Based malicious code variant detection and retrieval system. delete 2. The system according to claim 1,
An API based malicious code variant detection and retrieval system utilizing the above malicious code list including a malicious code hash list. 16. The method of claim 15,
Wherein the similarity analysis system comprises:
And an API code sequence is extracted from the API call information using any two or more hashes included in the malicious code hash list to extract an API code sequence. 17. The method of claim 16,
Wherein the similarity analysis system comprises:
And an API-based malicious code variant detection and inquiry system for measuring the API call similarity using an N-gram in addition to the extracted API code sequence. 18. The method of claim 17,
Wherein the similarity analysis system comprises:
A third database for storing the API call information set, the malicious code list, the API code, the API code sequence, and the API call similarity;
Based malware variant detection and retrieval system. 19. The method of claim 18,
A malicious code inquiry system for inquiring information stored in the third database and performing a combination and calculation of the information for identifying the variant malicious code;
Based malicious code variant detection and retrieval system. (a) extracting, from a malicious code analysis system, application program interface (API) call information called by a malicious code after executing a malicious suspicious execution file;
(b) detecting malicious behavior for the malicious code in the malicious code analysis system using the extracted API call information;
(c) measuring at least two API call similarities among malicious codes in the similarity analysis system using the API call information and a malicious code list gathering the detected malicious codes;
(d) generating behavior codes in the behavior classification system through matching between the detected malicious behavior and pre-stored behavior classification rule information; And
(e) generating a group of malicious codes belonging to the same action group by using the action code in a behavior classification system,
The method of claim 1, wherein the step (c) further comprises: using an API call information set that collects API call information extracted from the action group, and a malicious code list that is a collection of detected malicious codes, Respectively,
Wherein the step (c) comprises the steps of: detecting API-based malicious code variant detection by detecting an API configuration, an API calling sequence, and a frequency between arbitrary at least two malicious codes included in the malicious code list; And lookup method. delete delete 21. The method of claim 20,
The step (c)
An API based malicious code variant detection and retrieval method utilizing the malicious code list including the malicious code hash list. 24. The method of claim 23,
The step (c)
And an API code sequence is extracted from the API call information using any two or more hashes included in the malicious code hash list to extract an API code sequence. 25. The method of claim 24,
The step (c)
And an API-based malicious code variant detection and retrieval method for measuring the API call similarity using an N-gram in addition to the extracted API code sequence.

Images