KR101654973B1 - Apparatus and method for software filtering - Google Patents

Abstract

An apparatus and method for filtering illegal software based on feature information of software are disclosed. The software filtering method includes the steps of extracting first feature information from an installation file of the target software, determining whether information corresponding to the first feature information exists in the feature information DB, And if the corresponding information exists, judging the target software as illegal software. Therefore, since the software can be filtered using the feature information included in the installation file, it is possible to identify and filter a plurality of software in a short time.

Description

[0001] APPARATUS AND METHOD FOR SOFTWARE FILTERING [0002]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a technology for filtering software, and more particularly, to an apparatus and method for filtering illegal software based on feature information of software.

Today, with the development of the Internet and communication network, the distribution and distribution of software has greatly increased. Recently, with the hot air of smartphone, many users have created an environment where they can easily download and use the software through the application market. This change in circumstances has led to a decisive momentum for product selection to move from hardware to software.

However, due to the development of communication such as the Internet, software piracy and plagiarism have soared, which has hampered the development of the software industry.

Piracy of software means copying and distributing certain software as it is, and plagiarism / theft of software means reverse engineering of whole or partial code of software. And the like.

However, one of the conventional software copyright protection technologies is a method of inserting and distributing feature information (watermark, license information, etc.) from a developer, and it is difficult to extract specific information because of different copyright protection applying method for each developer. Can easily be damaged.

On the other hand, most of the software that is distributed (illegally) through the Internet has the behavior of the installation file, but there is not enough technology to filter the software considering this.

In addition, since the types and the number of software are very large, a separate software feature information DB search technique is required for efficient software filtering.

Furthermore, performance evaluation criteria for software filtering systems are needed to prevent low-performance software filtering systems from being developed and operated indiscriminately.

SUMMARY OF THE INVENTION The present invention has been made to solve the above-mentioned problems, and it is an object of the present invention to provide a software filtering apparatus for quickly searching for and blocking illegal software to be uploaded to a web hard.

Another object of the present invention is to provide a software filtering method for quickly searching for and blocking illegal software to be uploaded to a web hard or the like.

According to another aspect of the present invention, there is provided a software filtering method including extracting first feature information from an installation file of a target software, determining whether information corresponding to the first feature information exists in the feature information DB, And judging the target software as illegal software when information corresponding to the first feature information exists in the feature information DB.

Here, the first feature information may include at least one of header information, resource information, file setting information, and icon information included in the installation file.

If the information corresponding to the first feature information does not exist in the feature information DB, it is determined whether the target software is legitimate software based on the distribution information about the target software. If the target software is legitimate software And updating the feature information DB using the feature information of the target software, if it is confirmed.

Extracting second feature information from an executable file of the target software when the target software is not identified as legitimate software; and if the information corresponding to the second feature information exists in the feature information DB, May be judged to be illegal software.

Here, the second characteristic information may be information included in the header of the executable file.

Here, the first specific information and the second characteristic information may be calculated through a hash function and expressed as a hash value.

Extracting third feature information from an executable file of the target software when information corresponding to the second feature information does not exist in the feature information DB; And judging the target software to be illegal software when the calculated similarity degree information is equal to or larger than a predetermined value.

Here, the third characteristic information may be extracted by analyzing a character string and an executable code included in the executable file.

If the similarity information calculated based on the feature information DB and the third feature information is less than a predetermined value, the method may further include determining the target software as legitimate software.

Here, it may further include a step of evaluating performance for software filtering.

Wherein evaluating the performance of the software filtering includes at least one of robustness, consistency, system performance, feature size, and speed for filtering. The performance evaluation can be performed.

According to another aspect of the present invention, there is provided a software filtering apparatus including a feature information DB, a feature information extracting unit for extracting first feature information, second feature information, And a software verification unit for determining whether the target software is illegal software by using the feature information DB, the first feature information, the second feature information, and the third feature information.

Since the software filtering apparatus and method according to the present invention can filter software using feature information included in an installation file, it is possible to identify and filter a plurality of software in a short time.

In addition, through the step-by-step filtering, the illegally distributed software can be correctly recognized and blocked.

Furthermore, by providing evaluation methods and criteria for software filtering, it is possible to prevent a low performance SW filtering system from being developed and operated indiscriminately.

1 is a conceptual diagram illustrating an environment in which a software filtering apparatus according to an embodiment of the present invention is applied.
2 is a conceptual diagram illustrating an operation of a software filtering apparatus according to an embodiment of the present invention.
3 is a flowchart illustrating a software filtering method according to an embodiment of the present invention.

While the invention is susceptible to various modifications and alternative forms, specific embodiments thereof are shown by way of example in the drawings and will herein be described in detail. It should be understood, however, that the invention is not intended to be limited to the particular embodiments, but includes all modifications, equivalents, and alternatives falling within the spirit and scope of the invention. Like reference numerals are used for like elements in describing each drawing.

The terms first, second, A, B, etc. may be used to describe various elements, but the elements should not be limited by the terms. The terms are used only for the purpose of distinguishing one component from another. For example, without departing from the scope of the present invention, the first component may be referred to as a second component, and similarly, the second component may also be referred to as a first component. And / or < / RTI > includes any combination of a plurality of related listed items or any of a plurality of related listed items.

It is to be understood that when an element is referred to as being "connected" or "connected" to another element, it may be directly connected or connected to the other element, . On the other hand, when an element is referred to as being "directly connected" or "directly connected" to another element, it should be understood that there are no other elements in between.

The terminology used in this application is used only to describe a specific embodiment and is not intended to limit the invention. The singular expressions include plural expressions unless the context clearly dictates otherwise. In the present application, the terms "comprises" or "having" and the like are used to specify that there is a feature, a number, a step, an operation, an element, a component or a combination thereof described in the specification, But do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, or combinations thereof.

Unless defined otherwise, all terms used herein, including technical or scientific terms, have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. Terms such as those defined in commonly used dictionaries are to be interpreted as having a meaning consistent with the contextual meaning of the related art and are to be interpreted as either ideal or overly formal in the sense of the present application Do not.

Hereinafter, preferred embodiments according to the present invention will be described in detail with reference to the accompanying drawings.

1 is a conceptual diagram illustrating an environment in which a software filtering apparatus according to an embodiment of the present invention is applied.

First, the distribution of illegal software (SW) means that the SW is distributed through abnormal routes other than the route set by the SW vendor (development and distributor). The illegally circulated SWs are most likely to have full or partial code tampering through reverse engineering to copy the SW as it is, or to use it without a license, and plagiarism / theft ).

According to the embodiment of the present invention, a SW is illegally distributed through SW filtering, and a technique for blocking the dissemination is provided.

Referring to FIG. 1, a plurality of SWs 21, 22, and 23 may be uploaded by a plurality of users on a web hard 10. Here, the web hard 10 is a kind of cloud storage space in which a plurality of users can upload software or contents. The web hard 10 is a concept that includes various online storage spaces to be.

Software (SW) refers to software that can be executed in all system environments such as MS Windows, Linux, Android, Java (JRE) and the installation files are MSI (Microsoft Installer), SFX (Self Extracting Archive) Android Package), Java Archive (JAR), and so on.

The software filtering apparatus 100 according to the embodiment of the present invention detects the illegal copying or plagiarism of the corresponding software in the uploading step for a plurality of target SWs 21, 22, 23 uploaded to the web hard 10 .

For example, the software filtering apparatus 100 may block the uploading of the target software determined to be illegal software.

In addition, the software filtering apparatus 100 according to the embodiment of the present invention includes the target SWs 21, 22, and 23 without requiring sensitive information such as source codes of the target SWs 21, And performs illegal copying or plagiarism detection on the software by using the installation file or executable files in a step-by-step manner.

2 is a conceptual diagram illustrating an operation of a software filtering apparatus according to an embodiment of the present invention.

Referring to FIG. 2, the software filtering apparatus 100 includes a feature information extracting unit 110, a specific information DB, a feature information DB managing unit 122, a software verifying unit 130, (140).

Here, the filtering processing unit 140 may operate within the web hard 10, but the present invention is not limited thereto. That is, the filtering processing unit 140 may allow or block the uploading of software from outside the web hard 10, and manage the uploading of software to the installation file DB 11 existing on the web hard 10 .

In addition, the feature information search server 120 may include a feature information DB 121 and a specific information DB management unit 122.

The operation performed by the software filtering apparatus 100 according to the embodiment of the present invention will now be described.

In order for the software to be uploaded to the web hard 10, the filtering processing unit 140 must pass through the filtering processing unit 140 and the filtering processing unit 140 may allow or block the uploading of the software according to a command of the software checking unit 130.

First, when a user requests uploading of software, the feature information extracting unit 110 may extract feature information on the target software.

The feature information on the SW can be divided into first feature information extracted from the installation file and second and third feature information extracted from the execution file.

The first characteristic information extracted from the installation file may refer to all the unique information constituting the installation file, such as header information, resource, setting file information and icon of the installation file which is a component of the installation file.

For example, in case of MSI, which is an installation file format of MS Windows, Globally Unique IDentifiers (GUIDs) for managing SW packages, the size and hash value of each configuration file, and the like can be used as feature information of the installation file.

Further, in the case of APK, which is an installation and distribution package format of the Android, app authority information and package name can be used as feature information of the installation file.

The second and third feature information extracted from the executable file may mean unique information that can identify the program from the header of the executable file and the information of the executable code.

For example, the second feature information extractable from the header of the executable file may include an address, an offset, a section and a table size of specific information, and the third feature information may include a sequence related to an execution command and a function And frequency, graph information, and the like.

The feature information extracting unit 110 may extract the first feature information, the second feature information, and the third feature information from the target software step by step. For example, the first feature information, the second feature information, and the third feature information may be sequentially extracted and transmitted to the feature information DB management unit 122.

In addition, the feature information extracting unit 110 may extract the feature information of the copyright-protected SW in order to configure the feature information DB 121 for the first time or to update the feature information DB 121 of the specific period.

The feature information DB 121 can store the feature information of the SWs that are subject to copyright protection. For example, the feature information DB 121 may store the feature information of the SWs in the form of a hash value table.

The feature information DB management unit 122 may search the feature information DB 121 for information corresponding to the feature information received from the feature information extraction unit 110 and may transmit the search result to the software verification unit 130. [ Here, the feature information DB management unit 122 may convert the received feature information into a hash value, and perform a search based on the hash value. However, the method of conversion to the hash value will be described in more detail in Fig.

The software verification unit 130 may receive the search result and determine whether the target software is software distributed through a legitimate path. That is, if information corresponding to the feature information transmitted from the feature information extracting unit 110 is searched from the feature information DB 121, the target software can be determined to be illegal software. On the other hand, if the feature information DB 121 can not retrieve information corresponding to the feature information received from the feature information extracting unit 110, the target software can be determined to be legitimate software.

In detail, the software verification unit 130 may determine whether the target software is illegal software by using the feature information DB 121, the first feature information, the second feature information, and the third feature information.

For example, when the information corresponding to the first feature information exists in the feature information DB 121, the software verification unit 130 may determine that the target software is illegal software.

If the information corresponding to the first feature information does not exist in the feature information DB 121, the software verification unit 130 may check whether the target software is legitimate software based on the distribution information about the target software. Here, the dissemination information may include information about the dissemination entity of the software and information about the dissemination path.

If it is determined that the target software is legitimate software, the software verification unit 130 may update the feature information DB 121 using the feature information of the target software. For example, if the target software is legitimate software and the new software is the software, the software verification unit 130 instructs the feature information DB management unit 122 to register feature information of the software in the feature information DB in the form of a hash value can do.

The software verification unit 130 receives a search result informing whether or not information corresponding to the feature information of the target software exists in the feature information DB 121 from the feature information DB 121, Or the permission command to the filtering processing unit 140. [

Accordingly, the software filtering apparatus 100 according to the embodiment of the present invention extracts feature information from the target software step by step, and searches for information corresponding to the extracted feature information in the feature information DB 121 based on the hash value Illegal software can be identified, and the illegal software identified can be prevented from being uploaded to the web hard 10 or the like.

Although the configuration of the software filtering apparatus 100 according to the embodiment of the present invention has been described above for the sake of convenience, at least two of the configuration units may be combined to form one configuration unit, It is to be understood that the invention is not limited to the disclosed embodiments, but may be embodied in many other specific forms without departing from the spirit or essential characteristics thereof.

In addition, the operation of the software filtering apparatus 100 according to the embodiment of the present invention can be implemented as a computer-readable program or code on a computer-readable recording medium. A computer-readable recording medium includes all kinds of recording apparatuses in which data that can be read by a computer system is stored. The computer-readable recording medium may also be distributed and distributed in a networked computer system so that a computer-readable program or code can be stored and executed in a distributed manner.

3 is a flowchart illustrating a software filtering method according to an embodiment of the present invention.

Referring to FIG. 3, a software filtering method performed step by step according to an embodiment of the present invention will be described. The software filtering method may be performed by the software filtering apparatus 100 shown in Fig.

To filter software based on executables, additional steps are required to extract the executable from the installation file. In the case of based on executable files, the executable code of each of the comparison target software is analyzed to extract the feature information, and the similarity between them is compared. However, since this process has a very high overhead, it is not suitable for filtering where fast processing speed is important.

In particular, the source-code-based similarity comparison technique is unsuitable for a large number of SW filters to be identified in a short time because of feature information analysis and extraction, feature information size, and comparison overhead.

Furthermore, since most of the SWs that are distributed (illegally) through the Internet are not the source code and executable files but the installation files, it is effective to use the feature information included in the installation file to filter the software.

In addition, since the types and the number of SWs are very large, it is necessary to quickly search for feature information for effective SW filtering.

Accordingly, a software filtering method according to an embodiment of the present invention proposes a step-by-step software filtering method in which feature information at an installation file level is used together with feature information that can be easily extracted from an executable file.

However, according to the embodiment of the present invention, the three-step filtering using three feature information is explained, but the filtering step can be reduced or enlarged according to the format of the installation file and the executable file of each SW.

Stage 1

In the first step, filtering is performed using feature information that is easy to extract but low in robustness.

More specifically, the first feature information is extracted from the installation file of the target software (S310), and it is determined whether information corresponding to the first feature information exists in the feature information DB 121 (S311). If information corresponding to the first feature information exists in the feature information DB 121, the target software may be determined to be illegal software (S360). Here, the first feature information may include at least one of header information, resource information, file setting information, and icon information included in the installation file, and may be calculated using a hash function and hash value Can be expressed.

If information corresponding to the first feature information does not exist in the feature information DB 121, it can be determined whether the target software is legitimate software based on the distribution information about the target software (S312).

If it is determined that the target software is legitimate software, the feature information DB 121 may be updated using the feature information of the target software (S340, S341). More specifically, it is possible to determine whether to register the target software with the new SW (S340), and update the feature information DB 121 according to the determination result (S341). If it is determined that the target software is legitimate software, the target software may be determined to be legitimate software and allowed to be uploaded to the web hard 10 or the like (S350).

For example, if information corresponding to the first feature information does not exist in the feature information DB 121, it can be confirmed that the new SW is copyright-protected by uploading the SW and checking the distributor. In addition, when the new SW is confirmed, feature information extraction and hash value calculation from the new SW can be performed and it can be added to the feature information DB 121. Furthermore, if it is determined whether suspected illegal SW distribution is suspected based on the name of the installation file and the file size, and if there is a suspicion, the following two and three-step filtering can be additionally performed.

Step 2

In the second step, the executable file is extracted from the installation file, and the feature information (second characteristic information) is extracted from the header of the executable file (S320). That is, since the second feature information at the executable file header level has to extract the executable file from the install file, the extraction overhead is larger, but is more difficult to be modulated compared with the first feature information.

Next, it is determined whether information corresponding to the second characteristic information exists in the characteristic information DB 121 (S321). If it is determined that information corresponding to the second feature information exists in the feature information DB 121, the target software may be determined to be illegal software (S360).

If it is determined that information corresponding to the second feature information does not exist in the feature information DB 121, the following three steps can be performed.

Step 3

In step 3, the character string included in the executable file and the executable code may be analyzed to extract the third characteristic information (S330). The third feature information is larger than the first and second feature information, but has a large extraction overhead, but is more difficult to be modulated.

It is also possible to determine whether the similarity information calculated based on the characteristic information DB 121 and the third characteristic information is equal to or greater than a preset value (S331). If the similarity information is equal to or larger than a preset value, (S360). On the other hand, if the similarity degree information is less than a preset value, the target software can be judged as legitimate software (S350). That is, even if the SW is modulated to bypass the software filtering method through the third step, the bypass can be blocked.

For example, the similarity information may have a value between 0 and 1. If the similarity information is 0, the SW is completely different, and when the similarity information is 1, the SW is completely the same. Therefore, the preset value can be set to a value between 0 and 1.

Hereinafter, the information used for the stepwise SW filtering will be described as an example.

1. Filtering SWs that are distributed in the MS Windows installation file format

(1) Step 1: Use GUIDs in the MSI file, the installation file format of MS Windows. GUIDs have upgrade code, product code, and package code. Upgrade code can be used to filter based on SW product type because same value is same between different versions of same SW. The product code is the same when the major version is different, but the value is different, and the Minor version is different. Since the package code has different values for each version, it is possible to filter version level of SW using Product code and Package code. That is, even if the same SW is used, the licenses may be different for each version.

(2) Step 2: Four pieces of information, such as AddressOfEntryPoint, SizeofInitializedData, SizeOfCode, and DataDirectory [2] .Size, among the information included in the header of a portable executable (PE), which is an executable file format of MS Windows, have. The meaning of each feature information is as follows. It is important information that the executable file is loaded into memory and executed. Therefore, in order to bypass the filtering system, modulating the following information makes it difficult to modulate easily because the program execution may not be possible.

- AddressOfEntryPoint: the entry point address of the executable file

- SizeofInitializedData: Size of initialized data section

- SizeOfCode: total size of executable code

- DataDirectory [2] .Size: Size of resource table

(3) Step 3: Extractable feature information through analysis of executable code (.text section) of MS Windows executable file or a string included in the executable file can be used as the third feature information. Feature information that can be extracted through analysis of executable code is composed of sequence and frequency based feature information of command and API (Application Platform Interface), call graph between functions, control Flow graph-based feature information, memory usage pattern-based feature information, and the like. The strings included in the executable file are string constants of the source code and the strings added at the compilation step, and are very useful feature information because they can reflect the characteristics of the source code well. Also, since these feature information is related to the function of the program, it is difficult to modulate and therefore reliability and robustness are high.

2. Filtering for Android apps (SW)

(1) Step 1: Extractable feature information can be used from the components other than the classes.dex (Dex format), which is an executable file of the APK file, which is an installation file format of the Android.

In particular, the AndroidManifest.xml file is easy to analyze and extract in the form of xml, and the included information is suitable as the first feature information because it is characteristic information of each app. In addition, package name, app name, app version, compatible SDK version information, and authority information can be applied in the first step. Further, the manifest.mf file stores the SHA1 hash value of all the components including the APK, which is also suitable as the first feature information. In other words, it is possible to distinguish between versions of an app, which is very effective for filtering.

(2) Step 2: Extractable feature information can be used from classes.dex file which is executable file (bytecode) of Android app. For example, method lists, class member variables, and so on can be used. The method list is related to the functionality of the app, and the class member variables are related to the implementation of each class, making it difficult to modulate. Therefore, if you are based on this feature information, it is difficult to bypass filtering.

The first feature information and the second feature information according to an embodiment of the present invention may be calculated through a hash function and expressed as a hash value. Therefore, the feature information can be quickly retrieved based on the hash table in the feature information DB 121. [

That is, the retrieval of feature information can be based on a hash table for fast and efficient retrieval. The search based on the hash table is very fast because the hash value is calculated from the feature information and used as the index of the hash table included in the feature information DB 121. The feature information DB 121 can store not only a hash table using an hash value as an index, but also additional information such as a name of a respective SW and a file size.

An index calculation process based on a hash value will be described as an example.

(1) Feature information extracted from software A can be assumed as follows.

Feature information 1: 002205fc, Feature information 2: 002df890, Feature information 3: 00011b64, Feature information 4: 002de8c0

(2) The hexadecimal numbers a through f are converted into decimal numbers, such as 0-> 16, a-> 10, b-> 11, c-> 12, d-> . ≪ / RTI > (0 is converted to 16 because there is a possibility of 0 division in the operation)

16 16 2 2 16 5 15 12 (feature information 1), 16 16 2 13 15 8 9 0 (feature information 2), 0 0 0 1 1 11 6 4 (feature information 3), 0 0 2 13 14 8 12 0 (feature information 4) can be calculated

(3) Sum the 8 digit values calculated as a result of (2) above.

(Eg 16 16 2 2 16 5 15 12 -> 16 + 16 + 2 + 2 + 16 + 5 + 15 + 12 = 84)

The results of performing these calculations are shown as 84 (feature information 1), 79 (feature information 2), 23 (feature information 3), and 49 (feature information 4).

(4) To limit the range of the index value, the remaining values except for one of the calculation results of (3) are multiplied, and the result is divided into one value excluding the multiplication result, and one Value.

As a result of this calculation, (84 x 79 x 23) / 49 = 3114 is calculated.

(5) You can use the remaining value (hash value) divided by the table size by the MOD (residual value) operation as an index.

That is, as a result of such an operation, it can be inserted into the 296 => 296th table.

Furthermore, it is necessary to evaluate the performance of SW filtering in order to prevent undesirable development and operation of a low-performance SW filtering system.

Performance evaluation criteria for SW filtering Related terms and concept definitions are as follows.

- Deformation SW: This is a SW that intentionally deforms (modulates) the normal SW to evaluate the performance of the filtering system. It is mainly used for robustness evaluation.

- Original SW: means normal SW before deformation of the deformation SW.

- Recognition: The feature information extracted from the transformed SW is the result of finding the feature information of the original SW accurately.

- Crash: The feature information extracted from the transformed SW represents the information of the original SW which is not accurate, and indicates the case where information of other SW is searched.

- Non-recognition: Information indicating that the feature information extracted from the transform SW does not find the feature information of the original SW.

Robustness: Indicates the degree to which the modified SW recognizes the original SW.

- Consistency: indicates the degree of consistency in repeated feature information extraction and recognition.

- System performance: It shows the usage rate of system resources used for extracting feature information and returning recognition result.

- Feature Size: It shows the size of feature information extracted from original SW.

- Extraction and Search Comparison Speed (Search Speed): It represents feature information extraction of modified SW and search / comparison time of original SW feature information DB 121.

A detailed evaluation method for evaluating the performance of the software filtering method based on the above-mentioned terms and concept definitions will be described as follows.

(1) Evaluation method for robustness

After extracting the feature information from the modified SW using the test PC, the recognition result information is received from the feature information DB 121 in accordance with the feature information extracted from the modified SW. The recognition result, the non-recognition, and the misrecognition can be calculated by analyzing the received result.

An example of the transformation items of the transform SW in the Android app is shown in Table 1 below.

division Variant Toughness Adding a class Add command / string Add AndroidManifest.xml permission Simple repackaging Change app extension to ZIP Change resource

(2) Evaluation method for consistency

10 arbitrary original SWs are selected, and the feature information is extracted 30 times. The binary data comparison is performed to confirm whether or not the extracted feature information is the same. Each of the deformation SWs of recognition, false recognition, and non-recognition is arbitrarily selected for each of 10 pieces, and the result of repeatedly recognizing 30 times can be received from the feature information DB 121 server.

(3) Evaluation method of system utilization rate

When the feature information extraction and robustness evaluation of the original SW are performed, the result of analyzing the result is stored by the average value of the CPU and memory used for the feature information extraction and the recognition result reply in the modified SW in 5 second units. Standard evaluation tools, basic programs necessary for the OS, and the like.

(4) Evaluation method for characteristic information amount

The feature information file extracted from the original and modified SW is divided by the total size of the original and the modulation SW.

(5) extraction and search / comparison speed

The characteristic information of the transformed SW is extracted from information generated when the robustness evaluation is performed, and the transformed SW feature information extraction and search / comparison time required to return the result of recognition or not is measured in the feature information DB 121.

Since the software filtering apparatus and method according to the embodiment of the present invention can filter the software using the feature information included in the installation file, it is possible to identify and filter a plurality of software in a short time.

In addition, through the step-by-step filtering, the illegally distributed software can be correctly recognized and blocked.

Furthermore, by providing evaluation methods and criteria for software filtering, it is possible to prevent a low performance SW filtering system from being developed and operated indiscriminately.

It will be apparent to those skilled in the art that various modifications and variations can be made in the present invention without departing from the spirit or scope of the present invention as defined by the following claims It can be understood that

10: WebHard 11: Setup File DB
21: SW # 1 22: SW # 2
23: SW # N 100: Software filtering device
110: feature information extraction unit 120: feature information search server
121: feature information DB 122: feature information DB management unit
130: software verification unit 140: filtering processing unit

Claims (17)

A method performed by a software filtering device,
Extracting first feature information from an installation file of the target software;
Determining whether information corresponding to the first feature information exists in the feature information DB; And
If the information corresponding to the first feature information exists in the feature information DB, the target software is determined to be illegal software
If there is no information corresponding to the first feature information in the feature information DB,
Determining whether the target software is legitimate software based on the distribution information for the target software;
Software filtering method. The method according to claim 1,
Wherein the first feature information comprises:
And at least one of header information, resource information, file setting information, and icon information included in the installation file.
Software filtering method. The method according to claim 1,
And updating the feature information DB using the feature information of the target software when the target software is determined to be legitimate software.
Software filtering method. The method according to claim 1,
If the target software is not identified as legitimate software,
Extracting second characteristic information from an executable file of the target software; And
If there is information corresponding to the second feature information in the feature information DB,
Determining that the target software is illegal software;
Software filtering method. The method of claim 4,
Wherein the second feature information comprises:
And the information included in the header of the executable file.
Software filtering method. The method of claim 4,
Wherein the first feature information and the second feature information include at least one of:
Is calculated through a hash function and expressed as a hash value.
Software filtering method. The method of claim 4,
If there is no information corresponding to the second feature information in the feature information DB,
Extracting third feature information from an executable file of the target software; And
And judging the target software as illegal software when the similarity information calculated based on the characteristic information DB and the third characteristic information is equal to or larger than a preset value.
Software filtering method. The method of claim 7,
Wherein the third feature information comprises:
And extracts a character string and an execution code included in the executable file,
Software filtering method. The method of claim 7,
If the similarity information calculated based on the feature information DB and the third feature information is less than a predetermined value,
Further comprising the step of determining that the target software is legitimate software,
Software filtering method. The method according to claim 1,
Further comprising evaluating performance against software filtering. ≪ RTI ID = 0.0 >
Software filtering method. The method of claim 10,
Wherein evaluating performance for the software filtering comprises:
Wherein the performance evaluation is performed by calculating at least one of robustness, consistency, system performance, feature size, and speed for filtering.
Software filtering method. Feature information DB;
A feature information extracting unit for extracting the first feature information, the second feature information, and the third feature information from the target software step by step;
Determining whether the target software is illegal software by using the feature information DB, the first feature information, the second feature information, and the third feature information,
If there is no information corresponding to the first feature information in the feature information DB,
And a software verification unit for verifying that the target software is legitimate software, based on distribution information about the target software.
Software filtering device. The method of claim 12,
Further comprising a filtering processing unit for filtering the target software determined to be illegal software by the software checking unit,
Software filtering device. The method of claim 12,
Further comprising a feature information DB management unit for extracting information corresponding to at least one of the first feature information, the second feature information, and the third feature information from the feature information DB and transmitting the extracted information to the software confirmation unit ,
Software filtering device. 15. The method of claim 14,
The feature information DB management unit,
If the target software is new software,
And the feature information DB is updated using the feature information of the target software.
Software filtering device. The method of claim 12,
Wherein the first feature information includes at least one of header information, resource information, file setting information, and icon information included in an installation file of the target software,
Wherein the second characteristic information is information included in a header of an executable file of the target software,
Wherein the third feature information comprises:
And extracting a character string and an executable code included in the executable file of the target software.
Software filtering device. 18. The method of claim 16,
Wherein the first feature information and the second feature information include at least one of:
Is calculated through a hash function and expressed as a hash value.
Software filtering device.

Images