KR101717941B1 - Method for malicious file diagnosis device and apparatus applied to the same - Google Patents


Info

Publication number
KR101717941B1
Authority
KR
South Korea
Prior art keywords
file
diagnostic
area
buffer
malicious code
Prior art date
Application number
KR1020150130900A
Other languages
Korean (ko)
Inventor
김건우
Original Assignee
주식회사 안랩
Application filed by 주식회사 안랩
Priority to KR1020150130900A
Application granted
Publication of KR101717941B1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection
    • G06F21/563 Static detection by source code analysis

Abstract

The present invention relates to a malicious code diagnosis method and an apparatus applied to it. A diagnostic value is extracted from each file area of the diagnosis target file while the file passes through a buffer in the form of a data stream, and malicious code is diagnosed on the basis of the extracted diagnostic value, so that malicious code contained in the diagnosis target file can be diagnosed quickly and efficiently using only a minimum amount of resources. In addition, because the malicious code is diagnosed by searching the diagnosis rules of the existing file-based anti-virus engine with the diagnostic value extracted from the file area, the response to malicious code is unified, the diagnosis result is reliable, and variants can also be diagnosed, which ensures a high diagnosis rate.

Description

METHOD FOR MALICIOUS FILE DIAGNOSIS DEVICE AND APPARATUS APPLIED TO THE SAME

The present invention relates to a method for quickly and efficiently diagnosing malicious code that can be included in a diagnostic file having a data stream form.

In an existing method of diagnosing malicious code, such as a virus or a worm, that may be contained in a diagnosis target file transmitted over a network in the form of a data stream, the entire file area of the diagnosis target file is recorded in a space such as a hard disk to create a temporary file, and the temporary file is then diagnosed using a file-based anti-virus engine.

This method has the advantage that the file-based anti-virus engine can be used as it is. However, because the entire file area must be recorded, it consumes a large amount of disk space, and the file input/output (I/O) operations against that space can degrade the performance of the equipment.

Another method of diagnosing malicious code in a diagnosis target file in the form of a data stream is to calculate a hash value of the entire file, without generating a temporary file, and to diagnose using that value.

This method has the merit that diagnosis is fast because no temporary file is generated, but it cannot diagnose variants and cannot make use of the existing file-based anti-virus engine.

A new method is therefore required that can diagnose malicious code with an existing file-based anti-virus engine even when the entire file area of a diagnosis target file in the form of a data stream is not recorded.

It is an object of the present invention to enable diagnosis of malicious code using a file-based anti-virus engine even when the entire file area of a diagnosis target file in the form of a data stream is not recorded.

According to a first aspect of the present invention, there is provided a malicious code diagnosis apparatus for diagnosing malicious code in a diagnosis target file whose plurality of file areas pass through a buffer in the form of a data stream, the apparatus comprising: a confirmation unit for checking whether a reserved area, which is a file area to be read in order to extract a diagnostic value, has been input to the buffer; an extraction unit for extracting the diagnostic value by reading the file contents of the reserved area input to the buffer when it is confirmed that the reserved area has been input; and a diagnosis unit for diagnosing, on the basis of the diagnostic value, whether malicious code is contained in the diagnosis target file.

More specifically, the reserved area includes a basic reserved area, which is a file area defined in the header area of the diagnosis target file, and an additional reserved area, which is a file area that has not yet been input to the buffer and whose diagnostic value is found to be required while the file contents of the basic reserved area are being read.

More specifically, when the header area of the diagnosis target file is input to the buffer, the extraction unit reserves the file area defined in the header area as the basic reserved area, and when, while reading the file contents of the basic reserved area, extraction of a diagnostic value is requested for a file area that has not been input to the buffer, it reserves that file area as the additional reserved area.

More specifically, the reserved area is output from the buffer by a file area newly input to the buffer after the point in time at which the reserved area was input, and the extraction unit extracts the diagnostic value by reading the file contents of the reserved area before it is output from the buffer.

More specifically, when extraction of the diagnostic value is not completed before the reserved area is output from the buffer, the reserved area is stored in a cache separate from the buffer, and after the reserved area has been output from the buffer the extraction unit extracts the diagnostic value by reading the file contents of the reserved area stored in the cache.

More specifically, the diagnosis unit searches for a diagnosis rule that refers to the specific diagnostic value extracted by the extraction unit, and when the diagnosis rule also refers to a plurality of other diagnostic values, it diagnoses that malicious code is contained in the diagnosis target file only when it confirms that extraction of the other diagnostic values is complete and that the specific diagnostic value and the plurality of other diagnostic values agree with the diagnostic information defined in the diagnosis rule.

According to a second aspect of the present invention, there is provided an operation method of a malicious code diagnosis apparatus, the method comprising: a checking step of checking whether a reserved area, which is a file area to be read in order to extract a diagnostic value, has been input to the buffer; an extraction step of extracting the diagnostic value by reading the file contents of the reserved area input to the buffer when it is confirmed that the reserved area has been input; and a diagnosis step of diagnosing, on the basis of the diagnostic value, whether malicious code is contained in the diagnosis target file.

More specifically, the reserved area includes a basic reserved area, which is a file area defined in the header area of the diagnosis target file, and an additional reserved area, which is a file area that has not yet been input to the buffer and whose diagnostic value is found to be required while the file contents of the basic reserved area are being read.

More specifically, in the extraction step, when the header area of the diagnosis target file is input to the buffer, the file area defined in the header area is reserved as the basic reserved area, and when, while the file contents of the basic reserved area are read, extraction of a diagnostic value is requested for a file area that has not been input to the buffer, that file area is reserved as the additional reserved area.

More specifically, the reserved area is output from the buffer by a file area newly input to the buffer after the point in time at which the reserved area was input, and the extraction step extracts the diagnostic value by reading the file contents of the reserved area before it is output from the buffer.

More specifically, when extraction of the diagnostic value is not completed before the reserved area is output from the buffer, the reserved area is stored in a cache separate from the buffer, and after the reserved area has been output from the buffer the extraction step extracts the diagnostic value by reading the file contents of the reserved area stored in the cache.

More specifically, in the diagnosis step, a diagnosis rule referring to the specific diagnostic value extracted in the extraction step is searched for, and when the diagnosis rule also refers to a plurality of other diagnostic values, it is diagnosed that malicious code is contained in the diagnosis target file only when it is confirmed that extraction of the other diagnostic values is complete and that the specific diagnostic value and the plurality of other diagnostic values are identical to the diagnostic information defined in the diagnosis rule.

According to the malicious code diagnosis method and apparatus of the present invention, a diagnostic value is extracted from each file area of the diagnosis target file while the file passes through the buffer in the form of a data stream, and malicious code is diagnosed on the basis of the extracted diagnostic value, so that malicious code contained in the diagnosis target file can be diagnosed quickly and efficiently even when the entire contents of the diagnosis target file are not recorded.

In addition, because the malicious code is diagnosed by searching the diagnosis rules of the existing file-based anti-virus engine with the diagnostic value extracted from the file area, the response to malicious code is unified, the diagnosis result is reliable, and variants can also be diagnosed, which ensures a high diagnosis rate.

FIG. 1 is an exemplary diagram illustrating the configuration of a diagnostic system including a malicious code diagnosis apparatus according to an embodiment of the present invention.
FIG. 2 is an exemplary diagram illustrating the configuration of a malicious code diagnosis apparatus according to an embodiment of the present invention.
FIG. 3 is an exemplary view showing a container-PE file to be diagnosed in the present invention.
FIG. 4 is a flowchart illustrating an operation method of a malicious code diagnosis apparatus according to an embodiment of the present invention.

While the invention is susceptible to various modifications and alternative forms, specific embodiments thereof are shown by way of example in the drawings and will herein be described in detail. It is to be understood, however, that the invention is not to be limited to the specific embodiments, but includes all modifications, equivalents, and alternatives falling within the spirit and scope of the invention. Like reference numerals are used for like elements in describing each drawing.

It is to be understood that when an element is referred to as being "connected" or "coupled" to another element, it may be directly connected or coupled to the other element, or other elements may be present in between. On the other hand, when an element is referred to as being "directly connected" or "directly coupled" to another element, it should be understood that there are no other elements in between.

The terminology used in this application is used only to describe specific embodiments and is not intended to limit the invention. Singular expressions include plural expressions unless the context clearly dictates otherwise. In the present application, terms such as "comprises" or "having" are used to specify that a feature, number, step, operation, element, component or combination thereof described in the specification is present, but do not preclude the presence or addition of one or more other features, numbers, steps, operations, elements, components or combinations thereof.

Unless defined otherwise, all terms used herein, including technical or scientific terms, have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. Terms such as those defined in commonly used dictionaries are to be interpreted as having a meaning consistent with their meaning in the context of the related art, and are not to be interpreted in an idealized or overly formal sense unless expressly so defined in the present application.

Hereinafter, an embodiment of the present invention will be described with reference to the accompanying drawings.

FIG. 1 is a diagram illustrating an example of a diagnostic system according to an embodiment of the present invention.

Referring to FIG. 1, the diagnostic system according to an embodiment of the present invention includes a client terminal 100 and a server 200, which transmit and receive a diagnosis target file in the form of a data stream with each other, and a malicious code diagnosis apparatus 300 for diagnosing malicious code in that file.

Here, the malicious code diagnosis apparatus 300 refers to a device for diagnosing malicious code in a diagnosis target file transmitted and received between the client terminal 100 and the server 200.

The malicious code diagnosis apparatus 300 may be installed in the client terminal 100 or in the server 200 in the form of an engine or an application for malicious file diagnosis, for example.

In an embodiment of the present invention, it is assumed that the malicious code diagnosis apparatus 300 is installed in the client terminal 100.

In this regard, the client terminal 100 refers to a device for downloading a diagnostic object file in the form of a data stream from the server 200, or uploading a diagnostic object file to the server 200.

For example, the client terminal 100 may be a network device such as an Intrusion Prevention System (IPS), or a personal device such as a PC, a notebook, a smartphone, a tablet PC or a PDA; any device capable of downloading or uploading a diagnosis target file may be included.

Here, the file to be diagnosed refers to a file that can be transmitted and received in the form of a data stream; moving images, images, text and the like are all applicable.

Meanwhile, according to an embodiment of the present invention, the malicious code diagnostic apparatus 300 diagnoses malicious code that can be included in the diagnostic object file in the form of a data stream.

In order to diagnose malicious code in a diagnosis target file in the form of a data stream, as described in the prior art, either a temporary file must be created by recording the entire file area of the diagnosis target file in a space such as a hard disk, or a hash value of the entire file must be calculated.

In the first case, the temporary file is diagnosed using a file-based anti-virus engine. This has the advantage that the file-based anti-virus engine can be used as it is, but because the entire file area must be recorded it consumes a large amount of disk space, and the file input/output (I/O) operations performed on that disk space during malicious code diagnosis may degrade performance.

In the second case, diagnosis is performed using only the calculated hash value of the entire file. This has the advantage that malicious code can be diagnosed even though the entire file area of the diagnosis target file is not recorded, but the disadvantage that the existing file-based anti-virus engine cannot be used.

As a result, in a situation where malicious code is spreading rapidly, there is a growing need to block malicious code transmitted over a network in advance, at a network device or a server. Because of the problems of the related art, however, high-specification equipment and a large amount of resources are in practice required to handle the full volume of traffic.

Thus, according to an embodiment of the present invention, a method is proposed for diagnosing malicious code using an existing file-based anti-virus engine even without recording the entire file area of a diagnosis target file in the form of a data stream. Hereinafter, the configuration of the malicious code diagnosis apparatus 300 that implements this method will be described in detail.

FIG. 2 is a diagram showing the schematic configuration of a malicious code diagnosis apparatus 300 according to an embodiment of the present invention.

Referring to FIG. 2, the malicious code diagnosis apparatus 300 according to an embodiment of the present invention may include a confirmation unit 310 for confirming whether a reserved area, which is at least a part of the plurality of file areas in a diagnosis target file in the form of a data stream, has been input to the buffer 350; an extraction unit 320 for extracting a diagnostic value by reading the file contents of the reserved area input to the buffer 350; and a diagnosis unit 330 for diagnosing, on the basis of the extracted diagnostic value, whether malicious code is contained in the diagnosis target file.

In addition, the malicious code diagnosis apparatus 300 according to an embodiment of the present invention may further include a virtualization processing unit 340 that performs virtualization processing (virtual file I/O) on the file contents of the reserved area input to the buffer 350, the buffer 350 through which the plurality of file areas in the diagnosis target file pass, and a cache 360 in which a reserved area output from the buffer 350 is selectively stored.

The plurality of file areas in the diagnosis target file are sequentially input to the buffer 350. A file area input to the buffer 350 is pushed out (output) of the buffer by the file areas input after it.

The size of the file area that can exist in the buffer 350 at one time may vary with the configured buffer size, and the buffer size may of course be set according to the size of the diagnosis target file or of each file area in it.

All or part of the configuration of the malicious code diagnosis apparatus 300, including the confirmation unit 310, the extraction unit 320, the diagnosis unit 330, the virtualization processing unit 340, the buffer 350 and the cache 360, may be implemented in the form of a software module driven by an engine or application installed in the client terminal 100.

As a result, the malicious code diagnosis apparatus 300 according to an embodiment of the present invention can diagnose malicious code using an existing file-based anti-virus engine even without recording the entire file area of a diagnosis target file in the form of a data stream. In the following description, each component of the malicious code diagnosis apparatus 300 is described in detail.

The confirmation unit 310 performs the function of confirming whether a reserved area among the plurality of file areas in the diagnosis target file in the form of a data stream has been input to the buffer 350.

More specifically, the confirmation unit 310 checks whether a reserved area, which is a file area reserved for malicious code diagnosis among the plurality of file areas in the diagnosis target file, has been input to the buffer 350.

In this case, when it is confirmed that the reserved area has been input to the buffer 350, the confirmation unit 310 sends a notification (e.g., a callback) of the confirmed input to the extraction unit 320, so that the diagnostic value can be extracted from the file contents of the reserved area.

Meanwhile, in order to confirm the reserved area input to the buffer 350, a process of reserving at least some file areas related to malicious code diagnosis among a plurality of file areas in the diagnosis target file as a reserved area must be preceded.

Here, the reserved area includes the basic reserved area, which is a file area defined in the header area of the diagnosis target file, and the additional reserved area, which is a file area found to be additionally required for diagnostic value extraction while the file contents of the basic reserved area are read, and which has not yet been input to the buffer 350; both are reserved by the extraction unit 320.

When the header area of the diagnosis target file is input to the buffer 350 and the confirmation notification is received from the confirmation unit 310, the extraction unit 320 extracts the file contents of the header area input to the buffer 350 as a virtual file through the virtualization processing unit 340, analyzes the extracted file contents, and reserves the file area defined in the header area as the basic reserved area in connection with malicious code diagnosis.

If a file area for which diagnostic value extraction is additionally required is identified in the process of extracting a diagnostic value from the file contents of the basic reservation area, the extracting unit 320 reserves the file area as an additional reservation area.

The reservation of the additional reserved area may be performed by the virtualization processing unit 340, which the extraction unit 320 requests to extract the file contents of the additional reserved area.

That is, the extraction unit 320 requests the virtualization processing unit 340 to extract the file contents of the additional file area, and the virtualization processing unit 340 can reserve the requested file area as the additional reserved area if it has not yet been input to the buffer 350.

When it is confirmed that the basic reserved area or the additional reserved area reserved by the extraction unit 320 has been input to the buffer 350, the confirmation unit 310 sends a notification to the extraction unit 320, so that the extraction unit 320 can analyze the file contents of the basic reserved area or the additional reserved area and extract the diagnostic values required for malicious code diagnosis.

The reservation and confirmation of a reserved area will be described with reference to FIG. 3.

FIG. 3 is a diagram for explaining the reservation and confirmation of a reserved area in the malicious code diagnosis apparatus 300 according to an embodiment of the present invention.

As shown in FIG. 3 (S-1), when the header area of the diagnosis target file is input to the buffer 350, the confirmation unit 310 confirms that the header area has been input to the buffer 350 and delivers a notification to the extraction unit 320.

The extraction unit 320 extracts the file contents of the header area input to the buffer 350 as a virtual file through the virtualization processing unit 340, and through analysis of the extracted contents reserves the file area defined in the header area as the basic reserved area C1 in connection with malicious code diagnosis.

When the basic reserved area C1 is input to the buffer 350 as shown in FIG. 3 (S-2), the confirmation unit 310 confirms this and sends a notification to the extraction unit 320 indicating that input of the basic reserved area C1 is complete.

The extraction unit 320 extracts the file contents of the basic reserved area C1 input to the buffer 350 as a virtual file through the virtualization processing unit 340, and extracts the diagnostic value for malicious code diagnosis by analyzing the extracted file contents.

At this time, while extracting the diagnostic value from the basic reserved area C1, the extraction unit 320 may find that diagnostic value extraction is additionally required for a file area other than the basic reserved area C1.

In this case, the extraction unit 320 requests the virtualization processing unit 340 to extract the file contents of that file area, and the virtualization processing unit 340 reserves it as the additional reserved area C2 if it has not yet been input to the buffer 350.

The extracting unit 320 extracts a diagnostic value from the reserved area.

When the notification confirming that a reserved area has been input to the buffer 350 is received from the confirmation unit 310, the extraction unit 320 extracts, from the file contents of the reserved area input to the buffer 350, the diagnostic value required for malicious code diagnosis.

At this time, the extraction unit 320 extracts the file contents of the reserved area input to the buffer 350 as a virtual file through the virtualization processing unit 340, and can extract the diagnostic value required for malicious code diagnosis by analyzing the extracted file contents.

Here, the diagnostic value refers to information that has a similar or common value across, for example, the variants of a specific malicious code or of a general file, and that distinguishes them from other kinds of files.

On the other hand, a reserved area input to the buffer 350 can be output (pushed out) of the buffer 350 by a file area newly input to the buffer 350, in which case the reserved area is moved to the cache 360 and stored there.

However, moving the reserved area to the cache 360 is limited to the case in which extraction of the diagnostic value has not been completed before the reserved area is output (released) from the buffer 350.

In this regard, the extraction unit 320 extracts the diagnostic value before the reserved area input to the buffer 350 is output (released) from the buffer 350, and when the reserved area has already been output from the buffer 350, it extracts the diagnostic value from the file contents of the reserved area moved to the cache 360.

The extraction of the diagnostic value by the extraction unit 320 will be described with reference to FIG. 3.

First, as shown in FIG. 3 (S-3), when the basic reserved area C1 input to the buffer 350 is output (pushed out) of the buffer 350 before extraction of the diagnostic value from its file contents has been completed, the basic reserved area is moved to the cache 360 and stored.

In this case, if the extraction unit 320 needs to extract the diagnostic value from the file contents of the basic reserved area C1 after C1 has been output (pushed out) of the buffer 350, it extracts the diagnostic value from the file contents of the reserved area stored in the cache 360.

When the additional reserved area C2 is input to the buffer 350 as shown in FIG. 3 (S-4), the confirmation unit 310 confirms this and sends a notification to the extraction unit 320 indicating that input of the additional reserved area C2 is complete.

The extraction unit 320 extracts the file contents of the additional reserved area C2 input to the buffer 350 as a virtual file through the virtualization processing unit 340, and extracts the diagnostic value for malicious code diagnosis by analyzing the extracted file contents.

The diagnosis unit 330 performs a function of verifying whether malicious code is included in the diagnostic object file.

More specifically, the diagnosis unit 330 diagnoses whether malicious code is contained in the diagnosis target file on the basis of the diagnostic value extracted by the extraction unit 320.

At this time, the diagnosis unit 330 searches for a diagnosis rule for malicious code diagnosis by referring to the specific diagnostic value extracted by the extraction unit 320, and diagnoses malicious code by confirming whether the extracted specific diagnostic value matches the diagnostic information defined in the retrieved rule.

For example, if the diagnostic value extracted from the reserved area is the hash value '1234' calculated from the Import Table in the reserved area, and there is a diagnosis rule for diagnosing malicious code that refers to the hash value '1234', it can be diagnosed that the diagnosis target file contains malicious code.

Here, the diagnosis rule retrieved by the diagnosis unit 330 refers to a diagnosis rule supported by the file-based anti-virus engine mentioned in the prior art.

However, the retrieved diagnosis rule may refer to a plurality of diagnostic values together rather than only the specific diagnostic value.

Accordingly, the diagnosis unit 330 can diagnose that the diagnosis target file contains malicious code only when it confirms that extraction of the other diagnostic values referred to by the diagnosis rule retrieved with the specific diagnostic value is complete, and that all of those extracted values match the diagnostic information defined in the diagnosis rule.

If some of the diagnostic values referred to by the retrieved diagnosis rule have not yet been extracted, diagnosis of the malicious code is suspended until those diagnostic values are extracted.

As described above, the malicious code diagnosis apparatus 300 according to the present invention extracts diagnostic values while the reserved areas of a diagnosis target file in the form of a data stream pass through the buffer 350, so that malicious code contained in the diagnosis target file can be diagnosed quickly and efficiently with only the minimum resources of the buffer 350 and the cache 360, even when the entire contents of the diagnosis target file are not recorded.

In addition, because the malicious code is diagnosed by searching the diagnosis rules of the existing file-based anti-virus engine with the diagnostic value extracted from the reserved area, the response to malicious code is unified, a reliable diagnosis result is provided, and variants can also be diagnosed, which ensures a high diagnosis rate.

Hereinafter, the operation flow of the malicious code diagnosis apparatus 200 according to an embodiment of the present invention will be described in more detail with reference to FIG. Here, for convenience of description, the components shown in FIGS. 1 to 3 will be described with reference to corresponding reference numerals.

First, when the verification unit 310 confirms that the header area of the diagnosis target file has been input to the buffer 350, it transmits a notification (e.g., a callback) to the extraction unit 320 so that the basic reserved area can be reserved (S110 - S120).

When the notification is received from the verification unit 310, the extraction unit 320 extracts the file contents of the header area input to the buffer 350 as a virtual file through the virtualization processing unit 340 and, by analyzing the extracted contents, reserves the file area defined in the header area as the basic reserved area for the malicious code diagnosis (S130).

When it is confirmed that the basic reserved area has been input to the buffer 350, the verification unit 310 transmits a notification (e.g., a callback) to the extraction unit 320 so that the diagnostic value can be extracted from the file contents of the basic reserved area (S140 - S150).

The extraction unit 320 extracts the file contents of the basic reserved area input to the buffer 350 as a virtual file through the virtualization processing unit 340 and, by analyzing the extracted contents, extracts the diagnostic value for the malicious code diagnosis (S160).

In step S170, while analyzing the basic reserved area C1 in step S160, the extraction unit 320 may require a diagnostic value to be extracted from a file area other than the basic reserved area C1.

In this case, the extraction unit 320 requests the virtualization processing unit 340 for the file contents of the file area from which the diagnostic value is additionally requested, and if the requested file area has not yet been input to the buffer 350, the virtualization processing unit 340 reserves that file area as an additional reserved area (S180).

When it is then confirmed that the additional reserved area C2 has been input to the buffer 350, the verification unit 310 outputs a notification to the extraction unit 320 indicating that the additional reserved area C2 has been input to the buffer 350.

The extraction unit 320 then extracts the file contents of the additional reserved area input to the buffer 350 as a virtual file through the virtualization processing unit 340 and, by analyzing the extracted contents, extracts the diagnostic value for the malicious code diagnosis.

Then, the diagnosis unit 330 searches, with reference to the diagnostic values extracted from the reserved areas, for a diagnostic rule for performing the malicious code diagnosis (S190 - S220).

At this time, the diagnosis unit 330 searches for a diagnostic rule with reference to the specific diagnostic value extracted by the extraction unit 320, and checks whether the specific diagnostic value matches the diagnostic information defined in the retrieved diagnostic rule.

For example, if the diagnostic value extracted from the reserved area is '1234', calculated as a hash of the Import Table in that area, and there is a specific diagnostic rule that diagnoses malicious code by referring to the hash value '1234', it can be diagnosed that the diagnosis target file contains malicious code.

However, a retrieved diagnostic rule may reference a plurality of diagnostic values together rather than only the specific diagnostic value.

In that case, the diagnosis unit 330 can diagnose that the diagnosis target file contains malicious code only when all of the other diagnostic values referenced in the diagnostic rule retrieved using the specific diagnostic value have been extracted, and all of them match the diagnostic information defined in the diagnostic rule.

If some of the diagnostic values referenced in the retrieved diagnostic rule have not yet been extracted, diagnosis of the malicious code is suspended until those values are extracted.
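The operation flow of steps S110 to S220 above, together with the rule-matching and suspension behaviour of the diagnosis unit described earlier, as an added illustration in Python. This is example code written for this page, not the patent's or AhnLab's implementation: the toy file format (an 8-byte header naming an "import table" region, which in turn names one further region), the `toy_hash` stand-in for the hash the page computes over the Import Table, the area names `header`, `import_table` and `extra`, the event log, and the `StreamScanner`, `Rule` and `Area` classes are all assumptions of the example. Each 16-byte chunk plays the role of the buffer 350; a reserved area that straddles two chunks keeps its partial bytes in the `collected` field, which plays the role of the cache 360.

```python
from dataclasses import dataclass, field

# Constructed toy format (an assumption of this example, not a real file format):
#   bytes 0..3 magic b"TOYF"; bytes 4..5 u16 import-table offset; bytes 6..7 u16 length.
#   The import table begins with a u16 offset and u16 length of one further region.
HEADER_LEN = 8


def toy_hash(content: bytes) -> int:
    """Stand-in for the hash the page computes over the Import Table (constructed)."""
    return sum(content) % 65536


@dataclass
class Rule:
    name: str
    required: dict  # diagnostic value name -> expected value; every entry must match


@dataclass
class Area:
    """A reserved file area and the bytes of it gathered so far (the cache)."""
    offset: int
    length: int
    collected: bytearray = field(default_factory=bytearray)

    @property
    def complete(self) -> bool:
        return len(self.collected) == self.length


class StreamScanner:
    """Streams a file through a fixed-size buffer and diagnoses it from reserved areas only."""

    def __init__(self, rules, buffer_size=16):
        self.rules, self.buffer_size = rules, buffer_size
        self.areas = {"header": Area(0, HEADER_LEN)}  # the header is always reserved first
        self.values, self.log, self.verdict, self.base = {}, [], None, 0

    def scan(self, data: bytes) -> str:
        for base in range(0, len(data), self.buffer_size):
            self.base = base
            self._on_buffer(data[base:base + self.buffer_size])
            if self.verdict:
                break  # diagnosed without reading the rest of the stream
        # Assumption: a rule still waiting for a value at end of stream can no longer fire.
        return self.verdict or "not_detected"

    def _on_buffer(self, chunk: bytes) -> None:
        """Verification: copy reserved bytes out before they leave the buffer."""
        seen = set()
        while True:  # loop again because extraction may reserve an area inside this chunk
            todo = [n for n, a in self.areas.items() if not a.complete and n not in seen]
            if not todo:
                return
            for name in todo:
                seen.add(name)
                area = self.areas[name]
                start = max(area.offset, self.base)
                end = min(area.offset + area.length, self.base + len(chunk))
                if start >= end:
                    continue  # this area has not reached the buffer yet
                area.collected += chunk[start - self.base:end - self.base]
                if area.complete:
                    self._extract(name, bytes(area.collected))
                else:  # the area straddles buffers: keep the partial bytes in the cache
                    self.log.append(("cache", name, len(area.collected)))

    def _reserve(self, name: str, offset: int, length: int) -> None:
        if offset < self.base:  # already streamed past: cannot be read in this pass
            self.log.append(("unavailable", name))
            return
        self.areas[name] = Area(offset, length)
        self.log.append(("reserve", name, offset, length))

    def _extract(self, name: str, content: bytes) -> None:
        """Extraction: derive diagnostic values and reserve further areas as needed."""
        if name == "header":
            if content[:4] != b"TOYF":
                self.values["magic_ok"] = False
            else:  # basic reserved area, defined by the header
                self._reserve("import_table", int.from_bytes(content[4:6], "little"),
                              int.from_bytes(content[6:8], "little"))
        elif name == "import_table":
            self.values["import_hash"] = toy_hash(content)
            length = int.from_bytes(content[2:4], "little")
            if length:  # additional reserved area discovered while analysing the basic one
                self._reserve("extra", int.from_bytes(content[:2], "little"), length)
        elif name == "extra":
            self.values["extra_hash"] = toy_hash(content)
        self.log.append(("extract", name))
        self._diagnose()

    def _diagnose(self) -> None:
        """Diagnosis: fire only when every referenced value is present and matches;
        a rule referencing a value not yet extracted is suspended, not rejected."""
        for rule in self.rules:
            if any(k not in self.values for k in rule.required):
                self.log.append(("suspend", rule.name))
                continue
            if all(self.values[k] == v for k, v in rule.required.items()):
                self.verdict = "malicious:" + rule.name
                self.log.append(("malicious", rule.name))
                return


def build_sample() -> bytes:
    """Constructed 48-byte sample: import table at offset 12 (straddling two 16-byte
    buffers) pointing at a 4-byte extra region at offset 36."""
    header = b"TOYF" + (12).to_bytes(2, "little") + (8).to_bytes(2, "little")
    import_table = (36).to_bytes(2, "little") + (4).to_bytes(2, "little") + b"kern"
    return header + b"\x00" * 4 + import_table + b"\x00" * 16 + b"\x01\x02\x03\x04" + b"\x00" * 8


if __name__ == "__main__":
    scanner = StreamScanner([Rule("multi", {"import_hash": 472, "extra_hash": 10})])
    print(scanner.scan(build_sample()))  # malicious:multi
    print(*scanner.log, sep="\n")
```

Running the module shows the sequence the description walks through: the header is reserved and extracted in the first buffer, the import table is partially cached and completed in the second, the rule referencing both hashes is suspended until the extra region arrives in the third buffer, and only then does the verdict fire. The `unavailable` branch in `_reserve` records the limit of the streaming approach: a region that has already left the buffer cannot be reserved after the fact, so a rule depending on it stays unresolved.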

As described above, according to the operation flow of the malicious code diagnosis apparatus 300 of the present invention, diagnostic values are extracted while the reserved areas of the diagnosis target file pass through the buffer 350 in the form of a data stream, and the malicious code is diagnosed on the basis of the extracted diagnostic values, so that even when the entire contents of the diagnosis target file are never recorded, malicious code included in the file can be diagnosed quickly and efficiently with only the minimum resources of the buffer 350 and the cache 360.

In addition, since the malicious code is diagnosed by searching the diagnostic rules of an existing file-based anti-virus engine with the diagnostic values extracted from the reserved areas, the response to malicious code is unified with that engine and a reliable diagnosis result can be provided, and variants can also be diagnosed, thereby ensuring a high diagnosis rate.

Meanwhile, the steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, or may be embodied in a computer-readable medium in the form of program instructions that can be carried out by various computer means. The computer-readable medium may include program instructions, data files, data structures, and the like, alone or in combination. The program instructions recorded on the medium may be those specially designed and constructed for the present invention, or those available to persons skilled in the art of computer software. Examples of computer-readable media include magnetic media such as hard disks, floppy disks and magnetic tape; optical media such as CD-ROMs and DVDs; magneto-optical media; and hardware devices specifically configured to store and execute program instructions, such as ROM, RAM and flash memory. Examples of program instructions include machine language code such as that produced by a compiler, as well as high-level language code that can be executed by a computer using an interpreter or the like. The hardware devices described above may be configured to operate as one or more software modules to perform the operations of the present invention, and vice versa.

While the present invention has been particularly shown and described with reference to exemplary embodiments thereof, it is to be understood that the invention is not limited to the disclosed exemplary embodiments; on the contrary, those skilled in the art will understand that various changes in form and detail may be made therein without departing from the spirit and scope of the invention as defined by the appended claims.

According to the malicious code diagnosis method and apparatus of the present invention, malicious code that may be included in a diagnosis target file in the form of a data stream can be diagnosed quickly and efficiently. This goes beyond the mere use of related technology to the possibility of commercializing or operating the applied apparatus, and since it can clearly be carried out in practice, it is an industrially applicable invention.

100: Client terminal
200: Server
300: Malicious code diagnosis apparatus

Claims (13)

1. A malicious code diagnosis apparatus comprising:
a verification unit which checks whether a reserved area, being a file area that must be read in order to extract a diagnostic value related to the diagnosis of malicious code from among a plurality of file areas in a diagnosis target file passing through a buffer in the form of a data stream, has been input to the buffer;
an extraction unit which, when it is confirmed that the reserved area has been input to the buffer, reads the file contents of the reserved area input to the buffer and extracts the diagnostic value before the reserved area is output from the buffer; and
a diagnosis unit which diagnoses, based on the diagnostic value, whether malicious code is included in the diagnosis target file.
2. The apparatus according to claim 1,
wherein the reserved area includes a basic reserved area, which is a file area defined in a header area of the diagnosis target file, and an additional reserved area, which is a file area additionally required for extracting the diagnostic value while the file contents of the basic reserved area are being read.
3. The apparatus according to claim 2,
wherein the extraction unit reserves the file area defined in the header area as the basic reserved area when the header area of the diagnosis target file is input to the buffer, and reserves a file area not yet input to the buffer as the additional reserved area when extraction of the diagnostic value from that file area is requested while the file contents of the basic reserved area are being read.
4. (deleted)
5. The apparatus according to claim 1,
wherein, if extraction of the diagnostic value is not completed before the reserved area is output from the buffer, the reserved area is stored in a cache separate from the buffer, and
the extraction unit reads the file contents of the reserved area stored in the cache after the reserved area has been output from the buffer and extracts the diagnostic value from them.
6. The apparatus according to claim 1,
wherein, when there is a diagnostic rule referring to a specific diagnostic value extracted by the extraction unit and the diagnostic rule refers together to a plurality of other diagnostic values besides the specific diagnostic value, the diagnosis unit diagnoses that malicious code is included in the diagnosis target file if it confirms that extraction of the plurality of other diagnostic values is complete and that both the specific diagnostic value and the plurality of other diagnostic values match the diagnostic information defined in the diagnostic rule.
7. A malicious code diagnosis method comprising:
a verification step of checking whether a reserved area, being a file area that must be read in order to extract a diagnostic value related to the diagnosis of malicious code from among a plurality of file areas in a diagnosis target file passing through a buffer in the form of a data stream, has been input to the buffer;
an extraction step of, when it is confirmed that the reserved area has been input to the buffer, reading the file contents of the reserved area input to the buffer and extracting the diagnostic value before the reserved area is output from the buffer; and
a diagnosis step of diagnosing, based on the diagnostic value, whether malicious code is included in the diagnosis target file.
8. The method according to claim 7,
wherein the reserved area includes a basic reserved area, which is a file area defined in a header area of the diagnosis target file, and an additional reserved area, which is a file area additionally required for extracting the diagnostic value while the file contents of the basic reserved area are being read.
9. The method according to claim 8,
wherein the extraction step comprises reserving the file area defined in the header area as the basic reserved area when the header area of the diagnosis target file is input to the buffer, and reserving a file area not yet input to the buffer as the additional reserved area when extraction of the diagnostic value from that file area is requested while the file contents of the basic reserved area are being read.
10. (deleted)
11. The method according to claim 7,
wherein, if extraction of the diagnostic value is not completed before the reserved area is output from the buffer, the reserved area is stored in a cache separate from the buffer, and
the extraction step comprises reading the file contents of the reserved area stored in the cache after the reserved area has been output from the buffer and extracting the diagnostic value from them.
12. The method according to claim 7,
wherein the diagnosis step comprises, when there is a diagnostic rule referring to a specific diagnostic value extracted in the extraction step and the diagnostic rule refers together to a plurality of other diagnostic values besides the specific diagnostic value, diagnosing that malicious code is included in the diagnosis target file if it is confirmed that extraction of the plurality of other diagnostic values is complete and that the specific diagnostic value and the plurality of other diagnostic values match the diagnostic information defined in the diagnostic rule.
13. A computer-readable recording medium recording a program for performing the method of any one of claims 7 to 9, 11, and 12.
KR1020150130900A 2015-09-16 2015-09-16 Method for malicious file diagnosis device and apparatus applied to the same KR101717941B1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
KR1020150130900A KR101717941B1 (en) 2015-09-16 2015-09-16 Method for malicious file diagnosis device and apparatus applied to the same

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
KR1020150130900A KR101717941B1 (en) 2015-09-16 2015-09-16 Method for malicious file diagnosis device and apparatus applied to the same

Publications (1)

Publication Number Publication Date
KR101717941B1 true KR101717941B1 (en) 2017-03-20

Family

ID=58502646

Family Applications (1)

Application Number Title Priority Date Filing Date
KR1020150130900A KR101717941B1 (en) 2015-09-16 2015-09-16 Method for malicious file diagnosis device and apparatus applied to the same

Country Status (1)

Country Link
KR (1) KR101717941B1 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP4025882B2 (en) * 2004-04-26 2007-12-26 国立大学法人岩手大学 Computer virus specific information extraction apparatus, computer virus specific information extraction method, and computer virus specific information extraction program
US7802303B1 (en) * 2006-06-30 2010-09-21 Trend Micro Incorporated Real-time in-line detection of malicious code in data streams
US8042184B1 (en) * 2006-10-18 2011-10-18 Kaspersky Lab, Zao Rapid analysis of data stream for malware presence
KR20110134277A (en) * 2010-06-07 2011-12-14 삼성에스디에스 주식회사 Anti-malware system and method for action thereof

Legal Events

Date Code Title Description
E701 Decision to grant or registration of patent right
GRNT Written decision to grant