KR101725670B1 - System and method for malware detection and prevention by checking a web server - Google Patents

Info

Publication number
KR101725670B1
Authority
KR (South Korea)
Prior art keywords
file, code, changed, malicious, signature
Application number
KR1020150149004A
Other languages
Korean (ko)
Inventors
황성운, 한경현
Original assignee
홍익대학교세종캠퍼스산학협력단
Application filed by 홍익대학교세종캠퍼스산학협력단
Priority to KR1020150149004A
Application granted
Publication of KR101725670B1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/30 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information
    • H04L63/306 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information intercepting packet switched data communications, e.g. Web, Internet or IMS communications
    • H04L63/308 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information retaining data, e.g. retaining successful, unsuccessful communication attempts, internet access, or e-mail, internet telephony, intercept related information or call content
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements

Abstract

The present invention relates to a system and method for detecting and blocking malicious code using a web server check. More particularly, it relates to a system and method that detect malicious posts on a bulletin board, extract signatures for blocking malicious code from the detected malicious code, and block malicious code using those signatures.

Description

[0001] System and method for detecting and blocking malicious code using web server check

One embodiment of the present invention relates to a system and method for processing malicious code using a web server check, and more particularly to a method for detecting malicious code embedded in a web page or a bulletin board and blocking access to malicious URL addresses.

Recently, malicious code has been spreading through websites, and such malicious code is downloaded and executed without the user being aware of it, which is a serious threat. An infected personal computer (PC) leaks important information such as an official certificate or personal information, or becomes a bot that causes secondary damage by carrying out attacks on the attacker's command.

Therefore, in order to protect the user's PC from these threats, studies are being actively conducted to identify where malicious code is distributed. At the heart of this research is whether threatening sites can be detected and blocked before users reach them. Until now, methods that detect the modification of web pages and analyze the files linked through the link structure of a website, and then classify sites as normal or abnormal on the basis of that analysis, have been studied.

Conventional techniques are largely divided into methods that detect on the web server and methods that detect in the user environment. In the web server method, a specific event such as a file creation or change is detected by using a callback function of the web server operating system, forgery or falsification is detected by comparing the file with the original file (the file stored in the original database), and the file is recovered to the original. However, this method cannot be used where files are frequently changed by ordinary users, as on bulletin boards (it is difficult to store and manage in the original database all the bulletin board files created by users), and whenever the administrator updates a web page the original database must also be modified.

In the method of detecting in the user environment, the web page received from the web server is checked by a separate module installed on the client, so forgery and falsification along the intermediate path can be prevented, but the method is not effective when the web server itself has been falsified.

SUMMARY OF THE INVENTION The present invention has been made to solve the above problems of the related art. It is an object of the present invention to provide a technique that includes the bulletin board in the inspection while detecting changes on a web server, automatically reflects a normal web page update made by the administrator, and blocks the distribution of malicious code by an attacker by generating a blocking signature (a piece of code or a pattern held by the malicious code).

However, the objects of the present invention are not limited to those mentioned above, and other objects not mentioned can be clearly understood by those skilled in the art from the following description.

According to an aspect of the present invention, there is provided a malicious code processing system comprising: a web server for providing a web page and a bulletin board; and a checking server for checking whether the posts of the bulletin board include a preset suspicious code, and thereby whether a malicious post including the suspicious code exists.

At this time, the malicious code may be at least one of a file received in connection with the suspicious code, a URL address connected with the suspect code, and the malicious post.

At this time, when a malicious post is found as a result of the inspection, the inspection server deletes the malicious post from the bulletin board, or deletes the malicious code included in the malicious post and corrects the post.

The malicious code processing system may further include a backup file database for storing the files of the web pages included in the web server as backup files. If a changed file exists in the web server, the checking server checks the digital signature of the changed file; if the change was not made by an authorized user, it compares the backup file stored in the backup file database with the changed file to extract the changed code, determines the changed code to be malicious code and transmits it to the central signature management server, and restores the changed file using the backup file.

At this time, if the changed file is changed by the authorized user as a result of checking of the digital signature, the checking server may update the changed file to the backup file database.

In this case, the inspection server may transmit the malicious code included in the malicious post to the central signature management server, and the malicious code processing system may further include: a malicious code database for storing the malicious code received from the inspection server; a central signature management server for analyzing the malicious code stored in the malicious code database to generate a signature for the malicious code and storing the signature in a signature database; and a blocking agent that receives the signature from the central signature management server and monitors the traffic of the web server to block attack packets including the signature.

According to another aspect of the present invention, there is provided a malicious code processing system comprising: a web server for providing a web page and a bulletin board; a backup file database for storing the files of the web pages included in the web server as backup files; and a checking server that, if a changed file exists in the web server, checks the digital signature of the changed file and, if the changed file was not changed by an authorized user, compares the backup file stored in the backup file database with the changed file to extract the changed code, and restores the changed file using the backup file.

At this time, the malicious code may be at least one of a file received in association with the changed file, and a URL address linked with the changed file.

At this time, if the changed file is changed by the authorized user as a result of checking of the digital signature, the checking server may update the changed file to the backup file database.

The malicious code processing system may further include: a malicious code database for storing the malicious code received from the checking server; a central signature management server for analyzing the malicious code stored in the malicious code database to generate a signature for the malicious code and storing the signature in a signature database; and a blocking agent that receives the signature from the central signature management server and monitors the traffic of the web server to block attack packets including the signature.

A malicious code processing method according to an embodiment of the present invention includes the steps of: checking, by an inspection server, whether a post stored on a bulletin board included in a web server includes a preset suspicious code; and judging, by the inspection server, a post that includes the suspicious code to be a malicious post including malicious code, if such a post exists as a result of the inspection.

At this time, the malicious code may be at least one of a file received in connection with the suspicious code, a URL address connected with the suspect code, and the malicious post.

The method may further include, if the malicious post exists, a step of removing the malicious code by deleting the malicious post from the bulletin board, or by deleting the malicious code included in the malicious post and correcting the post.

In this case, the malicious code processing method may include: checking, by the inspection server, the digital signature of a changed file if the changed file exists in the web server; if the changed file was not changed by an authorized user, comparing, by the inspection server, the backup file stored in the backup file database with the changed file to extract the changed code, determining the changed code to be malicious code and transmitting it to the central signature management server; and restoring, by the inspection server, the changed file using the backup file stored in the backup file database.

The malicious code processing method may further include the step of updating the changed file in the backup file database by the inspection server if the changed file is changed by the authorized user as a result of the checking of the digital signature.

The malicious code processing method may further include: transmitting, by the inspection server, the malicious code included in the malicious post to the central signature management server if a malicious post including the suspicious code exists as a result of the inspection; analyzing, by the central signature management server, the received malicious code to generate a signature for the malicious code; and receiving the signature from the central signature management server at the blocking agent, monitoring the traffic of the web server, and blocking attack packets including the signature.

According to another embodiment of the present invention, there is provided a malicious code processing method comprising the steps of: checking, by an inspection server, the digital signature of a changed file when the changed file exists in the web server; comparing the backup file stored in the backup file database with the changed file and extracting the changed code if, as a result of checking the digital signature, the changed file was not changed by an authorized user; and restoring, by the inspection server, the changed file using the backup file stored in the backup file database.

At this time, the malicious code may be at least one of a file received in association with the changed file, and a URL address linked with the changed file.

The malicious code processing method may further include the step of updating the changed file in the backup file database by the inspection server if the changed file is changed by the authorized user as a result of the checking of the digital signature.

At this time, the malicious code processing method may further include the steps of: determining, by the checking server, that the changed code is malicious code and transmitting it to the central signature management server; analyzing, by the central signature management server, the received malicious code to generate a signature for the malicious code; and receiving the signature from the central signature management server at the blocking agent, monitoring the traffic of the web server, and blocking attack packets including the signature.

The present invention can broaden the inspection range beyond the existing web pages by checking bulletin board pages, which have previously been difficult to check; it removes the inconvenience of the manager having to manually update the backup file database when a web page is changed, by updating it automatically; and it can prevent malicious code from spreading by using the signature information obtained during the inspection process.

FIG. 1 is a diagram showing a schematic configuration of a malicious code processing system using a web server check according to an embodiment.
FIG. 2 is a flowchart illustrating a process of inspecting a malicious code in a system according to an embodiment and blocking a malicious code.
FIG. 3 is a flowchart illustrating a process of inspecting a post by an inspection server of a system according to an exemplary embodiment of the present invention.
FIG. 4 is a flowchart illustrating a process of inspecting a web page file in a check server of a system according to an embodiment of the present invention.
FIG. 5 is a flowchart illustrating a process of inspecting and blocking a post in an inspection server of a system according to an exemplary embodiment of the present invention.
FIG. 6 is a flowchart illustrating a process of inspecting and blocking a web page file in the inspection server of the system according to an exemplary embodiment of the present invention.

It is to be understood that the specific structural or functional descriptions of embodiments of the present invention disclosed herein are only for the purpose of illustrating embodiments of the inventive concept, which may be embodied in many different forms and should not be construed as limited to the embodiments set forth herein.

Embodiments in accordance with the concepts of the present invention are capable of various modifications and may take various forms, so that the embodiments are illustrated in the drawings and described in detail herein. However, it is not intended to limit the embodiments according to the concepts of the present invention to the specific disclosure forms, but includes changes, equivalents, or alternatives falling within the spirit and scope of the present invention.

The terms first, second, and the like may be used to describe various elements, but the elements should not be limited by these terms. The terms are used only for the purpose of distinguishing one element from another; for example, without departing from the scope of rights according to the concept of the present invention, a first element may be referred to as a second element, and similarly a second element may be referred to as a first element.

It is to be understood that when an element is referred to as being "connected" or "coupled" to another element, it may be directly connected or coupled to the other element, or intervening elements may be present. On the other hand, when an element is referred to as being "directly connected" or "directly coupled" to another element, it should be understood that there are no other elements in between. Other expressions that describe the relationship between components, for example "between" and "immediately between", or "adjacent to" and "directly adjacent to", should be interpreted in the same way.

The terminology used herein is for the purpose of describing particular embodiments only and is not intended to limit the invention. Singular expressions include plural expressions unless the context clearly dictates otherwise. In this specification, terms such as "comprises" or "having" are used to specify the presence of the stated features, numbers, steps, operations, elements, parts, or combinations thereof, but do not preclude the presence or addition of one or more other features, numbers, steps, operations, elements, parts, or combinations thereof.

Unless defined otherwise, all terms used herein, including technical or scientific terms, have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. Terms such as those defined in commonly used dictionaries are to be interpreted as having a meaning consistent with their meaning in the context of the relevant art and, unless explicitly defined herein, are not to be interpreted in an idealized or overly formal sense.

Hereinafter, embodiments will be described in detail with reference to the accompanying drawings. Like reference symbols in the drawings denote like elements.

Hereinafter, a malicious code processing system and method using a web server check according to an embodiment of the present invention will be described in detail with reference to FIGS. 1 to 4 attached hereto.

FIG. 1 is a diagram showing a schematic configuration of a system for processing malicious code using a web server check according to an embodiment.

Referring to FIG. 1, a malicious code processing system using a web server check includes a web server 110, a check server 120, a central signature management server 130, and a blocking agent 140.

The web server 110 may include a signed web page file and a web server file system 111 having a bulletin board database, and may provide a web page and provide a bulletin board service according to a request.

The inspection server 120 may include a web page management unit 121, a backup file database 122, and a bulletin board management unit 123.

The web page management unit 121 periodically checks the web page file of the web server 110 every predetermined period and checks whether the web server 110 has a changed file. At this time, the web page management unit 121 may periodically check the web server 110, but may alternatively inspect the web server 110 whenever a change occurs.

The web page management unit 121 checks the digital signature of the changed file and verifies whether the digital signature of the changed file matches the digital signature of the authorized user.

If the digital signature of the changed file does not match the digital signature of the authorized user (that is, if the changed file was not changed by the authorized user), the web page management unit 121 compares the backup file stored in the backup file database 122 with the changed file and extracts the changed code from the changed file. Then, the web page management unit 121 determines that the changed code is malicious code, transmits the changed code to the central signature management server 130, and restores the changed file using the backup file.

On the other hand, if the digital signature of the changed file matches the digital signature of the authorized user (that is, if the changed file was changed by the authorized user), the web page management unit 121 may update the backup file database 122 with the changed file.

The backup file database 122 may store the file of the web page included in the web server as a backup file.

The bulletin board management unit 123 checks whether the posts of the bulletin board include a predetermined suspicious code, either every predetermined period or whenever a post is written on the bulletin board.

For example, the suspicious code may be a hidden iframe whose width and height properties are set to a very small value such as 0 or 1 so that it is not visible to the user in the web browser, a redirection code whose target URL address is set to an address of a domain other than the current domain or one of its sub-addresses, or the use of an automatic file download function.

If there is a malicious post including the suspicious code, the bulletin board management unit 123 transmits the malicious code included in the malicious post to the central signature management server 130 and removes the malicious code from the bulletin board. When removing the malicious code from the bulletin board, the bulletin board management unit 123 may delete the malicious post, or may delete the malicious code included in the malicious post and correct the post.

At this time, the malicious code may be at least one of a received file related to the suspicious code, a URL address associated with the suspicious code, and a malicious post.

The central signature management server 130 may include a malicious code database 131, an analysis unit 132, and a signature database 133.

The malicious code database 131 stores malicious codes received from the web page management unit 121 and the bulletin board management unit 123 of the inspection server 120.

The analysis unit 132 may analyze the malicious code stored in the malicious code database 131 to generate a signature for the malicious code.

The signature database 133 may store the signature of the malicious code generated by the analysis unit 132 and may share the signature with the blocking agent 140.

The blocking agent 140 may include an updating unit 141 and a blocking unit 142.

The update unit 141 receives the signature shared by the signature database 133 of the central signature management server 130 and adds it to the blocking unit 142, so that the blocking unit 142 can block traffic matching the shared signature.

The blocking unit 142 monitors traffic or files, judges a packet or file that includes the signature to be an attack packet or a file containing malicious code, and blocks it.

Hereinafter, a malicious code processing method using the Web server check according to the present invention will be described with reference to the drawings.

FIG. 2 is a flowchart illustrating a process of inspecting a malicious code in a system according to an embodiment and blocking a malicious code.

Referring to FIG. 2, the bulletin board management unit 123 of the inspection server 120 determines whether a malicious code inspection event of the bulletin board has occurred (210). At this time, the malicious code inspection event of the bulletin board may occur at a predetermined cycle or when a new post is posted or modified on the bulletin board.

As a result of the check in step 210, when a malicious code checking event of the bulletin board has occurred, the bulletin board managing unit 123 checks whether malicious code exists in the posts and processes it (step 212). A more detailed description of step 212 will be given later with reference to FIG.

Meanwhile, the web page management unit 121 of the inspection server 120 checks whether a malicious code inspection event of the web page has occurred (220). At this time, the malicious code inspection event of the web page may occur at a predetermined cycle, or when a new web page file is added to the web page or a file of the existing web page is changed. In the following description, a newly added web page file or a modified web page file is described as a changed file.

If the malicious code checking event of the web page occurs in step 220, the web page management unit 121 identifies the changed file among the web page files, checks whether malicious code exists in the changed file, and processes the malicious code (222). A more detailed description of step 222 will be given later with reference to FIG.

Thereafter, the central signature management server 130 checks whether malicious code exists in the malicious code database 131, which stores the malicious code received from the web page management unit 121 and the bulletin board management unit 123 of the inspection server 120 (230).

If malicious code exists in step 230, the analysis unit 132 of the central signature management server 130 analyzes the malicious code stored in the malicious code database 131 to generate a signature for the malicious code, and the generated signature is stored in the signature database 133 (234).

Thereafter, the blocking unit 142 of the blocking agent 140 receives the signature of the analyzed malicious code from the central signature management server 130, monitors the traffic or files, determines that a packet or file containing the signature is an attack packet or contains malicious code, and blocks it (234).

FIG. 3 is a flowchart illustrating a process of inspecting a post by an inspection server of a system according to an exemplary embodiment of the present invention.

Referring to FIG. 3, the bulletin board management unit 123 of the inspection server 120 checks whether a preset suspicious code is included in the post (310).

For example, the suspicious code may be a hidden iframe whose width and height properties are set to a very small value such as 0 or 1 so that it is not visible to the user in the web browser, a redirection code whose target URL address is set to an address of a domain other than the current domain or one of its sub-addresses, or the use of an automatic file download function.

If it is determined in step 310 that a malicious post including the suspicious code exists, the bulletin board management unit 123 extracts the malicious code included in the malicious post (312).

At this time, the malicious code may be at least one of a received file related to the suspicious code, a URL address associated with the suspicious code, and a malicious post.

Then, the bulletin board management unit 123 transmits the malicious code included in the malicious post to the central signature management server 130 (314).

Then, the bulletin board management unit 123 removes the malicious code from the bulletin board (316). At this time, as a method of removing malicious code from the bulletin board, a malicious post can be deleted from a bulletin board, or malicious code included in a malicious post can be deleted and corrected.
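The post inspection of steps 310 to 316 can be made concrete in code. What follows is an added example, not code from the patent: it operationalizes the three indicators the description names (a hidden iframe with a width or height of 0 or 1, a redirection whose target lies outside the current domain and its sub-addresses, and an automatic file download) over the HTML of a post, using only the Python standard library. The domain `board.example`, the sample posts with `.invalid` URLs, the treatment of the HTML `download` attribute as the "automatic file download function", and the JavaScript `location` assignment patterns recognised as redirection code are assumptions made for this example. The findings are the "malicious code" that step 314 would forward to the central signature management server; whether to delete the whole post or only the flagged elements (step 316) is left to the caller.

```python
import re
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urlparse

# Constructed domain of the bulletin board being inspected (assumption for this example).
CURRENT_DOMAIN = "board.example"


def same_site(url: str, current_domain: str) -> bool:
    """True when url stays on current_domain or one of its sub-addresses.
    Relative URLs (no host) count as the current domain."""
    host = urlparse(url).hostname
    if host is None:
        return True
    host = host.lower()
    return host == current_domain or host.endswith("." + current_domain)


class PostScanner(HTMLParser):
    """Step 310: flag the suspicious-code patterns named in the description.

    Each finding is (kind, extracted code); the extracted code is the URL or element
    that step 314 would hand to the central signature management server.
    """
    HIDDEN_MAX = 1  # a width or height of 0 or 1 makes the iframe invisible to the user
    # Assumption: redirection code is a JavaScript assignment or call on `location` with a quoted URL.
    JS_REDIRECT = re.compile(
        r"""(?:window\.|document\.|top\.|self\.)?location(?:\.href)?\s*(?:=|\.replace\(|\.assign\()\s*['"]([^'"]+)['"]""",
        re.IGNORECASE)
    META_URL = re.compile(r"""url\s*=\s*['"]?([^'"\s]+)""", re.IGNORECASE)

    def __init__(self, current_domain: str):
        super().__init__()
        self.domain = current_domain.lower()
        self.findings: List[Tuple[str, str]] = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {name: (value or "") for name, value in attrs}
        if tag == "iframe":
            if self._hidden(a.get("width", "")) or self._hidden(a.get("height", "")):
                self.findings.append(("hidden_iframe", a.get("src") or self.get_starttag_text()))
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = self.META_URL.search(a.get("content", ""))
            if m and not same_site(m.group(1), self.domain):
                self.findings.append(("external_redirect", m.group(1)))
        elif tag == "script":
            self._in_script = True
        elif "download" in a:
            # Assumption: the HTML download attribute stands in for the "automatic file download function".
            self.findings.append(("auto_download", a.get("href") or a.get("src") or self.get_starttag_text()))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Script bodies arrive here as data; look for redirection code pointing off-site.
        if self._in_script:
            for url in self.JS_REDIRECT.findall(data):
                if not same_site(url, self.domain):
                    self.findings.append(("external_redirect", url))

    def _hidden(self, value: str) -> bool:
        m = re.match(r"\s*(\d+)", value)
        return m is not None and int(m.group(1)) <= self.HIDDEN_MAX


def inspect_post(html: str, current_domain: str = CURRENT_DOMAIN) -> Tuple[str, List[Tuple[str, str]]]:
    """Steps 310 and 312: returns ("malicious", extracted code) or ("clean", [])."""
    scanner = PostScanner(current_domain)
    scanner.feed(html)
    scanner.close()
    return ("malicious" if scanner.findings else "clean", scanner.findings)


# Constructed sample posts (not taken from any real bulletin board).
BENIGN_POST = ('<p>Meeting notes</p><a href="https://wiki.board.example/notes">wiki</a>'
               '<iframe src="https://video.board.example/e/1" width="560" height="315"></iframe>')
SUSPICIOUS_POST = ('<p>Check this</p>'
                   '<iframe src="http://cdn.example.invalid/landing" width="0" height="0"></iframe>'
                   '<script>window.location.href = "http://cdn.example.invalid/landing";</script>'
                   '<a href="http://cdn.example.invalid/update.exe" download>update</a>')

if __name__ == "__main__":
    for post in (BENIGN_POST, SUSPICIOUS_POST):
        print(inspect_post(post))
```

The same-site test accepts sub-addresses of the current domain (`wiki.board.example`) but rejects look-alikes that merely contain it (`board.example.evil.test`), which is the distinction the description draws between the current domain's sub-addresses and "another domain".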

FIG. 4 is a flowchart illustrating a process of inspecting a web page file in a check server of a system according to an embodiment of the present invention.

Referring to FIG. 4, the web page management unit 121 of the inspection server 120 determines whether a changed file exists in the web server 110 (410).

If the changed file exists in step 410, the web page management unit 121 examines the digital signature of the changed file to check whether the digital signature of the changed file matches the digital signature of the authorized user (412).

At this time, an authorized user such as an administrator has a secret key, so that a digital signature can be generated using a secret key.

If the digital signature of the changed file does not match the digital signature of the authorized user (that is, if the changed file was not changed by the authorized user), the web page management unit 121 compares the backup file stored in the backup file database 122 with the changed file and extracts the changed code from the changed file (414).

Then, the web page management unit 121 determines that the changed code is a malicious code and transmits it to the central signature management server 130 (416), and restores the changed file using the backup file (418).

If the digital signature of the changed file matches the digital signature of the authorized user (that is, if the changed file is changed by the authorized user) as a result of the checking in step 412, the web page management unit 121 stores the changed file in the backup file database 122 (420).
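The web page file check of steps 410 to 420 can be worked through as follows. This is an added example, not the patent's own implementation: the web server file system, the backup file database and the store of signatures supplied with changes are in-memory dictionaries, the file contents are constructed, and HMAC-SHA256 under the administrator's secret key stands in for the digital signature (the patent names no scheme; with an asymmetric signature the inspection server would hold only the verification key, which is the safer arrangement). The changed code of step 414 is extracted as the lines added relative to the backup copy.

```python
import difflib
import hashlib
import hmac
from typing import Dict, List, Optional, Tuple

# Constructed administrator secret key (assumption for this example). With an asymmetric
# signature scheme the inspection server would hold only the verification key.
ADMIN_KEY = b"constructed-admin-secret-key"


def sign(content: bytes, key: bytes = ADMIN_KEY) -> str:
    """The authorized user signs a web page file with the secret key (stand-in for the digital signature)."""
    return hmac.new(key, content, hashlib.sha256).hexdigest()


def signature_valid(content: bytes, signature: Optional[str], key: bytes = ADMIN_KEY) -> bool:
    """Step 412: does the signature on the changed file match the authorized user's signature?"""
    if signature is None:
        return False
    return hmac.compare_digest(sign(content, key), signature)


def extract_changed_code(backup: bytes, changed: bytes) -> List[str]:
    """Step 414: the lines present in the changed file but absent from the backup file."""
    old = backup.decode(errors="replace").splitlines()
    new = changed.decode(errors="replace").splitlines()
    return [line[2:] for line in difflib.ndiff(old, new) if line.startswith("+ ")]


def inspect_web_files(server_files: Dict[str, bytes], signatures: Dict[str, str],
                      backup_db: Dict[str, bytes], key: bytes = ADMIN_KEY) -> List[Tuple[str, str, List[str]]]:
    """Steps 410 to 420 of FIG. 4 over in-memory stores.

    server_files: path -> current content on the web server (mutated: unauthorized changes are restored)
    signatures:   path -> signature supplied with the authorized user's change, if any
    backup_db:    path -> backup copy (mutated: authorized changes are taken over)
    Returns one (path, action, changed_code) record per changed file.
    """
    report = []
    # Step 410: a changed file is one that is new or whose content differs from the backup copy.
    changed = [p for p, content in server_files.items() if backup_db.get(p) != content]
    for path in changed:
        content = server_files[path]
        if signature_valid(content, signatures.get(path), key):
            backup_db[path] = content                      # step 420: authorized update
            report.append((path, "backup_updated", []))
            continue
        original = backup_db.get(path, b"")
        malicious_code = extract_changed_code(original, content)  # step 414
        # Step 416: the changed code is what is sent to the central signature management server.
        # Step 418: restore from backup; a new file without a backup copy was never authorized, so it is removed.
        if path in backup_db:
            server_files[path] = original
        else:
            del server_files[path]
        report.append((path, "restored", malicious_code))
    return report


def demo():
    """Constructed scenario: one signed (authorized) edit, one unsigned modification, one unsigned new file."""
    index = b"<html><body><h1>Welcome</h1></body></html>\n"
    about = b"<html><body>About us</body></html>\n"
    backup_db = {"index.html": index, "about.html": about}

    new_about = b"<html><body>About us (updated)</body></html>\n"   # administrator's edit, signed below
    tampered_index = index.replace(
        b"</body>", b'<iframe src="http://cdn.example.invalid/x" width="0" height="0"></iframe></body>')
    server_files = {
        "index.html": tampered_index,                                    # unsigned change
        "about.html": new_about,                                         # signed change
        "drop.php": b"<?php /* constructed, unsigned new file */ ?>\n",  # unsigned new file
    }
    signatures = {"about.html": sign(new_about)}
    report = inspect_web_files(server_files, signatures, backup_db)
    return report, server_files, backup_db


if __name__ == "__main__":
    for path, action, code in demo()[0]:
        print(path, action, code)
```

Signatures are compared with `hmac.compare_digest` so that the check does not leak timing information, and a changed file that has no backup copy and no valid signature is removed rather than kept, since the description treats only signed changes as authorized.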

As shown in FIG. 2, extraction of a malicious code from a web page and extraction of a malicious code from a bulletin board may be performed at the same time, or may be separately performed as shown in FIGS. 5 and 6 below.

FIG. 5 is a flowchart illustrating a process of inspecting and blocking a post in an inspection server of a system according to an exemplary embodiment of the present invention.

Referring to FIG. 5, the bulletin board management unit 123 of the inspection server 120 determines whether a malicious code inspection event of the bulletin board has occurred (510). At this time, the malicious code inspection event of the bulletin board may occur at a predetermined cycle or when a new post is posted or modified on the bulletin board.

If it is determined in step 510 that a malicious code inspection event of the bulletin board has occurred, the bulletin board management unit 123 of the inspection server 120 checks whether the posts include a preset suspicious code (512).

For example, the suspicious code may be a hidden iframe whose width and height properties are set to a very small value such as 0 or 1 so that it is not visible to the user in the web browser, a redirection code whose target URL address is set to an address of a domain other than the current domain or one of its sub-addresses, or the use of an automatic file download function.

If it is determined in step 512 that a malicious post including the suspicious code exists, the bulletin board management unit 123 extracts the malicious code included in the malicious post (514).

At this time, the malicious code may be at least one of a received file related to the suspicious code, a URL address associated with the suspicious code, and a malicious post.

Then, the bulletin board management unit 123 transmits the malicious code included in the malicious post to the central signature management server 130 (516).

Then, the bulletin board management unit 123 removes the malicious code from the bulletin board (518). The malicious code may be removed by deleting the malicious post from the bulletin board, or by deleting the malicious code included in the malicious post and correcting the post.

The analysis unit 132 of the central signature management server 130 analyzes the malicious code stored in the malicious code database 131 to generate a signature for the malicious code, and stores the generated signature in the signature database 133 (520).

Thereafter, the blocking unit 142 of the blocking agent 140 receives the signature of the analyzed malicious code from the central signature management server 130, monitors traffic or files, determines that a packet or file containing the signature is an attack packet or contains malicious code, and blocks it (522).
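The FIG. 5 flow (steps 510 to 522), together with the three suspicious-code criteria given above, as an added example in Python; this is not code from the patent or its applicant. It assumes a current domain of example.com, a signature format made of URL byte patterns plus SHA-256 hashes of received files, and a constructed sample post and received file; the script-based redirect check and the anchor `download` attribute check are my reading of "redirection code" and "automatic file download function".

```python
"""Added example (not from the patent): inspect a bulletin-board post for the
suspicious-code criteria in the description (hidden iframe, redirection to
another domain, automatic file download), extract the malicious code, turn it
into signatures, and match traffic or files against them as the blocking unit
would. Standard library only; the post and received file are constructed."""
import hashlib
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the domain the web server serves; sub-addresses of it are on-site.
CURRENT_DOMAIN = "example.com"


def is_offsite(url, current_domain=CURRENT_DOMAIN):
    """True when url points at a host that is neither the current domain nor a
    sub-address (subdomain) of it. Relative URLs have no host and stay on-site."""
    host = urlparse(url).hostname
    if host is None:
        return False
    host = host.lower()
    return host != current_domain and not host.endswith("." + current_domain)


def _attr(attrs, name):
    """Attribute value as a string ('' for valueless attributes such as <a download>)."""
    value = attrs.get(name)
    return "" if value is None else str(value)


class PostInspector(HTMLParser):
    """Collects (kind, evidence) findings for each suspicious element in a post."""

    def __init__(self, current_domain=CURRENT_DOMAIN):
        super().__init__()
        self.current_domain = current_domain
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lower-cases attribute names for us
        if tag == "iframe":
            # Hidden iframe: width/height of 0 or 1 pixel, or display:none.
            tiny = any(_attr(a, k).strip().rstrip("px") in ("0", "1")
                       for k in ("width", "height"))
            hidden = "display:none" in _attr(a, "style").replace(" ", "").lower()
            if tiny or hidden:
                self.findings.append(("hidden_iframe", _attr(a, "src")))
        elif tag == "meta" and _attr(a, "http-equiv").lower() == "refresh":
            # Redirection code (meta refresh) whose target leaves the current domain.
            m = re.search(r"url\s*=\s*(\S+)", _attr(a, "content"), re.IGNORECASE)
            if m and is_offsite(m.group(1), self.current_domain):
                self.findings.append(("offsite_redirect", m.group(1)))
        elif tag == "a" and "download" in a:
            # Automatic file download: anchor carrying the download attribute.
            self.findings.append(("auto_download", _attr(a, "href")))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Redirection code in script: location / location.href = "..." off-domain.
        if self._in_script:
            for m in re.finditer(r"location(?:\.href)?\s*=\s*['\"]([^'\"]+)['\"]", data):
                if is_offsite(m.group(1), self.current_domain):
                    self.findings.append(("offsite_redirect", m.group(1)))


def inspect_post(html, current_domain=CURRENT_DOMAIN):
    """Step 512: list every suspicious-code finding in one post."""
    parser = PostInspector(current_domain)
    parser.feed(html)
    return parser.findings


def extract_malicious_code(findings):
    """Step 514: the URL addresses associated with the suspicious code."""
    return sorted({ev for _, ev in findings if ev.startswith(("http://", "https://"))})


def make_signatures(urls, received_files):
    """Steps 516-520: signatures are the URL byte patterns plus SHA-256 hashes of
    files received with the suspicious code (the format is an assumption)."""
    return {
        "patterns": {u.encode() for u in urls},
        "hashes": {hashlib.sha256(data).hexdigest() for data in received_files.values()},
    }


def is_blocked(payload, signatures):
    """Step 522: block a packet or file that carries a signature pattern or
    hashes to a known malicious file."""
    if any(p in payload for p in signatures["patterns"]):
        return True
    return hashlib.sha256(payload).hexdigest() in signatures["hashes"]


# Constructed sample post and received file (not real malware).
SAMPLE_POST = """
<p>Check this out</p>
<iframe src="http://evil.example.net/drop.html" width="1" height="1"></iframe>
<meta http-equiv="refresh" content="0; url=http://evil.example.net/landing">
<a href="http://cdn.example.com/report.pdf">report</a>
<a href="http://evil.example.net/setup.exe" download>get</a>
<script>window.location.href = "http://evil.example.net/landing";</script>
"""
RECEIVED_FILES = {"setup.exe": b"MZ\x90\x00 constructed sample, not a real binary"}
```

Running `make_signatures(extract_malicious_code(inspect_post(SAMPLE_POST)), RECEIVED_FILES)` yields three URL patterns and one file hash; the link to cdn.example.com is a sub-address of the current domain and produces no finding, which is the check that keeps ordinary internal links out of the signature database.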

FIG. 6 is a flowchart illustrating a process of inspecting and blocking a web page file in the inspection server of the system according to an exemplary embodiment of the present invention.

Referring to FIG. 6, the web page management unit 121 of the inspection server 120 determines whether a malicious code inspection event of a web page has occurred (610).

At this time, the malicious code inspection event of the web page may occur at a predetermined cycle, or when a new web page file is added to the web page or a file of the existing web page is changed. In the following description, a newly added web page file or a modified web page file is referred to as a changed file.

If it is determined in step 610 that a malicious code inspection event of the web page has occurred, the web page management unit 121 of the inspection server 120 determines whether a changed file exists in the web server 110 (612).

If it is determined in step 612 that a changed file exists, the web page management unit 121 checks the digital signature of the changed file to determine whether it matches the digital signature of the authorized user (614). An authorized user such as an administrator holds a secret key, and the digital signature is generated using that secret key.

If the digital signature of the changed file does not match the digital signature of the authorized user (that is, if the changed file was not changed by the authorized user), the web page management unit 121 compares the backup file stored in the backup file database 122 with the changed file and extracts the changed code from the changed file (616).

Then, the web page management unit 121 determines that the changed code is a malicious code and transmits it to the central signature management server 130 (618), and restores the changed file using the backup file (620).

The analysis unit 132 of the central signature management server 130 analyzes the malicious code stored in the malicious code database 131 to generate a signature for the malicious code, and stores the generated signature in the signature database 133 (622).

Thereafter, the blocking unit 142 of the blocking agent 140 receives the signature of the analyzed malicious code from the central signature management server 130, monitors traffic or files, determines that a packet or file containing the signature is an attack packet or contains malicious code, and blocks it (624).

On the other hand, if it is determined in step 614 that the digital signature of the changed file matches the digital signature of the authorized user (that is, if the changed file was changed by the authorized user), the web page management unit 121 stores the changed file in the backup file database (626).
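The FIG. 6 flow (steps 612 to 626) for one changed web page file, as an added example in Python that is not code from the patent or its applicant. It assumes an HMAC-SHA256 tag in place of the digital signature that the description says the authorized user generates with a secret key, dicts in place of the web server's file system and the backup file database, a signature format of raw byte patterns of the injected code, and constructed sample files and keys. It also covers a case the description implies but does not spell out: a newly added file with no backup to restore from.

```python
"""Added example (not from the patent): the FIG. 6 flow for one changed file.
An HMAC-SHA256 tag stands in for the digital signature made with the
authorized user's secret key; dicts stand in for the web server's file
system and the backup file database. All keys and files are constructed."""
import difflib
import hashlib
import hmac

ADMIN_KEY = b"constructed-admin-secret-key"  # assumption: the administrator's secret key

# Constructed sample web page files (bytes per file).
ORIGINAL = b"<html>\n<body>\n<h1>Hello</h1>\n</body>\n</html>\n"
ADMIN_EDIT = b"<html>\n<body>\n<h1>Hello</h1>\n<p>News</p>\n</body>\n</html>\n"
TAMPERED = (b"<html>\n<body>\n<h1>Hello</h1>\n"
            b'<iframe src="http://evil.example.net/drop.html" width="0" height="0"></iframe>\n'
            b"</body>\n</html>\n")


def sign_file(content, key=ADMIN_KEY):
    """The authorized user signs a file's contents with the secret key."""
    return hmac.new(key, content, hashlib.sha256).hexdigest()


def signature_matches(content, tag, key=ADMIN_KEY):
    """Step 614: does the tag carried with the changed file verify under the
    authorized user's key? A missing tag never matches."""
    return bool(tag) and hmac.compare_digest(sign_file(content, key), tag)


def extract_changed_code(backup, changed):
    """Step 616: the lines the changed file added relative to the backup file."""
    diff = difflib.unified_diff(backup.decode(errors="replace").splitlines(),
                                changed.decode(errors="replace").splitlines(),
                                lineterm="", n=0)
    return "\n".join(line[1:] for line in diff
                     if line.startswith("+") and not line.startswith("+++"))


def inspect_changed_file(path, changed, tag, webroot, backup_db, signature_db):
    """Steps 614-626 for one changed file.
    webroot      dict path -> bytes, the web server's file system
    backup_db    dict path -> bytes, the backup file database
    signature_db set of byte patterns the blocking unit matches against
    Returns ("trusted", None) or ("restored", changed_code)."""
    if signature_matches(changed, tag):
        backup_db[path] = changed            # 626: authorized change becomes the new backup
        webroot[path] = changed
        return "trusted", None
    backup = backup_db.get(path)             # None for a newly added file
    changed_code = extract_changed_code(backup or b"", changed)   # 616
    if changed_code:
        signature_db.add(changed_code.encode())   # 618/622: judged malicious, stored as a signature
    if backup is None:
        webroot.pop(path, None)              # 620: nothing to restore, so the added file is removed
    else:
        webroot[path] = backup               # 620: restore the file from the backup
    return "restored", changed_code


def is_blocked(payload, signature_db):
    """Step 624: the blocking unit drops a packet or file containing any signature."""
    return any(sig in payload for sig in signature_db)


def run_scenario():
    """Three cases in sequence: authorized edit, tampered file, unexpected new file."""
    webroot = {"index.html": ORIGINAL}
    backup_db = {"index.html": ORIGINAL}
    signature_db = set()
    results = [inspect_changed_file("index.html", ADMIN_EDIT, sign_file(ADMIN_EDIT),
                                    webroot, backup_db, signature_db)]
    results.append(inspect_changed_file("index.html", TAMPERED, None,
                                        webroot, backup_db, signature_db))
    results.append(inspect_changed_file("new.html",
                                        b'<script src="http://evil.example.net/x.js"></script>\n',
                                        "stale-tag", webroot, backup_db, signature_db))
    return results, webroot, signature_db
```

`run_scenario()` shows the order that matters: because the authorized edit was accepted first and written to the backup file database, the later tampering is diffed against the administrator's version rather than the original, so only the injected iframe line is extracted as the changed code and the restore brings back the administrator's page, not a stale one.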

The apparatus described above may be implemented as a hardware component, a software component, and/or a combination of hardware components and software components. For example, the apparatus and components described in the embodiments may be implemented within a processor, a controller, an arithmetic logic unit (ALU), a digital signal processor, a microcomputer, a field programmable gate array (FPGA), a programmable logic unit (PLU), a microprocessor, or any other device capable of executing and responding to instructions. The processing device may execute an operating system (OS) and one or more software applications running on the operating system. The processing device may also access, store, manipulate, process, and generate data in response to execution of the software. For ease of understanding, the processing device is sometimes described as a single device, but those skilled in the art will recognize that the processing device may comprise a plurality of processing elements and/or a plurality of types of processing elements. For example, the processing device may comprise a plurality of processors, or one processor and one controller. Other processing configurations, such as a parallel processor, are also possible.

The software may include a computer program, code, instructions, or a combination of one or more of these, and may configure the processing device to operate as desired, or may command the processing device independently or collectively. The software and/or data may be permanently or temporarily embodied in any type of machine, component, physical device, virtual equipment, computer storage medium or device, or in a transmitted signal wave. The software may be distributed over networked computer systems and stored or executed in a distributed manner. The software and data may be stored on one or more computer-readable recording media.

The method according to an embodiment may be implemented in the form of program instructions that can be executed by various computer means and recorded on a computer-readable medium. The computer-readable medium may include program instructions, data files, data structures, and the like, alone or in combination. The program instructions recorded on the medium may be those specially designed and configured for the embodiments, or may be those known to and usable by those skilled in the art of computer software. Examples of computer-readable media include magnetic media such as hard disks, floppy disks and magnetic tape; optical media such as CD-ROMs and DVDs; magneto-optical media; and hardware devices specifically configured to store and execute program instructions, such as ROM, RAM and flash memory. Examples of program instructions include machine language code such as that produced by a compiler, as well as high-level language code that can be executed by a computer using an interpreter or the like. The hardware devices described above may be configured to operate as one or more software modules to perform the operations of the embodiments, and vice versa.

While the present invention has been particularly shown and described with reference to exemplary embodiments thereof, it is to be understood that the invention is not limited to the disclosed exemplary embodiments. For example, it is to be understood that the described techniques may be performed in an order different from that of the described method, and/or that components of the described systems, structures, devices, circuits and the like may be combined in a different form, or replaced or substituted by other components or equivalents.

Therefore, other implementations, other embodiments and equivalents to the claims are within the scope of the following claims.

110: Web server
111: File system of the web server
120: Inspection server
121: Web page management unit
122: Backup file database
123: Bulletin board management unit
130: Central signature management server
131: Malicious code database
132: Analysis unit
133: Signature database
140: Blocking agent
141: Update unit
142: Blocking unit

Claims (21)

1. A malicious code processing system comprising:
a web server providing a web page and a bulletin board;
an inspection server which checks whether a post of the bulletin board includes a predetermined suspicious code, thereby checking whether a malicious post including the suspicious code is present, and which transmits the malicious code included in the malicious post to a central signature management server;
the central signature management server, which stores the malicious code received from the inspection server in a malicious code database, generates a signature for the malicious code by analyzing the malicious code stored in the malicious code database, and stores the signature in a signature database; and
a blocking agent which receives the signature from the central signature management server and monitors traffic of the web server to block an attack packet including the signature,
wherein the inspection server judges that the suspicious code is included in a case where a hidden iframe is used, a case where the URL address to which redirection code connects is set to an address of another domain other than a sub-address of the current domain, or a case where an automatic file download function is used, and
wherein the malicious code is at least one of a file received in association with the suspicious code, a URL address associated with the suspicious code, and the malicious post.

2. (Deleted)

3. The system according to claim 1, wherein, if the malicious post exists, the inspection server deletes the malicious post from the bulletin board, or deletes the malicious code included in the malicious post and corrects the post.

4. The system according to claim 1, further comprising a backup file database which stores a file of a web page included in the web server as a backup file,
wherein, if a changed file exists in the web server, the inspection server checks the digital signature of the changed file, and, if the changed file was not changed by an authorized user, compares the backup file stored in the backup file database with the changed file to extract the changed code, judges the changed code to be malicious code, transmits the changed code to the central signature management server, and restores the changed file using the backup file.

5. The system according to claim 4, wherein, if the checking of the digital signature shows that the change to the changed file was made by the authorized user, the inspection server updates the backup file database with the changed file.

6. (Deleted)

7. A malicious code processing system comprising:
a web server providing a web page and a bulletin board;
a backup file database which stores a file of a web page included in the web server as a backup file;
an inspection server which, if a changed file exists in the web server, checks the digital signature of the changed file, and, if the changed file was not changed by an authorized user, compares the backup file stored in the backup file database with the changed file to extract the changed code, restores the changed file using the backup file, judges the changed code to be malicious code, and transmits it to a central signature management server;
the central signature management server, which stores the malicious code received from the inspection server in a malicious code database, generates a signature for the malicious code by analyzing the malicious code stored in the malicious code database, and stores the signature in a signature database; and
a blocking agent which receives the signature from the central signature management server and monitors traffic of the web server to block an attack packet including the signature,
wherein the malicious code is at least one of a file received in association with the changed file and a URL address associated with the changed file.

8. (Deleted)

9. The system according to claim 7, wherein, if the checking of the digital signature shows that the change to the changed file was made by the authorized user, the inspection server updates the backup file database with the changed file.

10. (Deleted)

11. A malicious code processing method comprising:
checking, at an inspection server, whether a post includes a predetermined suspicious code;
if a post including the suspicious code exists, judging, at the inspection server, the post including the suspicious code to be a malicious post including malicious code, and transmitting the malicious code included in the malicious post to a central signature management server;
transmitting, at the inspection server, the malicious code included in the malicious post to the central signature management server if the malicious post including the suspicious code exists;
analyzing, at the central signature management server, the received malicious code to generate a signature for the malicious code; and
receiving, at a blocking agent, the signature from the central signature management server and monitoring traffic of the web server to block an attack packet including the signature,
wherein the post is stored in a bulletin board included in a web server that is the inspection target of the inspection server,
wherein the checking judges that the suspicious code is included in a case where a hidden iframe is used, a case where the URL address to which redirection code connects is set to an address of another domain other than a sub-address of the current domain, or a case where an automatic file download function is used, and
wherein the malicious code is at least one of a file received in association with the suspicious code, a URL address associated with the suspicious code, and the malicious post.

12. (Deleted)

13. The method according to claim 11, further comprising, if the malicious post exists, deleting the malicious post from the bulletin board, or deleting the malicious code included in the malicious post and correcting the post.

14. The method according to claim 11, further comprising:
checking the digital signature of a changed file if the changed file exists in the web server;
if the changed file was not changed by an authorized user, comparing, at the inspection server, the backup file stored in a backup file database with the changed file to extract the changed code, judging the changed code to be malicious code, and transmitting it to the central signature management server; and
restoring, at the inspection server, the changed file using the backup file stored in the backup file database.

15. The method according to claim 14, further comprising, if the checking of the digital signature shows that the change to the changed file was made by the authorized user, updating, by the inspection server, the backup file database with the changed file.

16. (Deleted)

17. A malicious code processing method comprising:
checking, at an inspection server, the digital signature of a changed file if the changed file exists in a web server;
if the checking of the digital signature shows that the changed file was not changed by an authorized user, comparing the backup file stored in a backup file database with the changed file and extracting the changed code;
restoring, at the inspection server, the changed file using the backup file stored in the backup file database;
determining the changed code to be malicious code and transmitting the changed code to a central signature management server;
analyzing, at the central signature management server, the received malicious code to generate a signature for the malicious code; and
receiving, at a blocking agent, the signature from the central signature management server and monitoring the traffic of the web server to block an attack packet including the signature,
wherein the malicious code is at least one of a file received in association with the changed file and a URL address associated with the changed file.

18. (Deleted)

19. The method according to claim 17, further comprising, if the checking of the digital signature shows that the change to the changed file was made by the authorized user, updating, by the inspection server, the backup file database with the changed file.

20. (Deleted)

21. A computer-readable recording medium having recorded thereon a program for executing the method according to any one of claims 11, 13 to 15, 17 and 19.
KR1020150149004A 2015-10-26 2015-10-26 System and method for malware detection and prevention by checking a web server KR101725670B1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
KR1020150149004A KR101725670B1 (en) 2015-10-26 2015-10-26 System and method for malware detection and prevention by checking a web server

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
KR1020150149004A KR101725670B1 (en) 2015-10-26 2015-10-26 System and method for malware detection and prevention by checking a web server

Publications (1)

Publication Number Publication Date
KR101725670B1 true KR101725670B1 (en) 2017-04-26

Family

ID=58704860

Family Applications (1)

Application Number Title Priority Date Filing Date
KR1020150149004A KR101725670B1 (en) 2015-10-26 2015-10-26 System and method for malware detection and prevention by checking a web server

Country Status (1)

Country Link
KR (1) KR101725670B1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR102367545B1 (en) * 2021-05-07 2022-02-25 (주) 코아맥스테크놀로지 Method and system for preventing network pharming
KR102495371B1 (en) * 2022-05-13 2023-02-06 프라이빗테크놀로지 주식회사 System for controlling data flow based on application test and method thereof

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070220068A1 (en) 2006-02-15 2007-09-20 Bruce Thompson Electronic document and business process control

Similar Documents

Publication Publication Date Title
CN107659583B (en) Method and system for detecting attack in fact
US11165820B2 (en) Web injection protection method and system
US8621624B2 (en) Apparatus and method for preventing anomaly of application program
US8572750B2 (en) Web application exploit mitigation in an information technology environment
US9954889B2 (en) Method and system for malicious code detection
US20160065600A1 (en) Apparatus and method for automatically detecting malicious link
US20140053267A1 (en) Method for identifying malicious executables
US9323925B2 (en) Method and system for prevention of windowless screen capture
CN103856471B (en) cross-site scripting attack monitoring system and method
US20110252476A1 (en) Early detection of potential malware
KR101080953B1 (en) System and method for detecting and protecting webshell in real-time
US10230757B2 (en) Method and system for handling malware
US10033761B2 (en) System and method for monitoring falsification of content after detection of unauthorized access
KR20070049514A (en) Malignant code monitor system and monitoring method using thereof
KR100912794B1 (en) Web hacking management system and manegement method thereof for real time web server hacking analysis and homepage hacking search
WO2012103646A1 (en) Determining the vulnerability of computer software applications to privilege-escalation attacks
WO2016121348A1 (en) Anti-malware device, anti-malware system, anti-malware method, and recording medium in which anti-malware program is stored
US10412101B2 (en) Detection device, detection method, and detection program
JP5656266B2 (en) Blacklist extraction apparatus, extraction method and extraction program
US20170104776A1 (en) System for analyzing and maintaining data security in backup data and method thereof
KR100745639B1 (en) Method for protecting file system and registry and apparatus thereof
KR101725670B1 (en) System and method for malware detection and prevention by checking a web server
KR101372906B1 (en) Method and system to prevent malware code
US10880316B2 (en) Method and system for determining initial execution of an attack
Ceponis et al. Evaluation of open source server-side XSS protection solutions

Legal Events

Date Code Title Description
GRNT Written decision to grant