KR101842267B1 - Apparatus for categorizing unknown softwares using mld and method thereof - Google Patents

Abstract

According to the present invention, in classification of software, an MLD value based on an API included in an executable file of each software is calculated for a plurality of software pirated or not plagiarized, and a classification And comparing the MLD value calculated based on the API of the classification target software with the filtering database to more accurately determine the category of the classification target software, Thereby reducing the overhead of software filtering operations for detecting plagiarism.

Description

[0001] APPARATUS FOR CATEGORIZING UNKNOWN SOFTWARES USING MLD AND METHOD THEREOF [0002]

More particularly, the present invention relates to software classification, and more particularly, to software classification, in which a MLD (Machine Learning Data) value based on an API (Application Program Interface) included in an executable file of each software for a plurality of software pirated or not plagiarized A software filtering database in which a plurality of software is classified based on the MLD value is generated and then the MLD value calculated based on the API of the classification target software is compared with the filtering database, A MLD generation device for software classification and a software classification device using the MLD and a method thereof for allowing a software category to be more accurately determined, thereby reducing an overhead of software filtering operation for detecting illegal copying or plagiarism of software will be.

Today, with the development of the Internet and communication network, distribution and distribution of software has greatly increased. Recently, as a smart phone, a lot of users have been able to download and use the software easily through the application market. This change in circumstances has led to a decisive momentum for product selection to move from hardware to software.

However, due to the development of communication such as the Internet, software piracy and plagiarism have soared, which has hampered the development of the software industry. For example, pirated programs, counterfeit or altered programs are distributed through various channels such as web hard, torrents, black market, blogs, and cafes, and pirated programs , Illegal software such as forged or altered programs and hacked mobile apps have caused adverse effects such as a decline in sales of software developers and copyright holders, software technology development, manpower training, and investment reduction.

Here, piracy of software means copying and distributing certain software as it is, and plagiarism / theft of software means that the whole code or some code of software is reverse- engineering, etc.).

On the other hand, software filtering is being introduced to detect and block such illegal software.

In this case, when the suspicious program is uploaded / downloaded, the software filtering method is to compare the suspicious program with the existing database (DB) and determine whether the program is one of the registered programs in the existing database To determine whether or not the software is illegal. However, in the conventional software filtering technique as described above, there is a problem that the filtering processing time increases due to the simple comparison of the suspect program to all programs registered in the database on a one-to-one basis.

Accordingly, in order to solve problems of overhead such as an increase in filtering processing time due to a simple one-to-one comparison of a program registered in a database and a suspicious program in software filtering in recent years, a technique of classifying software Has been proposed.

However, in the proposed software classification method, there is no definite criterion for classifying the software into a specific category, so that the reliability of the software filtering operation through the software classification technique is not secured.

(Patent Literature)

Korean Registered Patent No. 10-1604891 (Registered Date March 14, 2016)

Therefore, in the present invention, the MLD value based on the API included in the executable file of each software is calculated for a plurality of software that are illegally copied or not plagiarized in the classification of the software, and the MLD value based on the MLD value is classified And comparing the MLD value calculated based on the API of the classification target software with the filtering database to more accurately determine the category of the classification target software, The present invention provides an MLD generator for software classification and a software classification apparatus using MLD and a method for reducing the overhead of software filtering for detecting plagiarism.

The MLD generation apparatus for classifying software according to the present invention comprises an input unit for receiving a plurality of software items classified into categories in advance, an extraction unit for extracting the plurality of software-specific API information, And an MLD generator for generating a first MLD value based on the reference frequency of each API included in the API information.

In addition, the API information includes a file name of a plurality of APIs included in an executable file constituting each software, a reference frequency of each API, and the number of software using each API.

The MLD generation unit may divide the reference frequency of each API included in the category into a plurality of APIs included in each category by the number of software using each API, Is calculated.

The MLD generation unit may exclude the specific API from the API information when the frequency of the reference to a specific API among the plurality of APIs exceeds a predetermined threshold value.

The present invention also provides a software classifying device, comprising: an MLD DB storing a first MLD value for each API for a plurality of software classified into categories, generated by the generating device according to any one of claims 1 to 4; A feature information calculation unit for extracting information on a file name of a plurality of APIs included in an executable file constituting the software and reference frequency of each API when the software to be classified is recognized; An MLD calculation unit for calculating a second MLD value for each API of the classification target software using information on a name and a reference frequency of each of the APIs; and a second MLD calculating unit for calculating a second MLD value calculated through the MLD calculating unit from the MLD DB And a category determination unit for determining a category to which the classification target software belongs by comparing the first MLD value for each of the stored categories.

The category determination unit compares the second MLD value of the classification target software with the first MLD value of each category in the MLD DB to determine a category having the highest similarity between the first MLD value and the second MLD value The category of the software to be classified is determined.

The feature information calculation unit may extract a file name of each API of the classification target software and a reference frequency of each API from the header and sections of the classification target software.

The execution file is at least one of a Microsoft Windows EXE file, a Java byte file, or a Linux a.out file.

According to another aspect of the present invention, there is provided an MLD generation method for software classification, comprising: inputting a plurality of software items classified into categories in advance; extracting API information for each of the plurality of software items; And generating a first MLD value based on the API reference frequency included in the API information.

The generating of the first MLD value may include extracting a file name of a plurality of APIs included in each software for the plurality of software programs, Calculating the number of software, and calculating the first MLD value for each API by dividing the reference frequency by the number of the software.

The present invention also provides a software classification method, comprising: a MLD DB storing a first MLD value per API for a plurality of software classified into categories, generated by the generating device according to any one of claims 1 to 4; Extracting feature names of a plurality of APIs included in an executable file that constitutes the classification target software and a reference frequency of each API when the classification target software is recognized; Calculating a second MLD value for each API of the classification target software by using information about a file name of the API of the MLD and a reference frequency of each of the APIs; And comparing the first MLD value with the first MLD value to determine a category to which the classification target software belongs.

The step of determining the category may further include the steps of: comparing the second MLD value of the classification target software with the first MLD value for each category in the MLD DB; comparing the first MLD value with the second MLD value And determining a category having the highest degree of similarity as the category of the classification target software.

According to the present invention, in classification of software, an MLD value based on an API included in an executable file of each software is calculated for a plurality of software pirated or not plagiarized, and a classification And comparing the MLD value calculated based on the API of the classification target software with the filtering database to more accurately determine the category of the classification target software, There is an advantage of reducing the overhead of software filtering operations for detecting plagiarism.

1 is a detailed block diagram of an MLD generation apparatus for software classification according to an embodiment of the present invention;
FIG. 2 is an operation control flowchart for calculating an MLD value for each software in an MLD generating apparatus for classifying software according to an embodiment of the present invention; FIG.
3 is an exemplary MLD value computed for an API according to an embodiment of the present invention,
4 is a diagram illustrating an MLD-based category classification according to an embodiment of the present invention,
FIG. 5 is a conceptual diagram for explaining an environment to which a software classification apparatus according to an embodiment of the present invention is applied;
6 is a detailed block diagram of a software classification apparatus according to an embodiment of the present invention.
7 is a flowchart of an operation control for classifying categories of software to be classified in a software classification apparatus according to an embodiment of the present invention.

Hereinafter, the operation principle of the present invention will be described in detail with reference to the accompanying drawings. In the following description of the present invention, detailed description of known functions and configurations incorporated herein will be omitted when it may make the subject matter of the present invention rather unclear. The following terms are defined in consideration of the functions of the present invention, and these may be changed according to the intention of the user, the operator, or the like. Therefore, the definition should be based on the contents throughout this specification.

FIG. 1 shows a detailed block configuration of an MLD generation apparatus for software classification according to an embodiment of the present invention, and may include an input unit 102, a feature information extraction unit 104, an MLD generation unit 106, and the like .

Hereinafter, operation of each component of the MLD generation apparatus 100 for software classification according to an embodiment of the present invention will be described in detail with reference to FIG.

First, the input unit 102 receives a plurality of software items whose categories are classified in advance. Such software is software for machine learning training for classification of software, preferably but not limited to, pirated or non-pirated software. Such software is software classified into a plurality of categories in advance and is classified into any one of categories such as Audio Player, Browser, CD Writer, FTP, Image Viewer, Messenger, Text Editor, Video Player, .

The feature information extracting unit 104 extracts feature information for each software for a plurality of software categories pre-classified by the input unit 102. In this case, the feature information may be, for example, API information included in an executable file constituting software, and the API information may include a file name of a plurality of APIs included in an executable file constituting each software, Reference frequency, and the number of software using each API. In this case, the reference frequency may refer to the number of times each API is called, but is not limited thereto.

The MLD (Machine Learning Data) generation unit 106 can generate MLD values for each software API by using a plurality of software-specific API information extracted from the feature information extraction unit 104. [ In this case, the MLD value may mean information that allows the software to classify the software having a characteristic based on the API. That is, the MLD value calculated for each API may be a value that instructs the software to be classified as belonging to, for example, Audio Player, Browser, CD Writer, FTP, Image Viewer, Messenger, Text Editor, .

In calculating the MLD value as described above, the MLD generation unit 106 calculates the reference frequency of each API for each of a plurality of software and the number of other software using each API, The MLD value for each API can be generated by dividing the reference frequency of each API by the number of software.

In this case, when it is desired to classify software by using the API-based MLD value as described above, as an approach for improving the accuracy of MLD, there is an API that has about 40% or more of the software using the API in the category Is preferably used. Also, it is preferable to use an API included in a DLL used in a relatively large number of programs such as KERNEL32 and USER32 provided by a window. In addition, when MLD is calculated by using API reference frequency, a lot of observation data values are included in one attribute. In the same category, measurement data similar or identical to each other helps to improve the accuracy of MLD value But is not limited thereto. On the other hand, it is desirable to exclude the APIs referenced by more than a predetermined percentage of the total software, such as 80% or 90% of other APIs, in the feature information. This is because APIs referenced by more than 80% or 90% of the total software used for machine learning can not be the main feature information that distinguishes each category. In other words, it may be desirable to exclude, for example, the API referred to by most software among all software, since it contributes little to software classification.

Also, the MLD generation unit 106 selects N APIs in order of increasing MLD value in each category, and indicates the number of API reference frequencies for each software for N APIs selected in the category to which each software belongs You can create a database.

For example, assuming that the set of software used for machine learning is classified into nine categories, and the number of software for each category is 55, the total number of software can be 495. In this case, N may be variable, and may be 300, 500, 700, 900, 1000, and so on. If N is infinite, all APIs referred to even once may be feature information. If N is 500, 500 APIs having a large MLD value can be selected as feature information for each category. If N is 500 and the selected APIs in each category do not overlap at all, The number can be 500 * 9 = 4500. Also, if N is 500 and the APIs selected in each category are overlapped with the APIs selected in other categories, then the total number of APIs selected as feature information may be less than 4,500. For example, assuming that the number of APIs selected by the entire feature information is M, the relation of N < M is established and M < = 4500. In this case, the MLD value for the entire software is 495 rows and M It can be expressed as a matrix with columns. That is, a row can be represented by each software, and a column by an API. The MLD value represented by this matrix can be used as a database for classifying software, and this database is provided as a software classifying device described below, and classifies the newly classified classifying software into a software classifying device It can be used as reference information.

FIG. 2 illustrates MLD values calculated for each API, and FIG. 3 illustrates MLD-based category classification data that allows each software to classify software belonging to a certain category using MLD values calculated for each API It is.

At this time, the MLD DB 200 may store information on MLD values for each API of each category of software as shown in FIG. In this case, each row in FIG. 3 may represent one program.

4 shows an operation control flow for calculating an MLD value for a plurality of software for machine learning training in which categories are classified in advance in the MLD generating apparatus for software classification according to the embodiment of the present invention. Hereinafter, an embodiment of the present invention will be described in detail with reference to FIG. 4 in FIG.

First, the MLD generation apparatus for software classification 100 receives a plurality of illegally copied or non-plagiarized software classified as categories as software for machine learning training (S400).

Next, the MLD generation apparatus for software classification 100 extracts the API information included in the execution files of the respective software for a plurality of illegally copied or non-plagiarized software (S402). At this time, the API information may be information such as the file name of the API, the reference frequency of each API, the number of software using the API, and the like, but is not limited thereto.

Next, the MLD generation apparatus for software classification 100 uses the reference frequency referred to by the other software and the number of software using each API for a plurality of APIs of a plurality of software for each category, The MLD value for each API is generated by dividing the reference frequency by the number of software as in Equation (1) (S404).

In generating the MLD value, the MLD generation apparatus for software classification 100 may select the top N APIs having a large MLD value for each category (S406). In addition, the MLD generation apparatus for software classification 100 may display the API reference number for each software for the N APIs selected in the category to which each software belongs (S408). At this time, the API reference number may be the MLD value indicating the category characteristic of each software.

Next, the MLD generation apparatus for software classification 100 stores the MLD value for each API of all the software created by the above-described category as MLD DB 200 as software classification database information (S410).

At this time, the MLD DB 200 is provided as a software classification device described later, and can be utilized as reference information in classifying the classification target software newly input by the software classification device.

5 is a conceptual diagram illustrating an environment in which a software classification apparatus according to an embodiment of the present invention is applied.

5, a plurality of types of software 20, 30, 40, ... can be uploaded by a plurality of users on a web hard 10. Here, the web hard 10 includes a plurality of Refers to a kind of cloud storage space in which a user of the computer can upload software or contents. It may be a concept covering various online storage spaces regardless of the name of WebHard.

The software classification apparatus 500 according to the embodiment of the present invention can classify the category of the corresponding software in the uploading step for the target software 20, 30, 40, ..., have.

In classifying the categories of software as described above, the software classifying device 500 may classify the category of the software by using MLD values calculated in advance for a plurality of software categories classified by using feature information such as API information included in the executable file of the software The classification of the software to be classified can be classified using the MLD (Machine Learning Data) DB 200 stored.

That is, when the software is uploaded from the user's computer terminal to the cloud storage space of the web hard 10 or the like, the software classification apparatus 500 extracts the software feature information from the software to be uploaded and transmits the extracted feature information to the MLD DB 200 ), It can be classified into a specific category.

In this case, the operation of classifying the software into specific categories using the feature information of the classification target software in the software classifying apparatus 500 is shown in detail in the block diagram of the software classifying apparatus, and in FIG. 6 Will be described in detail.

In addition, when the category of the software is classified through the software classifying device 500, the software classified as such category may be classified into software category It is possible to detect whether the program is illegally copied or falsified / modulated compared with the normal software pre-registered by category in a software illegal detection device (not shown) that can be interlocked with the device 500.

In the above description, a software classification process for software that is uploaded from a user terminal such as a personal computer to a cloud storage space such as the WebHard 10 has been described. However, Process can be applied.

In addition, the software classification apparatus 500 according to the embodiment of the present invention can be used not only for classifying software to be uploaded / downloaded into the web hard 10 into more accurate categories, and for facilitating detection of illegal copying or plagiarism of software But can also be applied to a software classification process for facilitating the detection of piracy or plagiarism of the software in an off-line state. For example, when searching for a storage device such as a hard disk mounted on a detection target computer and detecting the presence of illegal copying or plagiarism software, it is also possible to classify the software for the purpose of faster detection of the target software, Apparatus 500 may be utilized.

6 shows a detailed circuit configuration of a software classification apparatus using API feature information of an executable file according to an embodiment of the present invention. The feature classification information extraction unit 510, the MLD calculation unit 520, the category determination unit 530 ), MLD DB 200, and the like.

Hereinafter, operation of each component of the software classifier 500 will be described in more detail with reference to FIG.

First, when the classification target software is recognized, the characteristic information extracting unit 510 may extract partial information including the core characteristic information of the executable file that constitutes the classification target software as characteristic information of the classification target software. At this time, the core feature information of the executable file may be information such as a string included in the executable file, a file name of an API (application programming interface), a reference frequency of an API, and the like.

That is, when the classification target software is recognized, the characteristic information extracting unit 510 extracts the file names of the plurality of APIs included in the executable file that constitutes the classification target software and the information about the reference frequency of each API, But the present invention is not limited thereto.

On the other hand, an executable file can take various forms according to the operating platform of the target software. For example, the executable file may be an EXE file in the PE file format if the operating system (OS) constituting the operating platform is Microsoft Windows, a byte file in the case where the runtime environment is Java, byte) file, or a.out file if the operating system is Linux. This document describes the MS Windows environment in detail, and is applicable to other runtime environments and operating systems.

The MS Windows PE file format also includes dynamic library references for links, tables for exporting and importing APIs, resource management data, and TLS: Thread Local Storage) data, and the like. The PE file also contains a large number of headers and sections to enable the dynamic linker to map the file to memory.

That is, when an executable file is loaded, the Windows loader loads all the DLLs used by the application and maps them onto the process address space, IAT (Import Address Table). In the above example, the IAT is referred to in the above example, but the API information can be extracted from the header or sections of the executable file.

At this time, the feature information extracting unit 510 can check the file name of the API of the classification target software by referring to the IAT of the execution file, and compare the address stored in the IAT and the information of the .text section to check the reference frequency of each API But is not limited thereto.

The above-described software to be classified may be software that is uploaded from a user terminal such as a personal computer to a cloud storage space such as the WebHard 10 or software downloaded from the WebHard 10, But may be software stored in a storage device such as a hard disk mounted on a computer, but is not limited thereto. In addition, the software to be classified may mean software that is illegally copied or has not been checked for falsification / alteration, but is not limited thereto.

The MLD (Machine Learning Data) calculating unit 520 may calculate the MLD value for each API by using information on a file name of a plurality of APIs included in an execution file of the software to be classified and a reference frequency of each API.

In this case, the MLD value may mean information that allows the software to classify the software having a characteristic based on the API. That is, the MLD value calculated for each API can be a value indicating that the software can be classified as belonging to, for example, Audio Player, Browser, CD Writer, FTP, Image Viewer, Messenger, Text Editor, Video Player and the like.

In calculating the MLD value as described above, the MLD calculation unit 520 displays the reference frequency referring to each API in the corresponding software for the M APIs selected as the feature information of the classification target software, and calculates the MLD value Can be calculated.

The category determination unit 530 compares the MLD value of the classification target software calculated through the MLD calculation unit 520 with the MLD value of each category stored in the MLD DB 200 to determine the category to which the classification target software belongs.

That is, the category determination unit 530 compares the MLD value calculated for the classification target software with the MLD value calculated and stored in advance for a plurality of software items in the MLD DB 200, As a category.

7 shows an operation control flow for classifying categories of software to be classified in the software classification apparatus according to the embodiment of the present invention. Hereinafter, embodiments of the present invention will be described in detail with reference to FIGS. 5 to 7. FIG.

First, if the software to be classified is recognized (S700), the software classifier 500 extracts partial information including the core feature information of the executable file that constitutes the classification target software as feature information of the software to be classified S702).

At this time, the core feature information of the executable file may be information such as a string included in the executable file, a file name of an API (application programming interface), a reference frequency of an API, and the like.

That is, when the software to be classified is recognized, the software classification apparatus 500 classifies the file names of the plurality of APIs included in the executable file that constitutes the classification target software and the information about the reference frequency of each API as the characteristics Information, but it is not limited thereto.

At this time, in extracting the file names of the plurality of APIs included in the executable file constituting the classification target software and the information about the reference frequency of each API, the software classification apparatus 500 refers to the IAT of the execution file, The API file name can be confirmed and the reference frequency of each API can be confirmed by comparing the information stored in the IAT with the information of the .text section. However, the present invention is not limited thereto.

In operation S704, the software classification apparatus 500 calculates the MLD value for each API using the file names of the plurality of APIs included in the execution file of the classification target software and information about the reference frequency of each API.

In this case, the MLD value may mean information that allows the software to classify the software having a characteristic based on the API. That is, when referring to the calculated MLD value for each API, it is a value indicating that the software can be classified as belonging to, for example, Audio Player, Browser, CD Writer, FTP, Image Viewer, Messenger, Text Editor, .

In calculating the MLD value as described above, the software classifying device 500 displays the reference frequency referring to each API in the corresponding software for the M APIs selected as the feature information of the classification target software, and calculates the MLD value Can be calculated.

Next, the software classifier 500 compares the MLD value calculated in the above manner with the information stored in the MLD DB 200 to determine a category to which the classification target software belongs (S706).

That is, the software classification apparatus 500 compares the MLD value calculated for the classification target software with the MLD value calculated and stored in advance for a plurality of software items in the MLD DB 200, As a category.

Accordingly, when the category to which the classification target software belongs is classified as described above, it is necessary to compare one-to-one with the software included in the category to which the classification target software belongs, so that the overhead of the software filtering operation for detecting illegal copying or plagiarism of the software .

As described above, according to the present invention, in the classification of software, an MLD value based on an API included in an executable file of each software is calculated for a plurality of software pirated or not plagiarized, and a plurality The category of the software to be classified is more accurately determined by comparing the MLD value calculated based on the API of the classification target software with the filtering database after creating the software filtering database that classifies the software of the classification target software, Thereby reducing the overhead of software filtering operations for software piracy or detection of plagiarism.

Combinations of the steps of each flowchart attached to the present invention may be performed by computer program instructions. These computer program instructions may be loaded into a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus so that the instructions, which are executed via a processor of a computer or other programmable data processing apparatus, Lt; / RTI > These computer program instructions may also be stored in a computer usable or computer readable memory capable of directing a computer or other programmable data processing apparatus to implement the functionality in a particular manner so that the computer usable or computer readable memory It is also possible to produce manufacturing items that contain instruction means for performing the functions described in each step of the flowchart. Computer program instructions may also be stored on a computer or other programmable data processing equipment so that a series of operating steps may be performed on a computer or other programmable data processing equipment to create a computer- It is also possible for the instructions to perform the processing equipment to provide steps for executing the functions described in each step of the flowchart.

In addition, each step may represent a module, segment, or portion of code that includes one or more executable instructions for executing the specified logical function (s). It should also be noted that in some alternative embodiments, the functions mentioned in the steps may occur out of order. For example, the two steps shown in succession may in fact be performed substantially concurrently, or the steps may sometimes be performed in reverse order according to the corresponding function.

While the invention has been shown and described with reference to certain preferred embodiments thereof, it will be understood by those skilled in the art that various changes and modifications may be made without departing from the spirit and scope of the invention. Accordingly, the scope of the invention should not be limited by the described embodiments but should be defined by the appended claims.

102: input unit 104: feature information extraction unit
106: MLD generation unit 200: MLD DB
500: Software classifying apparatus 510: Feature information extracting unit
520: MLD calculating section 530: category determining section

Claims (12)

delete delete delete delete An MLD DB storing a first MLD value for each API for a plurality of software classified into categories,
A feature information calculating unit that extracts information on a file name of a plurality of APIs included in an executable file that constitutes the software and reference frequency of each API when the software to be classified is recognized;
An MLD calculation unit for calculating a second MLD value for each API of the classification target software by using information on the file names of the plurality of APIs and the reference frequency of each of the APIs;
A category determination unit for determining a category to which the classification target software belongs by comparing the second MLD value calculated through the MLD calculation unit with the first MLD value for each category stored in the MLD DB,
The software classification apparatus comprising: 6. The method of claim 5,
Wherein the category determination unit comprises:
Compares the second MLD value of the classification target software with the first MLD value of the category in the MLD DB to classify the category having the highest similarity between the first MLD value and the second MLD value into a category of the classification target software Determining a software classification device. 6. The method of claim 5,
Wherein the feature information calculating unit comprises:
And extracts a file name of each API of the classification target software and a reference frequency of each of the APIs from the header and sections of the classification target software. 6. The method of claim 5,
The executable file includes:
A Microsoft Windows EXE file, a Java byte file, or a Linux a.out file. delete delete Generating an MLD DB storing a first MLD value per API for a plurality of software classified as a category;
Extracting a file name of a plurality of APIs included in an executable file constituting the classification target software and characteristic information about a reference frequency of each API when the classification target software is recognized;
Calculating a second MLD value for each API of the classification target software using information on the file names of the plurality of APIs and the reference frequency of each of the APIs;
Comparing the second MLD value with a first MLD value for each category stored in the MLD DB to determine a category to which the classification target software belongs
Gt;. ≪ / RTI > 12. The method of claim 11,
Wherein the step of determining the category comprises:
Comparing the second MLD value of the classification target software with the first MLD value for each category in the MLD DB;
Determining a category having the highest degree of similarity between the first MLD value and the second MLD value as a category of the classification target software
Gt;. ≪ / RTI >

Images