KR101869377B1 - Device and methods of analyzing dependency between network signatures or between signature pairs - Google Patents

Abstract

The machine language analyzing apparatus includes a function specifying unit, a request signature generating unit, a response signature generating unit, and a signature dependency analyzing unit. The function specifying unit may include a plurality of external reference functions for controlling each of the terminals to request the terminal according to a request format including a predetermined item for the response data of the external terminal connected to the communication network to decompile the machine code ) Within the text. The request signature generator generates a plurality of request signatures each having a request regular expression representing every case that the request item data corresponding to the item of the request type can have, based on a regular expression method. The response signature generation unit generates a plurality of response signatures each having a response regular expression expressed on the basis of the regular expression method in every case that the extracted item data corresponding to the extracted item used by the terminal among the response data can have. The signature dependency analysis unit analyzes the dependency between the request signatures and the response signatures based on whether or not the extracted item of the one response signature among the response signatures affects the item of the one request signature among the request signatures.

Description

Technical Field [0001] The present invention relates to a machine language analyzing apparatus and a machine language analyzing method for analyzing dependency between network signatures or between signature pairs,

The present invention relates to a machine language analysis method, and more particularly, to a machine language analysis method and a machine language analysis apparatus for analyzing a protocol of an application that performs network behavior based on dependencies between signatures or signature pairs.

With the development of semiconductor technology, smart devices that are easy to carry and have improved performance are being manufactured. Unlike conventional electronic devices, smart devices can connect to the Internet and exchange information with other devices based on improved performance.

However, as the number of smart devices connected to the Internet increases, web traffic generated by smart devices has also increased. In particular, applications running on smart devices generate web traffic while performing network actions according to the purpose of each service.

Therefore, it is necessary to efficiently manage the web traffic so as to provide timely and appropriate services in response to the increased web traffic. In particular, if unique characteristics of web traffic generated by each application on the web can be analyzed, web traffic management corresponding to each application can be made possible.

To this end, the prior art documents described above give priority to web traffic, but they do not include contents for analyzing unique characteristics of web traffic generated by each application.

Korean Patent Publication No. 2000-0071957 (published on December 05, 2000)

It is an object of the present invention to provide a machine language analyzing apparatus capable of analyzing intrinsic characteristics of Web traffic input / output in a terminal in which an application is running.

It is another object of the present invention to provide a machine language analysis method capable of analyzing intrinsic characteristics of Web traffic input / output to / from a terminal on which an application is running.

It should be understood, however, that the present invention is not limited to the above-described embodiments, and may be variously modified without departing from the spirit and scope of the present invention.

In order to accomplish one object of the present invention, a machine language analyzing apparatus according to embodiments of the present invention is a machine language analyzing apparatus for analyzing response data of an external terminal connected to a communication network, A function specifying unit for specifying a plurality of external reference functions to be controlled in decompressed text of a machine code executed in the terminal, all cases in which request item data corresponding to the item of the request format can have A request signature generator for generating a plurality of request signatures each having a request regular expression expressed on the basis of a regular expression method, a request signature generation unit for generating extraction signature data corresponding to an extraction item used by the terminal, A response represented by the regular expression method A response signature generation unit that generates a plurality of response signatures each having an exponentiation expression, and a response signature generation unit that, based on whether the extracted item of the one response signature of the response signatures affects the item of the request signature of the request signatures And a signature dependency analyzer for analyzing a dependency between the request signatures and the response signatures.

According to one embodiment, the machine language analysis apparatus includes a signature pair generator for generating a plurality of signature pairs by associating the request signatures with the response signatures based on whether the external reference functions are common, And a signature pair correspondence unit that associates one signature pair among the signature pairs with another signature pair based on the signature pair.

According to an embodiment, the machine language analyzing apparatus may further include a decompiling unit for generating the decompiled text.

According to an embodiment of the present invention, the machine language analyzing apparatus includes a request slice extracting unit that extracts a request format generating part that affects generation of the request format among the decompressed texts, And a response slice extracting unit for extracting a response data processing part for receiving the response data, wherein the request signature can be generated by analyzing the request type generating part, and the response signature can be generated by analyzing the response data processing part have.

According to an embodiment, the request format may include at least one of an address item corresponding to the address of the external terminal, a location item corresponding to the location of the response data in the external terminal, And an authority item.

According to an embodiment, the request signature generating unit may include a request signature item specifying unit for specifying the item of the request format by searching for a predetermined function in the decompiled text, A request regular expression generating unit for generating the request regular expression expressing all cases of the request item data, and a request regular expression correspondence unit for associating the item of the request format with the generated request regular expression.

According to one embodiment, the predetermined function may be a function for mapping the item data in the request format to the item data.

According to an embodiment, the response signature generator may include a response signature item specifying unit for specifying the extracted item by searching for a predetermined function in the decompiled text, A response regular expression generating unit for generating the response regular expression expressing all cases, and a response regular expression correspondence unit for associating the extracted item with the generated response regular expression.

According to an embodiment, the predetermined function may be a function of extracting the extracted item data from the response data.

According to another aspect of the present invention, there is provided a machine language analysis method for analyzing response data of an external terminal connected to a communication network, the method comprising: Specifying a plurality of external reference functions to be controlled in the decompiled text of a machine code executed in the terminal; and all cases in which the request item data corresponding to the item of the request format can have a basis of a regular expression method The method includes generating a plurality of request signatures each having a request regular expression expressed by a regular expression, and generating all of the cases in which the extracted item data corresponding to the extracted item used by the terminal among the response data can have, Multiple response signatures each having an expression Based on whether the extracted item of the one of the response signatures affects the item of the one request signature of the request signatures, the dependency between the request signatures and the response signatures Lt; / RTI >

According to one embodiment, the machine language analysis method comprises generating a plurality of signature pairs by mapping the request signatures to the response signatures based on whether the external reference functions are common, And associating one of the signature pairs with another signature pair.

According to an embodiment, the machine language analysis method may further include generating the decompiled text.

According to an embodiment, the machine language analysis method may further include extracting a request format generation part that affects generation of the request format among the decompressed texts, and extracting a response format data item The request signature may be generated by analyzing the request format generation portion, and the response signature may be generated by analyzing the response data processing portion.

According to an embodiment, the step of generating the request signatures may include the steps of: specifying the item of the request format by searching for a predetermined function in the decompiled text; Generating the request regular expression expressing all cases of the request item data, and associating the generated request regular expression with the item of the request format.

According to an embodiment of the present invention, the step of generating the response signatures may include the steps of: identifying the extracted item by searching for a predetermined function in the decompiled text; extracting all of the extracted item data Generating the response regular expression expressing the case, and associating the extracted item with the generated response regular expression.

The machine language analysis apparatus and the machine language analysis method according to embodiments of the present invention can analyze unique characteristics of web traffic generated by an application by generating request signatures and response signatures having a regular expression.

Further, the machine language analysis apparatus and the machine language analysis method according to the embodiments of the present invention can analyze the correlation between web traffic generated by the application by analyzing the dependency between the request signatures and the response signatures.

However, the effects of the present invention are not limited to the above effects, and may be variously extended without departing from the spirit and scope of the present invention.

1 is a block diagram illustrating a machine language analysis apparatus according to embodiments of the present invention.
2 is a block diagram illustrating an example of a communication system for generating web traffic associated with the machine language analysis apparatus of FIG.
3 is a diagram illustrating an example of request format and response data transmitted between a terminal and an external terminal in the communication system of FIG.
FIG. 4 is a diagram illustrating an example of a decompressed text generated by decompiling a machine code executed in a terminal in the communication system of FIG. 2. FIG.
FIG. 5 is a diagram illustrating an example of a request signature and a response signal generated by analyzing the decommissioned text of FIG.
6 is a flowchart illustrating a machine language analysis method according to embodiments of the present invention.

Hereinafter, preferred embodiments of the present invention will be described in detail with reference to the accompanying drawings. The same reference numerals are used for the same constituent elements in the drawings and redundant explanations for the same constituent elements are omitted.

1 is a block diagram illustrating a machine language analysis apparatus according to embodiments of the present invention.

Referring to FIG. 1, the machine language analyzer 100 may include a function specifying unit 120, a request signature generating unit 140, a response signature generating unit 160, and a signature dependency analyzing unit 180. According to an embodiment, the machine language analysis apparatus 100 may further include a signature pair generation unit and a signature pair correspondence unit, and may further include a reverse compilation unit, and may further include a request slice extraction unit and a response slice extraction unit .

The decompiling unit can generate the decompiled text (DT) by decompiling the machine code executed in the terminal. By decompiling the machine language at a relatively low level, high level program code that is relatively easy to analyze can be generated, and a decompiled text DT containing such program code can be generated. According to an embodiment, the machine language can run the terminal on the Android operating system. For example, an Android application package (APK), which is a collection of machine language that runs a terminal on an Android operating system, can be relatively easily decompiled with program code composed of a high-level programming language such as Java (JAVA) have.

The control of the operation of the terminal may be machine code executed in the terminal. The machine language can be generated by compiling the decompiled text (DT), so that the machine code executed in the terminal can be analyzed by analyzing the decompiled text (DT).

The function specifying unit 120 can specify a plurality of external reference functions f in the decompiled text DT. Here, the external reference functions f can control the terminals, respectively, and the terminal can request the response data of the external terminal to the external terminal connected to the communication network under the control of the external reference functions f. According to the embodiment, the external reference functions f can control each of the terminals so that the terminal receives the response data of the external terminal.

The decompiled text DT may be generated by the decompiling unit, but may be a separate input by the user of the machine language analyzer 100 of the decompiled text DT of the decompiled machine code.

The terminal may require response data of the external terminal according to the purpose of the application running on the terminal, and may request the external terminal to transmit the response data.

The machine language controlling the operation of these terminals can be analyzed by analyzing the decompiled text (DT) which has been decompiled. Therefore, by analyzing the external reference functions f controlling the operation in the decompiled text DT, the intrinsic characteristics of the web traffic generated in the operation of the terminal can be analyzed.

Here, the terminal may request response data according to a request format including a predetermined item. According to an embodiment, the request format may include an address entry, a location entry, and an authority entry. The address item may correspond to the address of the external terminal. The location item may correspond to the location of the response data in the external terminal. An authority entry may correspond to authority to access response data.

For example, the address entry may correspond to the address data of the server having the response data required by the application. The location item may correspond to location data indicating a specific location of the response data in the server. The authorization item may correspond to authorization data that can access the response data.

In one embodiment, the response data may include at least one or more items. The terminal can use only a part of the response data. Here, the extracted item may be an item corresponding to the extracted item data used by the terminal among the items of the response data.

For example, the response data may include a login data item, a login time item, a first message item, and a second message item. Here, the login data item may correspond to the login data having information such as whether or not the login is successful, the login time item may correspond to the login time data having the information such as the login time, and the first message item may be associated with the login 1 message data, and the second message item may correspond to the second message data associated with the login.

The terminal may not use the login time data corresponding to the login time item in the response data. In this case, the extracted item may be a login data item, a first message item, and a second message item.

In another embodiment, the response data may only include a request status code indicating that the request for the terminal has been received.

The request slice extractor may extract a request format generation part that affects the generation of the request format among the decompiled text (DT). The unique characteristic of the web traffic output from the terminal can be determined by the request format generation part. Therefore, the efficiency of the analysis can be increased by limiting the scope of the analysis to the request format generation part. For example, the request signatures (QSG) may be generated by analyzing the request format generation portion.

It can be determined whether it affects the generation of the request format by tracking the variables associated with the items included in the request format. For example, the request format generation part can be extracted from the decompiled text (DT) by tracking the variable based on the taint analysis method, which is one of the static analysis methods.

The request signature generation unit 140 generates a plurality of request signatures (QSG) each having a request regular expression expressed on the basis of a regular expression method for every case that the request item data corresponding to the item can have . Here, the regular expression method may be a method of representing a set of strings having a specific rule using a formal language. Therefore, by analyzing the rule of the request item data, all the cases that the request item data can have can be expressed as a regular expression. For example, a string can simply be represented as '. *'.

Since the request regular expression is generated by reflecting the rule of the request item data, the request signatures (QSG) including the request regular expressions can represent the characteristic of the web traffic outputted from the terminal. That is, by generating the request signatures (QSG), the intrinsic characteristics of the web traffic generated by the application running on the terminal can be analyzed.

According to the embodiment, the request signature generation unit 140 may include a request signature item specification unit, a request regular expression generation unit, and a request regular expression correspondence unit.

The Request Signature Item Specification can identify an item by looking for a predefined function in the decompiled text (DT). Here, the predetermined function may be a function for mapping the item item data to the item. For example, the predetermined function may be a function that maps address data to address items included in a request format, a function that maps position data to position items, and a function that maps authority data to authority items. If there is a function preset in the decompressed text (DT), there may be an item related to it. Thus, the item associated with the function can be specified by looking for a preset function in the decompiled text (DT).

The requesting regular expression generating unit can generate a request regular expression expressing all cases of the request item data according to the data format given to the item. The data format may be substantially different for each item, and the requested regular expression generated based thereon may also be substantially different. For example, if the data type given to the address entry is a string, a request regular expression such as '. *' May be generated to represent it.

The request regular expression correspondence unit can match the item with the generated request regular expression. A substantially different request regular expression may be generated for each item, and the generated request regular expression may correspond to each item. For example, an address entry and a request regular expression such as '. *' Generated above can be matched to each other.

The response slice extracting unit can extract a response data processing part affected by the extracted item in the decompiled text (DT). The unique characteristic of the web traffic inputted to the terminal can be determined by the response data processing part. Therefore, the efficiency of analysis can be increased by limiting the scope of the analysis to the response data processing part. For example, response signatures (RSG) may be generated by analyzing the response data processing portion.

By tracking the variables associated with the extracted items, it can be determined whether they are affected by the extracted items. For example, the response data processing portion can be extracted in the decompiled text (DT) by tracking the variable based on the taint analysis method, which is one of the static analysis methods.

The response signature generator 160 may generate a plurality of response signatures (RSG) each having a response regular expression expressed on the basis of the regular expression method for every instance of the extracted item data. Here, the regular expression method may be a method of representing a set of strings having a specific rule using a formal language. Therefore, by analyzing the rule of the extracted item data, all the cases that the extracted item data can have can be expressed as a regular expression. For example, a string can be simply represented as '. *'.

Since the response regular expression is generated by reflecting the rules of the extracted item data, the response signatures (RSG) including the response regular expressions can represent the unique characteristics of the web traffic inputted to the terminal. That is, the unique characteristics of the web traffic generated by the application running on the terminal can be analyzed by generating the response signatures (RSG).

According to an embodiment, the response signature generator 160 may include a response signature item specifying unit, a response regular expression generating unit, and a response regular expression correspondence unit.

The Response Signature Item Specification can identify the extraction item by looking for a predetermined function in the decompiled text (DT). Here, the predetermined function may be a function for extracting extraction item data corresponding to the extraction item from the response data. For example, the predetermined function may be a function extracting the login data from the related extraction item of the response data, and may be a function extracting the first message data from the related extraction item of the response data, It can be a function to extract from the related extraction item. Thus, if there is a function preset in the decompressed text (DT), there may be an extraction item related to it. Thus, an extraction item associated with a function can be identified by looking for a predetermined function in the decompiled text (DT).

The response regular expression generation unit can generate a response regular expression expressing all cases of the extracted item data according to the data format given to the extracted item. The data format may be substantially different for each extraction item, and the response regular expression generated based thereon may also be substantially different. For example, if the data type given to the login data item is a string, a response regular expression such as '. *' May be generated.

The response regular expression correspondence unit can match the extracted item with the generated response regular expression. For each extracted item, a substantially different response regular expression may be generated, and the generated response regular expression may correspond to each extracted item. For example, the login data item and the response regular expression such as '. *' Generated above may correspond to each other.

The signature dependency analysis unit 180 can analyze the dependency (DPD) between the request signatures (QSG) and the response signatures (RSG). To this end, the signature dependency analysis unit 180 can determine whether the extracted item included in one response signature of the response signatures (RSG) affects items included in one request signature of the request signatures (QSG) have. For example, it can be determined whether the data extracted from the first response data by the terminal is used in a request format for requesting the second response data.

The signature dependency analyzer 180 can determine whether or not it influences an item for generating a request format by tracking a variable related to the extracted item. For example, it can be determined whether the extracted item of one response signature affects an item of one request signature by tracking the variable based on the Tainted analysis method, which is one of the static analysis methods.

Depending on the embodiment, there may be a dependency (DPD) between the one response signature and the one request signature when some of the items of the one response signature are substantially the same as some of the items of the one request signature. For example, if the extract item data corresponding to the one extract item of the first response data is used substantially the same as the one item of the request format necessary for requesting the second response data, There may be a dependency (DPD) between the signature and one request signature corresponding to the second response data.

The signature pair generation unit can generate a plurality of signature pairs by mapping request signatures (QSG) to response signatures (RSG). To this end, the signature pair generator can determine whether the external reference functions f are common between the request signatures (QSG) and the response signatures (RSG). For example, one response signature corresponding to the processing of the one request signature corresponding to the request format entered into one out of the xref functions (f) and the response data received by the one xref function will correspond And as a result, one signature pair can be generated.

The signature pair correspondence section can map one of the signature pairs generated by the signature pair generation section to another signature pair based on the dependency (DPD). For example, if there is a dependency between one response signature included in one signature pair and one request signature included in another signature pair, the signature pair correspondence unit can associate the one signature pair with another signature pair.

The machine language analysis apparatus 100 according to embodiments of the present invention can analyze unique characteristics of web traffic generated by an application by generating request signatures (QSG) and response signatures (RSG) having a regular expression.

Furthermore, the machine language analysis apparatus 100 according to embodiments of the present invention analyzes the dependency (DPD) between request signatures (QSG) response signatures (RSG) Can be analyzed.

FIG. 2 is a block diagram illustrating an example of a communication system for generating web traffic related to the machine language analyzing apparatus of FIG. 1, FIG. 3 is a diagram illustrating a request format and response data transmitted between a terminal and an external terminal in the communication system of FIG. Fig.

2 and 3, the communication system may include a terminal 220 and an external terminal 240. The terminal 220 may be connected to the external terminal 240 through a communication network. The terminal 220 can request the response data RD of the external terminal 240 through a request format (RF) generated based on the protocol. Here, the request format (RF) may have a predetermined item. The external terminal 240 can transmit the response data RD generated based on the protocol to the terminal 220 according to the purpose of the request format (RF).

The request format (RF) may include an address item (ADDRESS), a location item (LOCATION), and an authorization item (ID, PASSWORD). The address item ADDRESS may correspond to the address of the external terminal 240. The location item LOCATION may correspond to the location of the response data RD in the external terminal 240. The authorization item (ID, PASSWORD) may correspond to the authority to access the response data (RD).

For example, the address item ADDRESS may correspond to the address data A of the server having the response data RD required by the application. The location item LOCATION may correspond to location data B indicating the specific location of the response data RD in the server. The authorization item (ID, PASSWORD) may correspond to authorization data (C, D) that can access the response data (RD).

The response data RD may have at least one item. The terminal 220 can use only a part of the response data RD. Here, the extracted item may be an item corresponding to the extracted item data used by the terminal 220 among the items of the response data RD.

For example, the response data RD may include a login data item LOGIN, a login time item TIME, a first message item MSG1, and a second message item MSG2. Here, the login data item LOG IN may correspond to the login data E having information such as whether or not the login is successful, and the login time item TIME corresponds to the login time data F having information such as the login time And the first message item MSG1 may correspond to the first message data G related to the login and the second message item MSG2 may correspond to the second message data H related to the login have.

The terminal 220 may not use the login time data F corresponding to the login time item TIME among the response data RD. In this case, the extracted item may be a login data item (LOG IN), a first message item (MSG1), and a second message item (MSG2).

Here, it can be determined whether or not the item that generates the request format is affected by tracking the variables related to the extracted items (LOG IN, MSG1, MSG2). According to an embodiment, there is a dependency between the one response signature and the one request signature when some of the one of the one response signature's signature (LOG IN, MSG1, MSG2) is substantially the same as some of the items of the one request signature . For example, extraction item data (e.g., first message data G) corresponding to a first extraction item (for example, first message item MSG1) among extraction items (LOG IN, MSG1, MSG2) There may be a dependency between one response signature corresponding to the response data RD and one request signature corresponding to the other response data when used substantially the same to generate one item of the request format required to request the other response data .

FIG. 4 is a diagram illustrating an example of decompressed text generated by decompiling a machine code executed in a terminal in the communication system of FIG. 2. FIG. 5 is a diagram illustrating an example of a request signature and response 1 is a diagram showing an example of a signal.

4 and 5, the decompiled text DT may include a request format generation portion QSL, a boundary point DP, and a response data processing portion RSL.

The external reference function f can control the terminal to request the terminal according to the request format RF including the predetermined item of the response data RD of the external terminal connected to the communication network, The terminal can be controlled to receive it. For example, the external reference function f may be a function that receives the request format (RF) and outputs the response data RD within the decompiled text DT. Therefore, the request format generation part QSL and the response data processing part RSL can be separated from each other by the external reference function f. That is, the external reference function f may be a boundary point DP.

This external reference function f may be specified within the decompiled text DT. By analyzing the request format generation part (QSL) and the response data processing part (RSL) by specifying the external reference function (f), the unique characteristics of the web traffic generated by the application running on the terminal can be analyzed.

A Request Format Generation Part (QSL) may be extracted that affects the generation of Request Format (RF) among the decompiled text (DT). The unique characteristic of the web traffic output from the terminal can be determined by a request format generation part (QSL). Therefore, the efficiency of the analysis can be increased by limiting the scope of the analysis to the request format generation part (QSL). For example, the request signature (QSG) may be generated by analyzing the request format generation portion (QSL).

It can be determined whether it affects the generation of the request format by tracking the variables (A, B, C, D) associated with the items included in the request format (RF). For example, the request format generation part (QSL) can be extracted from the decompiled text (DT) by tracking the variables (A, B, C, D) based on the Tain analysis method, which is one of the static analysis methods.

(ADDRESS, LOCATION, ID, PASSWORD, ...) can be specified by searching for the predetermined functions g1, g2, g3, g4, ... in the decompiled text DT. Here, the predetermined functions g1, g2, g3, g4, ... may be a function for associating the request item data A, B, C, D, ... with the items ADDRESS, LOCATION, ID, PASSWORD, For example, the predetermined function may be a function g1 for associating the address data A with the address item ADDRESS included in the request format RF, and the position data B in the position item LOCATION And may be a function g3 or g4 for associating the authority data C and D with the authority item ID and PASSWORD. If the predefined functions (g1, g2, g3, g4, ...) exist in the decompressed text DT, there may exist items related thereto (ADDRESS, LOCATION, ID, PASSWORD, ...). Therefore, items (ADDRESS, LOCATION, ID, PASSWORD, ...) related to the function can be specified by searching for the predetermined functions g1, g2, g3, g4, ... in the decompiled text DT.

(RE1, RE2, RE3, RE4) representing all the cases of the request item data (A, B, C, D, ...) according to the data format given to the item (ADDRESS, LOCATION, ID, PASSWORD, , ...) can be generated. The data format may be substantially different for each item (ADDRESS, LOCATION, ID, PASSWORD, ...) and the requested regular expression RE1, RE2, RE3, RE4, ... generated based thereon may also be substantially different . For example, if the data type given to the address item (ADDRESS) is a string, a request regular expression (RE1) such as '. *' That can express it can be generated.

The generated REQUEST REGULATION REQUIREMENTS RE1, RE2, RE3, RE4, ... may correspond to the items (ADDRESS, LOCATION, ID, PASSWORD, ...). The request regular expressions RE1, RE2, RE3, RE4, ... which are substantially different from one another can be generated for each item ADDRESS, LOCATION, ID, PASSWORD, RE4, ...) may correspond to each item (ADDRESS, LOCATION, ID, PASSWORD, ...). For example, an address entry (ADDRESS) and a request regular expression (RE1) such as '. *' Generated above may correspond to each other.

As a result, the request regular expressions RE1, RE2, RE3, RE4, ... can have request item data A, B, C, D, ... corresponding to the items ADDRESS, LOCATION, ID, PASSWORD, (RE1, RE2, RE3, RE4, ...) corresponding to the items (ADDRESS, LOCATION, ID, PASSWORD, ...) can be represented on the basis of the regular expression method and the request signature (QSG) Lt; / RTI >

The response data processing part RSL affected by the extracted items LOG IN, MSG1, MSG2, ... in the decompressed text DT can be extracted. The unique characteristics of the web traffic inputted to the terminal can be determined by the response data processing part (RSL). Thus, by limiting the scope of the analysis to the Response Data Processing Part (RSL), the efficiency of the analysis can be increased. For example, a response signature (RSG) may be generated by analyzing the response data processing portion (RSL).

It can be judged whether or not it is influenced by the extracted items (LOG IN, MSG 1, MSG 2, ...) by tracking the variables (E, G, H, ...) related to the extracted items (LOG IN, MSG 1, MSG 2, . For example, the response data processing part (RSL) may be extracted from the decompiled text (DT) by tracking the variables (E, G, H, ...) based on the Tain analysis method, which is one of the static analysis methods.

(LOG IN, MSG1, MSG2, ...) can be specified by finding predetermined functions h1, h2, h3, ... in the decompiled text DT. Here, the predetermined functions h1, h2, h3,... Are extracted from the response data RD from the extraction item data E, G, H, ... corresponding to the extraction items LOG IN, MSG1, MSG2, Function. For example, the predetermined function may be a function h1 for extracting the login data E from the related extraction item LOG IN of the response data RD, and the first message data G to the response data RD And a function h3 for extracting the second message data H from the related extraction item MSG2 of the response data RD. The function h2 may be a function h2 extracted from the related extraction item MSG1 of the response data RD. Thus, if there are functions (h1, h2, h3, ...) predefined in the decompressed text DT, the extracted items LOG IN, MSG1, MSG2,. Therefore, the extraction items (LOG IN, MSG1, MSG2, ...) associated with the function can be specified by finding the predetermined functions h1, h2, h3, ... in the decompiled text DT.

(RE5, RE6, RE7, ...) expressing all cases of the extracted item data (E, G, H, ...) according to the data format given to the extracted items LOG IN, MSG1, MSG2, Lt; / RTI > The data format may be substantially different for each extraction item (LOG IN, MSG1, MSG2, ...), and the extraction regular expressions (RE5, RE6, RE7, ...) generated based thereon may also be substantially different. For example, if the data type given to the login data item (LOG IN) is a string, an extraction regular expression (RE5) such as '. *' That can express it can be generated.

The extracted items (LOG IN, MSG1, MSG2, ...) and the extracted extracted regular expressions (RE5, RE6, RE7, ...) can be matched. RE6, RE7, ...) may be generated for each of the extracted items (LOG IN, MSG1, MSG2, ...), and the extracted extracted regular expressions (RE5, RE6, Can correspond to each extracted item (LOG IN, MSG1, MSG2, ...). For example, the login data item (LOG IN) and the extracted regular expression (RE5) such as '. *' Generated above may correspond to each other.

As a result, the extraction regular expressions (RE5, RE6, RE7, ...) are all cases in which the extraction item data (E, G, H, ...) corresponding to the extraction items (LOG IN, MSG1, MSG2, And the response signature RSG may have extraction regular expressions RE5, RE6, RE7, ... corresponding to the extracted items LOG IN, MSG1, MSG2, ....

6 is a flowchart illustrating a machine language analysis method according to embodiments of the present invention.

Referring to FIG. 6, in analyzing the machine language, the outer reference functions may be specified (S120) within the decompiled text, a plurality of request signatures may be created (S140), a plurality of response signatures are generated ), And the dependency between the request signatures and the response signatures can be analyzed (S180). According to an embodiment, a plurality of signature pairs may be generated, and one signature pair and another signature pair may be mapped. Depending on the embodiment, the decompiled text may be generated. According to the embodiment, the request format generation portion can be extracted, and the response data processing portion can be extracted.

The decompiled text can be generated by decompiling the machine code executed in the terminal. By decompiling a relatively low level machine language, high level program code can be generated that is relatively easy to analyze, and decompile text containing such program code can be generated. According to an embodiment, the machine language can run the terminal on the Android operating system. For example, an Android application package, which is a collection of machine language that runs on a terminal on the Android operating system, can be relatively easily decompiled with program code composed of Java, etc., which is a high-level programming language.

The control of the operation of the terminal may be machine code executed in the terminal. Since the machine language can be generated by compiling the decompiled text, the machine code executed on the terminal can be analyzed by analyzing the decompiled text.

A plurality of external reference functions may be specified (S120) within the decompiled text. Here, the external reference functions can control each of the terminals, and the terminal can request response data of the external terminal to external terminals connected to the communication network under the control of the external reference functions f. According to an embodiment, the external reference functions can control each of the terminals so that the terminal receives the response data of the external terminal.

The terminal may require response data of the external terminal according to the purpose of the application running on the terminal, and may request the external terminal to transmit the response data.

The machine language that controls the operation of these terminals can be analyzed by analyzing the decompiled text of the decompiled text. Thus, by analyzing the external reference functions controlling the operation within the decompiled text, the intrinsic characteristics of the web traffic generated by the operation of the terminal can be analyzed.

Here, the terminal may request response data according to a request format including a predetermined item. According to an embodiment, the request format may include an address entry, a location entry, and an authority entry. The address item may correspond to the address of the external terminal. The location item may correspond to the location of the response data in the external terminal. An authority entry may correspond to authority to access response data.

For example, the address entry may correspond to the address data of the server having the response data required by the application. The location item may correspond to location data indicating a specific location of the response data in the server. The authorization item may correspond to authorization data that can access the response data.

In one embodiment, the response data may include at least one or more items. The terminal can use only a part of the response data. Here, the extracted item may be an item corresponding to the extracted item data used by the terminal among the items of the response data.

For example, the response data may include a login data item, a login time item, a first message item, and a second message item. Here, the login data item may correspond to the login data having information such as whether or not the login is successful, the login time item may correspond to the login time data having the information such as the login time, and the first message item may be associated with the login 1 message data, and the second message item may correspond to the second message data associated with the login.

The terminal may not use the login time data corresponding to the login time item in the response data. In this case, the extracted item may be a login data item, a first message item, and a second message item.

In another embodiment, the response data may only include a request status code indicating that the request for the terminal has been received.

A portion of the request format generation that affects the generation of the request format among the decompiled texts may be extracted. The unique characteristic of the web traffic output from the terminal can be determined by the request format generation part. Therefore, the efficiency of the analysis can be increased by limiting the scope of the analysis to the request format generation part. For example, request signatures can be generated by analyzing the request format generation portion.

It can be determined whether it affects the generation of the request format by tracking the variables associated with the items included in the request format. For example, the request format generation part can be extracted from the decompiled text by tracking the variable based on the Tain analysis method, which is one of the static analysis methods.

A plurality of request signatures each having a request regular expression expressing every case that the request item data corresponding to the item can have (S140) can be generated based on the regular expression method. Here, the regular expression method may be a method of representing a set of strings having a specific rule using a formal language. Therefore, by analyzing the rule of the request item data, all the cases that the request item data can have can be expressed as a regular expression. For example, a string can simply be represented as '. *'.

Since the request regular expression is generated by reflecting the rule of the request item data, the request signatures including the request regular expression can represent the characteristic of the web traffic outputted from the terminal. That is, the unique characteristics of the web traffic generated by the application running on the terminal can be analyzed by generating the request signatures.

In accordance with an embodiment, in request signatures are created (S140), an item of the request form can be specified, a request regular expression can be generated, and the item and the request regular expression can be matched.

The item can be specified by looking for a preset function in the decompiled text. Here, the predetermined function may be a function for mapping the item item data to the item. For example, the predetermined function may be a function that maps address data to address items included in a request format, a function that maps position data to position items, and a function that maps authority data to authority items. If there is a predefined function in the decompiled text, there may be an item related to it. Thus, the item associated with the function can be specified by looking for a preset function in the decompiled text.

A request regular expression expressing all cases of the request item data may be generated according to a data format given to the item. The data format may be substantially different for each item, and the requested regular expression generated based thereon may also be substantially different. For example, if the data type given to the address entry is a string, a request regular expression such as '. *' May be generated to represent it.

The item and the generated request regular expression can be matched. A substantially different request regular expression may be generated for each item, and the generated request regular expression may correspond to each item. For example, an address entry and a request regular expression such as '. *' Generated above can be matched to each other.

The response data processing part affected by the extracted items in the decompiled text can be extracted. The unique characteristic of the web traffic inputted to the terminal can be determined by the response data processing part. Therefore, the efficiency of analysis can be increased by limiting the scope of the analysis to the response data processing part. For example, response signatures can be generated by analyzing the response data processing portion.

By tracking the variables associated with the extracted items, it can be determined whether they are affected by the extracted items. For example, the response data processing part can be extracted from the decompiled text by tracing the variable based on the taint analysis method, which is one of the static analysis methods.

A plurality of response signatures each having a response regular expression expressing every case that the extracted item data can have based on the regular expression method may be generated (S160). Here, the regular expression method may be a method of representing a set of strings having a specific rule using a formal language. Therefore, by analyzing the rule of the extracted item data, all the cases that the extracted item data can have can be expressed as a regular expression. For example, a string can be simply represented as '. *'.

Since the response regular expression is generated by reflecting the rule of the extracted item data, the response signatures including the response regular expressions can represent the characteristic of the web traffic inputted to the terminal. That is, the unique characteristics of the web traffic generated by the application running on the terminal can be analyzed by generating the response signatures.

In accordance with an embodiment, in generating response symbols (S160), an extraction item can be specified, a response regular expression can be generated, and the extraction item and the response regular expression can be matched.

The extracted item can be specified by looking for a preset function in the decompiled text. Here, the predetermined function may be a function for extracting extraction item data corresponding to the extraction item from the response data. For example, the predetermined function may be a function extracting the login data from the related extraction item of the response data, and may be a function extracting the first message data from the related extraction item of the response data, It can be a function to extract from the related extraction item. If there is a predefined function in the decompiled text, there may be an extraction item related to it. Thus, the extraction items associated with the function can be specified by looking for a preset function in the decompiled text.

A response regular expression expressing all cases of the extracted item data may be generated according to the data format given to the extracted item. The data format may be substantially different for each extraction item, and the response regular expression generated based thereon may also be substantially different. For example, if the data type given to the login data item is a string, a response regular expression such as '. *' May be generated.

The extracted item and the generated response regular expression can be matched. For each extracted item, a substantially different response regular expression may be generated, and the generated response regular expression may correspond to each extracted item. For example, the login data item and the response regular expression such as '. *' Generated above may correspond to each other.

The dependency between the request signatures and the response signatures can be analyzed (S180). To this end, it may be determined whether the extracted item included in one response signature of the response signatures affects items included in one request signature of the request signatures. For example, it can be determined whether the data extracted from the first response data by the terminal is used in a request format for requesting the second response data.

It can be judged whether or not the item generating the request format is influenced by tracking the variable related to the extracted item. For example, it can be determined whether the extracted item of one response signature affects an item of one request signature by tracking the variable based on the Tainted analysis method, which is one of the static analysis methods.

Depending on the embodiment, there may be a dependency between the one response signature and the one request signature when some of the items of the one response signature are substantially the same as some of the items of the one request signature. For example, if the extract item data corresponding to the one extract item of the first response data is used substantially the same as the one item of the request format necessary for requesting the second response data, There may be a dependency between the signature and one request signature corresponding to the second response data.

By associating request signatures with response signatures, a plurality of signature pairs can be generated. To this end, it may be determined whether the external reference functions are common between the request signatures and the response signatures. For example, one response signature corresponding to the processing of one request signature corresponding to the request format entered into one out of the external reference functions and the response data received by the one external reference function may correspond, As a result, one signature pair can be generated.

Depending on the dependency, one of the signature pairs may be mapped to another signature pair. For example, if there is a dependency between one response signature included in one signature pair and one request signature included in another signature pair, the one signature pair and the other signature pair may correspond to each other.

The machine language analysis method according to embodiments of the present invention can analyze unique characteristics of web traffic generated by an application by generating request signatures and response signatures having a regular expression.

Furthermore, the machine language analyzer and the machine language analysis method according to the embodiments of the present invention can analyze the correlation between web traffic generated by the application by analyzing the dependency between the request signatures and the response signatures.

While the present invention has been particularly shown and described with reference to exemplary embodiments thereof, it should be understood by those skilled in the art that various changes in form and details may be made therein without departing from the spirit and scope of the invention as defined in the following claims. And can be modified and changed by those skilled in the art. For example, address items, location items, and authority items are illustrated as items in the above description, but the types of items are not limited thereto.

The present invention can be variously applied to an electronic apparatus that can drive an application that requests response data of an external terminal. For example, the present invention may be applied to a computer, a notebook, a digital camera, a video camcorder, a mobile phone, a smart phone, a smart pad, a PMP, a PDA, an MP3 player, A motion detection system, and the like.

While the present invention has been particularly shown and described with reference to exemplary embodiments thereof, it will be understood by those skilled in the art that various changes and modifications may be made therein without departing from the spirit and scope of the invention as defined in the appended claims. You will understand.

100: Machine tool analyzer
120: function specific part
140: request signature generation unit
160: Response signature generation unit
180: Signature Dependency Analysis Unit
220: terminal
240: external terminal

Claims (15)

A plurality of external reference functions for controlling each of the terminals to request the terminal according to a request format including a predetermined item with respect to the response data of the external terminal connected to the communication network are decompiled into machine code executed in the terminal, A function specification part specifying in the text;
A request signature generation unit for generating a plurality of request signatures each having a request regular expression expressing every case that request item data corresponding to the item of the request format can have on the basis of a regular expression method, ;
A response signature generation unit for generating a plurality of response signatures each having a response regular expression in which all items of the response data corresponding to the extracted item used by the terminal can be represented based on the regular expression method; And
And analyzing a dependency between the request signatures and the response signatures based on whether the extracted item of the one of the response signatures affects the item of the one request signature of the request signatures. And a signature dependency analyzing unit for analyzing the signature. The method according to claim 1,
A signature pair generation unit for generating a plurality of signature pairs by associating the request signatures with the response signatures based on whether the external reference functions are common; And
And a signature pair correspondence unit for associating one signature pair among the signature pairs with another signature pair based on the dependency. The method according to claim 1,
And a decompiling unit for generating the decompiled text. The method according to claim 1,
A request slice extracting unit for extracting a request format generation part that affects generation of the request format among the decompiled texts; And
And a response slice extracting unit for extracting a response data processing part affected by the extraction item among the decompiled texts,
Wherein the request signature is generated by analyzing the request format generation portion and the response signature is generated by analyzing the response data processing portion. The method of claim 1,
An address item corresponding to an address of the external terminal;
A position item corresponding to a position of the response data in the external terminal; And
And an authority item corresponding to an authority to access the response data. The method of claim 1, wherein the request signature generator
A request signature item specifying unit for specifying the item of the request format by finding a predetermined function in the decompiled text;
A request regular expression generation unit for generating the request regular expression expressing all cases of the request item data according to a data format given to the item of the request format; And
And a request regular expression correspondence unit for associating the item of the request format with the generated request regular expression. The machine analysis apparatus of claim 6, wherein the predetermined function is a function for mapping the request item data to the item of the request format. The method of claim 1, wherein the response signature generation unit
A response signature item specifying unit for specifying the extracted item by finding a predetermined function in the decompiled text;
A response regular expression generation unit for generating the response regular expression expressing all cases of the extracted item data according to a data format given to the extracted item; And
And an answer regular expression correspondence unit for associating the extracted item with the generated response regular expression. The machine analysis apparatus according to claim 8, wherein the predetermined function is a function for extracting the extraction item data from the response data. A machine language analysis method executed in a machine language analysis apparatus,
A plurality of external reference functions for controlling each of the terminals to request the terminal according to a request format including a predetermined item with respect to the response data of the external terminal connected to the function specific accessory communication network, Specifying within the text;
Generating a plurality of request signatures each having a request regular expression each representing a case in which the request signature generator generates all cases that the request item data corresponding to the item of the request format can have, based on the regular expression method;
Generating a plurality of response signatures each having a response regular expression in which all of the response item data corresponding to the extracted item used by the terminal among the response data is represented based on the regular expression method; And
The signature dependency analysis unit determines the dependency between the request signatures and the response signatures based on whether the extracted item of the one of the response signatures affects the item of the request signature of the request signatures And analyzing the machine language. 11. The method of claim 10,
Generating a plurality of signature pairs by mapping the request signatures to the response signatures based on whether the external reference functions are common; And
Further comprising: mapping a signature pair of the signature pairs to another signature pair based on the dependency of the signature pair counterpart. 11. The method of claim 10,
And the decompiling unit generates the decompiled text. ≪ Desc / Clms Page number 19 > 11. The method of claim 10,
Extracting a request format generation part that affects the request slice extraction part to generate the request format among the decompiled text; And
The response slice extracting step extracting a response data processing part affected by the extraction item in the decompiled text,
Wherein the request signature is generated by analyzing the request format generation portion and the response signature is generated by analyzing the response data processing portion. 11. The method of claim 10, wherein generating the request signatures comprises:
Identifying the item of the request type by the requested signature item specific part looking for a predetermined function in the decompiled text;
The request regular expression generating unit generating the request regular expression expressing all cases of the request item data according to the data format given to the item of the request format; And
And the requesting regular expression correspondence unit associating the item of the request format with the generated request regular expression. 11. The method of claim 10, wherein generating the response signatures comprises:
Identifying the extracted item by finding a predetermined function in the decompiled text of the response signature item specifying part;
The response regular expression generating unit generating the response regular expression expressing all cases of the extracted item data according to a data format given to the extracted item; And
And the response regular expression correspondence unit associating the extracted item with the generated response regular expression.

Images