KR101922956B1 - Method of detecting malware based on entropy count map of low dimensional number - Google Patents

Abstract

Disclosed is a method of detecting a malicious code based on an entropy count map in a lower dimensional number. Byte-based entropy feature data extracted from learning files of a plurality of normal programs and malicious codes provided as input data are mapped to a presence frequency for each range of entropy values and converted into a plurality of byte entropy count map feature data in a lower dimensional number. Machine learning is performed using the byte entropy count map feature data to generate a detection model capable of classifying the normal programs and the malicious codes. Based on the generated detection model, detection is made regarding whether or not any analysis target file corresponds to the malicious codes. Since the feature of the entropy count map is formed with a distribution of entropy values in a lower dimensional number, it is possible to minimize the redundancy and the noise problems of malicious code data, to improve detection accuracy, to speed up learning and detection, and to improve flexibility, thus a sufficient learning effect can be obtained in the smaller amount of learning data.

Description

TECHNICAL FIELD [0001] The present invention relates to an entropy count map detecting method,

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to the field of information security technology, and more particularly, to a technology for detecting malware using an entropy count map.

Various malicious codes are constantly being generated. For example, Ransomware and intelligent new malware and myriad variants have been increasing rapidly in recent years. One of the ways to detect malicious code is sign-based detection. This detection method is a method of extracting signatures for malicious codes and arbitrary binary files that are subject to malicious existence, and comparing the calculated similarities to malicious code detection and classification. However, signature-based detection methods can only respond to known malicious codes, and have great limitations in detecting new or variant malicious codes.

A machine learning based detection method has been proposed to overcome the limitations of signature-based detection methods and cope with the diversification of malicious codes. A known machine learning-based malicious code detection method known in the art is to create a detection model learned from a file containing normal files and malicious codes (hereinafter, simply referred to as "malicious code"), It is to detect whether the file is malicious code. This detection method has the advantage of detecting new or variant malicious codes.

 In order to use machine learning based detection method, new malicious code data should be learned and malicious code detection model should be updated constantly. Previously known machine learning based malware detection techniques have disadvantages such as data duplication problem between existing data and new data about newly created malicious code, noise data problem, and model extensibility restriction. The amount of data to be processed due to data duplication becomes unnecessarily large, and the updating of the detection model becomes difficult. In addition, redundancy of data can be a factor that deteriorates the performance of the detection model. There is a problem that the detection success rate due to noise data is lowered.

As hackers become more intelligent day by day, attack methods and attack routes using malicious code are evolving to complex and unpredictable. There are many new malicious codes that are newly created, and many variants of them are generated. It is necessary to constantly evolve malicious code detection capability by updating existing malicious code detection models by acquiring new malicious code and malicious malicious code data.

Most recent intelligent malicious codes are increasingly being attacked by bypassing existing vaccine programs. Most malicious codes are obfuscated or compressed to circumvent malware detection technology. To get more accurate information about obfuscated and compressed malware, you need to remove the obfuscation of the malware and uncompress it. However, these tasks require expert knowledge and time. In the case of malicious code that is obfuscated, which is not known, there are limitations in performing such an operation. Therefore, it is necessary not only to detect common malicious codes but also to extract malicious codes that can detect malicious codes that are obfuscated or compressed.

Features for detecting byte-based malware include N-gram, Metadata, Entropy, Image representation, and String length. In detection of malicious codes through machine learning, there may be a difference in detection accuracy and learning time depending on which feature is selected. Especially, as the dimension of the feature increases, the data required for learning increases exponentially, and it takes a long learning time.

According to the present invention, accurate detection performance can be exhibited even with limited learning data by using low-dimensional entropy count map feature data extracted from normal learning files and byte data of malicious codes, and a flexible malicious code detection model To detect a malicious code to provide a malicious code detection method.

The present invention also enables detection of malicious code based on a malicious code detection model generated using prototype data selected from entropy count map feature data of a low dimensional number to solve the problem of data duplication in detection model generation and update To provide a malicious code detection method that can be strong against data noise, increase detection accuracy, and minimize learning time.

The present invention is not limited to the above-described embodiments, and various modifications may be made without departing from the spirit and scope of the invention.

A low-dimensional entropy count map-based malicious code detection method according to embodiments for realizing the object of the present invention is a method for detecting a malicious code using a computer program executed in a computing device. The method includes: extracting a plurality of byte-based entropy feature data from a plurality of normal programs and malicious code learning files provided as input data; Converting the extracted plurality of byte-based entropy feature data into a plurality of byte entropy count map feature data of a lower dimensional number by mapping the extracted plurality of byte-based entropy feature data to a presence frequency of each 'range of entropy values'; Generating a detection model capable of classifying normal programs and malicious codes by performing machine learning using the plurality of byte entropy count map feature data; And a detection step of analyzing whether or not any analysis target file corresponds to a malicious code based on the generated detection model.

In the exemplary embodiments, the step of extracting a plurality of byte-based entropy characteristic data includes: setting a size of a window for analyzing a byte array of the learning files and a window movement step size; N windows (where N is a natural number greater than 2) are generated while moving the window by the window moving step size from the beginning to the end with respect to the entire byte array of each learning file, and each window Calculating N byte histograms corresponding to the N bytes; Integrating all of the N byte histograms to generate a byte histogram array; And converting the byte histogram array into a byte entropy array through byte entropy computation.

In the exemplary embodiments, the size of the window is set to be larger than the window moving step size, and can be overlapped between adjacent front and rear windows before and after the movement.

In the exemplary embodiments, the step of 'calculating N byte histograms' may include counting the frequency of decimal values of all the bytes of the byte array included in each window for each of the N windows; And generating the N byte histograms corresponding to the N windows by generating the frequency of the decimal values counted for each window with the byte array histogram corresponding to the corresponding window.

In the exemplary embodiments, the step of 'converting into a byte entropy array' may include a step of converting a byte frequency ratio (= all of the elements in the arbitrary byte histogram area) in each of the first through Nth byte histograms constituting the byte histogram array Calculating a ratio of a value of each element to a sum of values of the first to Nth byte frequency non-arrays; Calculating first through Nth byte entropy arrays by calculating a byte entropy with respect to a byte frequency ratio for each window using the first through Nth byte frequency array arrays; And generating the byte entropy arrays of the training file by integrating the calculated first through Nth byte entropy arrays as a whole.

을 이용하여 계산될 수 있다. 여기서,

는 윈도우내 원소 i번째 엔트로피 값을 나타내고,

는 윈도우의 원소 i번째 바이트 주파수 비를 나타낸다.In the exemplary embodiments, the byte entropy for the byte frequency ratio is given by Equation

. ≪ / RTI > here,

Represents the i-th entropy value of the element in the window,

Represents the i-th byte frequency ratio of the window element.

In the exemplary embodiments, the step of converting into 'a plurality of byte entropy count map feature data' may be a step of converting the first through Nth byte entropy arrays constituting the byte entropy array into a Nx1 size two-dimensional byte entropy matrix Converting; And mapping the elements of the two-dimensional byte entropy matrix into ranges of byte entropy values separated by R (where R is a natural number greater than 2), so as to convert the elements into an existence frequency of the byte entropy value And generating the byte entropy count map represented by the byte entropy count map.

In the exemplary embodiments, the range of the byte entropy value may be defined by dividing the byte entropy value of 0 to less than 0.6 into R-1 ranges, dividing the byte entropy value of 0.6 or more into one range, ≪ / RTI >

In exemplary embodiments, R may be 7.

In the exemplary embodiments, the step of generating the byte entropy count map may include determining whether the N byte entropy values belonging to the column of each of the two-dimensional byte entropy matrix belongs to which of the R ranges Counting the number of byte entropy values belonging to each of the R ranges; And representing the count result as a R x Q size two-dimensional matrix. Here, R is the number of ranges of byte entropy values, Q is the number of decimal digits represented by 1 byte, and N >> R.

In exemplary embodiments, the malicious code detection method may use the entirety of the plurality of byte-based entropy feature data, or a small number of prototype data representative of the entirety as part of the overall, For example.

In the exemplary embodiments, the 'generating the detection model' may be a step of representing the byte entropy count map feature data belonging to the class of each learning file using the non-guide diagram and the class information between the data of the learning file Selecting prototype data; And generating the detection model by performing the machine learning using a set of the selected prototype data as a new learning data set.

In exemplary embodiments, the class regions of the learning files are divided into proto-type data and phrases defined by a radius centered on the proto-type data, and the radius is the same class data as the closest other class data As shown in FIG.

In exemplary embodiments, the detecting includes extracting a byte entropy characteristic data of the analysis target file; Converting the extracted byte entropy characteristic data of the analysis target file into low dimensional number of byte entropy count map characteristic data; And analyzing the converted byte entropy count map feature data of the analysis target file based on the detection model to determine whether the analysis target file corresponds to a normal program or a malicious code.

In exemplary embodiments, a computer executable program stored on a computer-readable recording medium may be provided to perform the above-described malicious code detection methods.

In exemplary embodiments, a computer-readable recording medium on which a computer-executable program for performing the above-mentioned malicious code detection method is recorded may be provided.

Since the existing malware detection method based on general machine learning learns by using high-dimensional data, data for model learning is also needed exponentially. In addition, it takes a lot of learning time. Data redundancy and noise issues may exist and the accuracy of the detection may be low. In contrast, the malicious code detection method according to the present invention generates a detection model by converting a byte-based entropy feature of learning data into entropy count map feature data having a low number of dimensions. Likewise, the low-dimensional-number entropy count map feature data is extracted for the analysis target file, and malicious code detection is determined using the detection model.

The main advantage of entropy count map feature data is that the number of dimensions is low. According to the 'curse of dimension' theory, as the dimension increases, the learning data for generating the accurate model increases exponentially. In reality, however, it is impossible to cover the exponential growth of learning data. Assuming this realistic situation that the number of learning data is limited within a predetermined range, a more accurate model can be made by reducing the number of dimensions. That is, the number of dimensions of the entropy count map used for generation of the detection model is low, and a sufficient learning effect can be provided with less data. It is possible to quickly learn new malicious code data in the detection model.

 Since the entropy count map feature data is obtained by converting the byte entropy values into the frequencies of each size range, the detection model created using the entropy count map feature data has a strong advantage on the noise of the data.

This data noise-robust and accurate detection model can provide good malware detection performance. The entropy count map feature data of the low dimensional number makes this possible.

Because the detection model is created using the entropy count map feature, it can detect common malicious code as well as malicious code that is obfuscated or compressed.

The malicious activity that the malicious code mainly performs is to require the user to have the device administrator authority, and may include taking the user's personal information, device information, call recording, and location information. Each of these malicious behaviors can be grouped into different classes. According to the present invention, instead of using the entire entropy count map feature data extracted from the training data, a detection model can be created by selecting prototype data representative of each class from the whole feature data. According to this method, instead of storing the entire entropy count map feature data, only a plurality of prototype data representative of the entropy count map feature data can be stored, thereby saving the storage space of the computer considerably.

In addition, the method of constructing the detection model using only the prototype data can further reduce the redundancy and noise problem of the data, thereby further enhancing the performance of the detection model. Furthermore, since the detection model is generated with only a few prototype data representative of all the entropy count map feature data, there is an advantage that the malicious code learning process is relatively short.

As malicious code evolves day by day, new malware can not be detected by the sphere detection model. Therefore, it is necessary to periodically update the old detection model with the new detection model. In other words, the ability to detect new malicious code needs to be added to the detection performance of the old detection model. According to the present invention, in the sphere detection model, new malicious code data is added considering only information of prototype data. Prototype data representing each class may or may not be changed by new malicious code data.

If the prototype data selection technology is not applied, the whole entropy count map characteristic data must be considered. However, if the prototype data selection technology is applied, new malicious code data can be compared with the prototype data only, .

In addition, since the detection model is created using a prototype based on the entropy count map feature, not only can it detect common malicious codes, but also malicious codes that are obfuscated or compressed can be detected.

1 is a flowchart illustrating an overall generation process of a malicious code detection model according to an embodiment of the present invention.
2 is a flowchart schematically illustrating a malicious code detection process using a malicious code detection model according to an embodiment of the present invention.
3 is a flow diagram illustrating a process for generating a byte-based entropy count map in accordance with an exemplary embodiment of the present invention.
FIGS. 4 to 8 are diagrams for explaining a byte histogram array calculation step of a target file. FIG. 4 illustrates a window size setting for calculating a byte histogram. FIG. 5 illustrates a byte histogram FIG. 6 illustrates moving a window by a moving step size to set a new window, and FIG. 7 illustrates creating a byte histogram for a byte array in the window in the same way for a newly set window FIG. 8 illustrates the generation of a byte histogram array by gathering byte histograms of the entire window region.
Figure 9 illustrates the translation of a byte histogram array into a byte entropy array through byte entropy computation.
FIG. 10 schematically illustrates a method of calculating byte entropy characteristic data.
FIG. 11 illustrates the transformation of a byte entropy array into a two-dimensional byte entropy matrix.
12 illustrates the transformation of a two-dimensional byte entropy matrix into entropy count map feature data.
13 is a diagram showing that the amount of data necessary for learning increases exponentially as the dimension increases.
14 is a distribution diagram of entropy count map feature data of a normal program for machine learning and malicious code used for generation of a detection model.
FIG. 15 is a diagram for explaining updating of a detection model obtained through machine learning using the entropy count map characteristic data of FIG. 14 with new entropy count map data.
FIG. 16 shows prototype data representing the entirety of entropy count map feature data for each class shown in FIG.
FIG. 17 is a diagram for explaining updating of a detection model obtained through machine learning using the prototype data of FIG. 16 with new entropy count map data. FIG.
18 and 19 are diagrams for explaining an example of a case where a byte entropy count map feature data (indicated by a blue circle in the drawing) extracted from a normal program file and a byte entropy count map feature data (represented by a red color x in the drawing) extracted from a malicious code It represents the process of machine learning.

For the embodiments of the invention disclosed herein, specific structural and functional descriptions are set forth for the purpose of describing an embodiment of the invention only, and it is to be understood that the embodiments of the invention may be practiced in various forms, The present invention should not be construed as limited to the embodiments described in Figs.

The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. The singular expressions include plural expressions unless the context clearly dictates otherwise. In the present application, the terms "comprises" or "having" and the like are used to specify that there is a feature, a number, a step, an operation, an element, a component or a combination thereof described in the specification, But do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, or combinations thereof.

Hereinafter, preferred embodiments of the present invention will be described in detail with reference to the accompanying drawings. The same reference numerals are used for the same constituent elements in the drawings and redundant explanations for the same constituent elements are omitted.

In general, various information may exist in the byte area of the malicious code. Each of these pieces of information is an important factor in identifying malicious code. One global feature is inadequate to represent each piece of information contained in the malicious code. Therefore, by using 'Window', it is possible to extract local features and express each information in byte area of malicious code. It is known that local feature points perform better than global feature points. Using both local and global feature points can lead to better performance. However, malicious code detection is not appropriate because there is a limitation on the number of data required depending on the increasing level.

Entropy on information represents the number of bits needed to encode information optimally. The larger the entropy, the less the information. The high occurrence frequency elements may be represented by a small number of bits (low cost), and the low occurrence frequency elements may be economical (optimal encoding is possible) if they are represented by a large number of bits (high cost).

In an embodiment of the present invention, the entropy can be used as an evaluation factor that can indicate the irregularity of bytes. The byte - based entropy feature extraction method can be used not only for general malicious code but also for malicious code with obfuscation.

The entropy value can be obtained using the following equation.

......(1)

......(One)

는 윈도우내 원소 i번째 엔트로피 값을 나타내고,

는 윈도우의 원소 i번째 주파수 값을 나타낸다.here,

Represents the i-th entropy value of the element in the window,

Represents the ith frequency value of the window.

According to the present invention, a method for extracting a byte-based entropy count map feature data from learning files to generate a malicious code detection model and detecting whether the analysis target file corresponds to a malicious code using the detection model .

1 is a flow diagram illustrating a process for generating a malicious code detection model using entropy count map feature data in accordance with an exemplary embodiment of the present invention.

The malicious code detection model according to the exemplary embodiment can be generated through execution of the malicious code detection model generation method described below. The method of generating the malicious code detection model can be implemented as a computer program (hereinafter referred to as a malicious code detection program). The malicious code detection program can be executed by a computer device.

Referring to FIG. 1, a malicious code detection model can be generated by performing machine learning using learning data. Prepare training data for machine learning first. Prepare both normal program data and malicious code data with learning data. A malicious code file infected with a specific malicious code and a normal program file pair not infected with the malicious code file can be used as learning data. Malicious Code File - Ensure that there are enough normal program file pairs. A plurality of prepared pairs of learning files may be provided as input data of a detection model generation program installed in the computer device (S10).

One of the important things in collecting and analyzing malicious code is the process of extracting features from existing known malware groups for analysis. The malicious code feature extraction process must be accurately performed so that the malicious code candidate program can be accurately analyzed and classified when the program appears in the future. Therefore, malicious code analysis and detection technology should sufficiently reflect characteristics of existing malicious code classes.

The detection model generation program executed in the computer device can extract the byte-based entropy feature data from the learning data of the normal program and the malicious code provided as input data (S20).

According to an exemplary embodiment, the detection model generation program can convert the extracted byte-based entropy feature data into a presence frequency of each 'range of entropy values' to convert it into a lower-dimensional number of byte entropy count map feature data (S30).

The detection model generation program can perform machine learning using the extracted byte entropy count map data. Through the machine learning, a detection model (classifier) capable of classifying normal programs and malicious codes can be generated (S40). According to an exemplary embodiment, the learning data used for machine learning for generation of the detection model may be the entirety of the plurality of byte entropy count map data obtained in step S30.

A file in which a file is infected with malicious code and a file in a normal state that is not infected have different entropy characteristics. The difference between the entropy characteristics of the two files, that is, the difference between the values of the entropy count map feature data and the values of the entropy count map feature data and the values of the entropy count map feature data corresponding to the normal program, in the malicious code. This machine learning is repeatedly performed with respect to a plurality of learning file pairs. In this way, the entropy count map feature data obtained from the byte data of a certain file can be input to generate a classifier, i.e., a detection model, which can discriminate whether it is a malicious code or a normal program.

According to the exemplary embodiment, instead of using all of the plurality of entropy count map feature data obtained in step S30, prototype data representing the entire data is selected as a part of the whole data (S50), and the selected prototype data A malicious code detection model may be created by performing machine learning using the detected malicious code (S60). Prototype data may include prototype data for each of the normal code (class A) and malicious code (class B). Here, the prototype data of a class means entropy count map feature data representing the entire entropy count map feature data of the class. When the prototype data is selected, a desired detection model can be generated by receiving the prototype data selected from the normal program (class A) and the malicious code (class B), respectively, and performing machine learning (S60).

If a detection model is created by using a small number of prototype data representing the entire data instead of the whole entropy count map characteristic data of a specific class, the amount of data to be stored is greatly reduced, and accordingly, In particular, the storage space of data can be greatly reduced. Even when the malicious code learning data that is generated continuously is applied to the existing detection model, since the data amount is small, malicious code learning can be performed quickly. In addition, the prototype feature data-based detection technique can reduce the redundancy and noise problem of data by selecting the prototype from the whole feature data, and can enhance the performance of the detection model. Because of these advantages, prototype feature data can be used as a way to overcome the disadvantages of conventional machine learning based detection techniques.

2 is a flowchart schematically illustrating a malicious code detection process using a malicious code detection model according to an embodiment of the present invention.

Referring to FIG. 2, a malicious code detection program implementing an algorithm described below may be installed and executed in a computer device. The pre-generated detection model can be input and reflected as a part of the malicious code detection program (S60).

An arbitrary file (hereinafter, referred to as 'analysis object file') to be a malicious code detection object may be input to the computer apparatus in which the malicious code detection program based on the input detection model is executed (S70).

The malicious code detection program can extract entropy feature data based on the byte data of the analysis object file (S80).

The malicious code detection program can convert the extracted entropy feature data into entropy count map feature data (S90).

The malicious code detection program can use the detection model to determine whether the entropy count map feature data corresponds to a malicious code (S95).

In order to create a malicious code detection model according to an embodiment of the present invention and to detect whether the analysis target file is a malicious code using the detection model, byte-based entropy feature data of the file is extracted (S20 and S80 ), And converting the extracted byte entropy characteristic data into byte entropy count map characteristic data (steps S30 and S90). In this regard, FIG. 3 is a flowchart illustrating a process for extracting byte-based entropy count map feature data of an analysis object file according to an exemplary embodiment of the present invention.

3, the process of extracting the entropy count map feature data from the malicious code for learning, the normal program, and the analysis object file (hereinafter collectively referred to as 'object file') will be described in detail.

According to an exemplary embodiment, the process of extracting the entropy count map feature data includes calculating a byte histogram array 130 of a target file 110, a byte histogram array 130 into a byte entropy array 140, (Step S300) of transforming the byte entropy array 140 into a two-dimensional byte entropy matrix 145, and converting the two-dimensional byte entropy matrix 145 into entropy count map feature data (step S200) 150) (S400).

First, a step S100 of calculating a byte histogram array of an arbitrary object file 110 will be described. Figures 4-8 illustrate step S100 of calculating a byte histogram array of the object file 110. In this step S100, a byte histogram is calculated through each window while the window is shifted by a predetermined unit with respect to the byte array 115 of an arbitrary object file 110, and the calculated byte histogram is integrated into one byte Create a histogram array.

4 illustrates a window size setting for calculating a byte histogram. Referring to FIG. 4, the target file 110 includes a learning data file (including a normal program and a malicious code) for generating a detection model, or a file to be analyzed, which detects whether or not the malicious code is generated using a pre- . In order to calculate the byte histogram of the byte array 115 of the target file 110, the size of the byte histogram generation window 120 and the unit for moving the window 120, Can be set. The size of the window and the moving step size can be set, for example, in units of bytes.

In an exemplary embodiment, the size of the window may be set to be larger than the moving step size in order to overlap between adjacent front and rear windows before and after the movement. This is advantageous for increasing the accuracy of malware detection. Detection of malicious code requires connection between generated window data. For example, supposing that there are three pieces of information, that is, ConnectNetwork, DownloadFromURL, and ShellExecute, in the analysis object file 110, when these three pieces of information are included in different windows, three pieces of window data [ConnectNetwork], [DownloadFromURL] ShellExecute] may have poor connectivity between data. On the other hand, if the above three pieces of information are included in a plurality of windows, for example, if window data such as [ConnectNetwork, DownloadFromURL], [DownloadFromURL, ShellExecute] are generated, the inter-data linkage is increased. In other words, through the data of [ConnectNetwork], only the information "I connected to the network" is known, and it is difficult to judge whether this information is malicious code. However, the data of [ConnectNetwork, DownloadFromURL] can be used to know the information "I connected to the network and downloaded something", so it is much easier to determine whether it is malicious code or not, . In determining whether the malicious code is malicious code, a plurality of related information may be more meaningful data than a single independent information. Therefore, in order to obtain a plurality of pieces of information that are related to each other, it is preferable to set the window size to be larger than the window movement step size. The above example has been described by way of example for the sake of understanding, and in fact, the data of the target file 110 is invisible byte data.

If the window movement step size is set too small as compared with the window size, the overlapping interval between adjacent windows becomes large, and the accuracy of detection increases, but the calculation amount can be greatly increased. The size of the overlapping section between adjacent windows should be appropriately set in consideration of the execution environment. 4 shows a case where the window size is set to, for example, 1024 bytes, and the moving step size of the window is set to 256 bytes, for example. This is merely an example, and the window size and the moving step size may be set to different sizes. 1 byte is displayed from 00 to FF, and when it is expressed in decimal number, it can be expressed from 0 to 255.

When the size and the moving step size of the window 120 are determined, a plurality of windows are generated while moving the window 120 by moving step size units from the beginning to the end of the entire byte array of the analysis object file 110, A byte histogram corresponding to each window can be calculated through each of the plurality of windows.

In this regard, Figure 5 illustrates calculating a byte histogram for a byte array in a set window area.

Referring to FIG. 5, the first window 120-1 may be set first. In the first window 120-1, a byte array is formed from the first byte of the analysis object file 110 to the window size 1024th byte. The frequency of the decimal value of the total bytes of the byte array included in the first window 120-1 is counted. The frequency of the counted decimal values may be stored in an array form so that the first byte histogram 130-1 corresponding to the first window 120-1 may be generated. FIG. 5 illustrates a case where the byte array included in the first window 120-1 is counted by including 0 as 24, 1 as 9, 2 as 12, and 255 as 9 decimal values .

FIG. 6 illustrates setting a new window by moving the window by the moving step size.

Referring to FIG. 6, after the decimal value frequency count for the first window 120-1 is completed, as shown in FIG. 6, the window moving step size (for example, 256 bytes) at the position of the first window 120-1 A new window 120-2 can be set. The second window 120-2 includes the 257th byte to the 257th + 1024th byte of the analysis target file 110. [

Figure 7 illustrates the generation of a byte histogram for a byte array in the window in the same way for a newly set window.

When the second window 120-2 is set through the window movement, as shown in FIG. 7, the 1024 byte array included in the second window 120-2 is also the same as that in the first window 120-1 The second byte histogram 130-2 can be generated by counting the frequency of the decimal value. That is, the second byte histogram 130-2 can be generated by counting the frequency of the decimal values represented by each of the 1024 bytes included in the second window 120-2 and storing the frequency in an array form.

In this manner, the number of windows (120-1, 120-2, ..., N-1) in which N (N is a natural number greater than 2) 120-1, 120-2, ... are moved by the movement step size with respect to the entire byte array of the analysis object file 110 ..., and N-byte histograms 130-1, 130-2, ..., and 130-N corresponding to the N windows 120-1, 120-2, ..., -N) < / RTI >

FIG. 8 illustrates generation of the byte histogram array 130 by collecting all of the N byte histograms 130-1, 130-2, ..., 130-N of the entire window region. 8, all of the N byte histograms 130-1, 130-2, ..., 120-N generated through the N windows 120-1, 120-2, ..., 120- 130-N may be concatenated in a single line to generate a single byte histogram array 130.

In calculating the byte histogram, the larger the size of the analysis target file 100, the more the number of windows N to be generated will increase. The size of the integrated byte histogram array 130 will also vary according to the number of windows generated.

Next, FIG. 9 schematically illustrates a step S200 of converting the byte histogram array 130 of the object file 110 into the byte entropy array 140 through the byte entropy calculation. 10 schematically illustrates a method of calculating a byte entropy from a byte histogram.

A method of generating the byte entropy array 140 will be described in detail with reference to FIGS. 9 and 10. FIG. In step S200, after calculating the byte frequency ratio of the byte histogram array 130 obtained in step S100, the byte entropy array is calculated using the calculated byte frequency ratio to generate the byte entropy array 140 .

Specifically, in order to calculate the byte entropy of the object file 110, first, the byte histograms 130-1, 130-2, ..., 130-N of the byte histogram array 130 constituting the byte histogram 130-1, Frequency ratio. Here, the byte frequency ratio means the ratio of the values of the respective elements to the total of the values of all the elements in the arbitrary byte histogram region.

10, the frequency of the byte data existing in the first byte histogram 130-1 of the byte histogram array 130 is counted to generate the first byte frequency array 135-1 . For example, if all elements of the first byte histogram 130-1 are (24, 9, 12, ..., 9) and the sum of the values of these elements is 400, the frequency ratio of each element is (24/400 , 9/400, 12/400, ..., 9/400). 9, 12, ..., 9) of each element of the first byte histogram 130-1 as the value of the byte frequency ratio (24/400, 9/400, 12/400,. The first byte histogram 130-1 of the first window 120-1 region can be converted into the first byte frequency ratio array 135-1 (see FIG. 10 (B)).

The second through Nth byte frequency arrays 135-2 and 135-N perform the same process for the remaining second through Nth byte histograms 130-2 through 130- 3, ..., 135-N. If the first to Nth byte frequency arrays 135-1 to 135-N corresponding to the first to Nth windows 120-1 to 120-N are all combined, the byte frequency ratio of the object file 110 An array 135 can be created.

The first to Nth-byte entropy arrays 140-1, 140-2, ..., 140-N are calculated for each window using the byte frequency non-arrays 135 thus generated, N-byte entropy arrays 140-1, 140-2, ..., and 140-N into a single line to generate the byte entropy array 140 of the object file 110. [

Specifically, referring to FIGS. 10B and 10C, in the first byte frequency non-array 135-1, the total byte frequency non-elements 24/400, 9/400, 12/400,. .., 9/400), respectively. The byte entropy for each byte frequency ratio can be calculated using Equation (1). For example, the first, second, of the single-frequency non-array 135-1 3, ..., the N bytes of the frequency ratio (x _1, x _2, x _3, ..., x _N) values Is substituted into equation (1) to obtain the first, second, and third values, respectively, since they are 0.06 (= 24/400), 0.02 (= 9/400), 0.03 2, 3, ..., N-byte Entropy values are calculated as follows:

Thereby, the first byte entropy array 140-1 is obtained as (0.24, 0.11, 0.15, ..., 0.11).

In this manner, also for each of the remaining second to Nth byte non-frequency arrays 135-1, 135-2, ..., 135-N, the byte entropy value is calculated for all the elements of each byte non- . Through this, the second through Nth byte entropy arrays 140-2 through 140-N can be obtained.

Through this process, if the first to N-th byte entropy arrays 140-1, 140-2, ..., 140-N are obtained through the entire N windows for the object file 110, The byte entropy array 140 can be generated. All the elements of the byte entropy array 140 are obtained by converting all the elements (byte frequency ratio) of the byte frequency ratio array 135 into byte entropy values (see FIGS. 9 (b) and 9 (c)).

FIG. 11 illustrates the transformation of a byte entropy array into a two-dimensional byte entropy matrix.

When the byte entropy array 140 is secured, the step 14000 of converting the byte entropy array 140 into a two-dimensional byte entropy matrix 145 may be performed. Referring to FIG. 11, in this conversion step S300, the N byte entropy arrays 140-1, 140-2, ..., 140-N constituting the byte entropy array 140 are sequentially They can be stacked and relocated in one row. Through such relocation, the byte entropy array 140 can be transformed into a two-dimensional byte entropy matrix 145 of Nx1 size. Therefore, in the two-dimensional byte entropy matrix 145, N elements (byte entropy values) at the same index of each of the byte entropy arrays 140-1, 140-2, ..., 140-N are arranged in the same column.

Once the two-dimensional byte entropy matrix 145 is obtained, it may perform step S400 of converting it into entropy count map feature data 150. FIG. 12 illustrates a step (S400) of converting a two-dimensional byte entropy matrix 145 into entropy count map feature data 150 by mapping a range of entropy values to frequency.

In the field of machine learning, there is the concept of 'curse of dimensionality'. As shown in FIG. 13, the number of data required for learning increases exponentially and the prediction accuracy is lowered because the degree of the sparsity of the unit area increases as the dimension of the dimension becomes higher . The number of windows increases as the file size increases. When the byte entropy feature is extracted, the dimension is increased. Data for learning is very limited. Therefore, as the dimension increases, the amount of data required for learning can not be met, and the accuracy of the detection model can be drastically lowered.

In generating the malicious code detection model, when the machine learning is performed using the object file 110, that is, the byte entropy characteristic data extracted from the learning data, as it is, there arises a problem of falling into the 'curse of dimension' due to too many dimensions. To solve this problem, according to an exemplary embodiment of the present invention, the concept of a " byte entropy count map " is introduced to reduce the number of dimensions of learning data.

Instead of using the high byte entropy data as it is, the byte entropy feature data is converted into the feature data of the low-order byte entropy count map. By using the byte entropy count map, the effect of lowering the dimension by converting the value of the byte entropy to the value distribution can be obtained, and at the same time, the influence of the noise can be alleviated.

The byte entropy count map may specify a range of byte entropy values in a predetermined number of steps. The present inventors have found that the values of significant byte entropy characteristic data are mostly in the range of 0 to less than 6, and there is little value larger than 6. In consideration of this point, the entropy values of the entropy characteristic data can be divided into a plurality of ranges, that is, R ranges (where R is a natural number of 2 or more) between 0 and 6. Then, the elements of the two-dimensional byte entropy matrix 145 can be mapped to the 'range of entropy values'. Through this mapping, a byte entropy count map can be obtained.

In the exemplary embodiment, a 'value range' for converting the values of the byte entropy characteristic data into the byte entropy count map as illustrated in FIG. 12 can be set as follows. Of course, the ranges of the entropy values shown in Table 1 below are exemplary. The range of the entropy value may be divided into seven or less intervals, and the range of each interval may be set differently.

Interval index Range of byte entropy values One 0 to less than 0.1 2 0.1 or more and less than 0.2 3 0.2 to less than 0.3 4 0.3 or more and less than 0.4 5 0.4 to less than 0.5 6 0.5 or more and less than 0.6 7 0.6 or more

The two-dimensional byte entropy matrix 145 is converted into an entropy count map using the range of entropy values in Table 1. [ This conversion compares the N byte entropy values belonging to the column in each column of the two-dimensional byte entropy matrix 145 with which range of the R number of ranges belongs, and counts the number of byte entropy values belonging to each of the R number of ranges And the like.

12, N byte entropy values (0.24, 0.28, 0.12, 0.22, ..., 0.09, 0.14, 0.42, and 0.22) belonging to the first column of the two-dimensional byte entropy matrix 145 are shown in Table 1 And the entropy value range of the seven intervals. 12, the count result of the first column of the two-dimensional byte entropy matrix 145 is divided into a first interval (0.0 to 0.1), a second interval (0.1 to 0.2), ..., a seventh interval 0.6 or more) are a1, a2, ..., a7, respectively. The sum of the counted numbers is N (= a1 + a2 + a3 + a4 + a5 + a6 + a7).

The N entropy values in the second column of the two-dimensional byte entropy matrix 145 are also counted in the same manner as described above. 12, the count result of the second column indicates the number of entropy values belonging to the first section (0.0 to 0.1), the second section (0.1 to 0.2), ..., the seventh section (0.6 or more) B1 + b2 + b3 + b4 + b5 + b6 + b7), where b1, b2, ..., For each of the remaining third to 256th columns, N entropy values belonging to each column can be counted in the same manner as described above.

The entropy count map 150 obtained by such a transformation can be expressed by a two-dimensional matrix of R x Q size. Where R is the number of ranges of byte entropy values, and Q is the number of decimal digits represented by one byte, that is, 256. 12, the entropy count map 150 is a 2-dimensional matrix of 7x256 size. The two-dimensional byte entropy matrix 145 before conversion is a two-dimensional matrix of Nx256 size, where N represents the number of windows 120. [ In most cases, the number N of windows 120 is much larger than R (i.e., N >> R). Thus, a significant reduction in the number of dimensions can be obtained by converting the two-dimensional byte entropy matrix 145 into the entropy count map 150. This can free you from the curse of the dimension. A low number of training data can be used when generating the detection model.

Referring again to FIG. 1, steps S10, S20, and S30 are performed for each of a number of learning file pairs (malicious code file-normal program file pair), and a byte entropy count map 150 corresponding to each pair of learning files Can be obtained.

FIG. 14 exemplarily shows a distribution diagram of the plurality of byte entropy count map 150 feature data thus obtained. FIG. 15 is a diagram for explaining updating of a detection model obtained through machine learning using the entropy count map characteristic data of FIG. 14 with new entropy count map data.

14 and 15, the characteristic data of the full-byte entropy count map 150 obtained for the detection model learning can be classified into Class A and Class B. For example, In the figure, Class A is a distribution diagram of the total byte entropy count map 150 feature data extracted from the normal program file, and Class B is a distribution diagram of the total byte entropy count map 150 feature data extracted from the malicious code file. Each dot shown in the circular dashed lines in Class A and Class B (eg malicious behavior by malicious code called Trojan Horse) represents full byte entropy count map (150) feature data of normal and malicious programs, respectively.

The entropy count map feature data of the normal program and the entropy count map feature data of the malicious code may be distributed collectively in a predetermined area. Machine learning can be performed by using class A, which is a set of entropy count map feature data of a normal program having such a distribution, and class B, which is an aggregate of entropy count map feature data of malicious codes, as input data. The malicious code classifier 200 that can distinguish the normal program (class A) from the malicious code (class B) through the machine learning, that is, the detection model can be obtained.

The process of generating a detection model through machine learning consists of preprocessing the acquired learning data and then performing exploratory data analysis to select the best model, And the final model is finalized after the evaluation.

18 and 19 are diagrams for explaining an example of a case where a byte entropy count map feature data (indicated by a blue circle in the drawing) extracted from a normal program file and a byte entropy count map feature data (represented by a red color x in the drawing) extracted from a malicious code It represents the process of machine learning.

Referring to FIGS. 18 and 19, a detection model to be obtained can be expressed by, for example, the following function formula. Where x ₁ and x ₂ are input variables, and w ₀ w ₁ and w ₂ are coefficients.

......(2)

......(2)

Generating a detection model is a task of finding a value capable of exhibiting the best detection performance by continuously updating the value of the coefficient w for a given input data x. When the right side of Equation (2) is set to 0, (x ₁ , x ₂ ) satisfying this condition is a straight line on the plane. For example, if the initial values W ₀ = 80, W ₁ = -3 and W ₂ = 1 are given to the coefficient w, the classifier 450a shown in FIG. 18A can be obtained. This classifier 450a has a high ratio of misclassifying the normal code characteristic data and the malicious code characteristic data. If the value of the coefficient w is adjusted to be W ₀ = 40, W ₁ = -3, and W ₂ = 2, the number of erroneously classified feature data decreases as shown in FIG. 18 (B) , The normal code characteristic data and the malicious code characteristic data may still be classified incorrectly. When the values of the coefficients w are adjusted again to W ₀ = -50, W ₁ = -1 and W ₂ = 2, as shown in FIG. 19, both the normal code characteristic data and the malicious code characteristic data are correctly classified . The detection model (that is, the classifier that classifies the normal code and the malicious code) is selected by applying the coefficient at this time is as follows. After the evaluation of the performance of the selected detection model, the detection model can finally be confirmed.

......(3)

(3)

The feature data of the analysis target file can be classified using the obtained detection model. For example, when the value of the input variable x ₁ , x ₂ is, for example, (40, 40), the value of f (40, 40) is smaller than 0 and can be classified as a malicious code class.

f (40, 40) = -50 -40 + 2x40 <0

The machine learning method for generating the detection model described above is exemplary. Of course, many of the known machine learning methods are applicable to the present invention.

 As shown, the number of dimensions of feature data is very large. In the general machine learning method, 'all' learning data included in each class is classified into Class A and Class B as shown in FIG. Therefore, there is a problem that the accuracy of the detection model deteriorates because the feature data may be redundant and contain a lot of noise data. It may also be inefficient that a lot of data is needed for learning to generate a detection model.

The entropy count map feature data of the two classes shown in FIG. 15 are distributed in a circle (or a circle) of a predetermined size, and the malicious code classifier 200, which is a criterion for distinguishing the two, is shown as a straight line. Is an example only. The entropy count map feature data of the two classes may be distributed, for example, in a three-dimensional space, and the malicious code classifier 200 that distinguishes the two classes may be any type of curve.

Since new and variant malicious codes are steadily appearing, the detection model needs to update the detection model by learning new or variant malicious codes accordingly. The new malicious code file and the corresponding normal program file can be collected and used as learning data for updating the detection model. The new byte entropy map characteristic data 300 is extracted from the learning data for updating in the same manner as described above and the detected newest entropy map characteristic data 300 is learned to the existing detection model to update the detection model have.

However, in order to allow the new byte entropy map feature data 300 to be learned by the existing detection model, all of the data used for generating the existing detection model must be considered. In order to update the detection model, the whole data must be considered, so that the learning time of the new data becomes long and the flexibility of the detection model may be low.

In an exemplary embodiment, the detection model may be generated through prototype-based machine learning. FIG. 16 shows prototype data representing the entirety of entropy count map feature data for each class shown in FIG. FIG. 17 is a diagram for explaining updating of a detection model obtained through machine learning using the prototype data of FIG. 16 with new entropy count map data. FIG.

Prototype-based machine learning is a way to overcome these shortcomings. A prototype can be defined as a small number of data that can represent data in a class of learning data in machine learning. According to prototype-based machine learning, as shown in FIG. 16, prototype data 350a is selected in a predetermined method based on full-byte entropy count map feature data belonging to Class A representing a normal program. Likewise, the prototype data 350b is selected in a predetermined method based on the full-byte entropy count map feature data belonging to Class B representing the malicious code. The selected prototype data 350a, 350b represent the corresponding class.

Prototype - based classification learning can be composed of two steps: selection of representative data and classification learning. In the first step, representative prototypes can be selected by using the information between the learning data and the class information. It is assumed that the selected prototypes consist of fewer than the number of prepared learning data, represent each class data, and are applicable to the learning classification algorithm. Secondly, we can learn with learning data sets composed of representative prototype data selected and perform classification prediction on test data.

According to the exemplary embodiment, the class region represented by each learning feature data can be divided into a sphere, for example. For example, the nearest neighbor rule, which is an algorithm for classifying the analysis target data into the class of the learning data closest to the target, may be applied, and the inside of the phrase may include only the characteristic data of the same class. That is, the class A and the class B can be distinguished through the prototype data 350a and 350b of each class and the radius r centering on the prototype data 350a and 350b. According to the exemplary embodiment, the prototype data 350a and 350b may be the center point of the sphere, and the radius r of the prototype may be determined as the intermediate distance value of the same class data farthest from the closest other class data.

A set of prototype data (350a, 350b) defined above is used as a new learning data set, and machine learning is performed to generate a classifier 250, that is, a prototype data-based detection model capable of distinguishing malicious code from normal programs . The prototype data set can be used to predict the class of learning data by applying nearest neighborhood rules in machine learning.

According to the method of generating a detection model based on prototype data, since many feature data included in each class are represented by one prototype data, the amount of related data can be greatly reduced. Therefore, there is little data duplication and noisy problem, so the accuracy of the detection model is high. Also, there is an advantage that the model can be learned with a small amount of data.

17, in order to learn new feature data 300 to an existing detection model generated based on prototype data 350a and 350b, the new feature data 300 is divided into prototype data of the class 350a, and 350b. As described above, the new data learning method based on the prototype model requires only a short learning time and high flexibility of the detection model since only the existing detection model needs to be updated considering only the prototype data 350a and 350b representative of each class. Detection models based on prototype data can make updates faster and more flexible because of these advantages.

The detection model generated through the methods described above can be reflected in the malicious code detection program as mentioned in the description of FIG. The malicious code detection program can be executed in a computer device, and thereby it is possible to determine whether an arbitrary analysis target file is malicious code in real time or in non-real time. That is, for this discrimination, the byte entropy characteristic data is extracted by using the byte data of the analysis object file (S80), and it is converted into low byte entropy count map characteristic data again (S90). The byte entropy count map feature data 400 of the converted analysis target file is analyzed using a detection model to determine whether the analysis target file is a malicious code or a normal program (S95).

According to the embodiments of the present invention described above, the malicious code detection model is generated using the feature data of the byte entropy count map with a low number of dimensions. The malicious code detection model can be generated based on the prototype that represents each malicious code class by selecting a low dimensional number of entropy count map features. According to this, the feature of the entropy count map is strong in noise of data because it consists of a range-dependent distribution of entropy values having a low number of dimensions. This advantage is reflected in the detection model created using the prototype based on the entropy count map feature. That is, the detection model according to the present invention can minimize the problem of duplication and noise of malicious code data and improve the detection accuracy. The entropy count map used to generate the detection model is low in dimension and can provide sufficient learning effect with less data. Therefore, it is possible to quickly learn new malicious code data in the detection model, thus improving the speed and flexibility of learning and detection. Also, embodiments of the present invention detect malicious code using a byte-based entropy feature, so that it can detect general malicious code, obfuscated malicious code, or compressed malicious code.

The method according to an embodiment may be implemented in a form that includes a computer program, code, instructions, or a combination of any one or more thereof (collectively referred to as "software") that may be executed by various computing devices Can be implemented. The software may configure the processing device to operate as desired or may independently or collectively command the processing device. Software and / or data may be stored on any type of machine, component, physical device, virtual equipment, or computer readable storage medium, such as a computer readable medium, Or may be permanently or temporarily embodyed on the device. The computer programs may be distributed on a networked computer system and stored or executed in a distributed manner.

The software and data may be stored on one or more computer readable recording media. The computer-readable medium may include program instructions, data files, data structures, and the like, alone or in combination. The program instructions to be recorded on the medium may be those specially designed and configured for the embodiments or may be available to those skilled in the art of computer software. Examples of computer-readable media include magnetic media such as hard disks, floppy disks and magnetic tape; optical media such as CD-ROMs and DVDs; magnetic media such as floppy disks; Magneto-optical media, and hardware devices specifically configured to store and execute program instructions such as ROM, RAM, flash memory, and the like. Examples of program instructions include machine language code such as those produced by a compiler, as well as high-level language code that can be executed by a computer using an interpreter or the like. The hardware devices described above may be configured to operate as one or more software modules to perform the operations of the embodiments, and vice versa.

Devices and components capable of executing software in accordance with embodiments of the present invention include, for example, a processor, a controller, an arithmetic logic unit (ALU), a digital signal processor, a microcomputer, a field programmable array, a programmable logic unit (PLU), a microprocessor, or any other device capable of executing and responding to instructions. The processing device may execute an operating system (OS) and one or more software applications running on the operating system. The processing device may also access, store, manipulate, process, and generate data in response to execution of the software.

It will be apparent to those skilled in the art that various modifications and variations can be made in the present invention without departing from the spirit or scope of the present invention as defined by the following claims. It can be understood that it is possible.

The present invention can be used for detecting malicious codes in various computing devices.

110: File to be analyzed 115: Byte array
120: Window 130: Byte Histogram Array
135: Byte frequency non-array 140: Byte entropy array
145: two-dimensional byte entropy matrix 150: byte entropy count map
200: Malware classifier
300: New byte entropy map feature data
400: byte entropy count of the file to be analyzed map feature data

Claims (16)

CLAIMS 1. A method for detecting malicious code using a computer program running on a computing device,
Extracting a plurality of byte-based entropy feature data from learning files of a plurality of normal programs and malicious codes provided as input data;
Converting the extracted plurality of byte-based entropy feature data into a plurality of byte entropy count map feature data of a lower dimensional number by mapping the extracted plurality of byte-based entropy feature data to a presence frequency of each 'range of entropy values';
Generating a detection model capable of classifying normal programs and malicious codes by performing machine learning using the plurality of byte entropy count map feature data; And
And a detection step of analyzing whether or not any analysis target file corresponds to a malicious code based on the generated detection model,
Converting the first to Nth-byte entropy arrays constituting the byte entropy array into an Nx1-sized two-dimensional byte entropy matrix; And mapping the elements of the two-dimensional byte entropy matrix into ranges of byte entropy values separated by R (where R is a natural number greater than 2), so as to convert the elements into an existence frequency of the byte entropy value And generating the byte entropy count map represented by the entropy count map based on the low-dimensional number. The method of claim 1, wherein the step of extracting the plurality of byte-based entropy characteristic data comprises: setting a size of a window for analyzing a byte array of the learning files and a window movement step size; N windows (where N is a natural number greater than 2) are generated while moving the window by the window moving step size from the beginning to the end with respect to the entire byte array of each learning file, and each window Calculating N byte histograms corresponding to the N bytes; Integrating all of the N byte histograms to generate a byte histogram array; And converting the byte histogram array to a byte entropy array through byte entropy computation. &Lt; Desc / Clms Page number 21 &gt; 3. The method of claim 2, wherein the size of the window is set to be larger than the size of the window movement step, and overlapped between adjacent front and rear windows before and after the movement. 3. The method of claim 2, wherein the calculating the N byte histogram comprises: counting the frequency of decimal values of all the bytes of the byte array included in each window for each of the N windows; And generating the N bytes of histograms corresponding to the N windows by generating a frequency of the decimal values counted for each window with a byte array histogram corresponding to the corresponding window, Map based malware detection method. 3. The method according to claim 2, wherein the step of converting into the byte entropy array is a step of converting the byte frequency ratio (= the value of all the elements in the arbitrary byte histogram area) of each of the first through Nth byte histograms constituting the byte histogram array Calculating a ratio of a value of each element to a sum of the first to Nth byte frequency non-arrays; Calculating first through Nth byte entropy arrays by calculating a byte entropy with respect to a byte frequency ratio for each window using the first through Nth byte frequency array arrays; And summing the calculated first through Nth byte entropy arrays to generate the byte entropy array of the learning file. &Lt; Desc / Clms Page number 19 &gt; 6. The method of claim 5, wherein the byte entropy for the byte frequency ratio is expressed by the following equation:

, Where &lt; RTI ID = 0.0 &gt;

Represents the i-th entropy value of the element in the window,

Represents a frequency ratio of an i-th byte of an element of the window, and a low-dimensional-number entropy count map-based malicious code detection method. delete 2. The method of claim 1, wherein the byte entropy value ranges from 0 to less than 0.6, and the byte entropy value is divided into a range of R-1, Wherein the entropy count map is divided into a low-dimensional number of entropy count map and a low-dimensional number of entropy count map. 9. The method of claim 8, wherein the R is 7. 2. The method of claim 1, wherein the step of generating the byte entropy count map compares a range of N number of byte entropy values belonging to the column with respect to each row of the two-dimensional byte entropy matrix, Counting the number of byte entropy values belonging to each of the R ranges; And expressing the count result as a two-dimensional matrix of R x Q size, where R is the number of ranges of byte entropy values, Q is the number of decimal numbers represented by one byte, and N >> R A low dimensional number of entropy count map based malicious code detection method. 2. The method of claim 1, wherein a small number of prototype data representing the entirety of the plurality of byte-based entropy feature data is used for generation of the detection model. Entropy count map based malware detection method of dimension number.  The method according to claim 1, wherein the step of generating the detection model comprises: a step of generating a detection model representing a prototype representing the byte entropy count map characteristic data belonging to the class of each learning file by using the non- Selecting data; And generating the detection model by performing machine learning by using a set of the selected prototype data as a new learning data set, thereby generating a detection model based on the entropy count map. 13. The method of claim 12, wherein the class regions of the learning files are divided into proto-type data and phrases defined by a radius centering on the proto-type data, and the radius is a half of the class data that is farthest from the closest other class data And the distance value is determined as a value of the entropy count map. The method of claim 1, wherein the detecting step comprises: extracting byte entropy characteristic data of the analysis target file; Converting the extracted byte entropy characteristic data of the analysis target file into low dimensional number of byte entropy count map characteristic data; And analyzing the converted byte entropy count map feature data of the analysis target file based on the detection model to determine whether the analysis target file corresponds to a normal program or a malicious code Entropy count map based malware detection method of dimension number. A computer-executable program stored in a computer-readable recording medium for performing the malicious code detection method according to any one of claims 1 to 6 and 8 to 14. A computer-readable recording medium on which a computer-executable program for performing the malicious code detection method according to any one of claims 1 to 6 and 8 to 14 is recorded.

Images