KR102005107B1 - Method and Apparatus for Analyzing Malicious Code Using API Call Sequence - Google Patents

Abstract

According to embodiments of the present invention, provided is an apparatus for analyzing a function of a malicious code, which abstracts lower level first behavior information into higher level second behavior information based on an action rule defined in consideration of parameters used in the API call and is capable of predicting the main purpose or core functions of a malicious code by estimating function information from the higher level second behavior information based on a function rule in accordance with the sequence.

Description

TECHNICAL FIELD The present invention relates to a method and apparatus for analyzing malicious code using an API call sequence,

The technical field to which the present invention pertains is a method and apparatus for predicting the purpose or core function of malicious code.

The contents described in this section merely provide background information on the present embodiment and do not constitute the prior art.

As information technology is developed, reliance on networks and systems is increasing and security is becoming more important. Cyber attackers are attacking with clever and intelligent hacking techniques using vulnerabilities inherent in the targeted network and system to achieve their specific purpose. Therefore, automation tools such as vulnerability analysis tools and risk analysis tools are being developed to detect vulnerabilities inherent in networks and systems, and studies on the features, patterns, and types of cyber attacks and their countermeasures are actively pursued. It is progressing.

In order to respond to not only threats but also unknown malicious codes from existing malicious codes, it is necessary to establish a cyber threat intelligence system in industrial fields such as defense using cyber infrastructure. You need to know if it works.

Korean Patent Registration No. 10-1589656 (Jan. 28, 2016) Korean Registered Patent No. 10-1537088 (July 15, 2015)

The embodiments of the present invention abstract the first action information of the lower level on the basis of the action rule defined in consideration of the parameter used in the API call as the second action information of the upper level, There is a main purpose of the invention in predicting the main purpose or core function of the malicious code by estimating the function information from the second level of action information of the upper level.

Other and further objects, which are not to be described, may be further considered within the scope of the following detailed description and easily deduced from the effects thereof.

According to an aspect of this embodiment, there is provided a computer program product comprising at least one processor and a memory for storing one or more programs executed by the one or more processors, the processor analyzing the malicious code to extract first- , Abstracting the first action information of the lower level with the second action information of the higher level on the basis of the predetermined action rule and estimating the function information from the second action information of the higher level on the basis of the predetermined function rule A malicious code function estimating device is provided.

According to another aspect of this embodiment, there is provided a computer program recorded on a computer-readable storage medium including computer program instructions executable by a processor, wherein, when the computer program instructions are executed by at least one processor of the computing device, Analyzing the malicious code to extract first action information of a lower level, abstracting the first action information of the lower level into second action information of a higher level based on a predetermined action rule, And estimating function information from the second-level second action information on the basis of the second action information.

As described above, according to the embodiments of the present invention, the first action information of the lower level is abstracted as the second action information of the upper level based on the action rule defined by considering the parameters used in the API call, It is possible to predict the main purpose or core function of the malicious code by estimating the function information from the second level of action information based on the function rule according to the sequence and to perform the same function with respect to the variant malicious code calling another API Can be determined.

Even if the effects are not expressly mentioned here, the effects described in the following specification which are expected by the technical characteristics of the present invention and their potential effects are handled as described in the specification of the present invention.

FIG. 1 and FIG. 2 are views illustrating operations of a malicious code function analyzing apparatus according to an embodiment of the present invention.
3 is a diagram illustrating data stored in a malicious code database by a malicious code analysis module of a malicious code function analyzing apparatus according to an embodiment of the present invention.
4 is a diagram illustrating an action abstraction module of a malicious code function analyzing apparatus according to an embodiment of the present invention.
5 is a diagram illustrating a function estimation module of a malicious code function analysis apparatus according to an embodiment of the present invention.
6 is a diagram illustrating a malicious code function defined by a malicious code function analyzing apparatus according to an embodiment of the present invention.
FIGS. 7 to 11 are diagrams illustrating a second sequence defined by a malicious code function analyzing apparatus according to an embodiment of the present invention with respect to a basic behavior of each malicious code. FIG.
FIG. 12 is a diagram illustrating a malicious code function analyzing apparatus according to an embodiment of the present invention for measuring the similarity of an action using a first sequence; FIG.
13 is a block diagram illustrating and illustrating a computing environment including a computing device suitable for use in the exemplary embodiments.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS Hereinafter, exemplary embodiments of the present invention will be described in detail with reference to the accompanying drawings. Hereinafter, exemplary embodiments of the present invention will be described in detail with reference to the accompanying drawings. Will be described in detail with reference to exemplary drawings.

The existing malicious code analysis method uses only piecemeal behavior information of malicious code by checking only whether individual API (Application Programming Interface) is called. When using only API call information, there is a high risk of generating a false positive for a normal program calling the API, and there is a problem that it is difficult to determine the same behavior information when performing the same action but calling another API.

The embodiments of the present invention are based on the malicious code's behavior information, and grasp the malicious code's core function as the final purpose of the malicious code to grasp the operation of the malicious code and provide information to effectively respond to the malicious code.

In the present embodiments, the API call data (first behavior information) of the malicious code is abstracted as the basic behavior information in consideration of the parameter information used at the time of the API call, and the sequence of the abstracted basic action information To determine the main function of the malicious code.

These embodiments can define a basic action for each malicious code and define a basic action for each malicious code. Even if another API is called, the purpose and meaning of the malicious code can be analyzed and abstracted into the same basic action. It can be judged that the code performs the same function

These embodiments abstract not only whether an API is called, but also basic action information that contains the purpose and meaning of the call using parameter information used in the API call. For example, even if the same file creation (create file) action is performed, an Internet related registry key file creation and an exe executable file are distinguished. The function of malicious code is analyzed by using organic relation (sequence) between basic action information.

The terms used in this specification are defined as follows.

The API call command includes the function name of the Windows API that the malicious code calls during execution and the parameters used in the call, such as the path of the directory or file, the registry, and the process name.

The API call sequence is data in which the APIs called by the malicious code are listed in the order in which they are called. The sequence follows the flow of time and can be called at the same time or at any time, and can include sequential processing or parallel processing.

The basic action information is information obtained by abstracting an action indicating a specific malicious action by analyzing an API call command.

An action rule is a rule defined to abstract an API call command as a malicious action. If an API call information of the malicious code is consistent with a defined rule, the action rule provides a criterion for performing the corresponding action.

The basic action sequence is data in which the basic actions extracted by the action rule are listed in chronological order, and the time may be the time of the API call information in which the action is detected.

A functional rule is a rule that defines a basic action sequence that appears when a malicious code includes a specific function. If the basic action sequence extracted through an action rule matches a defined rule, the functional rule includes a corresponding function and provides a judgment criterion.

FIG. 1 and FIG. 2 are views illustrating operations of a malicious code function analyzing apparatus according to an embodiment of the present invention.

The malicious code's functional analysis apparatus may include one or more processors and a memory for storing one or more programs executed by the one or more processors. The processor may control operations of the malicious code analysis module 210, the behavior abstraction module 220, and the function estimation module 230.

Referring to FIG. 1, in step S110, the processor analyzes malicious code and extracts first-level action information at a lower level. In step S120, the processor abstracts the first behavior information of the lower level based on the predetermined action rule as the second behavior information of the higher level. In step S130, the processor estimates the function information from the second-level second action information based on the predetermined function rule.

The lower level first behavior information includes a first sequence and parameters for an Application Programming Interface (API) call instruction.

The second level of action information includes a second sequence in which the basic actions of the malicious code that abstracts the second action information of the lower level are arranged in order. The second level of action information of the upper level may be interpreted as another basic action according to the parameter even if the same application programming interface call instruction is read.

The malicious code analysis module 210 performs a static analysis and / or a dynamic analysis on the inputted malicious code samples to extract various types of malicious code information including behavior information (window API call information and parameters).

The behavior abstraction module 220 abstracts the behavior information (API and parameters) of the API function level into basic action information, which is a basic operation unit of the malicious code. The behavior abstraction module 220 abstracts the malicious code into basic action information indicating an action of the malicious code through an action rule stored in the database using action information (window API and parameters) of the malicious code. Defines a basic action sequence (second sequence) that can detect each function using extracted information (debugger detection, crypto key generation, file movement, network connection, system information collection, etc.) And stores it in the malicious code database.

The function estimation module 230 detects basic functions of the malicious code using the basic action information. The function estimation module 230 compares the basic action sequence stored in the database with the basic action sequence using the extracted basic action information to check whether the basic action sequence matches the basic action sequence.

3 is a diagram illustrating data stored in a malicious code database by a malicious code analysis module of a malicious code function analyzing apparatus according to an embodiment of the present invention.

The processor or malicious code analysis module 210 performs static analysis for testing without executing malicious code or dynamic analysis for testing by executing malicious code to extract lower level behavior information. Extracts API call information (API name, parameters, directory, file, registry) of malicious code and stores it in malicious code database.

3 is an example of extracting the API information. 3 as one row per API. In addition to the API, file and registry information is also stored together as a single line.

4 is a diagram illustrating an action abstraction module of a malicious code function analyzing apparatus according to an embodiment of the present invention.

The processor or behavior abstraction module 220 abstracts first behavior information of a lower level based on an action rule into second behavior information of a higher level. The action rule defines the relationship between the first action information of a lower level and the second action information of a higher level.

The processor or behavior abstraction module 220 matches the API call information, which is lower-level behavior information of the malicious code extracted by the malicious code analysis module 210, with the action rules 220 stored in the database, do.

The second action information or basic action information refers to basic actions of malicious code such as 'file move', 'process search', 'approach to MBR area'. At this time, the malicious code's behavior should be interpreted as another action depending on the parameter, even if the malicious code calls the same API. For example, the CreateFile API function is typically used to create a file in a specific path, with the path of the file as a parameter. On the other hand, entering the path of the MBR (Master Boot Record) area should be interpreted as an act of accessing the MBR area, not opening the file.

The action rule defines a rule for abstracting what malicious code is doing by taking into account the API called by the malicious code and its parameters. It is created based on whether malicious code accesses, changes, or calls specific objects, and can include Windows APIs, parameters, directories, files, and registries.

For example, if malicious code uses '\\. \ PhysicalDrive0' as a parameter of the API while calling CreateFile, which is a Windows API, it is defined as 'access to MBR area'.

As shown in FIG. 3, CreateFile of the second row can be abstracted as 'access to MBR area' because it uses the path ('\\. \ PhysicalDrive0') indicating the MBR area as a parameter.

When the API sequence (first sequence), which is low-level behavior information, is abstracted as basic action information, which is high-level action information, a sequence (second sequence) composed of basic action information is created. Since not all API calls match each action, the length of the action sequence found in the malicious code varies according to the length of the API sequence and the action rules. The action information matched according to the API call sequence is represented as a sequence, and this is defined as a basic action sequence.

5 is a diagram illustrating a function estimation module of a malicious code function analysis apparatus according to an embodiment of the present invention.

The processor or the function estimation module 230 estimates the function information from the second level of action information based on the predetermined function rule. The function rule defines the relationship between the second action information and the function information at the upper level. The processor compares the estimated second behavior information and the previously stored second behavior information to estimate the function information.

The function estimation module 230 matches the basic action sequence with the function rule. The functional rule is defined in the same way as 'basic action 1 -> basic action 2 - basic action 3', followed by function 1. The basic rules are shown in detail in Figs. 7 to 11. Fig.

6 is a diagram illustrating a malicious code function defined by a malicious code function analyzing apparatus according to an embodiment of the present invention.

The functional information may include (i) an advertisement, (ii) a vaccine detection, (iii) a debugging interrupt, (iv) a sandbox check, (v) a privilege acquisition, (vi) a remote control, (vii) (ix) file installation, (x) information takeover, (xi) key hooking, (xii) master boot area change, (xiii) encryption, (xiv) concealment, (xv) .

(i) Adware is a function of displaying advertisements without user's consent, (ii) Anti-av is a function of detecting and bypassing and terminating a vaccine program, (iii) Anti-dbg ) Is a function that interferes with debugging, (iv) Anti-sandbox is a function that checks whether the execution environment is a sandbox, (v) Backdoor obtains permission (Vi) remote control (Botnet) is a function that makes the target of infection become a bot, making it possible to remotely access or control through the network, (vii) Code-injection is a malicious process (Viii) a downloader is a function of downloading malicious code from an external source to infect a target; (ix) a file dropper is a function of installing and executing a file; (x) Infostealer is the Internet (Xi) a key hooking function is a function of hooking and recording a keyboard input event, and (xii) a master boot area change (MBR-destroyer) (Xiii) Encryption (Ransomware) is a function of encrypting a user's file, (xiv) Stealth is a function of concealing itself, (xv) Worm refers to the ability to copy itself and spread it on the network to infect other devices.

FIGS. 7 to 11 are diagrams illustrating a second sequence defined by a malicious code function analyzing apparatus according to an embodiment of the present invention with respect to a basic behavior of each malicious code. FIG.

Referring to the advertisement function shown in (a) of FIG. 7, the basic action sequence of the adware function proceeds after the execution of an action for opening a web browser after the installation, and information change or browser setting change. First, it conducts 'current process search' action. After that, 'Attempt to access process' is performed. After that, the 'Launch Browser' action successfully launches the browser and performs 'Take Information' or 'Change Browser Settings'.

The action rules of the action corresponding to the adware function are as follows.

- There are Process32FirstW and Process32NextW API calls in the process of searching for a running process.

- There is a RegOpenKeyExA or NtOpenProcess API call to access the process.

- The browser execution behavior reads the registry and verifies that the web browser (eg, FireFox, Chrome web browser) has been executed.

- The browser setting change action is to create a new browser profile file directly with NtWriteFile or create a communication related setting (for example, SPDY communication, HTTP2.0 communication setting) in the browser.

Referring to the anti-av function shown in (b) of FIG. 7, the basic action sequence of the anti-virus function performs two actions after performing the 'vaccine program detection' And performs a 'detection bypass attempt' and an 'end of vaccination program' in which an attempt is made to bypass the vaccine program or to terminate the vaccine program.

The action rules of the action corresponding to the anti-av (anti-av) function are as follows.

- Detection of vaccine program uses registry key or installed file information to check whether AV is installed.

- Detection bypass attempt changes its process name to a widely known process name using CreateProcessInternalW or ShellExecuteExW.

- The termination of the anti-virus program terminates the AV process and service with ControlService or NtTerminateProcess.

Referring to the anti-dbg function shown in (c) of FIG. 7, the basic action sequence of the anti-dbg function first performs a 'debugger check' operation to confirm the debugging. If a running debugger is detected, it performs a 'debugging interrupt' action to terminate the debugger or to delete the debugger related file to prevent debugging.

The action rules of the action corresponding to the debugging interruption (anti-dbg) function are as follows.

- There are CheckRemoteDebuggerPresent, IsDebuggerPresent, and SystemKernelDebuggerInformation API calls for the debugger check.

- NtTerminateProcess, DeleteService and DeleteFileW API calls exist for debugging interrupts.

Referring to FIG. 8 (a), there is no specific sequence of basic action sequences of the anti-sandbox function, and there are four actions as follows .

(i) When searching a directory that exists only in a specific sandbox environment, it performs a 'search for a file related to a sandbox'. (ii) periodically perform a 'foreground window inspection' operation to detect whether the user is using the window directly. (iii) periodically perform an 'idle time check' operation to detect some idle time that may occur in a sandbox environment. (iv) The sandbox performs a 'process delay' action to interfere with the analysis using the fact that it runs for a set period of time.

The action rules of the action corresponding to the anti-sandbox function are as follows.

- The search of sandbox related files searches for the presence of files that exist only in the sandbox environment.

- There is a GetForegroundWindow and NtDelayExecution API call for foreground window inspection.

- Idle time checking behavior exists when the NtQuerySystemInformation API call exists and passes SystemProcessofPerformanceInformation as the first argument of this function.

- There is an NtDelayExecution API call for process delay behavior.

Referring to the backdoor function shown in (b) of FIG. 8, the basic action sequence of the backdoor function first performs a 'network activity' action. Network activity can be identified through the exchange of network packets. Then, the malicious process operation is performed.

The action rules of the action corresponding to the backdoor function are as follows.

- Network activity initiation is detected network activity (network packet sending / receiving behavior, network connection with ICMP server, etc.).

- Malicious process operation behavior includes NtAllocateVirtualMemory, NtProtectVirtualMemory, WriteProcessMemory, NtMapViewOfSection, NtUnmapViewOfSection, VirtualProtectEx, Process32NextW, and Process32FirstW API calls.

Referring to the remote control (Botnet) function shown in (c) of FIG. 8, the basic action sequence of the remote control (botnet) function performs the 'system information collection' action. In order to transfer the system information to the CNC (Command & Control) server, the CNC server is connected to the network, which can be confirmed by 'CNC network connection'. Then, a 'process creation' operation is performed to create a new process to use a multi-process, and a 'file drop' operation is performed through the generated process. In order to register the automatic execution, it creates an auto run program key in the registry or creates an auto run process. In this case, an 'automatic execution' action is also recorded.

The action rules of the action corresponding to the remote control (botnet) function are as follows.

- GetSystemInfo or RegQueryValueEx API call exists for collecting system information.

- The CNC network connection action verifies the network connection to an IRC (Internet Relay Chat) server or an ICMP (Internet Control Message Protocol) server.

- Process creation behavior exists when CreateThread API call exists or wbemServices_ExecMethod or IWbemServices_ExecMethodSync API call exists and access Win32_Process process.

- The file drop action drops a file with an exe extension or an executable binary file in the application-specific folder.

- Autorun creates an autorun program key in the registry.

Referring to the code-injection function shown in FIG. 9 (a), the basic action sequence of the code-injection function is to perform a malicious code injection operation to a file, Injection 'action. It injects malicious code into a running file or an existing file and performs an 'injection malicious code' action so that an attacker can take an action. Likewise, malicious code is injected into a running process immediately, malicious behavior is immediately executed, a non-child process is created, and a malicious code injection process is performed to obtain a remote access right. Or injects malicious code through the process of modifying or changing the process's memory. In this case, a 'change memory' action is also recorded.

The action rules of the action corresponding to the code-injection function are as follows.

- Malicious code injection into a file is detected when an action is taken to modify the file's memory and virtual memory space.

- Malicious code injection into a process gains remote access to the process using the NtSetContextThread API call.

- The memory change behavior is to overwrite the memory of another process in the virtual memory space.

Referring to the downloader function shown in (b) of FIG. 9, the basic action sequence of the downloader function first starts a network activity with the 'network activity start' action. Network activity can be detected by checking the packets sent and received. Next, the malicious code is downloaded from another device. And receiving packets from another device to the network. Finally, 'malicious code execution' is performed by using malicious code execution API.

The action rules of the action corresponding to the downloader function are as follows.

- Network activity initiation is detected network activity (network packet sending / receiving behavior, network connection with ICMP server, etc.).

- There is an API call that receives packets such as Recv, RecvFrom, recv, recvFrom and so on.

- There is ShellExecuteExW API call for malicious code execution.

Referring to the file drop function shown in FIG. 9C, the basic action sequence of the file drop function creates a binary file that can be executed by performing a 'binary file creation' operation. After that, execute the 'install executable' action to install and run the exe file.

The action rules of the action corresponding to the file installation (dropper) function are as follows.

- Binary file creation behavior is to create binary file using CreateProcessInternalW and ShellExecuteExW and execute it.

- The executable file installation action drops a file with the extension exe or an executable binary file in the application-related folder (for example, MyApp).

Referring to the infostealer function shown in FIG. 10 (a), the basic action sequence of the infostealer function performs an 'internet browser storage path search' action or an 'authority check' action , And 'change browser security settings'.

The action rules of the action corresponding to the infostealer function are as follows.

- Internet Browser The search path of the storage path searches the registry and directory of the Internet browser (eg, Chrome, FireFox web browser) to determine the browser's location.

- The privilege checking action is a LookupPrivilegeValue API call.

- Changing the browser security settings changes browser-related registry values.

- Personal information hijacking accesses the registry and files used by Internet browsers (eg, Chrome, FireFox), FTP clients (eg FTP Explorer), and mail clients (eg Outlook Express).

Referring to FIG. 10 (b), the basic action sequence of the adware function performs a 'keyboard / mouse hooking' action. It performs two actions regardless of order, as well as keyboard input value and hooking for mouse event monitoring. Then, the hooked information is directly transmitted to the C & C server. In this case, the 'information transmission' action is also recorded.

The action rules of the action corresponding to the key hook function are as follows.

- The keyboard hooking behavior hooks keyboard input values using the WH_KEYBOARD_LL parameter in the SetWindowsHookExA, SetWindowsHookExW call.

- Mouse hooking behavior hooks mouse input values using the WH_MOUSE_LL parameter in SetWindowsHookExA, SetWindowsHookExW call.

- The information transmission action generates suspicious IP address or unspecified number of IP address and network traffic to the C & C server.

Referring to the master boot area change (MBR-destroyer) function shown in FIG. 10C, the basic action sequence of the MBR-destroyer function starts with the 'open MBR area' And performs an 'MBR area change' operation to destroy the MBR area.

The action rules of the action corresponding to the master boot area change (MBR-destroyer) function are as follows.

- Open MBR area has CreateFile API call, and the file name to be passed as CreateFile parameter is '\\. \ PhysicalDrive0' to '\\. \ PhysicalDrive25'.

- There is WriteFile API call in MBR area change action, and it has the file handle value of CreateFile as a parameter.

Referring to the encryption (Ransomware) function shown in FIG. 11A, the basic action sequence of encryption (Ransomware) performs a 'target file search' operation to search all the target files existing in the corresponding directory. Then, it moves the file to a directory and performs a 'move file' operation. In order to encrypt files collected in the directory in batch, 'file encryption' is performed, and existing files are deleted and a 'file creation' action is performed to generate a new encrypted file.

The action rules of the action corresponding to the encryption (Ransomware) function are as follows.

- There is a FindNextFile and FindFirstFileEx API calls for the target file search behavior.

The move file action moves the target file via the MoveFileWithProgress API call.

- The file encryption behavior changes the file attribute to ENCRYPTED through the SetFileAttributes API call.

- The file creation action creates a file with a new extension name through the CreateFile and CopyFile API calls.

Referring to the stealth function shown in FIG. 11 (b), the basic action sequence of the stealth function performs a 'background process execution' action or a 'process spoofing' action. In order to create a process invisible to the normal user, the execution of the 'background process' is performed to hide the execution of the malicious action. It masquerades as a normal process and executes 'process disguising' action so as not to recognize that malicious action is executed from normal user or anti-virus program.

The action rules of the action corresponding to the stealth function are as follows.

- Behavior of background process There is a case of changing the argument value of ShellExecuteExW API call to hidden and the argument value of CREATE_NO_WINDOW of CreateProcessInternalW API call.

- Process spoofing changes its process name to the name of a common process through CreateProcessInternalW API call and ShellExecuteExW API call.

Referring to the worm function shown in (c) of FIG. 11, the basic action sequence of the worm function first performs an 'automatic start' operation when the window is booted. Afterwards, a "packing" action is performed using a known packer before transferring the malicious file to another device. Some malicious code then connects to the ICMP server to detect additional infections prior to sending the packet and performs a 'peripherals discovery' action. Finally, a port is opened to perform a 'packet transmission' operation of transmitting a network packet. In this case, port 445 is mainly used.

The action rules of the action corresponding to the worm function are as follows.

- The automatic startup behavior is CreateServiceA, CreateServiceW, and generates an autorun program key in the registry.

- The packing act performs a known packer.

- Peripheral device probe verifies the network connection to the ICMP server.

- The packet transmission behavior transmits network packets (port 445 is often used).

FIG. 12 is a diagram illustrating a malicious code function analyzing apparatus according to an embodiment of the present invention for measuring the similarity of an action using a first sequence; FIG.

The Windows API call information of the malicious code contains malicious code behavior information, and malicious code that performs similar actions generates a similar API call sequence.

In order to measure the similarity of the API call sequence, it is necessary to use an algorithm that satisfies both conditions in addition to the basic condition that similarity between similar sequences should be high.

The first condition is that the similarity of sequences of different lengths should be measurable regardless of the difference in length. The second condition is that the similarity calculation for a long sequence should be fast. Although the sequence similarity algorithms vary, most differences in length between sequences subject to comparison greatly affect the results of similarity measurement. A locality sensitive hashing (LSH) algorithm can be applied to a sequence similarity measurement algorithm that satisfies two conditions.

LSH algorithm is designed to generate a similar hash for similar input values by maximizing collision probability unlike general cryptographic hash. Since the sequence having a different length is made into a hash value of a certain length, the similarity between the generated hash values can be measured, and the similarity between the sequences can be measured without being influenced by the length of the input sequence. There is a Nilsimsa algorithm among the LSH algorithms, but the Nilsimsa algorithm can not be directly applied to the API call sequence similarity measure.

First, the API call sequence is not a character unit, but a string (API) unit. The existing algorithm divides a character string into character units. That is, an API called CreateFileA is divided into 11 different characters, C, r, e, a, t, e, F, i, Therefore, it is necessary to modify the algorithm to treat strings as strings (ex - ["CreateFileA", "WriteFileA", ...]) in a string list, rather than in character units.

Secondly, since we applied utf-8 encoding to ASCII characters, we were able to process only 256 different input values that can be expressed in utf-8. In this embodiment, a new API mapping table is applied instead of the utf-8 encoding method to process 512 different input values.

The processor measures the similarity between the first behavior information registered in the action rule and the extracted first behavior information, and extracts the second behavior information based on the measured similarity.

The processor extracts a string related to the application programming interface call instruction from the extracted first behavior information, generates a string list in which the extracted strings are arranged, and uses the mapping table in which the application programming interface calling instruction and the numbers are matched Converts to the number corresponding to each string to which it belongs. The processor measures the degree of similarity by performing a local sensitive hash operation on the transformed number.

The processor converts the API call sequence (string list) to a fixed length hash value using the LSH function, and calculates the similarity using the difference of the generated hash value. The method of measuring the degree of similarity is a bit-wise comparison of the two hash values to be compared. For example, a value between 0 and 1 can be obtained by calculating [number of identical bits / number of all bits (hash length)].

The processor computes the similarity using the list as an input value. In this case, each string included in the list is put into the mapping table in order and converted into numbers. The mapping table is a newly defined table that converts 512 different strings into specific numbers. For example, the output value may be an integer between 0 and 511.

According to the embodiments, the first action information of the lower level is abstracted as the second action information of the upper level based on the action rule defined by considering the parameters used in the API call, and the action rules of the lower level It is possible to predict the main purpose or the core function of the malicious code by estimating the function information from the second level of the action information of the upper level and judge whether or not the malicious code that calls another API performs the same function.

The plurality of components included in the function analysis device of the malicious code may be combined with each other and implemented as at least one module. The components are connected to a communication path connecting a software module or a hardware module inside the device and operate organically with each other. These components communicate using one or more communication buses or signal lines.

The function analysis device of the malicious code may be implemented in a logic circuit by hardware, firmware, software or a combination thereof, and may be implemented using a general purpose or special purpose computer. The device may be implemented using a hardwired device, a field programmable gate array (FPGA), an application specific integrated circuit (ASIC), or the like. Further, the device may be implemented as a System on Chip (SoC) including one or more processors and controllers.

The malicious code function analysis device may be implemented as software, hardware, or a combination thereof in a computing device having hardware elements. The computing device includes a communication device such as a communication modem for performing communication with various devices or wired / wireless communication networks, a memory for storing data for executing a program, a microprocessor for executing and calculating a program, Device. ≪ / RTI >

1 and 2, it is described that each process is sequentially executed, but it is only exemplarily described. It will be apparent to those skilled in the art that various changes and modifications may be made thereto without departing from the essential characteristics of the embodiments of the present invention Or to perform one or more processes in parallel, or to add other processes.

13 is a block diagram illustrating and illustrating a computing environment including a computing device suitable for use in the exemplary embodiments. In the illustrated embodiment, each of the components may have different functions and capabilities than those described below, and may include additional components in addition to those described below.

The illustrated computing environment includes a computing device 12. In one embodiment, the computing device 12 may be any type of computing device that communicates signals with other terminals.

The computing device 12 includes at least one processor 14, a computer-readable storage medium 16, and a communication bus 18. The processor 14 may cause the computing device 12 to operate in accordance with the exemplary embodiment discussed above. For example, the processor 14 may execute one or more programs stored in a computer-readable storage medium 16. [ The one or more programs may include one or more computer-executable instructions, which when executed by the processor 14 cause the computing device 12 to perform operations in accordance with the illustrative embodiment .

The computer-readable storage medium 16 is configured to store computer-executable instructions or program code, program data, and / or other suitable forms of information. The program 20 stored in the computer-readable storage medium 16 includes a set of instructions executable by the processor 14. In one embodiment, the computer-readable storage medium 16 may include one or more of a memory (volatile memory such as random access memory, non-volatile memory, or any suitable combination thereof), one or more magnetic disk storage devices, Flash memory devices, or any other form of storage medium that can be accessed by the computing device 12 and store the desired information, or any suitable combination thereof.

The communication bus 18 interconnects various other components of the computing device 12, including a processor 14, a computer-readable storage medium 16, and the like.

The computing device 12 may also include one or more input / output interfaces 22 and one or more communication interfaces 26 that provide an interface for one or more input / output devices 24. The input / output interface 22 and the communication interface 26 are connected to the communication bus 18. An input / output device (not shown) may be coupled to other components of the computing device 12 via the input / output interface 22. Exemplary input and output devices include input devices such as pointing devices (such as a mouse or trackpad), keyboards, touch input devices (such as touch pads or touch screens), voice or sound input devices, various types of sensor devices and / And / or an output device such as a display device, a printer, a speaker, and / or a network card. Exemplary input and output device 24 may be included within computing device 12 as a component of computing device 12 and may be coupled with a computing device as a separate device distinct from computing device 12.

The operations according to the present embodiments may be implemented in the form of program instructions that can be executed through various computer means and recorded in a computer-readable medium. A computer-readable medium represents any medium that participates in providing instructions to a processor for execution. The computer readable medium may include program instructions, data files, data structures, or a combination thereof. For example, there may be a magnetic medium, an optical recording medium, a memory, and the like. The computer program may be distributed and distributed on a networked computer system so that computer readable code may be stored and executed in a distributed manner. Functional programs, codes, and code segments for implementing the present embodiment may be easily deduced by programmers of the technical field to which the present embodiment belongs.

The present embodiments are for explaining the technical idea of the present embodiment, and the scope of the technical idea of the present embodiment is not limited by these embodiments. The scope of protection of the present embodiment should be construed according to the following claims, and all technical ideas within the scope of equivalents thereof should be construed as being included in the scope of the present invention.

Claims (13)

One or more processors; And
A memory for storing one or more programs executed by the one or more processors,
The processor analyzes the malicious code to extract the first level of action information,
Abstracting the first action information of the lower level into second action information of a higher level based on a predetermined action rule,
Estimating function information from second higher-level action information based on a predetermined function rule,
Wherein the lower level first behavior information comprises a first sequence and parameters relating to an application programming interface (API) call instruction,
The second action information of the upper level includes a second sequence in which the basic actions of the malicious code that abstracts the first action information of the lower level are arranged in order,
The second level of action information of the higher level is interpreted as another basic action according to the parameter even if the same application programming interface call instruction is read,
When the processor calls the CreateFile function for the first action information and inputs the path of the MBR area as a parameter of the file creation function, the processor writes the second action information to the MBR area The malicious code is abstracted by an approaching action. The method according to claim 1,
Wherein the processor performs a static analysis for testing without executing the malicious code or a dynamic analysis for testing the malicious code by executing the malicious code to extract the lower level behavior information. delete delete The method according to claim 1,
The function information may include at least one of (i) an advertisement, (ii) a vaccine detection, (iii) a debugging interrupt, (iv) a sandbox check, (v) a privilege acquisition, (vi) a remote control, (vii) , (ix) file installation, (x) information deed, (xi) key hooking, (xii) master boot area modification, (xiii) encryption, (xiv) concealment, (xv) Features malicious code function analysis device. The method according to claim 1,
Wherein the action rule defines a relationship between the first action information of the lower level and the second action information of the higher level,
Wherein the function rule defines a relationship between the second action information of the upper level and the function information. The method according to claim 1,
The processor
A degree of similarity between the first action information registered in the action rule and the extracted first action information is measured,
And extracts the second behavior information based on the measured degree of similarity. The method according to claim 1,
The processor
Extracts a character string related to the application programming interface call instruction from the extracted first behavior information, generates a character string list in which the extracted character string is arranged, And converts the number into a number corresponding to each string belonging to the list. 9. The method of claim 8,
The processor
And performing a local sensible hash operation on the converted number to measure the degree of similarity. 9. The method of claim 8,
The processor
Converting the string list into a hash value and comparing the two hash values in a bit-wise manner to measure the similarity. The method according to claim 1,
The processor
And estimating the function information by comparing the estimated second behavior information and the previously stored second behavior information. A computer program recorded in a computer-readable storage medium including computer program instructions executable by a processor, the computer program instructions being executable by at least one processor of a computing device,
Analyzing the malicious code to extract first behavior information at a lower level;
Abstracting the first action information of the lower level into second action information of a higher level based on a predetermined action rule; And
And estimating function information from the second level of action information on the basis of a predetermined function rule,
Wherein the lower level first behavior information comprises a first sequence and parameters relating to an application programming interface (API) call instruction,
The second action information of the upper level includes a second sequence in which the basic actions of the malicious code that abstracts the first action information of the lower level are arranged in order,
The second level of action information of the higher level is interpreted as another basic action according to the parameter even if the same application programming interface call instruction is read,
The step of abstracting with the second behavior information may include the steps of: when a CreateFile function is called for the first behavior information and a path of an MBR (Master Boot Record) area is input as a parameter of the file creation function, 2 behavior information is an action of accessing the MBR area. delete

Images