KR102177223B1 - Server and system for performing mornitoring of malware - Google Patents

Abstract

The present invention relates to a server for performing monitoring of a malicious code and a system thereof. Also, according to one embodiment of the present invention, the system for performing monitoring of a malicious code comprises: a plurality of terminals including a first terminal and a second terminal; and a server for monitoring an online connection record with respect to the plurality of terminals. The server receives first online connection record information of the first terminal from the first terminal, receives second online connection record information of the second terminal from the second terminal, receives information indicating that a malicious code is found in the first terminal from the first terminal, receives information indicating that a malicious code is found in the second terminal from the second terminal, and generates information indicating a suspected infection path based on the first online connection record information and the second online connection record information.

Description

Server and system that performs malicious code monitoring {SERVER AND SYSTEM FOR PERFORMING MORNITORING OF MALWARE}

The present invention relates to a server and a system for monitoring malicious code.

According to a 2017 data incident analysis report by Verizon, 51% of information breaches are related to malware, and the average malware infection time is 6 minutes.

The traditional countermeasure against such malicious codes is anti-virus, which is still a valid countermeasure against malicious codes, and it is constantly evolving by reinforcing new security technologies.

However, an average of 390,000 new malicious codes and variant malicious codes occur per day based on statistics of'AV-TEST' (Anti-Virus testing agency).

Appropriate response to this is very difficult even for malware expert analysts.

In addition, there are automation tools and sandboxes to help various analysis, but hackers' evasion technology has also developed, making it more difficult to detect malicious codes.

And if you look at the trend of malicious code growth over the past 10 years, you can see that it is increasing exponentially.

In particular, various methods of hiding malicious codes themselves have been tried, and there are also patterns in which automated alterations are spread.

In the current malicious code detection technology, signature-based pattern detection is the core, and the pattern of malicious code is manually analyzed by an analyst, and malicious code patterns are extracted and registered in a malicious code database for comparison.

There is a problem that this method can no longer be an alternative to the increase of malicious codes.

In addition, the reality is that malicious codes that are difficult to find patterns such as ransomware and that spread before malicious codes such as zero-day attacks are found are inevitable.

On the other hand, heuristic detection methods and dynamic analysis detection methods are being applied as they continue to develop, but there are still insufficient practical alternatives.

Accordingly, the present invention intends to propose a server and a system for performing more advanced malicious code monitoring.

An object of the present invention is to provide a server and a system for monitoring malicious codes.

As described above, an embodiment of the present invention has an object to visually show a price difference between at least one marriage service selected by a user and another candidate marriage service.

The technical problems to be achieved in the present invention are not limited to the technical problems mentioned above, and other technical problems that are not mentioned will be clearly understood by those of ordinary skill in the technical field to which the present invention belongs from the following description. I will be able to.

An embodiment of the present invention provides a system for monitoring a malicious code, comprising: a plurality of terminals including a first terminal and a second terminal; And a server for monitoring online access records for the plurality of terminals. It proposes a system including.

The server receives the first online connection record information of the first terminal from the first terminal, receives the second online connection record information of the second terminal from the second terminal, and is malicious in the first terminal. Receive information indicating that a code has been found from the first terminal, information indicating that a malicious code has been found in the second terminal is received from the second terminal, and the first online access record information and the second online access record It may be characterized by generating information indicating a suspicious path of infection based on the information.

The server compares the first online access record information and the second online access record information, generates information indicating the suspicious infection path based on the comparison result, and generates information indicating the suspicious infection path. It may be characterized in that predetermined alarm information is generated and transmitted to the plurality of terminals.

The server sets a security level for the first file, receives a message requesting execution of the first file from at least one of the plurality of terminals, and receives the first file based on the security level It may be characterized by performing a judgment on whether to execute or not.

The server performs a determination as to whether to execute the first file on a server or an external server based on the security level, and executes the first file or the external server based on the determination result And receiving information indicating the execution result of the first file from the external server.

The server receives first information on a first application requested to be installed by the first terminal from the first terminal, CPU information of a first time point of the first terminal, memory information of the first time point, Receives load average information of the first time point and traffic information of the first time point from the first terminal, wherein the first time point indicates a time point at which the server receives the first information. I can.

The server, the malicious code retention probability information of the first file stored in the database (DB) of the server, the first information, the CPU information at the first time, the memory information at the first time, the first It is possible to determine whether to install the first file in the first terminal by applying the load average information at a time point and the traffic information at the first time point to an artificial intelligence network model.

The server, when it is determined to install the first file on the first terminal, transmits installation instruction information instructing to install the first file on the first terminal to the first terminal. I can.

As described above, an embodiment of the present invention has a technical effect in terms of proposing a server and a system for monitoring malicious codes.

In addition, according to various embodiments of the present disclosure, a method of managing a server and a user device may be diversified to increase convenience of an administrator managing a server and a user using a user device.

The effects obtainable in the present invention are not limited to the above-mentioned effects, and other effects not mentioned can be clearly understood by those of ordinary skill in the art from the following description. will be.

Other aspects, features and benefits as described above of certain preferred embodiments of the present invention will become more apparent from the following description, which is handled in conjunction with the accompanying drawings.
1 is a diagram illustrating a method of monitoring a malicious code according to an embodiment of the present invention.
2 is a flowchart illustrating a method of monitoring a malicious code according to an embodiment of the present invention.
3 is a flowchart illustrating a method of monitoring a malicious code according to an embodiment of the present invention.
4 is a block diagram showing a system for monitoring malicious code according to an embodiment of the present invention.
5 is a diagram illustrating a system for monitoring malicious code according to an embodiment of the present invention.
6 is a block diagram illustrating a storage module according to an embodiment of the present invention.
It should be noted that throughout the drawings, like reference numbers are used to show the same or similar elements, features, and structures.

Hereinafter, embodiments of the present invention will be described in detail with reference to the accompanying drawings.

In describing the embodiments, descriptions of technical contents that are well known in the technical field to which the present invention pertains and are not directly related to the present invention will be omitted. This is to more clearly convey the gist of the present invention by omitting unnecessary description.

For the same reason, some components in the accompanying drawings are exaggerated, omitted, or schematically illustrated. In addition, the size of each component does not fully reflect the actual size. The same reference numerals are assigned to the same or corresponding components in each drawing.

Advantages and features of the present invention, and a method of achieving them will become apparent with reference to the embodiments described below in detail together with the accompanying drawings. However, the present invention is not limited to the embodiments disclosed below, but may be implemented in a variety of different forms, only the present embodiments are intended to complete the disclosure of the present invention, and the general knowledge in the technical field to which the present invention pertains. It is provided to completely inform the scope of the invention to those who have it, and the invention is only defined by the scope of the claims. The same reference numerals refer to the same components throughout the specification.

In this case, it will be appreciated that each block of the flowchart diagrams and combinations of the flowchart diagrams may be executed by computer program instructions.

In addition, each block may represent a module, segment, or part of code that contains one or more executable instructions for executing the specified logical function(s). In addition, it should be noted that in some alternative execution examples, functions mentioned in blocks may occur out of order. For example, two blocks shown in succession may in fact be executed substantially simultaneously, or the blocks may sometimes be executed in reverse order depending on the corresponding function.

In this case, the term'~ unit' used in the present embodiment refers to software or hardware components such as field-programmable gate array (FPGA) or application specific integrated circuit (ASIC), and'~ unit' is a certain role. Perform them.

In describing the embodiments of the present invention in detail, examples of specific systems will be the main target, but the main subject matter to be claimed in this specification is the scope disclosed in the present specification to other communication systems and services having a similar technical background. It can be applied within a range that does not deviate greatly, and this will be possible at the judgment of a person skilled in the art.

Hereinafter, a method of monitoring a malicious code according to an embodiment of the present invention, a server implementing the above-described method, and a system thereof will be described.

1 is a diagram illustrating a method of monitoring a malicious code according to an embodiment of the present invention.

Referring to FIG. 1, the system of the present invention can be implemented through information sharing and file transmission between a collection channel, a virtual environment analysis system, a real machine analysis system, and a related information analysis system. In addition, a virtual environment analysis system that manages/records file information, a real machine analysis system that manages/records behavior information, and a related information analysis system that manages/records related information can share various types of information with each other.

Each of the virtual environment analysis system, real machine analysis system, and related information analysis system is implemented by a management server 310 and/or an external server 330 to be described later, or in the management server 310 or the external server 330, respectively. May correspond.

2 is a flowchart illustrating a method of monitoring a malicious code according to an embodiment of the present invention.

Referring to FIG. 2, the method includes monitoring records of online access for a plurality of terminals (S110).

For example, the management server 310 may receive information representing an online access record for a plurality of terminals 320, 340, 350, and 360 from each of the plurality of terminals 320, 340, 350, and 360. I can. For example, the management server 310 receives information representing a first online access record from the user terminal 320, receives information representing a second online access record from the second user terminal 340, and receives a third user Information indicating the third online connection record may be received from the terminal 350, and information indicating the fourth online connection record may be received from the fourth user terminal 360.

The first online access record to the fourth online access record include the IP address to which each of the plurality of terminals 320, 340, 350, and 360 has accessed, access time (eg, access details, last access time, etc.), number of accesses, It may include information on a connection target (eg, a specific site, network node, terminal, etc.).

In addition, the method according to an embodiment of the present invention includes receiving information indicating that the malicious code is infected from the first infected terminal and the second infected terminal among the plurality of terminals (S120).

For example, some of the terminals 320, 340, 350, and 360 may be infected with malicious codes, and for convenience of explanation, the third user terminal 350 and the fourth user terminal 360 The case of being infected with this malicious code will be described as an example.

The management server 310 may receive information indicating that the third user terminal 350 has infected the malicious code from the third user terminal 350, and set the third user terminal 350 as a first infected terminal. have. In addition, the management server 310 receives information indicating the malware infection of the fourth user terminal 360 from the fourth user terminal 360, and sets the fourth user terminal 360 as a second infected terminal. I can.

On the other hand, information indicating the infection of the malicious code may be determined and/or generated by a vaccine program installed in the terminal, or may be generated by each control module of the terminal when the hardware performance of the terminal falls below a threshold. .

In addition, a method according to an embodiment of the present invention includes comparing a third online access record for the first infected terminal and a fourth online access record for the second infected terminal (S130).

For example, the management server 310 records a third online access record for a first infected terminal (eg, a third user terminal 350) and a second infected terminal (eg, a fourth user terminal 360). The fourth online access record can be compared. For example, the management server 310 includes the IP address to which the first infected terminal (eg, the third user terminal 350) accessed, the access time (eg, access details, last access time, etc.), the number of access, and the connection target ( Example; information on a specific site, network node, terminal, etc.), the IP address to which the second infected terminal (e.g., the fourth user terminal 360) accessed, the access time (eg, access details, last access time, etc.), A first process for determining the degree of similarity and/or a second process for determining identity between information on the number of accesses and the connection target (eg, a specific site, network node, terminal, etc.) may be performed.

For example, in the third online access record for the first infected terminal and the fourth online access record for the second infected terminal, at least one first online address (or at least one There may be a record of accessing to (the first IP address of). In this case, considering the access time, it is taken into account that there may be a certain time, not always, that a certain site has a risk for malicious code.

In addition, the method according to an embodiment of the present invention includes generating information indicating a suspicious path based on the third online access record and the fourth online access record (S140).

For example, the management server 310 may generate information indicating a suspicious path based on the third online access record and the fourth online access record, and as an example, the management server 310 may include the at least one first Information indicating the suspicious path may be generated based on the access time and the at least one first online address. In another example, the information indicating the suspicious path is the at least one first access time and the at least one first online address. 1 May include an online address.

In addition, a method according to an embodiment of the present invention includes generating alarm information based on information indicating a suspicious path and transmitting it to a plurality of terminals (S150).

For example, the management server 310 may generate alarm information based on information indicating a suspicious path and transmit it to at least one of the plurality of terminals 320, 340, 350, and 360.

Meanwhile, the S110 to S150 may be implemented sequentially, but the order may be changed, and only some of the S110 to S150 may be implemented by being combined with other substrates (methods) of the present invention.

And with respect to the above-described features, the management server 310 of the present invention may further include the following features.

In order to more accurately determine whether each of the plurality of terminals 320, 340, 350, 360 can be set as a clean terminal and/or an infected terminal, the management server 310 The plurality of terminals 320, 340, 350, 360 are controlled to be set to a'diagnostic mode (or safety mode)' every period of and/or a signal for the plurality of terminals It can be transmitted to (320, 340, 350, 360). At this time, the plurality of terminals 320, 340, 350, and 360 set to the diagnosis mode (or safety mode) are the plurality of terminals 320, 340, 350, 360 while the diagnosis mode (or safety mode) is maintained. Each control module may be controlled so as not to receive a signal input through the input module.

In addition, the management server 310 receives information indicating a first online connection record from the user terminal 320, receives information indicating a second online connection record from the second user terminal 340, and Information indicating the third online connection record may be received from 350), and information indicating the fourth online connection record may be received from the fourth user terminal 360.

For convenience of explanation, it is assumed that the third user terminal 350 and the fourth user terminal 360 are infected with a malicious code, and the user terminal 320 and the second user terminal 340 are not infected with the malicious code. Listen and explain. At this time, the management server 310 sets the user terminal 320 as a first clean terminal, sets the second user terminal 340 as a second clean terminal, and sets the third user terminal 350 as a first infected terminal. And set the fourth user terminal 360 as a second infected terminal.

For example, in the third online access record for the first infected terminal and the fourth online access record for the second infected terminal, at least one first online address (or at least one There may be a record of accessing to the first IP address) and a record of accessing at least one second online address (or at least one second IP address) during the at least one second access time. In addition, in the first online access record for the first clean terminal and the second online access record for the second clean terminal, at least one second online address (or at least one second online address) during at least one second access time. 2 IP address) may have access records.

Based on this, the management server 310 generates information indicating a suspicious path based on a record of accessing at least one first online address (or at least one first IP address) during at least one first access time, In the process of generating information indicating the suspicious path, a record of accessing at least one second online address (or at least one second IP address) during at least one second access time may be excluded.

However, despite the fact that the first clean terminal and the second clean terminal have accessed at least one second online address (or at least one second IP address) during at least one second access time, they are not infected with malicious code. It is not because access to at least one second online address (or at least one second IP address) during the at least one second access time is secure, but the security level of the first and second clean terminals (Or vaccine grade or safety grade) and/or security performance (or vaccine performance or safety performance) may be higher than a predetermined standard.

Therefore, when the security level (or vaccine level or safety level) and/or security performance (or vaccine performance or safety performance) of the first and second clean terminals is higher than a predetermined standard, the management server 310 May not exclude a record of accessing at least one second online address (or at least one second IP address) during at least one second access time in the process of generating the information indicating the suspicious path (i.e., Based on this, the management server 310 records access to at least one first online address (or at least one first IP address) during at least one first access time and at least one during at least one second access time. Information indicating a suspicious path may be generated based on a record of accessing the second online address (or at least one second IP address).

On the other hand, the security level (or vaccine level or safety level) and/or security performance (or vaccine performance or safety performance) of the terminal, the management server 310 is the hardware performance of each of the terminal and / or a program installed in the terminal It can be set based on fields (eg, general program, vaccine program, etc.).

delete

3 is a flowchart illustrating a method of monitoring a malicious code according to an embodiment of the present invention.

Referring to FIG. 3, the method includes setting a security level for the first file (S210).

Here, the first file may be a file stored and/or recorded in the management server 310, and may include an application file, an installation file, an executable file, and the like. In addition, the first file may be generated through an external inflow path including a web browser, e-mail, excel, office program, and removable disk.

The management server 310 may set a security level for the first file, for example. As an example, the management server 310 checks whether a malicious code is a suspicious file by using the file signature of the first file, overall file information, and cloud DB information, and the malicious code is suspected. In this case, the first file may be set as a'suspicious file' and a security level for the first file may be set as a'suspicious level'.

In addition, the management server 310 may obtain information on the first file, and the information on the first file is a history of the creation of the first file, and an external device from which the first file is introduced into the management server 310 It may include an inflow path, a history of previously executing the first file, a history of modification of the first file, or signature information of the first file.

In addition, the method according to an embodiment of the present invention includes receiving a message requesting execution of the first file (S220).

The management server 310 may receive, for example, a message requesting execution of the first file from the user terminal 320.

In addition, the method according to an embodiment of the present invention includes determining whether to execute the first file on the first server or the second server, which is an external server, based on the security level (S230). ).

The management server 310, for example, based on the security level, whether to execute the first file on the first server (ie, the management server 310) or the first file to a second server (ie, external It may be determined whether or not to be executed by the server 330.

In addition, the method according to an embodiment of the present invention includes the step of executing the first file or transmitting the first file to the second server based on the determination result (S240).

The management server 310 may execute, for example, the first file based on the determination result in S230 or may transmit the first file to the second server (ie, the external server 330).

In addition, the method according to an embodiment of the present invention includes the step of receiving information indicating the execution result of the first file from the second server (S250).

The management server 310 may receive, for example, information indicating the execution result of the first file from the second server, that is, the external server 330.

On the other hand, the S210 to S250 may be implemented sequentially, but the order may be changed, and only some of the S210 to S250 may be implemented in combination with other substrates (methods) of the present invention.

4 is a block diagram showing a system for monitoring malicious code according to an embodiment of the present invention.

Referring to FIG. 4, the management server 310 may include a first control module 410, a first communication module 420, a first input module 430, and/or a first output module 410. have. In addition, the management server 310 may be a server operating a website and/or a mobile app related to a platform providing a malicious code monitoring service of the present invention.

In addition, the user terminal 320 may include a second control module 460, a second communication module 470, a second input module 480, and/or a second output module 490.

The control modules 410 and 460 may directly/indirectly control the management server 310 and/or the user terminal 320 to implement an operation/step/process according to an embodiment of the present invention. In addition, each of the control modules 410 and 460 may include at least one processor, and the processor may include at least one central processing unit (CPU) and/or at least one graphic processing device (GPU).

In addition, the control modules 410 and 460 are based on API (Application Programming Interface), IoT (Internet of Things), IIoT (Industrial Internet of Things), and ICT (Information & Communication Technology) technology. Can be created and/or managed.

The communication modules 420 and 420 include a management server 310, a user terminal 320, an external server 330, a second user terminal 340, a third user terminal 350, and/or a fourth user terminal 360. ), and various data, signals, and information can be transmitted and received. In addition, the communication modules 420 and 420 may be a wireless communication module (eg, a cellular communication module, a short range wireless communication module, or a global navigation satellite system (GNSS) communication module) or a wired communication module (eg, a local area network (LAN) communication module). Module, or a power line communication module). In addition, the communication module 420, 420 is a first network (for example, Bluetooth, WiFi direct, or a short-range communication network such as IrDA (Infrared Data Association)) or a second network (for example, a cellular network, the Internet, or a computer network (for example: LAN or WAN) to communicate with external electronic devices. These various types of communication modules may be integrated into one component (eg, a single chip), or may be implemented as a plurality of separate components (eg, multiple chips).

The input modules 430 and 430 include a management server 310, a user terminal 320, an external server 330, a second user terminal 340, a third user terminal 350, and/or a fourth user terminal 360. ) Of the command or data to be used for the components (eg, the control module 410) outside the management server 310 and/or the user terminal 320 (eg, a user (eg, a first user, a second user, etc.) ), the manager of the management server 310, etc.). In addition, the input modules 430 and 430 include a touch recognition capable display installed in the management server 310 and/or the user terminal 320, a touch pad, a button type recognition module, a voice recognition sensor, a microphone, a mouse, or a keyboard. can do. Here, the touch-recognizable display, touch pad, and button-type recognition module may recognize a touch through a user's body (eg, a finger) through a pressure-sensitive and/or capacitive method. In addition, each of the input modules 430 and 430 may further include a sensor unit for fingerprint recognition and/or iris recognition.

The output modules 440 and 440 are signals generated by the control modules 410 and 460 of the management server 310 and/or the user terminal 320 or obtained through the communication modules 420 and 420 (e.g., voice signals). ), information, data, images, and/or various objects. For example, the output modules 440 and 440 may include a display, a screen, a display unit, a speaker and/or a light emitting device (eg, an LED lamp).

The storage module 450 stores data such as a basic program, an application program, and setting information for the operation of the management server 310 and/or the user terminal 320. In addition, the storage module includes a flash memory type, a hard disk type, a multimedia card micro type, a card type memory (eg, SD or XD memory, etc.), Magnetic memory, magnetic disk, optical disk, RAM (Random Access Memory, RAM), SRAM (Static Random Access Memory), ROM (Read-Only Memory, ROM), PROM (Programmable Read-Only Memory), EEPROM (Electrically Erasable Programmable Read) -Only Memory) may include at least one storage medium. In addition, the storage module 450 may be a hardware module including a cloud server and/or a block chain server, or a software module including a function of the cloud server and/or a block chain server.

In addition, the storage module 450 is the management server 310 and/or the user who uses or operates the user terminal 320 (first user, second user, third user, fourth user, fifth user, etc.) Personal information and personal information of the manager (or manager) can be stored. Here, the personal information is name, date of birth information, ID (identifier), password, street name address, phone number, mobile phone number, email address, and/or a reward generated by the management server 310 (eg, point Etc.). In addition, the control modules 410 and 460 may perform various operations using various images, programs, contents, data, music, sounds, etc. stored in the storage module 450.

5 is a diagram illustrating a system for monitoring malicious code according to an embodiment of the present invention.

5, a system 300 according to an embodiment of the present invention includes a management server 310, a user terminal 320, an external server 330, a second user terminal 340, and a third user terminal ( 350) and a fourth user terminal 360.

In addition, in the present invention, the various types of information described above with reference to FIGS. 2 to 5 are grouped and/or hashed in the storage module 450 of the management server 310 and stored in a block chain, and then stored in the block chain. Forgery and/or tampering can be verified or determined.

For example, the management server 310, the user terminal 320, the external server 330, the second user terminal 340, the third user terminal 350, and the fourth user terminal 360, respectively, as blockchain nodes. It can also perform the function of a cryptocurrency wallet.

In general, a block chain is a non-forgery distributed storage created and managed by a peer-to-peer (P2P) network. Blockchain refers to a collection of data blocks created by a transaction (a unit operation that cannot be split between two parties) in succession in the form of a chain. Different from the previous block Since the block is successively encrypted and the data agreed by more than half of the users is recognized as real data, once recorded data cannot be forged or altered. A typical application of the blockchain is bitcoin, a decentralized electronic currency that records the transaction process of cryptocurrency. The block chain can store confirmed transaction details that occur between users for a certain period of time. And, many users each have a copy of the blockchain, and transaction details can be made public. In this way, only transaction details agreed by more than half of the users are recognized as actual data, and may be stored in blocks to be permanently stored.

6 is a block diagram illustrating a storage module according to an embodiment of the present invention.

Referring to FIG. 6, the storage module 450 of the management server 310 according to an embodiment of the present invention may include a data storage area 510 and a block chain area 520.

In addition, the management server 310, the user terminal 320, the external server 330, the second user terminal 340, the third user terminal 350 and/or the fourth user terminal 360 of the present invention It may correspond to a blockchain node that transmits and receives hashed information and/or block data through a blockchain (or blockchain network).

The management server 310 may be connected to other blockchain nodes 320, 330, 340, 350, 360 through a wired or wireless network (or a blockchain network). The management server 310 is generated through the control module 410, received through the communication module 420, or stored in the storage module 450,'user's personal information, first to fourth online access records, first and second Grouped (and/or hashed) information on the second infected terminal, information indicating the security level for the first file, and information indicating the suspicious path, and the grouped (hashed)'user's personal information, Chained elements of the first to fourth online access records, information on the first and second infected terminals, information indicating the security level for the first file, information indicating the suspicious path, and the chained'user's personal information , First to fourth online access records, information on the first and second infected terminals, information indicating the security level for the first file, information indicating the suspicious path' may be stored in the block chain area 520 .

For example, the management server 310 includes at least one'user's personal information, first to fourth online access records, and first and second infected terminals stored in the data storage area 510 of the storage module 450. Information on, information indicating a security level for the first file, and information indicating a suspicious path' may be grouped using a chain scaler. The management server 310 includes'user's personal information, first to fourth online access records, information on first and second infected terminals, information indicating security level for the first file, grouped using a chain scaler, Information indicating the suspicious path' may be stored in the storage module 450 and/or the block chain area 520 in a chain form.

The management server 310 provides the grouped'user's personal information, first to fourth online access records, information on first and second infected terminals, information indicating the security level for the first file, and suspicious path. At least one element included in'indicative information' may be stored in the block chain area 520.

The management server 310 includes a plurality of'user's personal information stored in the data storage area 510, first to fourth online access records, information on first and second infected terminals, and security level for the first file. Information indicating a "information indicating a suspicious path" may be grouped in units of a predetermined number. The management server 310 includes a predetermined time, predetermined'user's personal information, first to fourth online access records, information on first and second infected terminals, information indicating a security level for a first file, The number of'information indicating the suspicious path' and'personal information of the user, the first to fourth online access records, information on the first and second infected terminals, information indicating the security level for the first file, and indicating the suspicious path Information on a plurality of'user's personal information, first to fourth online access records, first and second infected terminals, and first files stored in the storage module 450 based on at least one of the importance of'information' Information indicating the security level and information indicating the suspicious path can be grouped. The management server 310 stores at least one'user's personal information, first to fourth online access records, information on first and second infected terminals, and security for a first file stored in the storage module 450 A Merkle hash is generated based on information indicating a grade and information indicating a suspicious path, and a plurality of'user's personal information, first to fourth online access records, and the first to include the generated Merkle hash. Information on the first and second infected terminals, information indicating a security level for the first file, and information indicating a suspicious path' may be grouped.

In addition, the management server 310 may convert the content to be stored in the storage module 450 into a blockchain transaction and transmit it to other blockchain nodes 320, 330, 340, 350, and 360 participating in the system 300 of the present invention. The'user's personal information, first to fourth online access records, information on the first and second infected terminals, information indicating the security level for the first file, information indicating the suspicious path' to be stored in the blockchain transaction It may include a merkle hash identifier, a group identifier, and/or an identifier of a previous group. The management server 310 includes a predetermined time and the stored'user's personal information, first to fourth online access records, information on first and second infected terminals, information indicating a security level for a first file, Based on at least one of the number of'suspect path information', at least one element stored in the block chain area 520 and the grouped'user's personal information, first to fourth online access records, first and second 2 Compare at least one element included in the information on the infected terminal, information indicating the security level for the first file, information indicating the suspicious path, and the stored'user's personal information, the first to fourth online access records , Integrity of'information on the first and second infected terminals, information indicating a security level for the first file, information indicating a suspicious path' may be verified.

The management server 310 includes the stored'user's personal information, first to fourth online access records, information on the first and second infected terminals, information indicating the security level for the first file, and indicating the suspicious path. If the information' is not integrity, the integrity may be output through the output module 410. The management server 310 indicates'user's personal information, first to fourth online access records, information on first and second infected terminals, and security level for the first file stored in the storage module 450 When'information, information indicating a suspicious path' is forged, altered, or damaged, the integrity status may be output through the output module 410 so that an administrator managing the management server 310 can know such matters. .

The control module 410 may generate a certificate for determining the integrity of the stored blockchain and transmit it to at least one electronic device. The certificate is the at least one stored'user's personal information, first to fourth online access records, information on the first and second infected terminals, information indicating the security level for the first file, and indicating the suspicious path. Information, the grouped'user's personal information, first to fourth online access records, information on the first and second infected terminals, information indicating the security level for the first file, information indicating the suspicious path 'And the stored block chain information. The certificate is provided by the management server 310 indicating'user's personal information, first to fourth online access records, information on first and second infected terminals, information indicating security level for the first file, and suspicious path. It can be used to determine the integrity of'information'. In the control module 410, the request of at least one element for the stored blockchain is i)'user's personal information, first to fourth online access records, and first and second infected terminals of the present invention. , Through a website and/or mobile app that supports a service and/or platform that provides'information indicating the security level of the first file, information indicating the suspicious path' to the user, and/or ii) other blockchain nodes When received from (320, 330, 340, 350, 360), the requested at least one element is i) output through the website and/or mobile app, and/or ii) other blockchain nodes (320, 330). , 340, 350, 360).

In addition, a plurality of'user's personal information, first to fourth online access records, information on the first and second infected terminals, information indicating the security level for the first file, information indicating the suspicious path' When the request for confidential information is set through the management server 310 and/or the user terminal 320, the management server 310 provides the plurality of'users' personal information, first to fourth online access records, and Among the information on the first and second infected terminals, information indicating a security level for a first file, and information indicating a suspicious path', at least one information whose confidential information request is equal to or greater than the first threshold is classified as first information, and , At least one piece of information whose secret information request degree is less than the first threshold may be classified as second information. In addition, the management server 310 generates a hash value corresponding to the first information by hashing the first information, and the plurality of blockchain nodes 310, 320, 330, 340, 350, 360 The information may be classified into a first node group sharing only information having a request for secret information equal to or greater than the first threshold, and a second node group sharing only information having a request for secret information less than the first threshold. In addition, the management server 310 transmits a hash value corresponding to the first information to the first node group when the situation information requesting the emergency is confirmed by the management server 310, but the situation information requesting the emergency If is not confirmed by the management server, the first information that is not hashed is transmitted to the first node group, and the second information is controlled to be transmitted to the second node group without hashing. can do.

In addition, the management server 310 is characterized in that the control to check the integrity of the first information based on the hash value, and the number of shared second information among nodes included in the second node group is a second threshold. It may be characterized in that the node exceeding is reset to the first node group.

In addition, the management server 310 transmits a first signal to the plurality of block chain nodes 320, 330, 340, 350, 360, and transmits a second signal in response to the first signal. 320, 330, 340, 350, 360), confirms the first time when the first signal is transmitted from the network interface of the management server, and the first signal is the plurality of blockchain nodes (320, 330). , 340, 350, 360) is obtained from each of the plurality of block chain nodes (320, 330, 340, 350, 360) information indicating a second time, which is a time received at each, and the second signal is Information indicating a third time, which is a time transmitted from each of the blockchain nodes 320, 330, 340, 350, 360, is obtained from each of the plurality of blockchain nodes 320, 330, 340, 350, 360, and the The fourth time, which is the time when the second signal is received by the network interface, is checked, and each of the plurality of block chain nodes 320, 330, 340, 350, 360 indicates the'user's personal information, first to first 4 Online access records, information on the first and second infected terminals, information indicating the security level for the first file, and information indicating the browsing cost required for reading'information indicating the suspicious path' are included in the plurality of blockchains. It can be obtained from each of the nodes 320, 330, 340, 350, and 360. And among the plurality of block chain nodes (320, 330, 340, 350, 360) i) excluding nodes whose browsing cost exceeds a predetermined cost threshold and/or a history set as an infected terminal exceeds a predetermined number threshold. Excluding a node (e.g., a node 350 set as a first infected terminal and/or a node 360 set as a second infected terminal), the first difference between the second time and the first time and the first Select a specific blockchain node with the lowest sum of the second difference between the 4 time and the third time, and the'user's personal information, the first to fourth online access records, and the first and second infected terminals. Information, information indicating a security level for the first file, information indicating a suspicious path' may be transmitted to the specific blockchain node.

In addition, the system 300, the management server 310, and/or the user terminal 320 according to an embodiment of the present invention may include the following features.

The management server 310 includes, for example, not only the security level of the first file in S230 described above, but also information about the first server (ie, the management server 310) and the second server (ie, the external server 330 )), it is possible to determine whether to execute the first file on the first server or the second server.

The embodiments of the present invention disclosed in the present specification and drawings are only provided for specific examples to easily explain the technical content of the present invention and to aid understanding of the present invention, and are not intended to limit the scope of the present invention. That is, it is apparent to those of ordinary skill in the art that other modifications based on the technical idea of the present invention can be implemented. In addition, each of the above embodiments can be operated in combination with each other as needed. For example, in all embodiments of the present invention, parts are combined with each other to provide a system 300, a management server 310, a user terminal 320, a management server 310, an external server 330, and a second user terminal 340. , It may be implemented by the third user terminal 350 and/or the fourth user terminal 360.

In addition, the system 300, the management server 310, the user terminal 320, the management server 310, the external server 330, the second user terminal 340, the third user terminal 350 according to the present invention And/or the method of controlling the fourth user terminal 360 and the like may be implemented in the form of program instructions that can be executed through various computer means and recorded in a computer-readable medium.

As described above, various embodiments of the present invention may be implemented as computer readable code in a computer readable recording medium from a specific viewpoint. A computer-readable recording medium is any data storage device capable of storing data that can be read by a computer system. Examples of computer-readable recording media include read only memory (ROM), random access memory (RAM), and compact disk-read only memory (CD-ROM). ), magnetic tapes, floppy disks, optical data storage devices, and carrier waves (such as data transmission over the Internet). The computer readable recording medium can also be distributed through networked computer systems, so that the computer readable code is stored and executed in a distributed manner. In addition, functional programs, codes, and code segments for achieving various embodiments of the present invention can be easily interpreted by experienced programmers in the field to which the present invention is applied.

In addition, it will be appreciated that the apparatus and method according to various embodiments of the present invention can be realized in the form of hardware, software, or a combination of hardware and software. Such software may be, for example, a volatile or nonvolatile storage device such as a storage device such as a ROM, or a memory such as a RAM, memory chip, device or integrated circuit, or For example, it may be optically or magnetically recordable, such as a compact disk (CD), a DVD, a magnetic disk, or a magnetic tape, and stored in a storage medium that can be read by a machine (for example, a computer). In addition, the software may be stored in a hardware module including a cloud server and/or a block chain server, or may be stored in a software module including a function of the cloud server and/or a block chain server. The method according to various embodiments of the present invention may be implemented by a computer or portable terminal including a control unit (eg, control module 410) and a memory, and such a memory is used to provide instructions for implementing the embodiments of the present invention. It will be appreciated that this is an example of a machine-readable storage medium suitable for storing a program or programs containing.

Accordingly, the present invention includes a program including a code for implementing the apparatus or method described in the claims of the present specification, and a storage medium readable by a machine (such as a computer) storing such a program. Further, such a program may be transferred electronically through any medium, such as a communication signal transmitted through a wired or wireless connection, and the present invention suitably includes equivalents thereto.

The embodiments of the present invention disclosed in the present specification and drawings are merely provided for specific examples to easily explain the technical content of the present invention and to aid understanding of the present invention, and are not intended to limit the scope of the present invention. In addition, the embodiments according to the present invention described above are merely exemplary, and those of ordinary skill in the art will understand that various modifications and equivalent ranges of embodiments are possible therefrom. Therefore, the true technical protection scope of the present invention should be determined by the following claims.

Claims (5)

In a system that monitors malicious codes,
A plurality of terminals including a first terminal, a second terminal, and a third terminal; And
A server monitoring online access records for the plurality of terminals; Including,
The server,
Receiving first online connection record information of the first terminal from the first terminal,
Receiving second online access record information of the second terminal from the second terminal,
Receiving information indicating that a malicious code has been found in the first terminal from the first terminal,
Receiving information indicating that a malicious code has been found in the second terminal from the second terminal,
Generating information indicating a suspicious infection path based on the first online access record information and the second online access record information,
The server,
Receiving first information about the first application requested to be installed by the first terminal from the first terminal,
Receive CPU information of the first time point of the first terminal, memory information of the first time point, load average information of the first time point, and traffic information of the first time point from the first terminal However, the first time point indicates a time point at which the server receives the first information,
Malicious code retention probability information of a first file stored in the database (DB) of the server, the first information, the CPU information at the first time point, the memory information at the first time point, the load average at the first time point It is determined whether to install the first file in the first terminal by applying the information and the traffic information at the first time point to an artificial intelligence network model,
When it is determined to install the first file on the first terminal, installation instruction information instructing to install the first file on the first terminal is transmitted to the first terminal,
The server,
Set a third terminal that is not infected with malicious code as a clean terminal,
Receive third online access record information of the third terminal from the third terminal,
The first online access record information and the second online access record information include a record of accessing a first online address during a first access time, and the third online access record information is the first online access record information during the first access time. If the record of accessing the address is not included, information indicating the infection suspicious path is generated based on the first access time and the first online address,
The first online access record information, the second online access record information, and the third online access record information all include a record of accessing the first online address during the first access time, but the vaccine grade of the third terminal If it is less than this predetermined standard level, the record of accessing the first online address during the first access time is not considered in the process of generating the information indicating the infection suspicious route
The first online access record information, the second online access record information, and the third online access record information all include a record of accessing the first online address during the first access time, wherein the vaccine of the third terminal If the grade is equal to or higher than the predetermined standard grade, information indicating the infection suspicious path is generated based on the first access time and the first online address,
Set the security level for the first file,
Receiving a message requesting execution of the first file from at least one of the plurality of terminals,
Determine whether to execute the first file based on the security level, and
Determine whether to execute the first file on an external server based on the security level, and
Delivering the first file to the external server based on the determination result,
It characterized in that the information indicating the execution result of the first file is received from the external server,
system. delete delete delete delete

Images