KR102494827B1 - Methods and apparatus for detecting malicious macros in non-executable files using ocr - Google Patents

Abstract

In the present specification, in a method for a server to detect a malicious macro of a non-executable file using OCR (Optical Character Recognition), a character string of the non-executable file is extracted using the OCR, and 1) the macro 2) The extracted malicious string is compared with a suspicious malicious string related to security setting release, and based on the matching between the malicious suspicious string and the extracted string, whether or not the malicious macro is included in the non-executable file is analyzed. can

Description

Method for detecting malicious macros in non-executable files using OCR technology and apparatus therefor { METHODS AND APPARATUS FOR DETECTING MALICIOUS MACROS IN NON-EXECUTABLE FILES USING OCR

The present specification relates to a method and apparatus for generating an image included in a non-executable file using OCR (Optical Character Recognition) technology, extracting a string from the image, and detecting a malicious macro in a non-executable file. will be.

Non-executable files containing macros can be dangerous. Macros are basically part of computer code and can be used as a medium for malware. For example, Microsoft Office documents (eg, Word, Excel, PowerPoint, and other types of documents) may contain embed code written in a programming language called Visual Basic for Applications (VBA). Through this, repetitive tasks can be automated. The user can later run the macro to repeat the recorded action.

In a malicious non-executable document, various malicious actions can be performed by automatically executing macros inside the document. To prevent this, if a macro is included in the document in the basic security settings of MS-OFFICE, the corresponding macro is not automatically executed and the user must click the button in the security warning message.

An object of the present specification is to propose a method and apparatus for improving the detection speed of a scan engine and advancing the detection rate by utilizing OCR technology when a large amount of normal and malicious documents are introduced.

The technical problems to be achieved by this specification are not limited to the above-mentioned technical problems, and other technical problems not mentioned are clear to those skilled in the art from the detailed description of the specification below. will be understandable.

In one aspect of the present specification, in a method for a server to detect a malicious macro of a non-executable file using OCR (Optical Character Recognition), extracting a string of the non-executable file using the OCR ; 1) comparing a suspected malicious character string related to security setting release of the macro and 2) the extracted character string; and analyzing whether or not the malicious macro is included in the non-executable file, based on matching between the suspicious malicious character string and the extracted character string.

Also, based on that the non-executable file includes the malicious macro, updating the suspected malicious character string; may further include.

In addition, the step of extracting the string of the non-executable file may include creating a virtual machine for analyzing the non-executable file; executing the non-executable file through the virtualization machine; taking a screenshot of the first page of the non-executable file; and extracting a character string from the screenshot image file using the OCR; can include

Also, the suspicious malicious character string may include “Enable Content”, “Click”, and “Enable Macros”.

In addition, based on the fact that the suspicious malicious character string and the extracted character string do not match, a character string of a next non-executable file may be extracted.

Also, based on that the non-executable file includes the malicious macro, the extracted character string may be accumulated and stored.

In addition, the step of updating the suspected malicious character string may include adding a character string identically matched at a predetermined ratio or more to the suspected malicious character string in the set of the accumulated and stored extracted character strings; can include

Another aspect of the present specification is a server for detecting a malicious macro of a non-executable file using optical character recognition (OCR), comprising: a communication unit; a memory containing a database for managing suspicious malicious strings; and a processor functionally controlling the communication unit and the memory, wherein the processor extracts a character string of the non-executable file using the OCR, and 1) the suspicious malicious character string associated with releasing the security setting of the macro. and 2) comparing the extracted character string, and analyzing whether the malicious macro is included in the non-executable file based on matching between the malicious suspect character string and the extracted character string.

According to the embodiments of the present specification, when a large amount of normal and malicious documents are introduced, the detection speed and detection rate of the scanning engine can be improved by utilizing the OCR technology.

Effects obtainable in the present specification are not limited to the effects mentioned above, and other effects not mentioned will be clearly understood by those skilled in the art from the description below. .

1 is a block diagram for explaining an electronic device related to the present specification.
2 is a diagram showing a server or client related to the present specification.
3 is an embodiment of a server that can be applied to this specification.
4 illustrates a method for determining a document behavior of a non-executable file to which this specification can be applied.
5 is an example of an additional action of a server to obtain a document action to which this specification may be applied.
6 illustrates a DDE function command detection table of a server to which this specification can be applied.
7 is an embodiment of a server that can be applied to this specification.
8 to 10 are examples of a part of image files to which the present specification can be applied.
The accompanying drawings, which are included as part of the detailed description to aid understanding of the present specification, provide examples of the present specification and describe technical features of the present specification together with the detailed description.

Hereinafter, the embodiments disclosed in this specification will be described in detail with reference to the accompanying drawings, but the same or similar components are given the same reference numerals regardless of reference numerals, and redundant description thereof will be omitted. The suffixes "module" and "unit" for components used in the following description are given or used together in consideration of ease of writing the specification, and do not have meanings or roles that are distinct from each other by themselves. In addition, in describing the embodiments disclosed in this specification, if it is determined that a detailed description of a related known technology may obscure the gist of the embodiment disclosed in this specification, the detailed description thereof will be omitted. In addition, the accompanying drawings are only for easy understanding of the embodiments disclosed in this specification, the technical idea disclosed in this specification is not limited by the accompanying drawings, and all changes included in the spirit and technical scope of this specification , it should be understood to include equivalents or substitutes.

Terms including ordinal numbers, such as first and second, may be used to describe various components, but the components are not limited by the terms. These terms are only used for the purpose of distinguishing one component from another.

It is understood that when an element is referred to as being "connected" or "connected" to another element, it may be directly connected or connected to the other element, but other elements may exist in the middle. It should be. On the other hand, when an element is referred to as “directly connected” or “directly connected” to another element, it should be understood that no other element exists in the middle.

Singular expressions include plural expressions unless the context clearly dictates otherwise.

In this specification, terms such as "comprise" or "having" are intended to indicate that there is a feature, number, step, operation, component, part, or combination thereof described in the specification, but one or more other features It should be understood that the presence or addition of numbers, steps, operations, components, parts, or combinations thereof is not precluded.

Also, the term “unit” used in the specification means a software or hardware component, and “unit” performs certain roles. However, "unit" is not meant to be limited to software or hardware. A “unit” may be configured to reside in an addressable storage medium and may be configured to reproduce on one or more processors. Thus, as an example, “unit” can refer to components such as software components, object-oriented software components, class components and task components, processes, functions, properties, procedures, subroutines, segments of program code, drivers, firmware, microcode, circuitry, data, databases, data structures, tables, arrays and variables. Functionality provided within components and "parts" may be combined into fewer components and "parts" or further separated into additional components and "parts".

Also, according to one embodiment of the present specification, "unit" may be implemented as a processor and a memory. The term “processor” should be interpreted broadly to include general-purpose processors, central processing units (CPUs), microprocessors, digital signal processors (DSPs), controllers, microcontrollers, state machines, and the like. In some circumstances, “processor” may refer to an application specific integrated circuit (ASIC), programmable logic device (PLD), field programmable gate array (FPGA), or the like. The term "processor" refers to a combination of processing devices, such as, for example, a combination of a DSP and a microprocessor, a combination of a plurality of microprocessors, a combination of one or more microprocessors in conjunction with a DSP core, or any other such configuration. may also refer to

The term “memory” should be interpreted broadly to include any electronic component capable of storing electronic information. The term memory includes random access memory (RAM), read-only memory (ROM), non-volatile random access memory (NVRAM), programmable read-only memory (PROM), erasable-programmable read-only memory (EPROM), electrical may refer to various types of processor-readable media, such as erasable PROM (EEPROM), flash memory, magnetic or optical data storage, registers, and the like. A memory is said to be in electronic communication with the processor if the processor can read information from and/or write information to the memory. Memory integrated with the processor is in electronic communication with the processor.

As used herein, a "non-executable file" is a concept opposite to an executable file or an executable file, and means a file that is not itself executed. For example, the non-executable file may be a PDF file, a Korean file, a document file such as a word file, an image file such as a JPG file, a video file, a JavaScript file, and an HTML file, but is not limited thereto.

Hereinafter, with reference to the accompanying drawings, embodiments will be described in detail so that those skilled in the art can easily carry out the embodiments. In addition, in order to clearly describe the present disclosure in the drawings, parts irrelevant to the description may be omitted.

1 is a block diagram for explaining an electronic device related to the present specification.

The electronic device 100 includes a wireless communication unit 110, an input unit 120, a sensing unit 140, an output unit 150, an interface unit 160, a memory 170, a control unit 180, and a power supply unit 190. ) and the like. The components shown in FIG. 1 are not essential to implement an electronic device, so an electronic device described in this specification may have more or fewer components than those listed above.

More specifically, among the components, the wireless communication unit 110 is between the electronic device 100 and the wireless communication system, between the electronic device 100 and other electronic devices 100, or between the electronic device 100 and an external server. It may include one or more modules enabling wireless communication between Also, the wireless communication unit 110 may include one or more modules that connect the electronic device 100 to one or more networks.

The wireless communication unit 110 may include at least one of a broadcast reception module 111, a mobile communication module 112, a wireless Internet module 113, a short-distance communication module 114, and a location information module 115. .

The input unit 120 includes a camera 121 or video input unit for inputting a video signal, a microphone 122 for inputting an audio signal, or a user input unit 123 for receiving information from a user, for example , a touch key, a push key (mechanical key, etc.). Voice data or image data collected by the input unit 120 may be analyzed and processed as a user's control command.

The sensing unit 140 may include one or more sensors for sensing at least one of information within the electronic device, environmental information surrounding the electronic device, and user information. For example, the sensing unit 140 may include a proximity sensor 141, an illumination sensor 142, a touch sensor, an acceleration sensor, a magnetic sensor, and gravity. Sensor (G-sensor), gyroscope sensor (gyroscope sensor), motion sensor (motion sensor), RGB sensor, infrared sensor (IR sensor), finger scan sensor, ultrasonic sensor , optical sensor (e.g. camera (see 121)), microphone (see 122), battery gauge, environmental sensor (e.g. barometer, soil hygrometer, thermometer, radiation detection sensor) , a heat sensor, a gas sensor, etc.), and a chemical sensor (eg, an electronic nose, a health care sensor, a biometric sensor, etc.). Meanwhile, the electronic device disclosed in this specification may combine and utilize information sensed by at least two or more of these sensors.

The output unit 150 is for generating an output related to sight, hearing, or touch, and includes at least one of a display unit 151, a sound output unit 152, a haptic module 153, and an optical output unit 154. can do. The display unit 151 may implement a touch screen by forming a mutual layer structure or integrally with the touch sensor. Such a touch screen may function as a user input unit 123 providing an input interface between the electronic device 100 and the user and provide an output interface between the electronic device 100 and the user.

The interface unit 160 serves as a passage for various types of external devices connected to the electronic device 100 . The interface unit 160 connects a device equipped with a wired/wireless headset port, an external charger port, a wired/wireless data port, a memory card port, and an identification module. It may include at least one of a port, an audio input/output (I/O) port, a video input/output (I/O) port, and an earphone port. In response to the external device being connected to the interface unit 160, the electronic device 100 may perform appropriate control related to the connected external device.

Also, the memory 170 stores data supporting various functions of the electronic device 100 . The memory 170 may store a plurality of application programs (application programs or applications) running in the electronic device 100 , data for operating the electronic device 100 , and commands. At least some of these application programs may be downloaded from an external server through wireless communication. In addition, at least some of these application programs may exist on the electronic device 100 from the time of shipment for basic functions of the electronic device 100 (eg, incoming and outgoing calls, outgoing functions, message receiving, and outgoing functions). Meanwhile, the application program may be stored in the memory 170, installed on the electronic device 100, and driven by the control unit 180 to perform an operation (or function) of the electronic device.

The controller 180 controls general operations of the electronic device 100 in addition to operations related to the application program. The control unit 180 may provide or process appropriate information or functions to the user by processing signals, data, information, etc. input or output through the components described above or by running an application program stored in the memory 170.

In addition, the controller 180 may control at least some of the components discussed in conjunction with FIG. 1 in order to drive an application program stored in the memory 170 . Furthermore, the controller 180 may combine and operate at least two or more of the components included in the electronic device 100 to drive the application program.

The power supply unit 190 receives external power and internal power under the control of the controller 180 and supplies power to each component included in the electronic device 100 . The power supply unit 190 includes a battery, and the battery may be a built-in battery or a replaceable battery.

At least some of the components may operate in cooperation with each other in order to implement an operation, control, or control method of an electronic device according to various embodiments described below. Also, the operation, control, or control method of the electronic device may be implemented on the electronic device by driving at least one application program stored in the memory 170 .

In this specification, the server (or cloud server) or client may include the electronic device 100, and the electronic device 100 may be collectively referred to as a terminal.

The terminal may communicate with an external server (or cloud server) or a client through a network connection.

2 is a diagram showing a server or client related to the present specification.

In this specification, a server (or cloud server) or a client may include a control unit 200 and a communication unit 230. The control unit 200 may include a processor 210 and a memory 220. The processor 210 may execute instructions stored in the memory 220 . The processor 210 may control the communication unit 230 . The memory 220 may include cache memory. The cache memory may temporarily store an original document to be described later for a certain period of time.

The processor 210 may control the operation of the server or client based on instructions stored in the memory 220 . A server or client may include one processor or may include a plurality of processors. When the server or the client includes a plurality of processors, at least some of the plurality of processors may be located at physically separated distances. In addition, the server or client may be implemented in various known ways without being limited thereto.

The communication unit 230 may include one or more modules enabling wireless communication between a server or client and a wireless communication system, between a server or client and another server or client, or between a server or client and an external server (terminal). there is. Also, the communication unit 210 may include one or more modules that connect a server or a client to one or more networks.

The controller 200 may control at least some of the components of the server or client in order to drive the application program stored in the memory 220 . Furthermore, the control unit 200 may combine and operate at least two or more of the components included in the server or client to drive the application program.

In this specification, the server may include a reversing engine or/and a CDR engine providing CDR services.

Reversing Engine

A reversing engine is an analysis/diagnostic engine that automates the reverse engineering (reversing) process for non-executable files. This is called reverse engineering, and through this, the server can learn about the principles and structure of software without source code by entering the assembly stage, which is a language that computers can execute. Using this, the server can know the structure of general software (for example, msoffice, pdf), malicious code behavior, and how to exploit vulnerabilities.

For example, the reversing engine may perform the following steps.

1. File analysis: As a step of analyzing the appearance of the non-executable file itself (eg, attribute, author, date of creation, file type), similar to general vaccine programs, maliciousness can be diagnosed only with the information of the non-executable file itself. can

2.Static analysis: This is a step of extracting and analyzing data in non-executable files to determine whether they are normal or malicious. Non-executable files are not executed, and internal data is extracted according to the file structure and analyzed for comparison to diagnose maliciousness. there is. This may be suitable for macros, URL extraction analysis, and the like.

3.Dynamic analysis: This is a step of analyzing behaviors while executing and monitoring non-executable files to determine whether they are malicious. It is easy to detect malicious behaviors using normal functions such as macros, hyperlinks, and DDE.

4. Debugging analysis: This is a step of analyzing vulnerabilities and exploits by executing and debugging non-executable files. Detecting vulnerabilities of applications using text, tables, fonts, pictures, etc. in documents, including macros, hyperlinks, and DDE suitable for doing

The reversing engine may include a debugging engine that may be used for debugging analysis. The debugging engine can diagnose vulnerabilities occurring in document input, processing, and output stages by using the debugging mode for the process of reading non-executable files. Vulnerability here refers to the use of errors and bugs that occur when an application program receives an unexpected value from the code (logic) developed by the application developer. Malicious document behavior such as remote code execution can be executed.

A debugging engine may include a debugger. A debugger is a tool for reverse engineering and can mean a program or process capable of breaking points in other target programs at the assembly level.

CDR engine (Contents Disarm and Reconstruction engine)

The CDR engine provides CDR services. The CDR service is a solution that disassembles non-executable files to remove malicious or unnecessary files, and creates new files by keeping the contents as identical as possible to the original.

In other words, CDR refers to a service that disarms and reconstructs contents in documents to create safe documents and provide them to customers. Here, the files to be harmless may be all non-executable files. Word files, Excel files, PowerPoint files, Hangul files, and PDF files may be exemplified as non-executable files. Content to be harmless may be active content. Examples of active content include macros, hyperlinks, and object linking and embedding (OLE).

3 is an example of an abnormal input that can be applied to this specification.

Referring to FIG. 3, when an application program receives an abnormal value (for example, when the input value exceeds the normal range of 2) through a non-executable file, the application program is changed into an execution flow unintended by the developer and is vulnerable. this can work. The debugging engine automatically debugs the document browsing process, sets a breakpoint at a specific point related to the vulnerability, checks a specific value related to the input value, determines whether the input value is a value that causes a vulnerability, and diagnoses whether the input value is malicious.

More specifically, the debugging engine can start debugging by identifying non-executable files and running an application to view them. When a module related to a document behavior is loaded while viewing a non-executable file, the debugging engine checks whether the module is an analysis target module, and if it is an analysis target, it can set a breakpoint at a designated address.

For example, a malicious non-executable file may have branching points at which an application program is terminated or branched into a flow in which no malicious activity occurs unless a specific condition such as an application version or an operating system environment is satisfied. The server can set a breakpoint at a divergence point that has been previously analyzed by an analyst and has this possibility.

In addition, the server may set conditions associated with a corresponding branching point to continuously execute the application program without terminating or lead to a flow in which a malicious action may occur.

If the process stops at the corresponding breakpoint while the process of the application program is running, the server may perform a step of detecting whether or not there is a vulnerability according to the detection logic and then storing the result in an analysis report.

The automated reversing engine included in the server can analyze and diagnose malicious non-executable files through a diagnosis algorithm researched and developed by an analyst by automatically performing and analyzing the above steps.

4 illustrates a method for determining a document behavior of a non-executable file to which this specification can be applied.

Referring to FIG. 4 , the server may include non-executable files and application programs (eg, MSOFFICE, Hancom Office, etc.) for executing non-executable files. For example, a document action of a non-executable file may include a macro action.

The server executes the process of the application program in debugging mode (S4010). For example, the server may execute a document process for opening a non-executable file to be analyzed by an application program in a debugging mode (DEBUG_ONLY_THIS_PROCESS) using the CreateProcess API. Through this, the server can receive the debug event of the application program process.

In more detail, the server can execute the application process by passing the “DEBUG_ONLY_THIS_PROCESS” flag using the CreateProcess API.

Based on the process of the application program, the server sets a first breakpoint at a point matching the document behavior (S4020). For example, the server can set a breakpoint by changing the OP (operating) code related to the process of the application program loaded into memory to “0xCC”. The OP code means an instruction code and may be a code in which work contents to be actually performed by the CPU are prepared. To do this, the server can change the memory using WriteProcessMemory.

In the server, information about a document act and a point where the document act is matched may be set in advance. For example, the server can set breakpoints using the WriteProcessMemory API according to the predefined behavior matching Break Point Table.

The server checks whether the non-executable file is being executed (S4030). More specifically, after setting a break point, the server checks whether other non-executable files requested for analysis are being read. Depending on the functions required by the non-executable file, the application process loads the necessary modules into the memory, so the application program has a state in which other non-executable files are not read in order to secure the reliability of determining the document behavior of the target non-executable file. should be For example, if a malicious non-executable file is read, the reliability of the document behavior determination result may be lowered.

Based on the fact that the non-executable file is not being executed, the server executes the non-executable file to be analyzed (S4040). In more detail, the server reads the non-executable file requested by the user for analysis using an application program process (eg, EXCEL, WORD, PPT, etc.) suitable for the format. For example, the server can browse the sample.ppt file using MS Power Point. Alternatively, the server may directly execute the file to be analyzed without checking whether the non-executable file is running.

The server determines whether a new module related to the non-executable file to be analyzed is loaded on the memory (S4050). When the non-executable file to be analyzed is executed by the application program process, the server checks whether a new module is loaded.

For example, the server may receive a debugging event when a debugging event occurs in an application program process using a debugging mode. The server can determine a new module (eg, DLL memory loading) when a LOAD DLL event occurs using the corresponding event. In more detail, the server may determine that a new module has been uploaded when a “LOAD_DLL_DEBUG_EVENT” event occurs.

For example, the server may newly load a module suitable for an application program process function into memory in order to use a function (for example, a macro, an ActiveX function, etc.) required in a non-executable file to be analyzed.

Based on the load of the new module, the server sets a second breakpoint at a point matching the document action (S4060). If it is not determined that the new module is loaded, the server does not set a second breakpoint.

The server monitors whether the application process is stopped at the first breakpoint and/or the second breakpoint (S4070). For example, the server can check whether the application process is stopped at the breakpoint and control of the process is transferred to the debugger. The debugger that has taken over control can check at which breakpoint it was interrupted.

Based on the monitoring result, the server generates document action information matching the first breakpoint and/or the second breakpoint (S4080). For example, the server can check the address value of the breakpoint. Thereafter, the server may generate and store information on a document activity matched with an address value of a breakpoint based on information about a corresponding document activity and a point where the corresponding document activity is matched.

Table 1 below is an example of the document behavior matched with the stored address value of the breakpoint.

Break Point Address document act 0x12345678 Run ActiveX from document

Also, to obtain the document behavior, the server may perform additional actions.

5 is an example of an additional action of a server to obtain a document action to which this specification may be applied.

Referring to Fig. 5, a "point condition" illustrates an additional action of the server to obtain a document action. For example, the server can detect the behavior of a Dynamic Data Exchange (DDE) document of a non-executable file document through a breakpoint. In addition, the server can know the command of the DDE function based on preset information (table).

For example, the server can confirm that string acquisition is implemented automatically in the code based on preset information, and when the code is extracted, the non-executable file can know which command to use using the DDE function. there is. Through this, the server can more accurately store the document action corresponding to the command.

6 illustrates a DDE function command detection table of a server to which this specification can be applied.

Referring back to FIG. 4 , the server determines whether the reading of the non-executable file to be analyzed is terminated (S4090). For example, the server may determine whether the viewing of the non-executable file to be analyzed is terminated in a manner such as when a preset time has elapsed or a message box (Alert) or a break point has not been passed for a certain period of time.

If the browsing is not terminated, the server continuously monitors whether the process of the application program is stopped at the breakpoint. Through this, the server can wait for the document action to fully manifest.

Thereafter, the server may transmit the stored document behavior information to the terminal. To this end, the terminal may include a management program capable of communicating with the server and controlling the operation of the server. The terminal may provide document action information to the user through the management application program.

Existing APT solutions extract document behavior based on sandbox changes after document behavior is manifested. This increases the analysis time because the sandbox has to wait until the document behavior is manifested. Also, since the last part is finally checked (eg, after sandbox change), the analysis speed in this specification is slower.

In addition, the server of the present specification may start analysis from the time when the application process is executed in the stage before the change of the sandbox.

In addition, since changes in document behavior are identified from the assembly level (eg, CPU instruction processing stage), the analysis speed (behavior extraction) is faster than that of existing APT solutions.

In addition, the existing APT solution waits until the document action appears, so it is difficult to know the end point. However, in this specification, since the server can roughly determine the end point of a document action, it is possible to analyze quickly.

In addition, in this specification, the server can accurately grasp the function used by the application program process corresponding to the document action.

7 is an embodiment of a server that can be applied to this specification.

Referring to FIG. 7, when a large amount of normal and malicious documents (non-executable files) are introduced, the server can improve the detection rate and advance the detection rate by utilizing OCR technology before determining the document behavior through the engine. .

Document behavior determination through the engine may include the document behavior determination method of non-executable files illustrated in FIG. 4 . The engine includes a reversing engine and a CDR engine.

For example, when documents are introduced, the server extracts text strings from the imported documents using OCR technology, compares the extracted text strings, and performs detailed analysis on matching documents. Through this, the detection rate of the engine can be improved.

If there is no matching, the server determines the document as a normal document and performs a detailed analysis on the next incoming document. Through this, the detection speed of the engine can be improved.

The server extracts the character string of the non-executable file using OCR (S7010). For example, a server may receive a non-executable file from another server or network. The server may generate a virtualization machine for analyzing the non-executable file and execute the non-executable file through the virtualization machine. The server may create an image file from a non-executable file through a virtualization machine. For example, the server may take a screenshot of the first page of the executed non-executable file and extract a character string from the screenshot image file using OCR.

8 to 10 are examples of a part of image files to which the present specification can be applied.

Referring to FIGS. 8 and 9 , when a server executes a Word file including macros, Word may display a security warning message for disabling macros included in the Word file for security reasons.

Referring to FIG. 10 , when a server executes a PowerPoint file including macros, PowerPoint may display a security warning message indicating that macros are disabled.

This security warning message can usually be displayed on the first page of non-executable files.

For example, Microsoft Office may display a security warning message to protect users from non-executable files (eg, Word, Excel, or PowerPoint files) containing macros.

The server may obtain an image file including such a security warning message using OCR.

For example, when a malicious document is executed, various malicious actions may be performed by automatically executing macros inside the document. According to MS-OFFICE's default security settings, if a macro is included inside a document, the macro is not automatically executed. In this case, the user can set security according to the security warning message.

Malicious non-executable files can use social engineering techniques to bypass these security settings. For example, the malicious non-executable file may provide the user with a guide on how to disable security settings by creating an image or text string on how to disable MS-OFFICE security warnings on the first page.

Referring back to FIG. 7 , the server may execute OCR through a virtualization machine and extract a string included in the image file. In more detail, the server may extract a string related to security setting release.

The server compares the suspected malicious character string with the extracted character string (S7020). For example, the suspicious malicious string includes a string related to releasing security settings of non-executable files (eg, Enable Content, Click, Enable Macros). Such a suspicious malicious string may be preset in the server based on the string of the security warning message.

The server may include in memory a database for managing a list of suspected malicious character strings.

The server analyzes the non-executable file based on the matching of the suspicious malicious character string and the extracted character string (S7030). For example, the server may perform the document behavior determination method of the non-executable file illustrated in FIG. 4 in order to analyze the non-executable file. In more detail, if there is a suspected malicious string matching the extracted string in the list of suspected malicious strings, the server may analyze whether the non-executable file contains a malicious macro. If not matched, the server may determine the non-executable file as a normal file without analyzing it.

The server updates the suspected malicious character string based on the fact that the non-executable file includes a malicious macro (S7040). For example, the server may accumulate and store character strings extracted from non-executable files determined to be malicious. The server may compare the accumulated character strings and add identically matched strings at a predetermined rate or more to the list of suspected malicious strings.

A typical APT (Advanced Persistent Threat) security solution (sandbox) has no way to cause user behavior (interaction), so it executes a macro detection function for all incoming documents (normal and malicious), so overall detection time this takes a long time

In the case of a debugger-based engine, there is a problem in that debugger detection must be performed even in normal documents that do not contain macros.

The present specification can solve these problems.

The above specification can be implemented as computer readable code on a medium on which a program is recorded. Computer-readable media include all types of recording devices in which data that can be read by a computer system is stored. Examples of computer-readable media include Hard Disk Drive (HDD), Solid State Disk (SSD), Silicon Disk Drive (SDD), ROM, RAM, CD-ROM, magnetic tape, floppy disk, optical data storage device, etc. , and also includes those implemented in the form of a carrier wave (eg, transmission over the Internet). Accordingly, the above detailed description should not be construed as limiting in all respects and should be considered illustrative. The scope of this specification should be determined by reasonable interpretation of the appended claims, and all changes within the equivalent scope of this specification are included in the scope of this specification.

In addition, although services and embodiments have been described above, this is only an example and does not limit the present specification, and those skilled in the art to which this specification belongs will not deviate from the essential characteristics of the present service and embodiments. It will be appreciated that various modifications and applications not exemplified above are possible. For example, each component specifically shown in the embodiments can be modified and implemented. And differences related to these modifications and applications should be construed as being included in the scope of the present specification as defined in the appended claims.

Claims (8)

A method for a server to detect a malicious macro of a non-executable file using OCR (Optical Character Recognition),
extracting a character string of the non-executable file using the OCR;
1) comparing a suspected malicious character string related to security setting release of the macro and 2) the extracted character string; and
analyzing whether or not the malicious macro is included in the non-executable file, based on matching between the suspicious malicious character string and the extracted character string;
Including,
Extracting the string of the non-executable file
generating a virtual machine for analyzing the non-executable file;
executing the non-executable file through the virtualization machine;
taking a screenshot of the first page of the non-executable file; and
extracting a character string from the screenshot image file using the OCR;
Including, malicious macro detection method.
According to claim 1,
updating the suspected malicious character string based on whether the non-executable file includes the malicious macro;
Further comprising a malicious macro detection method. delete According to claim 1,
The malicious suspect string is
Malicious macro detection methods, including “Enable Content”, “Click”, and “Enable Macros”.
According to claim 1,
extracting a character string of a next non-executable file based on a mismatch between the suspected malicious character string and the extracted character string;
Further comprising a malicious macro detection method.
According to claim 2,
Based on the non-executable file containing the malicious macro:
The extracted character string is accumulated and stored, malicious macro detection method. According to claim 6,
The step of updating the suspected malicious string
adding, to the suspected malicious character string, a character string identically matched at a predetermined rate or more from the accumulated and stored extracted set of character strings;
Including, malicious macro detection method. In a server that detects a malicious macro of a non-executable file using optical character recognition (OCR),
communications department;
a memory containing a database for managing suspicious malicious strings; and
A processor functionally controlling the communication unit and the memory;
The processor
Using the OCR, a character string of the non-executable file is extracted, 1) the malicious suspicious character string related to the release of the security setting of the macro, and 2) the extracted character string are compared, and the malicious suspicious character string and the extracted character string are compared. Based on the matching of, analyze whether the malicious macro is included in the non-executable file,
In order to extract the string of the non-executable file, a virtual machine for analyzing the non-executable file is created, the non-executable file is executed through the virtual machine, and the first page of the non-executable file is executed. A server for screenshotting and extracting a character string from the screenshot image file using the OCR.

Images