KR102495329B1 - Malware detection system using lstm method to provide a service vaccine platform with high detction rate - Google Patents

Abstract

The present invention relates to a malware detection system using a long short-term memory (LSTM) method to provide a service anti-virus platform with a high detection rate. The malware detection system comprises: a data input module that receives an analysis target file; a neural network module including an LSTM neural network; a neural network learning unit that trains the LSTM neural network using characteristics of input malware; and a malware diagnosis unit that inputs data from the analysis target file into the LSTM neural network to diagnose whether the same contains malware. The malware diagnosis unit includes a static diagnosis unit that diagnoses the data of the analysis target file through static analysis, and a dynamic diagnosis unit that executes the analysis target file and diagnoses the same through dynamic analysis. The static diagnosis unit diagnoses whether malware is included through the LSTM neural network.

Description

Malware detection system using LSTM method to provide service vaccine platform with high detection rate

The present invention relates to a malicious code detection system, and more particularly, to a malicious code detection system with improved malware detection performance by applying a long short-term memory (LSTM) neural network.

Malware refers to malicious programs created for malicious purposes that harm users, not for normal functions. Here, malware can be classified into spyware, adware, ransomware, etc. according to its form or purpose, and anti-malware is implemented in a user terminal to provide a function of detecting the malware in real time. Here, the anti-malware is often called a vaccine, and conventional vaccines generally detect malware using signatures, which are identification data collected in advance. As the above-described signature-type vaccine is detected through pattern matching of signatures and malware, continuous updates are essential to detect the latest malware, and detection is difficult when malware is forged or altered.

Accordingly, Korean Registered Patent Publication No. 10-2174475 (hereinafter referred to as 'prior art') discloses a system for identifying whether an application is obfuscated or packed using machine learning to overcome the above limitations, including it. A concealed malware detection classification system and method are disclosed. As shown in FIG. 1, the prior art includes a concealment inspection unit, a data extraction unit, a data conversion unit, and a malware diagnosis unit, wherein the malware diagnosis unit includes a static diagnosis unit such as a convolutional neural network (CNN) and a recurrent neural network (RNN) ), etc., to improve the ability to detect malicious codes.

As in the preceding literature, when the artificial intelligence method is applied by breaking away from the technology limited to the signature method, there is an advantage in that the detection performance for forged malware is also improved while having superior detection performance. However, in the case of using an existing RNN neural network in malware diagnosis, if the distance between the relevant information and the point where the information is used is long, the gradient gradually decreases during backpropagation, resulting in a vanishing gradient problem in which the learning ability is greatly reduced. According to the disadvantage of being used for a long time, data is lost during long-term use, which can lead to a problem of performance deterioration.

KR 10-2174475 B1 (2020.11.04.)

The present invention was made to solve the problems of the prior art, and the present invention relates to a malware detection system to which artificial intelligence analysis using an LSTM neural network is applied to improve malware detection performance.

A data input module for receiving an analysis target file according to the present invention to achieve the above object; A neural network module including a Long Short-Term Memory (LSTM) neural network; a neural network learning unit for learning the LSTM neural network using the input characteristics of the malware; and a malware diagnosis unit inputting the data of the analysis target file into the LSTM neural network to diagnose whether malware is included, wherein the malware diagnosis unit diagnoses the data of the analysis target file through static analysis. and a dynamic diagnosis unit that executes the file to be analyzed and diagnoses it through dynamic analysis, and the static diagnosis unit can diagnose whether or not malware is included through the LSTM neural network.

In addition, the dynamic diagnosis unit may include a virtual machine analyzer for diagnosing the analysis target file through dynamic analysis to detect malware in a plurality of virtual machine (VM) environments.

In addition, the virtual machine analyzer may collect information by allowing some of the plurality of virtual machines to run different operating systems (OS) and to execute analysis target files on each operating system.

In addition, the dynamic diagnosis unit further includes a real machine analysis unit for diagnosing the analysis target file by dynamic analysis to detect malware in at least one real machine environment, wherein the virtual machine analysis unit determines the analysis target file While detecting whether a detour log exists, the real machine analyzer may receive an analysis target file including a detour log for bypassing the virtual machine analyzer from the virtual machine analyzer.

In addition, the neural network learning unit collects information on normal files and malicious files including malware, analyzes the characteristics of the normal files and malicious files, and learns the LSTM neural network. It may include at least one of information, size and packing information, Import API, Export API, file type and size.

In addition, the anti-malware cloud server according to the present invention includes the above-described malicious code detection system; A communication unit for receiving analysis target files from a user terminal through a network; And an application installed in the user terminal and receiving information of the LSTM neural network from the server; and upon receiving the analysis target file from the user terminal, diagnosing whether the analysis target file contains malware, and learning the diagnosis result An LSTM neural network may be provided to the user terminal.

In addition, the anti-malware cloud server according to the present invention includes the above-described malicious code detection system; A communication unit for receiving analysis target files from a user terminal through a network; a memory unit for temporarily storing the received analysis target file until analysis; a database storing analysis results respectively diagnosed by the static diagnosis unit and the dynamic diagnosis unit; and a data correction module for post-processing the analysis results stored in the database, wherein the data correction module can post-process data after static analysis and dynamic analysis to store the risk according to the type of malware as related data. .

In addition, the database includes a plurality of storage devices, and the plurality of storage devices include: a group DB in which data sets are constructed for each group for a plurality of group data; A personal DB in which data sets are constructed for each user for a plurality of user data; and a relationship DB in which information on groups to which each user belongs is stored.

In addition, in the group DB, a plurality of groups including at least one of institutions, corporations, local governments, and schools are divided by an in-house intranet, and relation data between groups may be stored in the relation DB.

In addition, the memory unit has a predetermined memory, and when the anti-malware cloud server according to the present invention has a usage rate greater than N ₁ % compared to the maximum amount of data in the memory unit, the files temporarily stored in the memory unit are stored in the memory unit through the following steps. can be processed through

a) determining whether there is a group belonging to the user who uploaded the file;

b) if there is a group matched in step a, searching for previously detected malware in the corresponding group;

c) statically diagnosing files by specifying only previously detected malware when there is already detected malware in the corresponding group;

(Where 100 > N ₁ > 0)

In addition, the anti-malware cloud server according to the present invention may process files temporarily stored in the memory unit through the following steps when the usage rate is greater than N ₂ % and smaller than N ₁ % in preparation for the maximum amount of data in the memory unit. there is.

a) determining whether there is a group belonging to the user who uploaded the file;

b) if there is a group matched in step a, searching for previously detected malware in the corresponding group;

c) statically diagnosing files by specifying only previously detected malware when there is already detected malware in the corresponding group;

d) if there is no previously detected malware in the corresponding group, searching for at least one association group related to the corresponding group in a relational DB; and

e) statically diagnosing files by specifying only previously detected malware when there is previously detected malware in the searched association group;

(Where 100 > N ₁ > N ₂ > 0)

In addition, the N ₂ may be between 30 and 50, and the N ₁ may be formed between 60 and 80.

The malicious code detection system according to the present invention according to the above-described configuration has the advantage of providing a fast and accurate detection function by allowing an artificial neural network to learn based on the latest malware information through a collection server and to select forged or altered files. there is.

In addition, the malicious code detection system according to the present invention can selectively utilize static analysis and dynamic analysis according to the user's request, improve the accuracy of static analysis through LSTM, and improve the accuracy of dynamic analysis including virtual and real machines. has the advantage of improving This may lead to an advantage of minimizing system load.

1 is a block diagram of a concealed malware detection system according to the prior art.
2 is a diagram illustrating an anti-malware cloud server communicating with a user terminal according to the present invention.
3 is a configuration diagram of an anti-malware cloud server according to the present invention.
4 is a configuration diagram of a malicious code detection system according to the present invention.
5 is a configuration diagram of a diagnosis unit according to the present invention.
6 is a diagram showing AI characteristics used in a static diagnosis unit according to the present invention.
7 is a diagram showing a library used in a static diagnosis unit according to the present invention.
8 is a configuration diagram of a dynamic diagnosis unit according to the present invention.
9 is a diagram showing a neural network learning process according to the present invention.
10 and 11 are exemplary diagrams of a neural network model according to the present invention.
12 is a distribution diagram of learning data according to the present invention.
13 is a diagram illustrating a confusion matrix according to a Convolutional Neural Network (CNN) neural network model.
14 is a diagram illustrating a confusion matrix according to a Recurrent Neural Network (RNN) neural network model.
15 is a diagram showing a confusion matrix according to a long short-term memory (LSTM) neural network model.
16 is a diagram showing a confusion matrix according to the CNN-LSTM neural network model.
17 is a flowchart showing a malware analysis method according to the present invention.
18 to 20 are diagrams showing the interface of the present invention output to the user terminal.
Fig. 21 illustrates a database comprising multiple storage devices.

Hereinafter, a malicious code detection system according to the present invention will be described in detail with reference to the accompanying drawings. The drawings introduced below are provided as examples to sufficiently convey the spirit of the present invention to those skilled in the art. Therefore, the present invention may be embodied in other forms without being limited to the drawings presented below. Also, like reference numbers indicate like elements throughout the specification.

Unless otherwise defined, the technical terms and scientific terms used at this time have meanings commonly understood by those of ordinary skill in the art to which this invention belongs, and the gist of the present invention is unnecessary in the following description and accompanying drawings. Descriptions of well-known functions and configurations that may be obscure are omitted.

Further, implementations described herein may be implemented in, for example, a method or process, an apparatus, a software program, a data stream, or a signal. Even if discussed only in the context of a single form of implementation (eg, discussed only as a method), the implementation of features discussed may also be implemented in other forms (eg, an apparatus or program). The device may be implemented in suitable hardware, software and firmware. The method may be implemented in an apparatus such as a processor, which is generally referred to as a processing device including, for example, a computer, microprocessor, integrated circuit, programmable logic device, or the like. Processors also include communication devices such as computers, cell phones, personal digital assistants ("PDAs") and other devices that facilitate communication of information between end-users.

In addition, terms used in this specification are only used to describe specific embodiments, and are not intended to limit the present invention. Singular expressions include plural expressions unless the context clearly dictates otherwise. In this application, the terms "include" or "have" are intended to designate that there is a feature, number, step, operation, component, part, or combination thereof described in the specification, but one or more other features It should be understood that the presence or addition of numbers, steps, operations, components, parts, or combinations thereof is not precluded.

2 and 3 relate to an anti-malware cloud server according to the present invention. FIG. 2 shows a diagram showing an anti-malware cloud server communicating with a user terminal, and FIG. 3 shows a configuration diagram of the anti-malware cloud server, respectively.

Referring to FIG. 2, the anti-malware cloud server 10 according to the present invention can be connected to a user terminal 20 through a network, and the user terminal 20 is a personal user terminal brought by an individual user. (21) or an institutional user terminal 22 accessed by the institution. Here, the personal user terminal 21 may be in the form of access by domestic and foreign individual users, and the institutional user terminal 22 may be in the form of access by private companies such as small and medium-sized enterprises, medium-sized companies, and large companies, financial institutions, or public institutions. there is. At this time, when the anti-malware cloud server 10 according to the present invention receives a malware analysis request through artificial intelligence from the user terminal 20, it can diagnose whether or not malware is included by analyzing the received file through the built-in artificial intelligence neural network. there is.

The network means a connection structure in which the nodes of the anti-malware cloud server 10 and the user terminal 20 according to the present invention can exchange information with each other. Examples of the network include a 3rd Generation Partnership Project (3GPP) network, LTE (Long Term Evolution) network, WIMAX (World Interoperability for Microwave Access) network, Internet (Internet), LAN (Local Area Network), Wireless LAN (Wireless Local Area Network), WAN (Wide Area Network), PAN (Personal Area Network) Network), a Bluetooth network, a satellite broadcasting network, an analog broadcasting network, a Digital Multimedia Broadcasting (DMB) network, and the like, but are not limited thereto.

The user terminal 20 includes a digital broadcasting terminal, mobile phone, PDA (personal digital assistants), PMP (portable multimedia player), navigation, tablet PC, wearable device, smart glass, etc. It can be implemented in various types of mobile terminals. Alternatively, the user terminal 20 is implemented as a desktop PC, a laptop computer, or a personal computer such as an ultrabook, which is a fixed terminal, and is connected to the anti-malware cloud server 10 according to the present invention. may be

Referring to FIG. 3, the anti-malware cloud server 10 according to the present invention is networked with the malicious code detection system 100 and the user terminal 20 for analyzing whether or not malware is included in the received analysis target file. It may include a communication unit 200 that is connected and communicates data, and a database 300 that records data in association with the malicious code detection system 100. In addition, the anti-malware cloud server 10 according to the present invention includes a memory unit 400 for temporarily storing the analysis target file received from the communication unit 200 until analysis, and post-processing the analysis result stored in the database 300 A data correction module 500 may be further included. The database 300 may be configured to more easily search for highly interconnected data sets, including a meta database or a graph database (GDB) composed of a plurality of storage devices or metadata. there is. In addition, the data correction module 500 may post-process data after static analysis and dynamic analysis to store the risk according to the type of malware as related data.

The anti-malware cloud server 10 according to the present invention may further include an application 600 installed in the user terminal 20 to provide an input/output interface. When the file to be analyzed is received from the user terminal 20, the malicious code detection system 100 can check whether the file to be analyzed contains malware, and in the interface of the application 600 of the user terminal 20 The file to be analyzed may be uploaded and transmitted to the anti-malware cloud server 10 . In addition, the malicious code detection system 100 may determine whether the file to be analyzed includes malware through AI analysis including an artificial neural network.

When a plurality of analysis target files are received, the memory unit 400 may temporarily store the analysis target files and sequentially transmit the analysis target files to the malicious code detection system 100 . And the database 300 can record the identification information or history of the user terminal 20, or update the DB for the artificial neural network and malware information to the latest information. In addition, the malicious code detection system 100 compares the characteristics of the received file to be analyzed with the recorded malware information in addition to the static analysis of the existing signature method, and provides to detect even forged malware by determining the similarity of the artificial neural network. It can be.

4 and 5 relate to a malicious code detection system according to the present invention, FIG. 4 shows a configuration diagram of the malicious code detection system, and FIG. 5 shows a configuration diagram of a malware diagnosis unit, respectively.

Referring to FIG. 4 , the malicious code detection system 100 according to the present invention may include a malware diagnosis unit 110, a neural network module 120, a data input module 130, and a data output module 140. When a file to be analyzed is received from the user terminal 20 through the communication unit 200 , the file to be analyzed may be input to the data input module 130 . At this time, when temporary storage is required, such as when there are a large number of files to be analyzed or when a file being previously analyzed exists, the file to be analyzed is input to the data input module 130 via the memory unit 400 The malware diagnosis unit 110 may diagnose whether the file to be analyzed includes malware. At this time, the malware diagnosis unit 110 may be connected to the neural network module 120, and the neural network module 120 may include an artificial neural network. Here, the neural network module 120 includes an artificial neural network such as a convolutional neural network (CNN), a recurrent neural network (RNN), or a long short-term memory (LSTM), or a complex artificial neural network such as CNN-LSTM. It could be. More preferably, the neural network module 120 may include an LSTM neural network. At this time, the malware diagnosis unit 110 includes application specific integrated circuits (ASICs), digital signal processors (DSPs), digital signal processing devices (DSPDs), programmable logic devices (PLDs), field programmable gate arrays (FPGAs), and controllers. ), micro-controllers, microprocessors, and electrical units for performing other functions. In addition, the result of diagnosis by the malware diagnosis unit 110 is the data output module. It can be output through 140 and transmitted to the user terminal 20 through the communication unit 200 . Accordingly, it can be provided so that the user can immediately check whether the file to be analyzed is malicious or not.

The malicious code detection system 100 according to the present invention may further include a neural network learning unit 150 that trains the artificial neural network using the input characteristics of malware. Here, the neural network learning unit 150 is connected to the database 300 and the collection server 30 to transmit/receive data, and based on the characteristics of normal files and malware collected by the collection server 30, the neural network The artificial neural network of module 120 may be trained.

Referring to FIG. 5, the malware diagnosis unit 110 includes a static diagnosis unit 111 for diagnosing the data of the analysis target file through static analysis and a dynamic diagnosis unit for executing the analysis target file and diagnosing it through dynamic analysis. (112). Here, the static diagnosis unit 111 may detect malware by analyzing the analysis target file and performing static analysis on the analysis target file through the neural network module 120 . Also, the dynamic diagnosis unit 112 may detect malware by executing and analyzing the file to be analyzed through at least one physical machine. In this case, dynamic analysis may refer to an analysis method of performing malicious code analysis by collecting behavior information of an analysis target file when the analysis target file is executed on an operating system running in a virtual machine or real machine environment.

6 to 8 relate to a malicious code detection system according to the present invention, FIG. 6 is a diagram showing AI characteristics used in the static diagnosis unit, FIG. 7 is a diagram showing a library used in the static diagnosis unit, and FIG. 8 shows a configuration diagram of the dynamic diagnosis unit, respectively.

Referring to FIG. 6, a case in which the analysis target file is a PE (Portable Executable) file executed in Windows will be described in more detail. In the static diagnosis unit 111, various attributes can be used as AI features for malware detection. The properties that can be used here are pe.has_configuration, whether the Load Configuration exists in the PE file, pe.has_debug, whether the Debug section exists in the PE file, pe.has_exceptions whether or not exceptions are used in the PE file, and pe, whether the exported symbol exists in the PE file. .has_exports, pe.has_imports whether symbols are imported in PE files, pe.has_nx whether sets exist in PE files, pe.has_relocations whether there are relocation entries in PE files, pe.has_resources whether resources exist in PE files, rich header may be at least one of pe.has_rich_header indicating existence of , pe.has_signature indicating whether a PE file is digitally signed, or pe.has_tls indicating whether a PE file is used.

The static diagnosis unit 111 normalizes the first 64 bytes as an entry point of the PE file to use as a characteristic to detect malware, and normalizes each byte of the PE file to use the characteristic as a PE histogram. In addition, as shown in FIG. 7, if a PE file composed of a plurality of libraries corresponds to a list of some libraries, a weight may be assigned and used as a characteristic. In addition, some information about the PE section may use an encoded value as a characteristic, and at this time, the average Shannon entropy size of each section or the ratio between the size on disk and the size on memory may be included. The static diagnosis unit 111 may include a preprocessing process through a process of pre-analyzing obfuscation or packing and unpacking. In addition, the unpacked analysis target file can be analyzed using tools such as Veratrace, IDA Pro, and Objdump in the dump file obtained from Software De-Armoring. Also, mnemonic, API calls, or guidelines may be extracted for the characteristics of the file, and the frequency of the extracted characteristics may be calculated. Subsequently, a process of extracting features may be performed through normalization and discretization of the feature space using the frequency vector table of each feature and Zscore.

Referring to FIG. 8 , the dynamic diagnosis unit 112 may include a virtual machine analysis unit 112a for diagnosing the analysis target file by dynamic analysis to detect malware in a plurality of virtual machine (VM) environments. can At this time, the virtual machine analysis unit 112a may perform dynamic analysis on the analysis target file in the virtual machine environment and store the analysis result in the database 300 .

The dynamic diagnosis unit 112 may further include a real machine analysis unit 112b for diagnosing the analysis target file through dynamic analysis to detect perlware in at least one real machine environment. And, if the file to be analyzed includes a detour log for bypassing the virtual machine, the virtual machine analyzer 112a transmits the file to be analyzed to the real machine analyzer 112b and the real machine analyzer 112b ), dynamic analysis may be performed once more in a real machine environment, and analysis results may be stored in the database 300. Here, the detour log may mean a log to avoid a commonly used virtual machine-based dynamic analysis technique, and if the analysis target file includes such a detour log, the behavior information of the analysis target file in the virtual machine environment. As a limitation occurs in collecting , it may be provided to perform dynamic analysis once more in a real machine environment. The database 300 stores OSINT (Open Source Intelligence) information collected from an external server together with result information of the dynamic analysis performed by the virtual machine analyzer 112a and the real machine analyzer 112b, thereby diagnosing the malware. The unit 110 may perform correlation analysis using the dynamic analysis result information and OSINT information stored in the database 300 . Here, the correlation analysis may perform correlation analysis on the API call sequence, vulnerability attack information, drop file information, dump information, malicious traffic information, and process information, and detect the result.

In addition, the virtual machine (VM: Virtual Machine) emulates a computing environment made through a real machine (PC, laptop, portable terminal, etc.) and implements it as software, an environment in which an operating system or application program can be executed as in a real machine Examples of virtual machines may include VMware, VirtualBox, or QEMU/KVM, but are not necessarily limited thereto.

Some of the virtual machine analyzers 112a among the plurality of virtual machine analyzers 112a may collect information by driving different operating systems (OSs) and executing analysis target files on each operating system. Different operating systems (OS) may include windows 7 (32bit, 64bit), windows 8 (32bit, 64bit), windows 10 (32bit, 64bit), windows 11 (32bit, 64bit), Linux, Mac, Android, etc. , This is only explained as an example of an operating system currently in use, but is not necessarily limited thereto, and of course, dynamic analysis can be performed for any operating system (OS), including an operating system to be developed in the future. In addition, by performing dynamic analysis simultaneously or sequentially on different operating systems (OS) in a real machine environment for the same analysis target file through this analysis method, it is possible to determine in which operating system the malware detected in the analysis target file is most vulnerable. can be analyzed.

9 to 16 relate to a learning process of a malicious code detection system according to the present invention, FIG. 9 is a diagram showing a neural network learning process according to the present invention, FIGS. 10 and 11 are examples of a neural network model, 12 shows a distribution of training data, and FIGS. 13 to 16 show a confusion matrix according to various neural network models.

Referring to FIG. 9, the neural network learning unit 150 according to the present invention collects normal files and malicious files from the web through the collection server 30, analyzes the characteristics of the normal files and malicious files, and It is recorded in the database 300 and based on this, the neural network module 120 can be trained. At this time, the neural network learning unit 150 may extract, analyze, and record at least one characteristic of header information, size information, packing information, import API, export API, file type, and file size of the normal file and the malicious file.

Referring to FIGS. 10 and 11 , the neural network module 120 according to the present invention may be composed of, for example, two neuron networks having 70 neurons, and an activation function of ReLU dropout of 30%. At this time, the input is set to 486 and the output is set to 2, and the optimizer's Adam Loss Function can use banary_crossentropy. At this time, the batch size is 64, the number of learning times (epochs) is 50, and the EarlyStopping callback function can be used to design to stop learning when there is no decrease in loss for more than 5 times. Referring to FIG. 12 , the distribution of data used in the temporarily designed neural network module 120 may be evenly distributed as shown. In addition, the total learning data is defined as 139,979, and the accuracy of each artificial neural network can be measured by verifying the algorithm with various types of artificial neural networks.

As shown in FIG. 13, according to the confusion matrix through the CNN (Convolutional Neural Network) model, the learning loss is 0.3237, the accuracy is calculated as 0.8558, the validation val_loss is 0.3204, and the val_accuracy is calculated as 0.8550. can And, as shown in FIG. 14, according to the confusion matrix through the RNN (Recurrent Neural Network) model, the learning loss is 0.5243, the accuracy is 0.7558, the verification val_loss is 0.4844, and the val_accuracy is 0.7795. Can be calculated.

As shown in FIG. 15, according to the confusion matrix through the LSTM (Long Short-Term Memory) model, the learning loss is 0.0977 and the accuracy is 0.9669, and the validation val_loss is 0.0943 and the val_accuracy is 0.9689. can be derived. And, as shown in FIG. 16, according to the confusion matrix through the CNN-LSTM model, the learning loss is 0.6382, the accuracy is 0.5872, the verification val_loss is 0.6398, and the val_accuracy is 0.5894.

As described above, an AI model suitable for malware detection may be most preferable to be used in the neural network module 120 as the LSTM model shows the best result in accuracy.

17 to 20 relate to a malware analysis method according to the present invention, FIG. 9 is a diagram showing a neural network training process according to the present invention, FIGS. 10 and 11 are examples of a neural network model, and FIG. 12 is a learning diagram. As for the distribution of data, FIGS. 13 to 16 each show a confusion matrix according to various neural network models.

Referring to FIG. 17, in the malware analysis method according to the present invention, when an analysis target file is received from the user terminal 20 and an analysis request is started, an analysis standby step (S100), a static analysis step (S200), and result recording Through step (S300) and information processing step (S400), it is possible to provide information on the result to the user terminal (20). In addition, if the user terminal 20 also requests dynamic analysis, a dynamic analysis step (S210) may be further included. Here, the analysis standby step (S100) may be a step of temporarily storing the received analysis target file in the memory unit 400 before the static analysis or dynamic segmentation. The static analysis step (S200) and the dynamic analysis step (S210) may be steps in which static analysis and dynamic analysis are performed through the static diagnosis unit 111 and the dynamic diagnosis unit 112, respectively. In addition, the result recording step (S300) may be a step of recording the analysis result in the database 300, and may be a step that includes post-processing the information of the database 300 through the data correction module 500. there is. And the information processing step (S300) is to process the analyzed result data so that the user can view it through the interface of the user terminal 20, whether or not the analysis target file contains malware, the type of malware included, or the type of malware. Result data such as risk may be included.

As shown in FIG. 18 , an interface connected to the anti-malware cloud server 10 of the present invention may be provided to the user terminal 20 through an application or the like. At this time, the interface of the user terminal 20 may set a function to upload a file to be analyzed, a function to select any one of static analysis and dynamic analysis for the file to be analyzed, and a threat notification threshold through AI analysis. And, as shown in FIG. 19, the anti-malware cloud server 10 stores the risk level for each malware as related data, but may also provide the user terminal 20 with the risk level for the malware found in the file to be analyzed. . Alternatively, information on the artificial neural network of the neural network module 120 may be provided to the user terminal 20, and the processor of the user terminal 20 provides the device to immediately analyze malware based on the received artificial neural network information. It could be.

20 is an example of a detection analysis report provided from the anti-malware cloud server 10 to the user terminal 20, and may provide classification, detection start and end time, required time, analysis machine, analysis OS, risk level, etc. . In addition, as detailed information on the analysis information is additionally provided, there is an advantage in that the user can identify more precise information.

21 relates to an anti-malware cloud server according to the present invention, and FIG. 21 shows a diagram showing a database including a plurality of storage devices.

Referring to FIG. 21, the anti-malware cloud server 10 according to the present invention includes a malicious code detection system 100 for analyzing whether or not malware is included in the received analysis target file as described above, and the user terminal ( 20) and a communication unit 200 that communicates data by being connected to the network, and a database 300 that records data in association with the malicious code detection system 100. In addition, the anti-malware cloud server 10 according to the present invention includes a memory unit 400 for temporarily storing the analysis target file received from the communication unit 200 until analysis, and post-processing the analysis result stored in the database 300 A data correction module 500 may be further included. Here, the database 300 may be composed of a plurality of storage devices including a group DB 310, an individual DB 320 and a relation DB 330.

In the group DB 310, a dataset may be built for each group for a plurality of group data, and each group may be grouped according to whether an intranet is built. More specifically, at least one of institutions, corporations, local governments, and schools in which one intranet network is built may be grouped, and a plurality of groups may use different Internet networks. At this time, the group DB 310 may include information related to the group, such as a company name and location, a file previously uploaded by the group, or a diagnosis result of the file. In this case, it may be preferable that the diagnosis result includes the type of malware found in the corresponding file.

In the personal DB 320, a data set may be constructed for each user with respect to a plurality of user data. At this time, user data may be classified for each user through IP address, device information, ID (Identification Number), and the like. In this case, the data set built for each user may include the user's personal information, a file previously uploaded by the user, or a diagnosis result of the file. In this case, it may be preferable that the diagnosis result includes the type of malware found in the corresponding file.

The relation DB 330 may store information on groups to which each user belongs, and may also store relational data between groups. More specifically, in the case of users belonging to at least grouped institutions, corporations, government local governments, and schools, the user can be stratified so that the user is matched with the corresponding group. At this time, a number of user groups may be matched and stratified in one group, and when malware is diagnosed in a file uploaded by one user, information on the malware diagnosed for the group to which one user belongs may be stored. there is. In addition, when another user belongs to the same group, the history of files uploaded from the terminal of the other user and the history of users grouped into the same group may be recorded as related data. Also, since various relationships such as partner companies, subsidiaries, and customer companies can be formed between groups using different intranets, a function for designating two or more groups as related companies may be included. For example, in the case of inputting a parent company A group to a subsidiary group B as an affiliate, an affiliate approval request from the user terminal 20 authenticated as the B group may be designated as an affiliate between the A group and the B group. And when malware is found in a file uploaded from one user terminal 20, the file uploaded from another user terminal 20 using the same intranet is classified as the first risk group for the malware, and it is not the same intranet, but A file uploaded from another user terminal 20 belonging to an affiliate group may be classified as a second risk group for the corresponding malware. Here, the malicious code detection system 100 may determine that the first risk group is infected with a higher probability than the second risk group.

The memory unit 400 may have a predetermined memory, and when the usage rate is high compared to the maximum amount of data, a rapid test may be performed for the first risk group and the second risk group. That is, when large-capacity files are uploaded to the anti-malware cloud server 10 in a short period of time and the usage of the memory unit 400 is high, rapid processing is possible and a quick scan can be performed to reduce the load. . For example, when the usage rate compared to the maximum amount of data in the memory unit 400 is greater than N ₁ %, files temporarily stored in the memory unit 400 may be processed through the following steps.

a) determining whether there is a group belonging to the user who uploaded the file;

b) if there is a group matched in step a, searching for previously detected malware in the group;

c) statically diagnosing files by specifying only previously detected malware if there is already detected malware in the group;

The N ₁ % may be formed to be less than 100% and greater than 0%. In this way, when the memory usage of the memory unit 400 is greater than N ₁ %, files uploaded from the user terminal 20 corresponding to the first risk group are statically diagnosed by specifying only the malware type previously found in the group to which they belong. It can be done. In addition, the quick diagnosis result may be provided to the user terminal 20 and at the same time, it may be notified through an interface that the quick diagnosis has been made. Here, in the first risk group, not only static diagnosis of all malware types found in the group to which it belongs, but also static diagnosis may be made using information collected during a specific period, such as malware types found within 2 years in the group to which it belongs. there is.

When the usage rate of the memory unit 400 is less than N ₁ % and greater than N ₂ %, both the first risk group and the second risk group may be diagnosed for temporarily stored files through the following steps.

a) determining whether there is a group belonging to the user who uploaded the file;

b) if there is a group matched in step a, searching for previously detected malware in the group;

c) statically diagnosing files by specifying only previously detected malware if there is already detected malware in the group;

d) If there is no previously detected malware in the corresponding group, searching for at least one related group associated with the corresponding group in the relational DB;

e) If there is already detected malware in the searched association group, statically diagnosing the file by specifying only the previously detected malware;

(Where 100 > N ₁ > N ₂ > 0)

More preferably, the N ₂ is between 30 and 50, and the N ₁ may be formed between 60 and 80. Accordingly, when the usage rate of the memory unit 400 is excessively high and a resource greater than N1% is used, a rapid test for the first risk group can be performed, and the usage rate of the memory unit 400 is the N1% and N2%. In the case of using a high resource between %, a rapid test for the first risk group and the second risk group may be performed. At this time, the quick scan selects the files uploaded sequentially as described above and transfers them from the memory unit 400 to the malicious code detection system 100, and the user terminal ( 20) can be provided. That is, when there is no group to which the user who uploaded the file to be analyzed in step a belongs, the malicious code detection system 100 can perform static and dynamic diagnosis on the corresponding file, and if there is a matched group, the malicious code detection system 100 can perform Depending on the usage rate of the memory unit 400, the static diagnosis unit 111 of the malicious code detection system 100 may inspect the first risk group or the first and second risk groups.

Embodiments according to the present invention described above may be implemented in the form of program instructions that can be executed through various computer components and recorded on a computer-readable recording medium. The computer readable recording medium may include program instructions, data files, data structures, etc. alone or in combination. Program instructions recorded on the computer-readable recording medium may be specially designed and configured for the present invention, or may be known and usable to those skilled in the art of computer software. Examples of computer-readable recording media include magnetic media such as hard disks, floppy disks and magnetic tapes, optical recording media such as CD-ROMs and DVDs, and magneto-optical media such as floptical disks. medium), and hardware devices specially configured to store and execute program instructions, such as ROM, RAM, flash memory, and the like. Examples of program instructions include high-level language codes that can be executed by a computer using an interpreter or the like as well as machine language codes generated by a compiler. A hardware device may be modified with one or more software modules to perform processing according to the present invention and vice versa.

Specific implementations described in the present invention are examples and do not limit the scope of the present invention in any way. For brevity of the specification, description of conventional electronic components, control systems, software, and other functional aspects of the systems may be omitted. In addition, the connection of lines or connecting members between the components shown in the drawings are examples of functional connections and / or physical or circuit connections, which can be replaced in actual devices or additional various functional connections, physical connection, or circuit connections. In addition, if there is no specific reference such as "essential" or "important", it may not necessarily be a component necessary for the application of the present invention.

In addition, the detailed description of the present invention described has been described with reference to preferred embodiments of the present invention, but those skilled in the art or those having ordinary knowledge in the art will find the spirit of the present invention described in the claims to be described later. And it will be understood that the present invention can be variously modified and changed without departing from the technical scope. Therefore, the technical scope of the present invention is not limited to the contents described in the detailed description of the specification, but should be defined by the claims.

10 : Antimalware Cloud Server
20: user terminal
21: personal user terminal
22: institutional user terminal
30: collection server
100: malware detection system
110: malware diagnosis unit
111: static diagnosis unit
112: dynamic diagnosis unit
112a: virtual machine analysis unit
112b: real machine analysis unit
120: neural network module
130: data input module
140: data output module
150: neural network learning unit
200: Ministry of Communication
300: database
310: group DB
320: Personal DB
330; Relation DB
400: memory unit
500: data correction module
600: application

Claims (12)

In the anti-malware cloud server including a malicious code detection system,
The malicious code detection system,
A data input module that receives an analysis target file;
A neural network module including a Long Short-Term Memory (LSTM) neural network;
a neural network learning unit for learning the LSTM neural network using the input characteristics of the malware; and
a malware diagnosis unit for diagnosing whether or not malware is included by inputting the data of the file to be analyzed into the LSTM neural network;
including,
The malware diagnosis unit,
A static diagnosis unit for diagnosing the data of the analysis target file by static analysis and a dynamic diagnosis unit for diagnosis by dynamic analysis by executing the analysis target file;
The static diagnosis unit diagnoses whether or not malware is included through the LSTM neural network,
The dynamic diagnosis unit,
Including a virtual machine analysis unit for diagnosing the analysis target file by dynamic analysis to detect malware in a plurality of virtual machine (VM) environments;
The anti-malware cloud server,
the malicious code detection system;
A communication unit for receiving analysis target files from a user terminal through a network;
a memory unit for temporarily storing the received analysis target file until analysis;
a database storing analysis results respectively diagnosed by the static diagnosis unit and the dynamic diagnosis unit; and
A data correction module for post-processing the analysis results stored in the database;
including,
The data correction module,
For the data that has been subjected to static and dynamic analysis, post-processing is performed to store the risk level according to the type of malware as related data.
The database includes a plurality of storage devices,
A plurality of the memory devices,
A group DB in which data sets are constructed for each group for a plurality of group data; A personal DB in which data sets are constructed for each user for a plurality of user data; and a relationship DB in which information on groups to which each user belongs is stored.
including,
In the group DB, a plurality of groups including at least one of institutions, corporations, government bodies, and schools are classified by an in-house intranet,
The anti-malware cloud server, characterized in that the relation data between groups is stored in the relation DB.
delete According to claim 1,
The virtual machine analysis unit,
An anti-malware cloud server characterized in that some of the virtual machines run different operating systems (OS) and collect information by executing analysis target files on each operating system.
According to claim 1,
The dynamic diagnosis unit,
Further comprising a real machine analysis unit for diagnosing the analysis target file by dynamic analysis to detect malware in at least one real machine environment,
The virtual machine analysis unit,
Detect whether a detour log exists in the file to be analyzed,
The real machine analysis unit,
The anti-malware cloud server, characterized in that for receiving an analysis target file including a detour log for bypassing the virtual machine analysis unit from the virtual machine analysis unit.
According to claim 1,
The neural network learning unit,
Collect information on normal files and malicious files including malware, analyze the characteristics of the normal files and malicious files, and train the LSTM neural network,
The characteristics of the normal file and the malicious file include at least one or more of header information, size and packing information, Import API, Export API, file type and size.
delete delete delete delete According to claim 1,
The memory unit has a predetermined memory,
When the usage rate is greater than N ₁ % compared to the maximum amount of data in the memory unit,
The anti-malware cloud server, characterized in that for processing the files temporarily stored in the memory unit through the following steps.
a) determining whether there is a group belonging to the user who uploaded the file;
b) if there is a group matched in step a, searching for previously detected malware in the corresponding group;
c) statically diagnosing files by specifying only previously detected malware when there is already detected malware in the corresponding group;
(Where 100 > N ₁ > 0)
According to claim 10,
The anti-malware cloud server, characterized in that, in preparation for the maximum amount of data in the memory unit, processing the files temporarily stored in the memory unit through the following steps when the usage rate is greater than N ₂ % and smaller than N ₁ %.
a) determining whether there is a group belonging to the user who uploaded the file;
b) if there is a group matched in step a, searching for previously detected malware in the corresponding group;
c) statically diagnosing files by specifying only previously detected malware when there is already detected malware in the corresponding group;
d) if there is no previously detected malware in the corresponding group, searching for at least one association group related to the corresponding group in a relational DB; and
e) statically diagnosing files by specifying only previously detected malware when there is previously detected malware in the searched association group;
(Where 100 > N ₁ > N ₂ > 0)
According to claim 11,
The anti-malware cloud server, wherein N ₂ is 30 or more and 50 or less, and N ₁ is 60 or more and 80 or less.

Images