KR20130028257A - Device, method and computer readable recording medium for providing information to detect unknown malware - Google Patents


Info

Publication number: KR20130028257A
Application number: KR1020110091672A
Authority: KR (South Korea)
Prior art keywords: malware, information, network, malware detection, client terminal
Other languages: Korean (ko)
Inventors: 주성범, 최해길
Original Assignee: 엔에이치엔비즈니스플랫폼 주식회사

Classifications

    • G PHYSICS
      • G06 COMPUTING; CALCULATING OR COUNTING
        • G06F ELECTRIC DIGITAL DATA PROCESSING
          • G06F11/00 Error detection; Error correction; Monitoring
            • G06F11/30 Monitoring
              • G06F11/3003 Monitoring arrangements specially adapted to the computing system or computing system component being monitored
                • G06F11/302 Monitoring arrangements specially adapted to the computing system or computing system component being monitored where the computing system component is a software system
          • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
            • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
              • G06F21/31 User authentication
            • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
              • G06F21/55 Detecting local intrusion or implementing counter-measures
                • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements


Abstract

PURPOSE: A device for providing information for detecting unidentified malware, a method thereof, and a computer-readable recording medium thereof are provided to detect the unidentified malware by applying network connection information about the detected malware to the detection of new malware.

CONSTITUTION: A receiving unit (609) receives a malware detection information log according to the detection of identified malware from a client terminal including a malware detecting application. An updating unit (608) updates a network pattern database (612) including network pattern information about unidentified malware based on the malware detection information log. A transmitting unit (607) transmits the updated network pattern database to the client terminal. The malware detecting application determines the unidentified malware based on the network pattern database. A providing unit provides the malware detecting application to the client terminal.

Reference numerals: (601) Malware detecting unit; (602) Malware processing unit; (603) Network scanning unit; (604) Network information extracting unit; (605) DNS cache extracting unit; (606) Detection information log generating unit; (607) Transmitting unit; (608) Pattern updating unit; (609) Receiving unit; (611) Malware signature; (612) Network pattern

Description

DEVICE, METHOD AND COMPUTER READABLE RECORDING MEDIUM FOR PROVIDING INFORMATION TO DETECT UNKNOWN MALWARE

The present invention relates to an apparatus, a method and a computer-readable recording medium for providing information for detecting unidentified malware, and more particularly to an apparatus, method and computer-readable recording medium that collect network connection information about detected malware and provide that network connection information for detecting unidentified malware.

In general, the Internet is an open network configured so that anyone, anywhere in the world, can freely connect to a remote computer using a common protocol called TCP/IP. Beyond transmitting basic character information, it has grown together with the development of compression technology, and various services such as e-mail, file transfer and the World Wide Web (WWW) are available over it.

As the use of the Internet has rapidly increased in Korea and worldwide, its importance as a strategic tool for improving efficiency and productivity throughout existing industries has grown just as rapidly. As a result, new business opportunities through the Internet are continuously being created, and the number of Internet service providers is increasing as well.

On the other hand, as a factor that hinders the communication environment over the Internet, attacks are carried out to obtain desired information by using malicious programs against a specific target computer connected to the Internet.

A malicious program is malicious code written for a malicious purpose; it is also called malware or malicious code. Malicious programs are classified into viruses, worm viruses, Trojan horses, and the like.

In addition, spyware, which is similar to a malicious program, is software that infiltrates another person's computer and extracts important personal information. In recent years it has evolved to find out user names, IP addresses, favorite URLs, personal IDs and passwords, and it is becoming a problem because of the many possibilities for malicious use. The main symptoms caused by such malicious programs are network traffic, system performance degradation, file deletion, e-mail sending, personal information leakage, remote control, and the like. In addition, most malicious programs employ various anti-analysis techniques so that their intent and behavior cannot be easily discerned even when they are analyzed by security experts.

Referring to FIG. 1, a typical malicious program (i.e., malware) detection procedure scans for malware based on signatures (S101) and, when malware is detected (S102), performs the corresponding malware handling process (S103).

The signature-based malware diagnosis method is a method of collecting virus samples and diagnosing against them. In other words, when a new computer virus appears, antivirus vendors have to collect samples, work out how to diagnose and treat them, and add the result to the antivirus database. This method is referred to as a reactive method, and the distinguishing mark of the virus is referred to as a 'signature'.

As described above, the conventional malicious program detection method generates a signature through expert analysis of previously discovered malicious programs and detects a malicious program only when the same program is used again. Consequently, a malicious program that is very similar to a detected one but does not have exactly the same signature cannot be detected, and unknown malicious programs cannot be detected and handled immediately.

On the other hand, as a technique for detecting such malicious programs or malicious sites, Korean Patent Registration No. 10-1044274, entitled "Malicious site detection apparatus, method and recording medium on which a computer program is recorded" (AhnLab, Inc.), discloses a method of determining whether the current site is a dangerous site, or whether a process currently running on the computer is abnormal, by checking whether a certificate is included in the process when the program downloaded from the site is executed and whether the stack structure is normal.

However, the symptoms and spreading methods of malicious programs are gradually becoming more complicated and intelligent, and such conventional antivirus programs have the limitation that they cannot diagnose and treat the full variety of malicious programs.

[Patent Document 1] Korean Registered Patent No. 10-1044274 Malicious site detection apparatus, method, and recording medium on which a computer program is recorded (AhnLab, Inc.) 2011.06.20

An object of the present invention is to provide an apparatus and method for providing information for detecting unidentified malware, which collect network access information about detected malware to construct a network pattern database and apply it to new malware detection, so that malware can be detected using network access information even when it cannot be identified by existing methods.

In addition, another object of the present invention is to provide an apparatus and method for providing information for detecting unidentified malware, which use the network access information of previously detected malware to detect malware that signature-based malware scanning does not detect.

In addition, another object of the present invention is to provide an apparatus and method for providing information for detecting unidentified malware, which collect network connection information and DNS cache information about the malware detected by a plurality of client terminals, construct a malware network pattern database from it, and update the database of each client terminal with it, so that malware can be detected using the network connection information of previously detected malware.

In order to achieve the above objects of the present invention and to realize the specific effects described below, the characteristic structure of the present invention is as follows.

According to an aspect of the present invention, there is provided an apparatus for providing information for detecting unidentified malware, comprising: a receiving unit configured to receive, from at least one client terminal on which a malware detection application operates, a malware detection information log generated upon detection of identified malware; an updating unit configured to update, based on the received malware detection information log, a network pattern database holding network pattern information about unidentified malware; and a transmitting unit configured to transmit the updated network pattern database to the at least one client terminal operating the malware detection application, wherein the malware detection application determines infection by unidentified malware based on the transmitted network pattern database.

According to another aspect of the present invention, there is provided a method for providing information for detecting unidentified malware, in which a server performs the steps of: receiving, from at least one client terminal running a malware detection application, a malware detection information log generated upon detection of identified malware; updating, based on the received malware detection information log, a network pattern database holding network pattern information about unidentified malware; and transmitting the updated network pattern database to the at least one client terminal operating the malware detection application, wherein the malware detection application determines infection by unidentified malware based on the transmitted network pattern database.

According to another aspect of the present invention, there is provided a method for detecting unidentified malware, in which a client terminal performs the steps of: a network information extracting step of extracting the network connection information of each process executed at the client terminal; a network scanning step of searching whether the extracted network connection information matches information stored in a network pattern database; and an infection determination step of determining, when matching information is found as a result of the network scanning step, that the process having the extracted network connection information is infected with unidentified malware, wherein the network pattern database includes at least a part of the network connection information of previously detected identified malware.

On the other hand, the method for providing information for detecting unidentified malware may be stored as a program on a recording medium readable by a server computer. Such recording media include all kinds of recording media on which programs and data are stored so that they can be read by a computer system. Examples include Read Only Memory (ROM), Random Access Memory (RAM), Compact Disk (CD), Digital Video Disk (DVD)-ROM, magnetic tape, floppy disk, optical data storage, and the like, and also include implementation in a transmitted form (e.g., transmission over the Internet). In addition, these recording media can be distributed over network-coupled computer systems so that the computer-readable code is stored and executed in a distributed fashion.

As described above, according to the present invention, by collecting network connection information about previously detected malware and applying it to new malware detection, there is the advantage that detection is possible even for unidentified malware.

In addition, according to the present invention, unidentified malware that is not detected by various malware detection methods such as signature-based malware scanning can be detected by using the network connection information of previously detected malware.

Also, according to the present invention, network access information and DNS cache information about the malware detected by a plurality of client terminals are collected and pushed to each client terminal periodically or aperiodically, so that even malware not detected by various malware detection methods such as signature-based scanning can be detected.

FIG. 1 is a flowchart illustrating a general malware detection procedure.
FIGS. 2 to 4 are diagrams illustrating the concept of unidentified malware detection using a network according to various embodiments of the present disclosure.
FIG. 5 is a diagram showing the configuration of a system according to the present invention.
FIG. 6 is a block diagram showing the detailed structure of the functions performed by a malware detection application according to an embodiment of the present invention.
FIG. 7 is a flowchart illustrating a malware detection procedure in a client terminal according to an embodiment of the present invention.
FIG. 8 is a flowchart illustrating a malware network pattern database update procedure in a server according to an embodiment of the present invention.

DETAILED DESCRIPTION The following detailed description of the invention refers to the accompanying drawings, which show, by way of illustration, specific embodiments in which the invention may be practiced. These embodiments are described in sufficient detail to enable those skilled in the art to practice the invention. It should be understood that the various embodiments of the present invention differ from one another but need not be mutually exclusive. For example, certain features, structures and characteristics described herein in connection with one embodiment may be implemented in other embodiments without departing from the spirit and scope of the invention. It is also to be understood that the position or arrangement of the individual components within each disclosed embodiment may be varied without departing from the spirit and scope of the invention. Accordingly, the following detailed description is not to be taken in a limiting sense, and the scope of the present invention is defined only by the appended claims, along with the full range of equivalents to which such claims are entitled. In the drawings, like reference numerals refer to the same or similar functions throughout the several views.

The present invention proposes an apparatus and method for detecting malware that collect network access information about detected malware to construct a network pattern database and apply it to new malware detection, so that even unknown malware not detected by general malware detection methods can be detected using network access information.

Meanwhile, the embodiment of the present invention described below uses a signature-based malware detection method as an example of a malware detection method. However, the present invention can be applied to any other malware detection method as well as to signature-based malware detection. That is, the present invention collects network connection information about malware detected by various methods, such as signature-based malware detection and malware detection by heuristic analysis, and applies this information to new malware detection, so that malware not detected by general malware detection methods can be detected.

In more detail, the present invention uses, for malware detection, network connection information including domain name information, obtained by cross-analyzing the DNS (domain name server) cache information extracted from the operating system with the Internet Protocol (IP) address, port number, and the like of the detected malware. Therefore, the network connection information of malware detected by various methods is collected and processed as described below, and is then used as the malware network pattern database of the malware detection technique. The malware network pattern database is updated periodically or aperiodically.

On the other hand, in the specification of the present invention, the term 'malware' (malicious software) denotes software intended to perform malicious activities, such as destroying the system or leaking information, against the user's intention and interest; it is a contraction of 'malicious software'. Malware is a broader concept that includes viruses, which are characterized by self-replication and file infection. Many so-called non-viral malware programs are as destructive and dangerous as viruses: Trojan horses and keyboard input leakers (keyloggers) are non-virus malware, and there are also remote administration programs and various spyware. Although there are no reports of mass dissemination or serious damage to the public, the potential for major incidents is high. In other words, the malware referred to in the present invention described below is a generic name for executable code written for malicious purposes, and is a broad concept including malicious programs, malicious code, and the like. Malware takes various forms and may be classified into viruses, worm viruses, Trojan horses, and the like, depending on its self-replicating ability and on whether or not it has an infection target. In addition, spyware, which is similar to a malicious program, is software that infiltrates another person's computer and extracts important personal information; in recent years it has evolved to find out user names, IP addresses, favorite URLs, personal IDs and passwords, and is becoming a problem because of the many possibilities for malicious use. Thus, the present invention can be applied to the detection and diagnosis of code written for any malicious purpose, including such spyware, adware, tracking code, and the like.

In addition, in the specification of the present invention, the term 'network connection information' should be interpreted in a broad sense, including all information related to the object to which a predetermined process, executed in accordance with the execution of a program, connects through the network. Examples of network connection information include, but are not limited to, the domain name information, IP address and access port number of the connection target; any information related to the network connection of a predetermined process may be included in the network connection information, as is obvious to a person having ordinary skill in the art.

Hereinafter, preferred embodiments of the present invention will be described in detail with reference to the accompanying drawings, so that those skilled in the art can easily carry out the present invention.

Concept of malware detection

First, the concept of unidentified malware detection using a network according to the present invention will be described with reference to FIGS. 2 to 4.

Referring to FIG. 2 for the malware detection concept according to an embodiment of the present invention, various application programs are executed in the client terminal, and at least one process is executed for each running application program. As shown in FIG. 2, process 1 communicates with the server 'www.google.com' at the Internet Protocol (IP) address and port number '8.8.8.8:80', process 3 communicates with the server 'www.naver.com' at the IP address and port number '66.3.4.1:80', and process 4 communicates with the server 'hack1.liOs.org'.

In this case, various types of virus diagnosis programs installed in the client terminal detect, by a real-time monitoring function, whether malware is being executed by each process. For example, the malware detection unit of a virus diagnosis program operating in real time diagnoses whether each process is infected with malware; when the virus diagnosis program uses a signature-based malware detection method, malware signature information stored in a previously built malware signature database (malware signature DB) is used to diagnose the infection. Meanwhile, the present invention is not limited to the signature-based malware detection method and may be applied to any other method of detecting malware that infects through a network.

If a process is determined to be infected with malware by the malware detection unit, the network access information of the infected process (e.g., the Internet Protocol (IP) address and port number) is extracted. The network access information extraction method can be implemented in various ways. For example, an application for obtaining network connection information runs at the user level, a hooking driver that hooks functions of the TCP/IP driver runs at the kernel level, and the application obtains the network connection information by calling a network information acquisition function. In this case, when the client terminal is a Windows OS based system, the function used to obtain network access information may be the 'GetTcpTable' or 'GetExtendedTcpTable' function. 'GetTcpTable' obtains the local/remote IP and port information of each network session, and 'GetExtendedTcpTable' obtains the local/remote IP and port together with the ID of the process that owns the session. Alternatively, a custom function for extracting the network connection information of a process may be written without using the functions supported by the OS.

Meanwhile, in FIG. 2, since process 4, which connects to the server 'hack1.liOs.org', is diagnosed by the malware detection unit as malware or as infected with malware, its network access information '10.11.22.33:8080' is extracted as the network connection information.

The network connection information thus extracted is transmitted to an information providing server (for example, the server with the address 'log.malware.com' in FIGS. 2 to 4), which updates the network pattern database based on the information collected from each client terminal.

The concept of malware detection according to another embodiment of the present invention will be described with reference to FIG. 3. As described above with reference to FIG. 2, when network access information about the detected malware is extracted, the DNS (domain name server) cache information of the operating system (OS) of the client terminal is additionally extracted. The DNS cache stores the domain name information and IP address of each server the client terminal has connected to. For example, as shown in FIG. 3, the domain name 'www.google.com' is mapped to the IP address '8.8.8.8', 'www.naver.com' is mapped to the IP address '66.3.4.1', and 'hack1.liOs.org' is mapped to the IP address '10.11.22.33'. Therefore, at least a part of the network access information '10.11.22.33:8080' of the process detected as malware, for example the IP address, is intersected with the extracted DNS cache information to obtain the corresponding domain name 'hack1.liOs.org', and one or more of the pieces of network connection information obtained by this intersection are transmitted to a server (for example, the information providing server 'log.malware.com'). Since the IP address of the server with which the malware communicates can change while the domain name stays the same, it is preferable to transmit to the server, in addition to the IP address and port number, the domain name corresponding to that IP address.

A new malware detection technique using the network access information collected according to an embodiment of the present invention will be described with reference to FIG. 4. As described with reference to FIGS. 2 and 3, the network connection information collected from each client terminal is updated by the information providing server and provided to the client terminals periodically, aperiodically, or at the request of each client terminal. Each client terminal then receives the updated malware network access information from the information providing server and processes it into a network pattern database for detection; that is, the network connection information of detected malware is added to the network pattern database as network pattern information for malware detection. As described above, the network access information may include domain name information, an IP address and a port number. Since the IP address of the server with which the malware communicates may change while the domain name stays the same, the network pattern information may be configured so that a plurality of IP addresses are held under one domain name.

Accordingly, the malware detection unit detects malware by a basic malware detection function (e.g., signature-based malware scanning) and, according to an embodiment of the present invention, additionally compares the network access information of each process with the network pattern information stored in the network pattern database, by IP address and/or domain name, to determine whether they match. If a process matches the network pattern information stored in the network pattern database, that process is determined to be malware or infected with malware even if the basic malware detection function did not detect it. As described above, the method according to the embodiment of the present invention has the advantage that new malware not detected by conventional malware detection methods can be detected.

In addition, in order to make use of malware newly detected by the method according to an embodiment of the present invention, its signature may also be analyzed and added to the malware signature database.
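The round trip of FIGS. 2 to 4, as an added example that is not part of the patent: a client builds the detection log by intersecting the flagged process's connections with the DNS cache, the server merges it into the network pattern database, and a second client then flags a process by IP:port or by domain name although signature scanning found nothing. Process connections and the DNS cache are constructed inline lists standing in for GetExtendedTcpTable and the OS resolver cache; the second C&C address 10.11.22.44 is invented, and lower-casing domain names before comparison is this example's assumption, not something the patent states.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Connection:
    """One TCP session as GetExtendedTcpTable reports it: owning PID,
    remote IP and remote port."""
    pid: int
    remote_ip: str
    remote_port: int


def extract_network_info(connections, pid):
    """Network information extracting unit (604): sessions owned by one process."""
    return [c for c in connections if c.pid == pid]


def domains_for_ip(dns_cache, ip):
    """DNS cache extracting unit (605): names the resolver cache maps to this
    IP, lower-cased because DNS names are case-insensitive (assumption)."""
    return sorted(name.lower() for name, addr in dns_cache if addr == ip)


def build_detection_log(pid, connections, dns_cache):
    """Detection information log generating unit (606): for a process that
    signature scanning flagged, pair each remote IP:port with the domain
    names found by intersecting it with the DNS cache (FIG. 3)."""
    log = []
    for c in extract_network_info(connections, pid):
        for name in domains_for_ip(dns_cache, c.remote_ip) or [None]:
            log.append({"domain": name, "ip": c.remote_ip, "port": c.remote_port})
    return log


class NetworkPatternDB:
    """Network pattern database (612): IP:port pairs plus a domain -> set of
    IPs map, since a C&C host can change IP while keeping its name."""

    def __init__(self):
        self.endpoints = set()   # {(ip, port), ...}
        self.domains = {}        # domain -> {ip, ...}

    def update(self, log_entries):
        """Pattern updating unit (608), server side: merge client logs."""
        for e in log_entries:
            self.endpoints.add((e["ip"], e["port"]))
            if e["domain"]:
                self.domains.setdefault(e["domain"], set()).add(e["ip"])
        return self

    def match(self, conn, dns_cache):
        """Network scanning unit (603): why this session matches, or None.
        IP:port first; otherwise a domain match through the DNS cache, which
        catches a known C&C name that now resolves to a new IP."""
        if (conn.remote_ip, conn.remote_port) in self.endpoints:
            return "ip"
        for name in domains_for_ip(dns_cache, conn.remote_ip):
            if name in self.domains:
                return "domain"
        return None


def scan_processes(connections, dns_cache, pattern_db):
    """Infection determination: PID -> match reason for every process whose
    sessions hit the pattern DB although signature scanning found nothing."""
    hits = {}
    for c in connections:
        reason = pattern_db.match(c, dns_cache)
        if reason and c.pid not in hits:
            hits[c.pid] = reason
    return hits


# Constructed sample data: the FIG. 2/3 values plus an invented second C&C IP.
CLIENT_A_CONNECTIONS = [
    Connection(1, "8.8.8.8", 80),        # www.google.com, benign
    Connection(3, "66.3.4.1", 80),       # www.naver.com, benign
    Connection(4, "10.11.22.33", 8080),  # hack1.liOs.org, flagged by signature
]
CLIENT_A_DNS_CACHE = [("www.google.com", "8.8.8.8"), ("www.naver.com", "66.3.4.1"),
                      ("hack1.liOs.org", "10.11.22.33")]
# Client C: no signature hit, and the C&C name now resolves to 10.11.22.44
# (a constructed address, not from the patent).
CLIENT_C_CONNECTIONS = [Connection(7, "8.8.8.8", 80), Connection(9, "10.11.22.44", 8080)]
CLIENT_C_DNS_CACHE = [("www.google.com", "8.8.8.8"), ("HACK1.liOs.org", "10.11.22.44")]


def demo():
    """Client A logs its detection, the server ('log.malware.com') merges it
    into the pattern DB, and client C then detects PID 9 by domain name alone."""
    log = build_detection_log(4, CLIENT_A_CONNECTIONS, CLIENT_A_DNS_CACHE)
    db = NetworkPatternDB().update(log)
    return log, scan_processes(CLIENT_C_CONNECTIONS, CLIENT_C_DNS_CACHE, db)


if __name__ == "__main__":
    print(demo())
```

Matching on IP:port alone would miss the moved C&C host on client C; the domain path through the DNS cache is what the patent's "same domain name, changed IP" caveat buys.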

Hereinafter, a system and apparatus according to an embodiment of the present invention will be described with reference to FIGS. 5 and 6.

Complete system configuration

FIG. 5 is a diagram showing the configuration of a system according to the present invention. Referring to FIG. 5, the system according to the present invention may include an information providing server 500, at least one web service server 510, a network 520, at least one malware server 530, a client terminal 540, and the like.

First, the information providing server 500 collects network connection information about the malware detected by at least one client terminal 540 or by the information providing server 500 itself, and provides that information to each client terminal 540. In addition, the information providing server 500 may provide a dedicated application for malware detection to each client terminal 540, and may provide information for updating and managing that application.

The web service server 510 generally refers to various servers that provide information, such as portal site servers. As distinguished from the malware server 530, it denotes a general server that provides a normal service and is not involved in malicious attacks or malware.

The network 520 may be any communication network regardless of its communication mode, wired or wireless, and may consist of various networks such as a personal area network (PAN), a local area network (LAN), a metropolitan area network (MAN) and a wide area network (WAN). In addition, the network 520 may be the well-known World Wide Web (WWW), and may partially use wireless transmission technologies for short-range communication such as Infrared Data Association (IrDA) or Bluetooth.

The malware server 530 is a concept that includes a server that distributes malware to the client terminals 540, a server that attacks the client terminals, a server infected with malware, and a command and control server (C&C server). Here, the command and control server refers to a server through which a hacker remotely controls zombie PCs and issues attack commands against a specific target.

On the other hand, the client terminal 540 may have installed on it various applications for detecting whether each process of the application programs running in the client terminal is infected with malware.

According to the present invention, when the malware detection performed on each process finds a process infected with malware, the client terminal 540 obtains the network connection information of that process (e.g., its network connection with the corresponding malware server 530) and transmits the extracted information to the information providing server 500 through the network 520.

The information providing server 500 collects the network connection information of the detected malware from at least one client terminal 540 and transmits the collected malware network connection information to each client terminal 540 through the network 520, periodically, aperiodically, or at the request of the client terminal 540.

The client terminal 540 receives the malware network connection information from the information providing server 500 and stores it in a network pattern database used for detection. That is, the domain name information and/or IP addresses from the network connection information of previously detected malware are added to the network pattern database as network pattern information for malware detection. The malware detection unit of the client terminal 540 therefore detects malware by a general malware detection function (e.g., signature-based malware scanning) and, additionally, according to an embodiment of the present invention, compares the network pattern information stored in the network pattern database with the network connection information of each process; a match allows detection of malware that has not yet been identified. Furthermore, when new, unidentified malware is detected in this way, the client terminal 540 may transmit information about that malware to the information providing server 500 so that it can also be covered by the general malware detection function. In this case, the information providing server 500 analyzes the malware information received from the client terminal 540 (e.g., extracts the malware's signature), updates the related information (e.g., the malware signature database), and provides the updated information to the client terminal 540 so that the client terminal 540 can perform the general malware detection function using it.

Malware Detection Application Function

FIG. 6 is a block diagram illustrating the detailed structure of the functions performed by a malware detection application according to an embodiment of the present invention, which may be installed and operated in the client terminal 540. Referring to FIG. 6, the malware detection application 600 according to an embodiment of the present invention includes a malware detection unit 601, a malware processing unit 602, a network scanning unit 603, a network information extraction unit 604, a DNS cache extraction unit 605, a detection information log generation unit 606, a transmission processing unit 607, a pattern update unit 608, a reception processing unit 609, a malware signature database 611, a network pattern database 612, and the like.

The malware detection unit 601 detects malware by various malware detection methods. For example, when using a signature-based detection method, it determines whether each process is infected with malware by comparing the process against the malware signature information stored in the malware signature database 611. When a process is determined to be infected, the malware processing unit 602 handles the malware according to the configured task (for example, notification of the malware infection, deletion or modification of the file, quarantine, recording of log information, etc.).

When the malware detection unit 601 detects malware, it notifies the network information extraction unit 604 of the infection, and according to the present invention the network information extraction unit 604 extracts the network connection information (e.g., IP address and port number) of the process infected with the malware, as described above.

When the DNS cache extraction unit 605 receives the infection notification, it may further extract, from the DNS cache information of the OS, the domain name information that matches the IP address in the network connection information extracted by the network information extraction unit 604. Once the network connection information (with or without domain name information) for the process in which malware was detected has been extracted, the detection information log generation unit 606 generates a malware detection information log from the extracted network connection information and transmits it to the information providing server 500 through the transmission processing unit 607. The malware detection information log may consist of one or more items of the extracted network connection information as they are, or of information derived by processing the extracted information. In addition to the extracted information, the malware detection information log may further include information about the client terminal, the infected process, the detected malware, and the like.

When the basic malware detection method of the malware detection unit 601 does not detect malware, malware detection using the network pattern database 612 is additionally performed according to an embodiment of the present invention. More specifically, the network information extraction unit 604 and the DNS cache extraction unit 605 extract, for each process, the network connection information including the IP address and port number together with the domain name information matching that IP address, and pass it to the network scanning unit 603.

The network scanning unit 603 scans the extracted network connection information for entries that map to the network pattern information pre-stored in the network pattern database 612. The scan may be performed on any one or more of the items contained in both the network connection information and the network pattern information: for example, on the IP address alone, on the domain name information alone, or on both the IP address and the domain name information. When the scan finds extracted network connection information that matches network pattern information pre-stored in the network pattern database 612, the process having that network connection information is determined to be infected with unidentified malware, and the malware detection unit 601 is notified. The malware detection unit 601 then handles the unidentified malware through the malware processing unit 602. In this way, even unidentified malware that the basic malware detection method of the malware detection unit 601 cannot detect can be detected through the comparison of network connection information in the network scanning unit 603.
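The extraction, DNS cache enrichment and network scanning steps described for units 603 to 606 above, as an added example in Python that is not code from the patent or its applicant. The per-process connection list, the DNS cache dump (written in the layout of the Windows `ipconfig /displaydns` output) and the network pattern database are constructed sample data, and the database layout (domain name to set of IP addresses, plus bare IP addresses) is an assumption of this example; the patent does not fix a storage format.

```python
"""Client-side detection of unidentified malware by network pattern matching.

Added example, not code from the patent or its applicant. Connection list,
DNS cache dump and pattern database are constructed sample data (documentation
IP ranges); the pattern database layout is an assumption of this example.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed: per-process connections as network information extraction unit
# 604 would obtain them: (pid, process name, remote IP, remote port).
SAMPLE_CONNECTIONS = [
    (1204, "browser.exe", "93.184.216.34", 443),
    (2316, "updater.exe", "198.51.100.23", 8080),
    (3999, "svchost.exe", "203.0.113.77", 53),
]

# Constructed: OS DNS cache in the layout printed by `ipconfig /displaydns`.
SAMPLE_DNS_CACHE_DUMP = """
    example.com
    ----------------------------------------
    Record Name . . . . . : example.com
    Record Type . . . . . : 1
    Section . . . . . . . : Answer
    A (Host) Record . . . : 93.184.216.34

    cnc.bad-example.net
    ----------------------------------------
    Record Name . . . . . : cnc.bad-example.net
    Record Type . . . . . : 1
    Section . . . . . . . : Answer
    A (Host) Record . . . : 198.51.100.23
"""

# Constructed network pattern database 612: domain names with the IPs seen
# behind them, plus IPs that were reported without any domain name.
SAMPLE_PATTERN_DB = {
    "domains": {"cnc.bad-example.net": {"198.51.100.99"}},
    "ips": {"203.0.113.77"},
}


@dataclass
class Connection:
    pid: int
    process: str
    ip: str
    port: int
    domain: Optional[str] = None  # filled from the DNS cache when present


def parse_dns_cache(dump: str) -> Dict[str, str]:
    """DNS cache extraction unit 605: map IP address -> cached domain name.
    Only A records are used; a later record for the same IP wins."""
    ip_to_domain: Dict[str, str] = {}
    name = None
    for line in dump.splitlines():
        m = re.match(r"\s*Record Name[ .]*:\s*(\S+)", line)
        if m:
            name = m.group(1)
            continue
        m = re.match(r"\s*A \(Host\) Record[ .]*:\s*(\S+)", line)
        if m and name:
            ip_to_domain[m.group(1)] = name
    return ip_to_domain


def extract_connections(raw, dns_cache: Dict[str, str]) -> List[Connection]:
    """Steps S707/S708: connection info enriched with the cached domain name."""
    return [Connection(pid, proc, ip, port, dns_cache.get(ip))
            for pid, proc, ip, port in raw]


def scan_patterns(conns: List[Connection], pattern_db) -> List[Tuple[Connection, List[str]]]:
    """Network scanning unit 603 (step S709): every process whose domain name
    and/or IP address appears in the pattern database, with the matching keys."""
    known_ips = set(pattern_db["ips"]).union(*pattern_db["domains"].values())
    hits = []
    for c in conns:
        matched_by = []
        if c.domain is not None and c.domain in pattern_db["domains"]:
            matched_by.append("domain")
        if c.ip in known_ips:
            matched_by.append("ip")
        if matched_by:
            hits.append((c, matched_by))
    return hits


def build_detection_log(conn: Connection, terminal_id: str, malware_name: str) -> dict:
    """Detection information log generation unit 606 (step S705)."""
    return {"terminal": terminal_id, "pid": conn.pid, "process": conn.process,
            "malware": malware_name, "ip": conn.ip, "port": conn.port,
            "domain": conn.domain}


def detect_unidentified(raw=SAMPLE_CONNECTIONS, dump=SAMPLE_DNS_CACHE_DUMP,
                        pattern_db=SAMPLE_PATTERN_DB):
    """Extraction, DNS enrichment and pattern scan end to end (S707-S710)."""
    return scan_patterns(extract_connections(raw, parse_dns_cache(dump)), pattern_db)
```

On the constructed data `updater.exe` is flagged by domain name even though its current IP is not yet in the database, and `svchost.exe` by IP alone. Matching on a bare IP address is the weakest of the three modes the text allows: an address shared by many hosts (a CDN edge or shared hosting) would flag every process that talks to it, so a deployment would prefer the domain match wherever a cached DNS entry exists and keep port and process context in the log for triage.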

According to an exemplary embodiment of the present invention, the network pattern database 612 may be updated with new network pattern information. That is, the information providing server 500 collects the network connection information extracted from detected malware and provides it to each client terminal 540, which updates its network pattern database 612 with it, so that unidentified malware can be detected more effectively.

The network pattern database 612 may be updated periodically, aperiodically, or at the request of the client terminal 540. For example, when the update is made at the request of the client terminal 540, the pattern update unit 608 requests the update by transmitting update request information for the network pattern database 612 to the information providing server 500 through the transmission processing unit 607.

In response to the request, the information providing server 500 provides the latest network pattern information to the requesting client terminal 540; the client terminal 540 receives the provided network pattern information through the reception processing unit 609, and the pattern update unit 608 updates the network pattern database 612 with it.

Hereinafter, a procedure performed in the client terminal and the information providing server will be described in detail with reference to FIGS. 7 and 8.

Malware Detection Procedure

FIG. 7 is a flowchart illustrating a malware detection procedure in a client terminal according to an embodiment of the present invention. Referring to FIG. 7, the client terminal detects malware by various methods through the installed application. For example, signature-based malware scanning (S701) is performed to detect whether each process is infected with malware. When malware is detected as a result of the scanning (S702), the network connection information of the process detected as malware is extracted (S703) according to an embodiment of the present invention. Domain name information matching the IP address in the extracted network connection information may be further extracted from the DNS cache information of the OS (S704). A malware detection information log is then generated based on the extracted network connection information (with or without domain name information) and transmitted to the information providing server (S705).

The detected malware is also handled according to the configured malware response process (S706) (e.g., malware detection notification, deletion or modification of the process, quarantine, recording of log information, etc.).

In FIG. 7, the malware response process of step S706 is performed after the network connection information extraction and transmission of steps S703 to S705, but the present invention is not limited thereto. The malware response process of step S706 may be performed before steps S703 to S705, or the two may be performed simultaneously. In addition, step S704 may be omitted, in which case the extracted network connection information contains no domain name information.

If no malware is detected as a result of the scanning (S702), then according to an embodiment of the present invention the network connection information of each process is extracted (S707) in order to detect unidentified malware, and domain name information matching the IP address in the extracted network connection information may be further extracted from the DNS cache information of the OS (S708). Next, the extracted network connection information is searched for entries matching the network pattern information stored in the malware network pattern database, i.e., the network pattern database is scanned (S709). If matching information is found as a result of the scan, the corresponding process is detected as infected with unidentified malware (S710), and the infected process is handled according to the malware response process (S706).

In FIG. 7, steps S707 to S710 for detecting unidentified malware are performed when no malware is detected in step S702, but the present invention is not limited thereto. Steps S707 to S710 may be performed regardless of the outcome of the detection step S702, in parallel with steps S703 to S706, or additionally only when malware has been detected.

FIG. 8 is a flowchart illustrating a malware network pattern database update procedure in a server according to an embodiment of the present invention. Referring to FIG. 8, the information providing server receives malware detection information logs from each client terminal (S801). Each received malware detection information log contains the network connection information of a process in which infection by identified malware was detected, as described above. The information providing server extracts the network connection information of the malware from the collected malware detection information logs (S802) and updates the network pattern database (S803). As an example, if the extracted network connection information contains domain name information, the information providing server checks whether network pattern information having that domain name already exists in the network pattern database; if not, it adds the extracted network connection information to the network pattern database as new network pattern information. If it does exist, the server further checks whether the IP address in the extracted network connection information is already included in that network pattern information and, if not, adds the IP address to it. Even when the extracted network connection information contains no domain name information, the network pattern database can be updated with the IP address as new network pattern information. The above is only an example, however, and the network pattern database may be updated irrespective of whether matching network pattern information is already stored in it.

The information providing server transmits the updated network pattern database to the corresponding client terminals periodically, aperiodically (for example, every time the pattern database is updated), or according to an information request from a client terminal (S804) (S805). In this case, only the newly updated portion may be transmitted rather than the entire network pattern database.
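The server-side update rules spelled out above (new domain name, known domain name with a new IP address, bare IP address), the transmission of only the updated portion, and the client's pattern update unit 608 merging such a partial update, as an added example in Python that is not the patent's own code. The detection logs are constructed sample data, and the database layout (domain name to set of IP addresses, plus bare IP addresses) is an assumption of this example.

```python
"""Server-side update of the network pattern database (FIG. 8, S801-S805) and
the client-side merge of a partial update.

Added example, not the patent's own code. The detection logs and the database
layout (domain name -> set of IPs, plus bare IPs) are constructed assumptions.
"""
from copy import deepcopy
from typing import Iterable, List, Optional, Tuple

# Constructed: malware detection information logs received in step S801.
SAMPLE_LOGS = [
    {"terminal": "T1", "pid": 2316, "malware": "Trojan.Sample",
     "ip": "198.51.100.23", "port": 8080, "domain": "cnc.bad-example.net"},
    {"terminal": "T2", "pid": 881, "malware": "Trojan.Sample",
     "ip": "198.51.100.99", "port": 8080, "domain": "cnc.bad-example.net"},  # IP already known
    {"terminal": "T3", "pid": 4102, "malware": "Worm.Sample",
     "ip": "203.0.113.5", "port": 6667, "domain": None},                      # no DNS cache entry
    {"terminal": "T4", "pid": 7, "malware": "Worm.Sample",
     "ip": "203.0.113.5", "port": 6667, "domain": None},                      # duplicate report
]

# Constructed: the server's network pattern database before the update.
SAMPLE_PATTERN_DB = {
    "domains": {"cnc.bad-example.net": {"198.51.100.99"}},
    "ips": set(),
}


def extract_network_info(logs: Iterable[dict]) -> List[Tuple[Optional[str], str]]:
    """Step S802: reduce each log to the (domain name, IP address) pair used as a pattern."""
    return [(log.get("domain"), log["ip"]) for log in logs if log.get("ip")]


def update_pattern_db(db: dict, entries: Iterable[Tuple[Optional[str], str]]):
    """Step S803, following the worked example in the text:
      domain present, not in DB     -> add the domain with its IP as a new pattern
      domain present, already in DB -> add the IP to that pattern if it is missing
      no domain                     -> add the bare IP as a new pattern
    Returns (updated db, delta). The delta holds only what was newly added and is
    what step S805 sends when only the updated portion is transmitted."""
    new_db = deepcopy(db)
    delta = {"domains": {}, "ips": set()}
    for domain, ip in entries:
        if domain:
            ips = new_db["domains"].setdefault(domain, set())
            if ip not in ips:
                ips.add(ip)
                delta["domains"].setdefault(domain, set()).add(ip)
        elif ip not in new_db["ips"]:
            new_db["ips"].add(ip)
            delta["ips"].add(ip)
    return new_db, delta


def apply_delta(client_db: dict, delta: dict) -> dict:
    """Pattern update unit 608 on the client: merge a partial update."""
    merged = deepcopy(client_db)
    for domain, ips in delta["domains"].items():
        merged["domains"].setdefault(domain, set()).update(ips)
    merged["ips"].update(delta["ips"])
    return merged


def run_update(db=SAMPLE_PATTERN_DB, logs=SAMPLE_LOGS):
    """Server update followed by a client applying the delta to its old copy."""
    new_db, delta = update_pattern_db(db, extract_network_info(logs))
    client_db = apply_delta(db, delta)  # the client started from the same old DB
    return new_db, delta, client_db
```

On the constructed logs the delta contains one new IP under the known domain name and one bare IP; the duplicate and the already-known report add nothing, and the client ends up with the same database as the server. The patent takes client reports at face value: a buggy or hostile client could report a benign address (a shared hosting or CDN IP) as malware infrastructure and have it pushed to every other terminal, so a deployment would authenticate reporting clients and vet new entries before the server accepts them into the pattern database.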

As described above, in addition to malware detection by the various basic malware detection methods, the additional malware detection based on network connection information according to an embodiment of the present invention makes it possible to detect even malware that is not registered in the malware signature database.

Embodiments according to the present invention may be implemented in the form of program instructions that can be executed through various computer means and recorded on a computer-readable medium. The computer-readable medium may include program instructions, data files, data structures, and the like, alone or in combination. The program instructions recorded on the medium may be specially designed and constructed for the present invention, or may be known and available to those skilled in the art of computer software. Examples of computer-readable recording media include magnetic media such as hard disks, floppy disks and magnetic tape; optical media such as CD-ROM and DVD; magneto-optical media such as floptical disks; and hardware devices specially configured to store and execute program instructions, such as ROM, RAM and flash memory. Examples of program instructions include not only machine code produced by a compiler but also high-level language code that can be executed by a computer using an interpreter or the like. The hardware devices described above may be configured to operate as one or more software modules to perform the operations of the present invention, and vice versa.

Although the present invention has been described above by way of specific embodiments, such as specific components, limited embodiments and drawings, this is provided to help a more general understanding of the present invention, and the present invention is not limited to the above embodiments; those skilled in the art can make various modifications and variations from this description.

Accordingly, the spirit of the present invention should not be construed as being limited to the embodiments described; the following claims, as well as all equivalents or equivalent modifications of the claims, belong to the scope of the present invention.

500: information providing server 510: web service server
520: network 530: malware server
540: client terminal 600: malware detection application
601: malware detection unit 602: malware processing unit
603: network scanning unit 604: network information extraction unit
605: DNS cache extractor 606: detection information log generator
607: transfer processing unit 608: pattern update unit
609: reception processing unit 611: malware signature database
612: Network Pattern Database

Claims (18)

1. A device for providing information for detecting unidentified malware, the device comprising:
a receiver configured to receive a malware detection information log, generated upon detection of identified malware, from at least one client terminal on which a malware detection application operates;
an update unit configured to update a network pattern database holding network pattern information on the identified malware, based on the received malware detection information log; and
a transmitter configured to transmit the updated network pattern database to at least one client terminal on which the malware detection application operates,
wherein the malware detection application determines infection by the unidentified malware based on the transmitted network pattern database.
2. The device of claim 1, further comprising a providing unit configured to provide the malware detection application to the client terminal.
3. The device of claim 1, wherein the transmitter transmits the updated network pattern database periodically, aperiodically, or at the request of the client terminal.
4. The device of claim 1, wherein the malware infection determination of the malware detection application is made by executing:
a network information extraction function that extracts network connection information of each process executed in the client terminal on which the malware detection application operates;
a network scanning function that searches the network pattern database for network pattern information matching the extracted network connection information; and
an infection determination function that, when matching network pattern information is found by the network scanning function, determines that the process having the matching network connection information is infected with the unidentified malware.
5. The device of claim 4, wherein the network pattern information includes at least one of domain name information and an Internet Protocol (IP) address, and
the domain name information is domain name information mapped, in the domain name server (DNS) cache information of the client terminal, to the same IP address as the IP address in the extracted network connection information of each process.
6. The device of claim 1, wherein the malware detection information log is generated by the malware detection application further executing:
a malware detection function that detects, for each process executed in the client terminal on which the malware detection application operates, whether the process is infected with identified malware;
a function that, when the result of the malware detection function shows a process in which infection by the malware was detected, extracts second network connection information of the detected process; and
a malware detection information log generation function that generates the malware detection information log based on the extracted second network connection information.
7. The device of claim 6, wherein the malware detection information log includes at least one of domain name information and an Internet Protocol (IP) address.
8. The device of claim 4, wherein the malware detection application further executes a malware processing function that performs malware processing on the process determined, by the infection determination function, to be infected with the unidentified malware.
9. A method for providing information for detecting unidentified malware, performed by a server, the method comprising:
receiving a malware detection information log, generated upon detection of identified malware, from at least one client terminal on which a malware detection application operates;
updating a network pattern database holding network pattern information on the unidentified malware, based on the received malware detection information log; and
transmitting the updated network pattern database to at least one client terminal on which the malware detection application operates,
wherein the malware detection application determines infection by the unidentified malware based on the transmitted network pattern database.
10. The method of claim 9, further comprising, before receiving the malware detection information log, providing the malware detection application to the client terminal.
11. The method of claim 9, wherein the updated network pattern database is transmitted periodically, aperiodically, or at the request of the client terminal.
12. The method of claim 9, wherein the malware infection determination of the malware detection application comprises:
a network information extraction step of extracting network connection information of each process executed in the client terminal on which the malware detection application operates;
a network scanning step of searching the network pattern database for network pattern information matching the extracted network connection information; and
an infection determination step of determining, when matching network pattern information is found in the network scanning step, that the process having the matching network connection information is infected with the unidentified malware.
13. The method of claim 12, wherein the network pattern information includes at least one of domain name information and an Internet Protocol (IP) address, and
the domain name information is domain name information mapped, in the domain name server (DNS) cache information of the client terminal, to the same IP address as the IP address in the extracted network connection information of each process.
14. The method of claim 9, wherein the malware detection information log is generated by the malware detection application through:
a malware detection step of detecting, for each process executed in the client terminal on which the malware detection application operates, whether the process is infected with identified malware;
a step of extracting, when the result of the malware detection step shows a process in which infection by the malware was detected, second network connection information of the detected process; and
a malware detection information log generation step of generating the malware detection information log based on the extracted second network connection information.
15. The method of claim 14, wherein the malware detection information log includes at least one of domain name information and an Internet Protocol (IP) address.
16. The method of claim 12, wherein the malware detection application further performs malware processing on the process determined, in the infection determination step, to be infected with the unidentified malware.
17. A method for detecting unidentified malware, the method comprising:
a network information extraction step of extracting network connection information of each process executed in a client terminal;
a network scanning step of searching for information in which the extracted network connection information matches information stored in a network pattern database; and
an infection determination step of determining, when matching information is found in the network scanning step, that the process having the extracted network connection information is infected with the unidentified malware,
wherein the network pattern database includes at least part of the network connection information of detected identified malware.
18. A computer-readable recording medium on which a program for executing the method of any one of claims 9 to 17 is recorded.

Priority Applications (1)

Application Number Priority Date Filing Date Title
KR1020110091672A KR20130028257A (en) 2011-09-09 2011-09-09 Device, method and computer readable recording medium for providing information to detect unknown malware

Publications (1)

Publication Number Publication Date
KR20130028257A true KR20130028257A (en) 2013-03-19

Family

ID=48178815

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20160016816A (en) * 2013-05-31 2016-02-15 마이크로소프트 테크놀로지 라이센싱, 엘엘씨 Protecting anti-malware processes
US11636205B2 (en) 2020-03-20 2023-04-25 Line Corporation Method and system for detecting malware using memory map

Legal Events

Date Code Title Description
A201 Request for examination
E902 Notification of reason for refusal
AMND Amendment
E601 Decision to refuse application
AMND Amendment