KR20130028257A - Device, method and computer readable recording medium for providing information to detect unknown malware - Google Patents
- Publication number: KR20130028257A (application KR1020110091672A)
- Authority: KR (South Korea)
- Prior art keywords: malware, information, network, malware detection, client terminal
Classifications
- G06F11/3003—Monitoring arrangements specially adapted to the computing system or computing system component being monitored
- G06F11/302—Monitoring arrangements specially adapted to the computing system or computing system component being monitored where the computing system component is a software system
- G06F21/31—User authentication
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
Description
The present invention relates to an apparatus, a method, and a computer-readable recording medium for providing information for detecting unknown malware, and more particularly to an apparatus, method, and recording medium that collect network connection information about detected malware and provide that information so that unknown malware can be detected.
In general, the Internet is an open network configured so that anyone, anywhere in the world, can freely connect to a remote computer using the common protocol TCP/IP. Beyond transmitting basic character information, it has developed compression technology and delivers various services such as e-mail, file transfer, and the World Wide Web (WWW).
As the use of the Internet has rapidly increased in Korea and worldwide, its importance as a strategic tool for improving efficiency and productivity throughout existing industries has also grown rapidly. As a result, new business opportunities through the Internet have been continuously created, and the number of Internet service providers is also increasing.
On the other hand, one factor that hinders the communication environment of the Internet is attacks that use a malicious program against a specific target computer connected to the Internet in order to obtain desired information.
A malicious program is code written for a malicious purpose. It is also called malware or malicious code, and it includes viruses, worms, Trojan horses, and the like.
Spyware, similar to malicious programs, is software that infiltrates another person's computer and extracts important personal information. In recent years it has been developed to find out user names, IP addresses, favorite URLs, personal IDs, and passwords, and it is becoming a problem because of the many ways it can be used maliciously. The main symptoms caused by such malicious programs are network traffic, system performance degradation, file deletion, e-mail sending, personal information leakage, remote control, and so on. In addition, most malicious programs apply various anti-analysis techniques so that their intention and behavior cannot be easily discerned even when they are analyzed by security experts.
Referring to FIG. 1, a typical malware detection procedure scans for malware based on signatures (S101) and, when malware is detected (S102), performs the corresponding malware response process (S103).
The signature-based malware diagnosis method collects virus samples and diagnoses from them. In other words, when a new computer virus appears, antivirus vendors must collect samples, work out how to diagnose and treat them, and add the result to the antivirus database. This method is referred to as a reactive method, and the distinguishing mark of the virus is referred to as a 'signature'.
As described above, the conventional malicious program detection method generates a signature through expert analysis of previously discovered malicious programs and detects the same program when it is used again on the basis of that signature. Because most detected malicious programs are very similar to variants of a malicious program, variants that do not have exactly the same signature cannot be detected, and unknown malicious programs cannot be detected and handled immediately.
As a technique for detecting such malicious programs or malicious sites, Korean Patent Registration No. 10-1044274, entitled "A malicious site detection apparatus, a method and a recording medium on which a computer program is recorded" (AhnLab), determines whether the current site is a dangerous site, or whether a process currently running on the computer is abnormal, by checking whether a certificate is included in the process when a program downloaded from the site is executed and whether the stack structure is normal.
However, the symptoms and spreading methods of malicious programs are gradually becoming more complex and intelligent, and such conventional antivirus programs are limited in that they cannot diagnose and treat the various malicious programs.
An object of the present invention is to provide an apparatus and method for providing information for detecting unknown malware, which collect network access information for detected malware to construct a network pattern database and apply it to new malware detection, so that even unknown malware can be detected using network access information.
Another object of the present invention is to provide an apparatus and method for providing information for detecting unknown malware that is not detected by signature-based malware scanning, by using the network access information of previously detected malware.
A further object of the present invention is to provide an apparatus and method for providing information for detecting unknown malware, which collect network connection information and DNS cache information for the malware detected by a plurality of client terminals, configure a malware network pattern database from it, and update the database of each client terminal so that unknown malware can be detected using network connection information.
In order to achieve the above-described object of the present invention and to achieve the specific effects of the present invention described below, the characteristic structure of the present invention is as follows.
According to an aspect of the present invention, an apparatus for providing information for detecting unknown malware comprises: a receiver configured to receive a malware detection information log, generated upon detection of identified malware, from at least one client terminal on which a malware detection application operates; an updater configured to update a network pattern database holding network pattern information for detecting unknown malware based on the received malware detection information log; and a transmission unit configured to transmit the updated network pattern database to at least one client terminal operating the malware detection application, wherein the malware detection application determines infection by unknown malware based on the transmitted network pattern database.
According to another aspect of the present invention, in a method for providing information for detecting unknown malware, the steps performed by the server comprise: receiving a malware detection information log, generated upon detection of identified malware, from at least one client terminal running a malware detection application; updating a network pattern database holding network pattern information for detecting unknown malware based on the received malware detection information log; and transmitting the updated network pattern database to at least one client terminal operating the malware detection application, wherein the malware detection application determines infection by unknown malware based on the transmitted network pattern database.
According to another aspect of the present invention, in a method for detecting unknown malware, the steps performed at the client terminal comprise: a network information extraction step of extracting the network connection information of each process executed at the client terminal; a network scanning step of searching whether the extracted network connection information matches information stored in a network pattern database; and an infection determination step of determining, when matching information is found as a result of the network scanning step, that the process having the extracted network connection information is infected with unknown malware, wherein the network pattern database includes at least a part of the network connection information of previously detected, identified malware.
The method for providing information for detecting unknown malware may be stored as a program on a recording medium readable by a server computer. Such recording media include all kinds of media on which programs and data are stored so that they can be read by a computer system, for example Read Only Memory (ROM), Random Access Memory (RAM), Compact Disk (CD), Digital Video Disk (DVD)-ROM, magnetic tape, floppy disk, optical data storage, and the like, and also implementations in the form of transmission over the Internet. These recording media can also be distributed over network-coupled computer systems so that the computer-readable code is stored and executed in a distributed fashion.
As described above, according to the present invention, by collecting network connection information about previously detected malware and applying it to new malware detection, detection can be performed even for unknown malware.
In addition, according to the present invention, unidentified malware that is not detected by various malware detection methods such as signature-based malware scanning can be detected by using the network connection information of previously detected malware.
Also, according to the present invention, network access information and DNS cache information about the malware detected by the plurality of client terminals are collected and distributed in periodic or aperiodic updates, so that even malware that is not detected by various malware detection methods such as signature-based scanning can be detected.
FIG. 1 is a flowchart illustrating a general malware detection procedure.
FIGS. 2 to 4 are diagrams illustrating the concept of unknown malware detection using a network according to various embodiments of the present disclosure.
FIG. 5 is a diagram showing the configuration of a system according to the present invention.
FIG. 6 is a block diagram showing the detailed structure of the functions performed by a malware detection application according to an embodiment of the present invention.
FIG. 7 is a flowchart illustrating a malware detection procedure in a client terminal according to an embodiment of the present invention.
FIG. 8 is a flowchart illustrating a malware network pattern database update procedure in a server according to an embodiment of the present invention.
DETAILED DESCRIPTION The following detailed description of the invention refers to the accompanying drawings, which show, by way of illustration, specific embodiments in which the invention may be practiced. These embodiments are described in sufficient detail to enable those skilled in the art to practice the invention. It should be understood that the various embodiments of the present invention are different but need not be mutually exclusive. For example, certain features, structures, and characteristics described herein in connection with one embodiment may be implemented in other embodiments without departing from the spirit and scope of the invention. It is also to be understood that the position or arrangement of the individual components within each disclosed embodiment may be varied without departing from the spirit and scope of the invention. Accordingly, the following detailed description is not to be taken in a limiting sense, and the scope of the present invention is defined only by the appended claims, along with the full range of equivalents to which such claims are entitled. In the drawings, like reference numerals refer to the same or similar functions throughout the several views.
The present invention collects network access information about detected malware to construct a network pattern database and applies it to new malware detection. It thereby proposes an apparatus and method for detecting malware using network access information, capable of detecting even unknown malware that is not detected by general malware detection methods.
The embodiment of the present invention described below uses a signature-based malware detection method as an example of a malware detection method. However, the present invention can be applied to any other malware detection method as well. That is, the present invention collects network connection information about malware detected by various methods, such as signature-based detection and detection by heuristic analysis, and applies it to new malware detection, so that malware not detected by the general detection methods can be detected.
In more detail, the present invention cross-analyzes DNS (domain name server) cache information extracted from the operating system with the Internet Protocol (IP) address, port number, and the like of each connection, and uses the resulting network connection information, including domain name information, for malware detection. The network connection information of malware detected by various methods is therefore collected and processed as described below and used as the malware network pattern database of the detection technique. The malware network pattern database is updated periodically or aperiodically.
In the specification of the present invention, the term 'malware (malicious software)' refers to software intended to perform malicious activities, such as destroying the system or leaking information, against the user's intention and interest; 'malicious software' is commonly shortened to 'malware'. Malware is a broader concept that includes viruses, which are characterized by self-replication and file infection. Many so-called non-viral malware are as destructive and dangerous as viruses: Trojan horses and keystroke loggers are non-virus malware, as are remote administration programs and various spyware. Although there are no reports of mass dissemination or serious public damage from them, the potential for major incidents is high. In other words, the malware referred to in the present invention is a generic name for executable code written for malicious purposes and is a broad concept including malicious programs, malicious code, and the like. Malware takes various forms and may be classified into viruses, worms, Trojan horses, and the like, depending on its self-replicating ability and the presence or absence of an infection target. Spyware, similar to malicious programs, is software that infiltrates another person's computer and extracts important personal information; in recent years it has been developed to find out user names, IP addresses, favorite URLs, personal IDs, and passwords, and it is becoming a problem because of the many ways it can be used maliciously. Thus, the present invention can be applied to the detection and diagnosis of code written for any malicious purpose, including such spyware, adware, tracking code, and the like.
In the specification of the present invention, the term 'network connection information' should be interpreted broadly to include all information related to the object to which a process, executed as part of running a program, connects through the network. Examples of network connection information include, but are not limited to, the domain name information, IP address, and access port number of the connection target; it is obvious to a person having ordinary skill in the art that any information related to the network connection of a process may be included in the network connection information of the present invention.
Hereinafter, preferred embodiments of the present invention will be described in detail with reference to the accompanying drawings, so that those skilled in the art can easily carry out the present invention.
Concept of malware detection
First, the concept of unknown malware detection using a network according to the present invention will be described with reference to FIGS. 2 to 4.
Referring to FIG. 2 for the malware detection concept according to an embodiment of the present invention, various application programs are executed in the client terminal, and at least one process runs for each executed application program. As shown in FIG. 2, process 1 communicates with the server 'www.google.com' at Internet Protocol (IP) address and port number '8.8.8.8:80', process 3 communicates with the server 'www.naver.com' at IP address and port number '66.3.4.1:80', and process 4 communicates with the server 'hack1.liOs.org'.
In this case, the various virus diagnosis programs installed in the client terminal detect, through a real-time monitoring function, whether malware is being executed by each process. For example, the malware detection unit of a virus diagnosis program operating in real time diagnoses whether each process is infected with malware; when the program uses a signature-based malware detection method, the malware signature information stored in a previously prepared malware signature database (malware signature DB) is used for the diagnosis. The present invention is not limited to the signature-based method and may be applied together with any other malware detection method.
If the malware detection unit determines that a process is infected with malware, the network access information (e.g., IP address and port number) of that process is extracted. The extraction can be implemented in various ways. For example, an application for obtaining network connection information runs at user level, and a hooking driver that hooks a function of the TCP/IP driver at kernel level is loaded, so that the application obtains the network connection information by calling a network information acquisition function. When the client terminal runs a Windows OS, the function used to obtain network access information may be 'GetTcpTable' or 'GetExtendedTcpTable'. 'GetTcpTable' returns the local/remote IP address and port of each network session, and 'GetExtendedTcpTable' additionally returns the ID of the process owning each session. Alternatively, a custom function may be written to extract the network connection information of a process without using the functions supplied by the OS.
In FIG. 2, because process 4, which connects to the server 'hack1.liOs.org', is diagnosed by the malware detection unit as malware or as infected with malware, the network access information of process 4, '10.11.22.33:8080', is extracted as network connection information.
The network connection information thus extracted is transmitted to an information providing server (for example, the server with the address 'log.malware.com' in FIGS. 2 to 4), which updates the network pattern database based on the information collected from each client terminal.
FIG. 3 illustrates the malware detection concept according to another embodiment of the present invention. When the network access information of detected malware is extracted as described for FIG. 2, the DNS (domain name server) cache information of the client terminal's operating system (OS) is additionally extracted. The DNS cache stores the domain name and IP address of each server the client terminal has connected to. For example, as shown in FIG. 3, 'www.google.com' is mapped to the IP address '8.8.8.8', 'www.naver.com' to '66.3.4.1', and 'hack1.liOs.org' to '10.11.22.33'. Therefore, at least part of the network access information '10.11.22.33:8080' of the process detected as malware, for example the IP address, is intersected with the extracted DNS cache information to obtain the corresponding domain name 'hack1.liOs.org', and one or more items of the network connection information obtained by this intersection are transmitted to a server (for example, the information providing server 'log.malware.com'). Since the IP address of the server the malware communicates with can change while the domain name stays the same, it is preferable to transmit, in addition to the IP address and port number, the domain name of the server reached at that IP address.
A new malware detection technique using the network access information collected according to an embodiment of the present invention is described with reference to FIG. 4. As described for FIGS. 2 and 3, the network connection information collected from each client terminal is provided back to the client terminals by the information providing server periodically, aperiodically, or at the request of each client terminal. Each client terminal therefore receives the updated malware network access information from the information providing server and processes it into a network pattern database for detection; that is, the network connection information of detected malware is added to the network pattern database as network pattern information. As described above, the network access information may include domain name information, an IP address, and a port number. Since the IP address of the server the malware communicates with may change while the domain name stays the same, the network pattern information may be configured to hold a plurality of IP addresses under one domain name.
Accordingly, the malware detection unit detects malware by a basic malware detection function (e.g., signature-based malware scanning) and, according to an embodiment of the present invention, also compares the network access information of each process against the IP addresses and/or domain names in the network pattern information stored in the network pattern database. If a process matches network pattern information stored in the database, that process is determined to be malware or infected with malware even if the basic malware detection function did not detect it. In this way, new malware that is not detected by the conventional malware detection method can be detected by the method according to the embodiment of the present invention.
In addition, malware newly detected by the method according to an embodiment of the present invention may have its signature analyzed and added to the malware signature database.
Hereinafter, a system and apparatus according to an embodiment of the present invention will be described with reference to FIGS. 5 and 6.
Overall system configuration
FIG. 5 is a diagram showing the configuration of a system according to the present invention. Referring to FIG. 5, a system according to the present invention includes an
First, the
The
The
The
On the other hand, the
In this case, according to the present invention, when a process infected with malware is detected as a result of malware detection of each process, the
The
The
Malware detection application functions
FIG. 6 is a block diagram illustrating the detailed structure of the functions performed by a malware detection application according to an embodiment of the present invention, which may be installed and operated in the
The
On the other hand, when malware is detected by the
On the other hand, when the DNS
On the other hand, if malware is not detected by the basic malware detection method in the
The
Meanwhile, according to an exemplary embodiment of the present invention, the
The update of the
In response to the request, the
Hereinafter, a procedure performed in the client terminal and the information providing server will be described in detail with reference to FIGS. 7 and 8.
Malware detection procedure
FIG. 7 is a flowchart illustrating a malware detection procedure in a client terminal according to an embodiment of the present invention. Referring to FIG. 7, the client terminal detects malware by various methods through the installed applications. For example, signature-based malware scanning (S701) detects whether each process is infected with malware. When malware is detected by the scan (S702), according to an embodiment of the present invention the network access information of the process detected as malware is extracted (S703). Domain name information whose cached IP address matches an IP address in the extracted network access information may additionally be extracted from the DNS cache information of the OS (S704). Based on the extracted network access information (with or without domain name information), a malware detection information log is generated and transmitted to the information providing server (S705).
The detected malware is also handled according to the configured malware response process (S706), for example a malware detection notification, deletion or modification of the process, or recording log information in quarantine.
In FIG. 7, the malware response process of step S706 is performed after the network connection information extraction and transmission of steps S703 to S705, but the present invention is not limited thereto. The malware response process of step S706 may be performed before steps S703 to S705, or the procedures may be performed simultaneously. In addition, step S704 may or may not be performed, so domain name information may be absent from the extracted network access information.
If no malware is detected by the scan (S702), then according to an embodiment of the present invention, in order to detect unknown malware, the network access information of each process is extracted (S707), and domain name information matching an IP address in the extracted network access information may additionally be extracted from the DNS cache information of the OS (S708). Next, the extracted network access information is searched for entries matching the network pattern information stored in the malware network pattern database; that is, the network pattern database is scanned (S709). If matching information is found, the corresponding process is detected as infected with unknown malware (S710), and the infected process is handled according to the malware response process (S706).
In FIG. 7, steps S707 to S710 for detecting unknown malware are performed when no malware is detected in step S702, but the present invention is not limited thereto. Steps S707 to S710 may be performed in parallel with steps S703 to S706 regardless of the result of step S702, or may be performed additionally only when malware is detected.
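The client-side procedure of FIG. 7, together with the FIG. 2 to FIG. 4 concept it implements (per-process connection extraction, intersection with the OS DNS cache, the detection log sent in S705, and the network pattern scan of S709/S710), as an added Python example. This is illustration code written for this page, not the patent's or any vendor's implementation: the TCP-table snapshot standing in for GetExtendedTcpTable output, the DNS cache and the pattern database are constructed values (the hosts and addresses mirror the figures), and the {"domains": {name: set(ips)}, "ips": set()} database layout is an assumption chosen so one domain name can carry several IP addresses, as the text requires.

```python
"""Client-side part of the described procedure: extract per-process network
connection information (S703/S707), intersect it with the OS DNS cache to
recover domain names (S704/S708), build the detection log for the server
(S705) and scan the network pattern database (S709/S710).

Example code added for this page; not the patent's own implementation.
The connection snapshot, DNS cache and pattern database are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class TcpConnection:
    """One row of a TCP table (what GetExtendedTcpTable returns on Windows)."""
    pid: int
    process_name: str
    remote_ip: str
    remote_port: int


# Constructed snapshot standing in for the OS TCP table; mirrors FIG. 2.
CONNECTIONS = [
    TcpConnection(1, "browser.exe", "8.8.8.8", 80),
    TcpConnection(3, "portal.exe", "66.3.4.1", 80),
    TcpConnection(4, "unknown4.exe", "10.11.22.33", 8080),
    TcpConnection(9, "unknown9.exe", "10.11.22.34", 8080),  # same server, new IP
]

# Constructed OS DNS cache (domain name -> IP address); mirrors FIG. 3.
DNS_CACHE = {
    "www.google.com": "8.8.8.8",
    "www.naver.com": "66.3.4.1",
    "hack1.liOs.org": "10.11.22.33",
}

# Constructed network pattern database as distributed by the server (FIG. 4):
# one domain name may carry several IP addresses; IPs seen without a domain
# name are kept separately. Layout is an assumption of this example.
PATTERN_DB = {
    "domains": {"hack1.liOs.org": {"10.11.22.33", "10.11.22.34"}},
    "ips": {"203.0.113.7"},
}


def extract_network_info(pid, connections, dns_cache):
    """S703/S707 plus S704/S708: connection info of one process, each entry
    carrying the domain names whose cached IP equals the remote IP."""
    ip_to_domains = {}
    for domain, ip in dns_cache.items():
        ip_to_domains.setdefault(ip, []).append(domain)
    return [
        {"ip": c.remote_ip, "port": c.remote_port,
         "domains": sorted(ip_to_domains.get(c.remote_ip, []))}
        for c in connections if c.pid == pid
    ]


def scan_network_pattern_db(conn_info, pattern_db):
    """S709: return a description of the first matching pattern, or None."""
    for entry in conn_info:
        for domain in entry["domains"]:
            if domain in pattern_db["domains"]:
                return "domain:" + domain
        for domain, ips in pattern_db["domains"].items():
            if entry["ip"] in ips:      # IP known under a domain; no DNS entry needed
                return "ip:%s under %s" % (entry["ip"], domain)
        if entry["ip"] in pattern_db["ips"]:
            return "ip:" + entry["ip"]
    return None


def run_client_procedure(connections, dns_cache, pattern_db, signature_hits):
    """FIG. 7 as a whole. `signature_hits` is the set of PIDs the basic
    signature scan (S701/S702) flagged. Returns (detection logs for S705,
    PIDs detected as unknown malware in S710)."""
    logs, unknown = [], []
    for pid in sorted({c.pid for c in connections}):
        info = extract_network_info(pid, connections, dns_cache)
        if pid in signature_hits:
            logs.append({"pid": pid, "network": info})        # S703-S705
        elif scan_network_pattern_db(info, pattern_db):       # S707-S709
            unknown.append(pid)                                # S710
    return logs, unknown


if __name__ == "__main__":
    logs, unknown = run_client_procedure(CONNECTIONS, DNS_CACHE, PATTERN_DB, {4})
    print("detection logs to server:", logs)
    print("processes detected via network pattern DB:", unknown)
```

Process 4 is the signature hit from FIG. 2, so its connection is logged with the domain name recovered from the DNS cache; process 9 has no signature match and no DNS entry, yet is still caught because its remote IP is one of several addresses recorded under the same domain name, which is the case the text gives for storing multiple IPs per domain.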
FIG. 8 is a flowchart illustrating a procedure for updating the malware network pattern database in the server according to an embodiment of the present invention. Referring to FIG. 8, the information providing server receives a malware detection information log from each client terminal (S801). The received malware detection information log includes the network connection information of each process in which infection by identified malware was detected, as described above. The information providing server extracts the network connection information about the malware from the collected malware detection information logs (S802) and updates the network pattern database (S803). As an example, if the extracted network connection information includes domain name information, the information providing server checks whether network pattern information with that domain name already exists in the network pattern database; if not, it updates the network pattern database with the extracted network connection information as new network pattern information. If it does exist, the server further checks whether the IP address in the extracted network connection information is already included in the corresponding network pattern information, and if not, adds the IP address to that network pattern information. Further, even if the extracted network connection information contains no domain name information, the network pattern database can be updated with the IP address alone as new network pattern information. However, since the above is only an example, the network pattern database may also be updated regardless of whether matching network pattern information is already stored in it.
The information providing server then transmits the updated network pattern database to the client terminals periodically, aperiodically (for example, every time the pattern database is updated), or in response to an information request from a client terminal (S804, S805). In this case, only the newly updated portion may be transmitted rather than the entire network pattern database.
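The update procedure of FIG. 8 (S801 to S803) and the client-side network scanning that later consumes the pattern database, as an added illustration that is not code from the patent; the log format, the `NetworkPatternDB` layout and the sample entries are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed sample log entries (S801): "client;pid;domain;ip", domain may be empty.
SAMPLE_LOGS = [
    "client-a;4120;bad-example.invalid;198.51.100.7",
    "client-b;881;bad-example.invalid;198.51.100.9",   # known domain, new IP
    "client-b;882;;203.0.113.5",                        # no domain name in the log
    "client-a;4121;bad-example.invalid;198.51.100.7",  # already stored: no change
]

@dataclass
class NetworkPatternDB:
    by_domain: dict = field(default_factory=dict)   # domain -> set of IP addresses
    ip_only: set = field(default_factory=set)       # patterns that carry only an IP

    def update(self, domain, ip):
        """S803: add a new pattern or extend an existing one; True if anything changed."""
        if domain:
            ips = self.by_domain.setdefault(domain, set())  # new pattern when absent
        else:
            ips = self.ip_only
        changed = ip not in ips
        ips.add(ip)
        return changed

    def matches(self, domain, ip):
        """Network scanning: a domain hit or an IP hit counts as a match."""
        if domain in self.by_domain:
            return True
        return ip in self.ip_only or any(ip in s for s in self.by_domain.values())

def update_from_logs(db, logs):
    """S802-S803: extract (domain, ip) from each log line; return the number of new patterns."""
    new = 0
    for line in logs:
        _client, _pid, domain, ip = line.split(";")
        new += db.update(domain or None, ip)
    return new

def scan_processes(db, connections, dns_cache):
    """Client side: map each process's IP to a domain via the DNS cache, then match."""
    ip_to_domain = {cached_ip: name for name, cached_ip in dns_cache}
    return {pid for pid, ip in connections if db.matches(ip_to_domain.get(ip), ip)}

def build_sample_db():
    db = NetworkPatternDB()
    return db, update_from_logs(db, SAMPLE_LOGS)
```

A process that connects to a new IP of a domain already in the database is still flagged, because the DNS cache lookup supplies the domain name for the match.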
As described above, in addition to malware detection by the various basic malware detection methods, an embodiment of the present invention makes it possible to detect even malware that is not registered in the malware signature database, through additional malware detection based on network connection information.
Embodiments according to the present invention may be implemented in the form of program instructions that can be executed by various computer means and recorded on a computer-readable medium. The computer-readable medium may include program instructions, data files, data structures, and the like, alone or in combination. The program instructions recorded on the medium may be those specially designed and constructed for the present invention or those known and available to those skilled in the art of computer software. Examples of the computer-readable recording medium include magnetic media such as hard disks, floppy disks, and magnetic tape; optical media such as CD-ROM and DVD; magneto-optical media; and hardware devices specifically configured to store and execute program instructions, such as ROM, RAM, and flash memory. Examples of program instructions include not only machine code generated by a compiler but also high-level language code that can be executed by a computer using an interpreter or the like. The hardware devices described above may be configured to operate as one or more software modules to perform the operations of the present invention, and vice versa.
Although the present invention has been described above with reference to specific embodiments, including specific components, limited embodiments, and drawings, these are provided to aid a more general understanding of the present invention, and the present invention is not limited to the above embodiments. Those skilled in the art may make various modifications and variations from these descriptions.
Accordingly, the spirit of the present invention should not be construed as being limited to the embodiments described; the following claims, as well as all equivalents of or equivalent modifications to those claims, belong to the scope of the present invention.
500: information providing server 510: web service server
520: network 530: malware server
540: client terminal 600: malware detection application
601: malware detection unit 602: malware processing unit
603: network scanning unit 604: network information extraction unit
605: DNS cache extractor 606: detection information log generator
607: transfer processing unit 608: pattern update unit
609: reception processing unit 611: malware signature database
612: network pattern database
Claims (18)
A receiver configured to receive a malware detection information log, generated upon detection of identified malware, from at least one client terminal on which the malware detection application operates;
An update unit for updating a network pattern database holding network pattern information on the identified malware, based on the received malware detection information log; and
A transmitter configured to transmit the updated network pattern database to at least one client terminal on which the malware detection application operates.
And the malware detection application determines infection by unidentified malware based on the transmitted network pattern database.
The apparatus further includes a providing unit for providing the malware detection application to the client terminal.
The updated network pattern database is transmitted periodically, aperiodically, or at the request of the client terminal.
The malware infection determination of the malware detection application comprises:
A network information extraction function for extracting network connection information of each process executed in the client terminal on which the malware detection application operates;
A network scanning function for searching whether network pattern information matching the extracted network connection information exists in the network pattern database; and
An infection determination function which, if matching network pattern information is found by the network scanning function, determines that the process having the matching network connection information is infected with the unidentified malware.
The network pattern information includes at least one of domain name information and an Internet Protocol (IP) address.
The domain name information is the domain name that, in the domain name server (DNS) cache information of the client terminal, is mapped to the same IP address as the IP address in the extracted network connection information of each process.
A malware detection function that detects, for each process executed in the client terminal on which the malware detection application operates, whether the process is infected with identified malware;
Checking the result of the malware detection function and, if there is a process in which malware infection is detected, extracting second network connection information of the detected process; and
A malware detection information log generation function that generates the malware detection information log based on the extracted second network connection information.
The malware detection information log comprises at least one of domain name information and an Internet Protocol (IP) address.
A malware processing function for performing malware processing on the process determined, as a result of the infection determination function, to be infected with the unidentified malware.
Receiving a malware detection information log, generated upon detection of identified malware, from at least one client terminal on which the malware detection application operates;
Updating a network pattern database holding network pattern information on the identified malware, based on the received malware detection information log; and
Transmitting the updated network pattern database to at least one client terminal on which the malware detection application operates.
And the malware detection application determines infection by unidentified malware based on the transmitted network pattern database.
And, prior to receiving the malware detection information log, providing the malware detection application to the client terminal.
The updated network pattern database is transmitted periodically, aperiodically, or at the request of the client terminal.
The malware infection determination of the malware detection application comprises:
A network information extraction step of extracting network connection information of each process executed in the client terminal on which the malware detection application operates;
A network scanning step of searching whether network pattern information matching the extracted network connection information exists in the network pattern database; and
An infection determination step of, if matching network pattern information is found as a result of the network scanning step, determining that the process having the matching network connection information is infected with the unidentified malware.
The network pattern information includes at least one of domain name information and an Internet Protocol (IP) address.
The domain name information is the domain name that, in the domain name server (DNS) cache information of the client terminal, is mapped to the same IP address as the IP address in the extracted network connection information of each process.
A malware detection step of detecting, for each process executed in the client terminal on which the malware detection application operates, whether the process is infected with identified malware;
Checking the result of the malware detection step and, if there is a process in which malware infection is detected, extracting second network connection information of the detected process; and
A malware detection information log generation step of generating the malware detection information log based on the extracted second network connection information.
The malware detection information log includes at least one of domain name information and an Internet Protocol (IP) address.
And performing malware processing on the process determined, as a result of the infection determination step, to be infected with the unidentified malware.
A network information extraction step of extracting network connection information of each process executed in the client terminal;
A network scanning step of searching whether information matching the extracted network connection information is stored in a network pattern database; and
An infection determination step of, if matching information is found as a result of the network scanning step, determining that the process having the extracted network connection information is infected with unidentified malware,
And the network pattern database includes at least part of the network connection information of the detected identified malware.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR1020110091672A KR20130028257A (en) | 2011-09-09 | 2011-09-09 | Device, method and computer readable recording medium for providing information to detect unknown malware |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR1020110091672A KR20130028257A (en) | 2011-09-09 | 2011-09-09 | Device, method and computer readable recording medium for providing information to detect unknown malware |
Publications (1)
Publication Number | Publication Date |
---|---|
KR20130028257A true KR20130028257A (en) | 2013-03-19 |
Family
ID=48178815
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
KR1020110091672A KR20130028257A (en) | 2011-09-09 | 2011-09-09 | Device, method and computer readable recording medium for providing information to detect unknown malware |
Country Status (1)
Country | Link |
---|---|
KR (1) | KR20130028257A (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR20160016816A (en) * | 2013-05-31 | 2016-02-15 | Microsoft Technology Licensing, LLC | Protecting anti-malware processes |
US11636205B2 (en) | 2020-03-20 | 2023-04-25 | Line Corporation | Method and system for detecting malware using memory map |
2011-09-09: KR KR1020110091672A patent/KR20130028257A/en active Search and Examination
Similar Documents
Publication | Title |
---|---|
US10389740B2 (en) | Detecting a malicious file infection via sandboxing |
US8683585B1 (en) | Using file reputations to identify malicious file sources in real time |
KR101377014B1 (en) | System and Method of Malware Diagnosis Mechanism Based on Immune Database |
JP5897132B2 (en) | Dynamic malware removal using cloud technology |
KR101291782B1 (en) | Webshell detection and corresponding system |
CN107251037B (en) | Blacklist generation device, blacklist generation system, blacklist generation method, and recording medium |
JP5961183B2 (en) | How to detect malicious software using contextual probabilities, generic signatures, and machine learning methods |
CN107612924B (en) | Attacker positioning method and device based on wireless network intrusion |
JP2019082989A (en) | Systems and methods of cloud detection, investigation and elimination of targeted attacks |
CN111460445B (en) | Sample program malicious degree automatic identification method and device |
RU2726032C2 (en) | Systems and methods for detecting malicious programs with a domain generation algorithm (dga) |
CN105491053A (en) | Web malicious code detection method and system |
CN110730175A (en) | Botnet detection method and detection system based on threat information |
CN111786966A (en) | Method and device for browsing webpage |
CN107465702B (en) | Early warning method and device based on wireless network intrusion |
JP6341964B2 (en) | System and method for detecting malicious computer systems |
CN107566401B (en) | Protection method and device for virtualized environment |
US10601867B2 (en) | Attack content analysis program, attack content analysis method, and attack content analysis apparatus |
CN110135153A (en) | The credible detection method and device of software |
CN107231364B (en) | Website vulnerability detection method and device, computer device and storage medium |
Sasikumar | Network intrusion detection and deduce system |
JPWO2018143097A1 (en) | Judgment apparatus, judgment method, and judgment program |
KR20130116418A (en) | Apparatus, method and computer readable recording medium for analyzing a reputation of an internet protocol |
KR100959274B1 (en) | A system for early preventing proliferation of malicious codes using a network monitering information and the method thereof |
KR20130028257A (en) | Device, method and computer readable recording medium for providing information to detect unknown malware |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| A201 | Request for examination | |
| E902 | Notification of reason for refusal | |
| AMND | Amendment | |
| E601 | Decision to refuse application | |
| AMND | Amendment | |