KR20130080831A - System, method and computer readable recording medium for detecting malicious message - Google Patents

Abstract

PURPOSE: Malicious message detection system, method thereof and computer-readable recording medium are provided to exactly judge whether a message is malicious although the message is a new patterned message not existing in previously detected patterns and to warn a user. CONSTITUTION: A message reception unit (110) is installed in a user terminal and is executed. The message reception unit judges whether a link is included in a message transmitted to the user terminal. A link extraction unit (130) extracts a link corresponding to a final destination from the link. A judgment unit (140) judges whether the received message is malicious based on the link corresponding to the final destination. [Reference numerals] (110) Message reception unit; (120) Pattern matching unit; (130) Link extraction unit; (140) Judgment unit; (150) Malignant app detection unit; (160) Alarm unit

Description

SYSTEM, METHOD AND COMPUTER READABLE RECORDING MEDIUM FOR DETECTING MALICIOUS MESSAGE}

The present invention relates to a malicious message detection system and the like, and more particularly, to detect whether a message sent to a user terminal is a malicious message including a phishing function for illegally obtaining personal information, and the like. A malicious message detection system, method, and computer readable recording medium for alerting a user when detected as an invalid message.

Today, the widespread use of the Internet has led to the rapid development of wireless mobile communication technology beyond the fixed line, and in the real world, information retrieval on the Internet through portable terminals such as mobile phones, PDAs, and hand- It became possible regardless of time and place.

On the other hand, as the performance of recently launched smartphones has improved, users are moving a lot from general mobile phones to smart phones. A smart phone is an intelligent mobile phone that adds computer support to a mobile phone. It is faithful to the mobile phone function, but adds a personal digital assistant (PDA) function, Internet function, and video playback function. Etc. are provided to provide a more convenient interface. In addition, with the support of wireless Internet function, it is connected to internet and computer, and also functions as a terminal such as e-mail, web browsing, fax, banking, and game. On the other hand, smart phones have a standard operating system (OS) or a dedicated operating system to accommodate various functions.

As such, various functions can be implemented through various mobile terminals such as a smart phone, and various application program files driven in the mobile terminal are being developed.

Such application files installed on and running on the smartphone are usually called 'apps.' They are downloaded and installed on smart phones through paid applications or various free applications. Accordingly, a user can access a specific application market on a smart phone, search for a desired application, select the application, download and install the application.

Meanwhile, as the wireless mobile communication market using smart phones and the like expands, conventional phishing techniques have also been extended using SMS (Short Message Service), which is called smishing. Smishing is a combination of SMS and phishing that sends a text message that includes a link to install a specific app on a user's device, such as a smartphone, and when the user of the device clicks the link, This is a fraud that automatically downloads and installs and then steals user's personal information to induce micropayments.

Smishing has become a major social problem in that it causes financial damages to users by randomly taking personal information such as financial information of users. Accordingly, various schemes have been devised for detecting whether there is a possibility of smishing through the transmitted text message, i.e. it is a malicious message.

As one of such malicious message detection technology, Korean Patent Registration No. 10-1060122 "Spam message processing method and apparatus (Gran Jigyo Soft)" (Document 1) sends a spam message that sends a message to several people in the same manner. To determine whether or not spam is received for a received message using the characteristics of the same message (for example, when a number of messages having the same calling number, message content, attachment or URL address, etc. are identified within a predetermined time) and processing the spam message accordingly. This is disclosed.

However, the above-mentioned spam message processing method includes a problem that a spam recognition server for receiving a message from a plurality of terminal users and determining whether the message is a spam message includes a problem, and a spam recognition server for determining whether the message is a spam message. Message reception depends on the user's spam query, so if a message is not received enough spam can not be judged, and it takes a considerable amount of time to receive a sufficient amount of messages, so that the user is very aware of spam Very difficult to implement, such as difficult. In addition, according to the method described above, even if the normal notification message sent to a plurality of users is the same in the same calling number and message content, the method described above is likely to be mistaken as a spam message, that is, a high false positive rate. It also exists.

Therefore, after pattern matching is applied to a text message that has already been determined to be malicious, it is determined whether the message is a malicious message or is formally determined depending on whether the contents or calling number are the same after receiving a message from a plurality of terminal users. By actually detecting whether a specific app can be downloaded in a sent text message, including an active link, and whether the app contained in the link is more likely to be a malicious app Even if a new message does not exist in the existing pattern, there is a need for a method of accurately determining whether or not malicious and warning the user.

[Patent Document 1] Korean Patent Registration No. 10-1060122 Spam Message Processing Method and Apparatus (Jianjigyo Software Co., Ltd.) 2011.08.23

SUMMARY OF THE INVENTION An object of the present invention relates to a malicious message detection system, method and computer readable recording medium capable of accurately determining whether a message is a malicious message and warning a user even if a message of a new pattern that is not present in a previously detected pattern is detected. will be.

Another object of the present invention is to detect a malicious message that can detect whether a specific app downloaded through a link included in a message performs a malicious function such as phishing, and detects a malicious app and warns a user. A system, method and computer readable recording medium.

Another object of the present invention is to store the message and the related information, such as malicious messages connected to the link in a pattern that is determined to be malicious to detect the malicious message more quickly when the same message is sent later to alert the user. A malicious message detection system, method and computer readable recording medium are provided.

In order to achieve the above-described object of the present invention and to achieve the specific effects of the present invention described below, the characteristic structure of the present invention is as follows.

According to an aspect of the present invention, a malicious message detection system includes a distribution server for providing a detection application to a user terminal, wherein the detection application is installed and executed on the user terminal, and the message is transmitted to the user terminal. A message receiving unit determining whether a link is included, a link extracting unit extracting a link corresponding to a final destination from the link, and determining whether the received message is a malicious message based on a link corresponding to the final destination It includes a determination unit.

Preferably, the link extracting unit applies at least one of a first transformation scheme for extracting an entire link from a shortened link and a second transformation scheme for extracting a link corresponding to a final destination through redirection from the entire link. do.

Preferably, the first conversion scheme, by analyzing the reception of the second link included in the HTTP RESPONSE requesting an HTTP REQUEST to the destination from the shortened form of the first link and returned in response thereto, The entire link is extracted by repeatedly performing the second link as the first link until it is not a shortened link.

Preferably, the second conversion scheme extracts a fourth link redirected based on the source code of the web page corresponding to the third link, and replaces the fourth link with the third link until no redirect occurs. By repeating the process, the link corresponding to the final destination is extracted.

Preferably, the determining unit, the link corresponding to the final destination, the first condition corresponding to the link for downloading a predetermined application, the second condition currently operating, or a corresponding IP address occurs a lot of smishing It is determined whether the received message is a malicious message based on whether one or more of the third conditions assigned to the specific country correspond.

Preferably, the detection application further includes a malicious app detection unit for detecting whether the application downloaded through the specific link is a malicious app.

Preferably, the malicious app detection unit includes an order combination analysis unit that detects whether or not a malicious app based on whether the downloaded application matches a specific function and order combination included in the code combination data of the malicious app.

Preferably, the detection application further includes a notification unit for displaying one or more of the determination result of the determination unit or the detection result of the malicious app detection unit to the user.

According to another aspect of the present invention, a malicious message detection method comprising: a link determination step of determining whether a link is included in a received message by a message receiver, and a link extractor corresponding to a final destination from the link; And a link extracting step of extracting a link, and a determining unit, determining whether the received message is a malicious message based on the link corresponding to the final destination.

On the other hand, a program for performing a malicious message detection method may be stored in a computer-readable recording medium. Such a recording medium includes all kinds of recording media in which programs and data are stored so that they can be read by a computer system. Examples of the storage medium include a ROM (Read Only Memory), a RAM (Random Access Memory), a CD (Compact Disk), a DVD (Digital Video Disk) -ROM, a magnetic tape, a floppy disk, (For example, transmission over the Internet). Such a recording medium may also be distributed over a networked computer system so that computer readable code in a distributed manner can be stored and executed.

As described above, according to the present invention, even if a message of a new pattern that is not present in a previously detected pattern has an advantage of accurately determining whether it is a malicious message and warning the user.

In addition, according to the present invention, there is an advantage in that it is possible to detect whether a specific app downloaded through a link included in a message performs a malicious function such as phishing or not, and warn the user whether it is a malicious app.

In addition, according to the present invention by storing the relevant information, such as the message determined to be malicious and malicious apps connected by the link in a pattern it can detect the malicious message more quickly when the same message is sent later to alert the user There is an advantage.

FIG. 1 is a diagram illustrating an overall system structure for explaining an example of smishing that may occur through a malicious message.
2 is a diagram illustrating a malicious message detection system according to the present invention.
3 is a block diagram illustrating a detailed structure of detecting whether a message received at a user terminal is a malicious message according to an embodiment of the present invention.
Figure 4 is a block diagram showing the detailed structure of a malicious app detection unit according to an embodiment of the present invention.
5 is a flowchart illustrating a malicious message detection method according to an embodiment of the present invention.
6A and 6B are diagrams illustrating an application file structure and a decompile stage of an Android operating system.
7 is a diagram illustrating a result screen of decompiling an application of the Android operating system according to an exemplary embodiment of the present invention.
8 is a diagram illustrating a malicious message detection result according to various embodiments of the present disclosure.

DETAILED DESCRIPTION OF THE INVENTION The following detailed description of the invention refers to the accompanying drawings that show, by way of illustration, specific embodiments in which the invention may be practiced. These embodiments are described in sufficient detail to enable those skilled in the art to practice the invention. It should be understood that the various embodiments of the present invention are different, but need not be mutually exclusive. For example, certain features, structures, and characteristics described herein may be implemented in other embodiments without departing from the spirit and scope of the invention in connection with an embodiment. It is also to be understood that the position or arrangement of the individual components within each disclosed embodiment may be varied without departing from the spirit and scope of the invention. Accordingly, the following detailed description is not to be taken in a limiting sense, and the scope of the present invention is defined only by the appended claims, along with the full range of equivalents to which such claims are entitled. In the drawings, like reference numerals refer to the same or similar functions throughout the several views.

The present invention checks whether a message received by the user terminal includes a specific link, and if present, tracks the link to determine whether it is a download link of a specific app, whether the link currently works, and whether to download from the link. Malicious message detection systems, methods, and computer readable recording media capable of detecting whether a transmitted message is a malicious message and analyzing a malicious message by analyzing whether or not the capable app can function as a malicious app. It starts.

In the present invention, the term "malicious app" is downloaded to the user terminal to collect the user's personal information, any program having the function of using the other personal purposes, such as transfer to the other device over the network or smishing Or a broad concept, including a library.

In the present invention, the term "personal information" is a broad concept that includes all information obtained by a malicious app or obtained by using a user terminal. In the present invention, the term "personal information" may be used in financial transactions of a user such as a mobile phone payment in particular. Include all information. Examples of personal information that malicious apps can extract include your location information, IP (Internet Protocol) addresses, Media Access Control (MAC) addresses, your social security number / telephone number / email address, application information installed on your device, and May include, but is not limited to, cookie information stored while using a web browser, user name, phone numbers / email addresses stored on the device, call history, email / messages (SMS) actually sent and received, and contents of a messenger. .

On the other hand, the user terminal in the following description is provided with a memory means such as a mobile communication terminal, a notebook computer, a workstation, a palmtop computer, a personal digital assistant (PDA), a web pad, etc. As long as the digital device equipped with the mobility equipped with the computing power can be adopted as the user terminal according to the present invention, it preferably includes a smartphone.

Hereinafter, preferred embodiments of the present invention will be described in detail with reference to the accompanying drawings, so that those skilled in the art can easily carry out the present invention.

Full system to explain smishing

Prior to the description of the present invention, with reference to Fig. 1, a description will be given of an entire system for explaining general smishing. As shown in FIG. 1, when a malicious message including a link for downloading a malicious app is transmitted to the victim terminal 100b by manipulation of the terminal 100a of a malicious user (1), the victim terminal 100b is transmitted. The malicious app is installed from the malicious app server 1000 to the victim terminal 100b by the link selection (②). The malicious app installed in the victim terminal 100b leaks (③) various types of personal information of the victim to the terminal 100a of the malicious user without the victim knowing. Examples of the personal information leaked herein include, but are not limited to, a resident registration number, a telephone number, and a telecommunication company information of a victim that can be used for mobile phone payment.

Subsequently, the malicious user requests a purchase (④) of a specific product or service through the payment server 2000 using the victim's personal information leaked to his terminal 100a. At this time, the payment server 2000 transmits a message including the randomly generated authentication number to the victim's telephone number included in the corresponding personal information (step 5) for authentication.

If intact, the transmitted message should be displayed on the victim terminal 100b, but the malicious app installed in the victim terminal 100b intercepts the transmitted message and sends it to the malicious user's terminal 100a in a detour (⑥). Therefore, the malicious user can obtain the authentication number without the victim's knowledge and enter it into the payment server (⑦) to pass the authentication step safely and purchase the requested product or service. As such, an incident such as a small payment of a mobile phone may occur without the victim's knowledge by stealing various personal information of the victim by a malicious app installed in the victim terminal 100b, which is a typical example of smishing.

Hereinafter, a structure of a system and an apparatus according to an embodiment of the present invention will be described with reference to FIGS. 2 to 4, and the method according to an embodiment of the present invention will be described in detail with reference to FIG. 5.

Malicious Message Detection System

2 is a diagram illustrating a malicious message detection system according to the present invention. The malicious message detection system according to the present invention analyzes the characteristics of the link, the current operation of the link, and the malicious possibility of the app that can be downloaded through the link when the received message includes a specific link. It can detect whether it is a malicious message.

More specifically, referring to FIG. 2, a detection application 111 capable of detecting a malicious message is installed in the user terminal 100, and one or more messages 112 may be received and stored. Here, the message 112 may include a specific link 113 therein, and the specific link 113 may be in a short form or a full Uniform Resource Locator (URL) format. If the message 112 corresponds to a malicious message, the malicious app is downloaded and installed on the user terminal 100 by clicking on the user's link 113.

In FIG. 2, the detection application 111 is an application that detects whether the received message 112 is a malicious message. The detection by the detection application 111, if the link 113 is included in the message 112, whether the link is a link for downloading a specific app, whether the link is currently active (alive), and the link It can be performed by determining whether an app that can be downloaded through a conventional app is registered as a malicious app or by analyzing a decompiled source code to determine whether malicious actions performed by a malicious app are performed in a specific order. . Specific embodiments of performing the detection function by the detection application 111 will be described later. If newly detected as a malicious app, the message determined to be a malicious message and / or information about the newly detected malicious app, for example, a pattern or signature information of the malicious app to be used for pattern matching, is collected to the collection server 400. You can update it. Meanwhile, according to an embodiment of the present invention, the detection application 111 may be provided from the distribution server 300.

The communication network 200 may be configured without regard to its communication mode such as wired and wireless and may be a personal area network (PAN), a local area network (LAN), a metropolitan area network ), A wide area network (WAN), and the like. Also, the communication network 200 may be a known World Wide Web (WWW) and may use a wireless transmission technique used for short-distance communication such as Infrared Data Association (IrDA) or Bluetooth It is possible.

The distribution server 300 provides a detection application 110 that performs the above-described functions according to a request of the user terminal 100. As a specific example, the distribution server 300 may include a Google Play service, an Apple App Store service, And may be referred to as a distribution server 300.

The collection server 400 performs smishing by pattern information on a message that is already determined to be a malicious message, pattern information (signature, etc.) for an application already detected as a malicious app, and a malicious app by leaking user's personal information. In order to store the code combination data including the necessary code and the order combination, and the right authority request and the corresponding authorization, the database included in the user terminal 100 may be periodically updated. In addition, the data stored in the collection server 400 may perform the detection activity on its own and update as a result, instead of relying only on the user terminal 100.

Malicious Message Detection Device

3 is a block diagram illustrating a detailed structure of detecting whether a message received at a user terminal is a malicious message according to an embodiment of the present invention. Referring to FIG. 3, the user terminal 100 according to an exemplary embodiment of the present invention may include a message receiver 110, a pattern matcher 120, a link extractor 130, a determiner 140, and a malicious app detector 150. ) And a notification unit 160, and may further include a database 170.

The message receiving unit 110 determines whether a link is included in the message received by the user terminal 100, and when the link is included, the message receiver 110 patterns the message to determine whether it has been detected as a malicious message in the past. Transmit to the matching unit 120.

The pattern matching unit 120 determines whether the message transmitted to the user terminal 100 is a malicious message in comparison with the patterns of the messages previously determined to be malicious messages previously stored in the database 170. Here, the pattern can be used as long as it is a specific word that can be extracted from the message, such as a specific word included in the message, a phrase, or a value converted to a hash function, and is not limited to a specific format or value. If it is determined that the malicious message is a pattern matching unit 120 may warn the user through the notification unit 160.

If the pattern matching unit 120 does not match the malicious message that has been detected in the past, the link extracting unit 130 receives the link from the message receiving unit 110 and extracts the link corresponding to the final destination. To perform. Hereinafter, the link describes a Uniform Resource Locator (URL) of a HyperText Transfer Protocol (HTTP) method for the convenience of description, but is not necessarily limited thereto.

On the other hand, a link included in a malicious message may be shortened or hidden through at least one redirection to prevent the user from easily recognizing the malicious message. Is common. Therefore, it is necessary to extract the link corresponding to the final destination of the link because the link included in the message does not know whether the message is a malicious message.

The shortened form of the link is converted by the service company that provides the shortened URL service, such as goo.gl or twurl.nl, from the shortened URL to the full URL, or built by a person related to a malicious message. It is converted to a full link by providing a conversion to the full URL using a web server. Here, the full URL or full link means the original URL or link not shortened. In any case, the link extracting unit 130 repeats the above method more than once since a request for an HTTP REQUEST to a destination is returned to another shortened URL or an entire URL which is converted as an HTTP RESPONSE. To perform the first transform scheme that finally obtains the entire link.

In addition, even if the entire link obtained by converting the shortened link as described above is obtained, the obtained entire link is not a link to the final destination, and may be subjected to more than one redirection here. Therefore, the link extracting unit 130 may extract the link corresponding to the final destination by repeating a method of acquiring the link at least once when redirection occurs by analyzing the web page corresponding to the entire link. As an example of redirecting, a web page can add the 3xx code of the HTTP status code to the header and the browser can recognize it and redirect to another URL, or to the meta tag of HTML. If you enter a redirected URL, the browser can recognize it and redirect to another URL, or if you insert JavaScript code in your HTML to redirect to another URL, the browser can recognize it and redirect to another URL. Therefore, the link extracting unit 103 requests and receives the source code of the web page corresponding to the entire URL, and analyzes whether the redirect can be generated by any one of the above-described exemplary methods. If it is determined that a redirect occurs, a second transformation method of acquiring the redirected URL, requesting the source code of the webpage corresponding to the obtained URL, and receiving and analyzing the source code is repeated to extract the link corresponding to the final destination. Do this.

That is, the link extracting unit 130 may perform at least one or more of the above-described first conversion method and second conversion method to extract the link of the final destination according to the nature of the received link.

The determination unit 140 determines whether a danger to the user terminal may occur through the link of the final destination extracted by the link extracting unit 130. As a specific example, the determination unit 140 determines whether there is a risk that malicious apps may be installed on the user terminal based on the link, and if it is determined that the risk exists, the determination unit 140 may be malicious. You can warn the user about possible messages.

Whether or not there is a risk that malicious apps may be installed on the user terminal may be determined by, for example, whether the link corresponds to a link for downloading an application that may be installed on the user terminal 100, whether the link currently works or whether The determination may be made based on whether or not the corresponding IP address is assigned to a specific country where a lot of smishing occurs. More specifically, whether or not the link corresponds to a link for downloading an application can be determined based on whether or not the link points to a file (e.g., apk file, etc.) that can be installed in the user terminal, Can be determined based on whether or not an HTTP REQUEST is sent and an HTTP RESPONSE message is received indicating that the file does not exist, the page does not exist, or the Web server is not responding and TIME OUT is received. In addition, whether or not the IP address is allocated is based on whether or not the IP address corresponding to the link is included in the stored group by storing a group of IP addresses assigned to a specific country where a lot of smishing occurs in advance in the database 170. Can be judged.

If the user selects to install an application despite the above warning, the malicious app detection unit 150 detects whether the malicious app corresponds to a malicious app after downloading the application and before installing the application on the user terminal. Warn you further about whether to install or prevent the application from being installed. In addition, the malicious app detection unit 150 may update the data stored in the database inside each user terminal by transmitting the signature and message pattern to the collection server 400 in the case of a newly detected malicious app. Detection of whether the downloaded application is a malicious app, which may be performed by the malicious app detection unit 150, will be described in detail with reference to FIG. 4 below.

Figure 4 is a block diagram showing the detailed structure of a malicious app detection unit according to an embodiment of the present invention. Referring to FIG. 4, the malicious app detection unit 150 according to an embodiment of the present invention may include a download unit 151, a signature matching unit 152, a decompiler 153, and an order combination analyzer 154. Can be.

The download unit 151 downloads the corresponding application through a link and temporarily stores the application without installing it in the user terminal 100.

The signature matching unit 152 extracts a signature of a corresponding application downloaded and temporarily stored by the downloader 151, and checks a pattern for comparing the extracted signature with signatures of malicious apps previously stored in the database 170. Perform If it matches any one of them, the signature matching unit 152 may determine that the application corresponds to a malicious app and may additionally warn whether the application is installed through the notification unit 160.

If there is no pattern matched as a result of the pattern inspection performed by the signature matching unit 152, the decompiler 153 decompiles the corresponding application for analysis by the sequence combination analyzer 154 which will be described later.

Decompilation performed by the decompile unit 153 is a task of obtaining source code that is substantially similar to the original source code through reverse engineering. More specifically, an embodiment of decompiling an application of the Android operating system will be described in detail. Referring to FIG. 5A, the application file structure of the Android operating system is in the form of a compressed APK file format including two folders and three files. have. In FIG. 6A, the 'META-INF' folder represents a folder including APK signature information. The 'res' folder stores images, layouts, and strings used in the Android operating system. 'AndroidManifest' file shows the definition of activity / service used in the project and is composed in XML format. The 'classes.dex' file is a file in which the class file is converted back to the dex file format after compiling the source file. The 'resources.arsc' file represents resource table information of the project.

The decompile unit 153 first decompresses and converts the 'dex' file format to the 'jar' file format to check the contents of the source code from the 'classes.dex' file as shown in FIG. 6B. You can then decompile the 'jar' file format to see the source code. Exemplary source code decompiled by the decompile unit 153 is shown in FIG. 7, and it is possible to check not only the package name or the class name but also the actually used method name and property name through the decompile. You can also check through

 The sequence combination analysis unit 154 detects whether the application is a malicious app by determining whether the application performs malicious behavior based on whether the functions necessary for performing the smishing occur in a combination of a predetermined sequence. do. Malicious apps for performing smsing generally collects user's personal information without obtaining permission according to the user's permission and transmits the collected personal information to another device through the network, It is possible to judge whether or not the malicious app is based on whether or not an action occurs and the order of occurrence.

For example, in order to check whether there is an act of externally transmitting information related to a financial transaction and / or a received message, such as a user's social security number, a telephone number, and a carrier's information, the sequence combination analyzer 154 may execute the corresponding application. Whether there is a code (API) that analyzes and accesses the user's personal information or received messages, whether there is a code that accesses and reads the above-mentioned information in the personal information, and whether the read or received message is Check if there is a code to send outside, and also check the order combination of the codes. In addition, the sequence combination analysis unit 154 requests whether the application requests the right to access the user's personal information or message, whether the permission is actually granted, and whether the granted permission accesses the user's personal information or the message. Check it. If all of the above codes are not present or the order combinations do not match, even if they are present, or if the codes are all present and all the order combinations are matched, then the application will be allowed to smash. It can be determined that the malicious app is not executed, otherwise it can be determined to be a malicious app.

In this way, the malicious code leaks the user's personal information and the necessary code and order combinations, and the right permission request and the corresponding authorization can be determined by referring to the malicious apps that have been discovered so far. The code assembly data is downloaded from the distribution server 300 and stored in the database 170 in advance to be used by the sequence combination analysis unit 154.

That is, the application related information used in the sequence combination analysis unit 154 may include a code for accessing personal information or a message of a user included in the application, a code for accessing and reading information related to a financial transaction, and a network of the read information. The code transmitted to the outside through, the sequence combination of the corresponding code, the request for the right to access the user's personal information or message, the right actually granted.

If it is determined that the downloaded application is a malicious app, the sequence combination analysis unit 154 warns of whether or not the malicious app before installation through the notification unit 160 or deletes it without installing, and then determines that it is a malicious app. You can tell the user that it was deleted without installation.

3 again, the notification unit 160 is determined by the pattern matching unit 120, the determination unit 140 and the malicious app detection unit 150, whether or not a malicious message or the like, or determined to be a malicious app or deleted. If so, the user is alerted or notified by displaying the deleted content on the screen of the user terminal 100. In addition, the notification unit 160 may further include a function of deleting the transmitted message or stopping the download and installation through a link based on the user's selection.

Referring to FIG. 8, when it is determined that the message is malicious through the pattern matching unit 120, the notification unit 160 warns the user terminal through the screen of the user terminal, for example, as shown in (a). You can delete the message. Alternatively, when it is determined through the determination unit 140 that there is a risk that malicious apps may be installed on the user terminal, the notification unit 160 warns, for example, (b) through the screen of the user terminal, and the user. The download of the application via the link can be stopped by the selection of. Alternatively, when the app downloaded through the malicious app detection unit 150 is determined to be a malicious app, the notification unit 160 warns, for example, (c) through the screen of the user terminal and the application downloaded by the user's selection. You can stop the installation of or delete the downloaded app without installing it, and you can tell whether or not to remove it as shown in (d).

Finally, the database 170 stores data used for pattern matching in the pattern matching unit 120 and data used for analyzing signature matching and order combination in the malicious app detection unit 150, and the user terminal. In (100), it means a space capable of further storing temporarily or permanently various data generated during the performance of the present invention. More specifically, the database 170 may smear pattern information on a message that is already determined to be a malicious message, signature information on an application already detected as a malicious app, and a malicious app to leak user's personal information. For the purpose of storing codes and order combinations, and code combination data including legitimate permission requests and authorizations, the present invention is not limited thereto. In addition, the database 170 may be updated periodically or in real time while communicating with the collection server 400 via the communication network 200.

Although FIG. 3 illustrates an example in which each component for detecting whether a received message is a malicious message is implemented in a user terminal according to the present invention, the present invention is not limited thereto, for example, in a server other than the user terminal. Each of the components of FIG. 3 may be implemented, or some may be implemented on the server side and others may be implemented in the user terminal. If the components of FIG. 3 are implemented in the server, the user terminal transmits the received message to the server, and the server receives the message from the user terminal through the message receiving unit to perform the above-described pattern matching unit and link extracting unit. do. In addition, when a user requests installation of an application by clicking a link through the user terminal, the corresponding request is transmitted to the server, and the server performs the above function through the malicious app detection unit. Meanwhile, the warning through the notification unit of the server may be transmitted to the user terminal and displayed on the screen of the user terminal.

How to detect malicious messages

5 is a flowchart illustrating a malicious message detection method according to an embodiment of the present invention. Referring to FIG. 5, when a message is transmitted to a user terminal (S501), the message receiver 110 determines whether a link is included in the received message (S502). Whether or not a link is included in the message may be determined based on whether a string corresponding to the link is included by parsing the received message.

If a link is included in the received message in step S502, the pattern matching unit 120 extracts a pattern from the received message, compares the pattern with the pattern of messages already determined to be malicious stored in the database 170, (Step S503). If it is present, it is determined that the received message is a malicious message and the user is warned through the notification unit 160 (S504). On the other hand, step S503 can be omitted as an optional step.

If there is no matching result in step S503, the link extractor 130 extracts a link corresponding to the final destination from the link included in the message received from the message receiver 110 (S504). As a method of extracting a link corresponding to the final destination, as described above, a first conversion method of extracting an entire link from a shortened link and a second conversion method of extracting a link corresponding to the final destination through redirection from the entire link At least one of the above may be applied.

Next, the determination unit 140 determines whether there is a risk that malicious apps may be installed in the user terminal based on the link corresponding to the final destination extracted from the link extracting unit 130 (S505). As a specific example for determining whether there is a risk that a malicious app may be installed in step S505, whether the link corresponds to a link for downloading an application that may be installed on the user terminal 100, and the link currently operates. As described above, it may be determined based on whether the IP address corresponding to the link is assigned to a specific country where a lot of smishing occurs.

If there is a risk that the malicious app can be installed through a link in step S505, the determination unit 140 alerts the user through the notification unit 160 (S506). Then, when the user tries to download and install a specific application by clicking the link (S507), the malicious app detecting unit 150 downloads the application through the link and detects whether it is a malicious app (S508). Detection as to whether it is a malicious app can be detected by extracting the signature of the downloaded application as described above, and performing a pattern check comparing the signatures of malicious apps previously stored in the database 170, or the application performs smishing. It may be determined whether the application is a malicious app by determining whether to perform a malicious action in a combination of a predetermined order necessary to perform.

If it is determined that the malicious app is detected as a result of step S508, the malicious app detection unit 150 may display the result to the user through the notification unit 160 (S509).

Method according to an embodiment of the present invention is implemented in the form of program instructions that can be executed by various computer means may be recorded on a computer readable medium. The computer readable medium may include program instructions, data files, data structures, etc. alone or in combination. The program instructions recorded on the medium may be those specially designed and constructed for the present invention or may be available to those skilled in the art of computer software. Examples of computer-readable recording media include magnetic media such as hard disks, floppy disks, and magnetic tape, optical media such as CD-ROMs, DVDs, and magnetic disks, such as floppy disks. Magneto-optical media, and hardware devices specifically configured to store and execute program instructions, such as ROM, RAM, flash memory, and the like. Examples of program instructions include not only machine code generated by a compiler, but also high-level language code that can be executed by a computer using an interpreter or the like. The hardware device described above may be configured to operate as one or more software modules to perform the operations of the present invention, and vice versa.

The present invention has been described above with the aim of method steps indicative of the performance of certain functions and their relationships. The boundaries and order of these functional components and method steps have been arbitrarily defined herein for convenience of description. Alternative boundaries and sequences may be defined as long as the specific functions and relationships are properly performed. Any such alternative boundaries and sequences are therefore within the scope and spirit of the claimed invention. In addition, the boundaries of these functional components have been arbitrarily defined for ease of illustration. Alternative boundaries can be defined as long as certain important functions are properly performed. Likewise, the flow diagram blocks may also be arbitrarily defined herein to represent any significant functionality. For extended use, the flowchart block boundaries and order may have been defined and still perform some important function. Alternative definitions of both functional components and flowchart blocks and sequences are therefore within the scope and spirit of the claimed invention.

The invention may also be described, at least in part, in terms of one or more embodiments. Embodiments of the invention are used herein to describe the invention, aspects thereof, features thereof, concepts thereof, and / or examples thereof. The physical embodiment of an apparatus, article of manufacture, machine, and / or process for implementing the invention may include one or more aspects, features, concepts, examples, etc., described with reference to one or more embodiments described herein . Moreover, in the entire drawing, embodiments may incorporate the same or similarly named functions, steps, modules, etc. that may use the same or different reference numbers, and as such, the functions, The steps, modules, etc. may be the same or similar functions, steps, modules, etc. or others.

As described above, the present invention has been described by specific embodiments such as specific components and the like. For those skilled in the art, various modifications and variations are possible from these descriptions.

Accordingly, the spirit of the present invention should not be construed as being limited to the embodiments described, and all of the equivalents or equivalents of the claims, as well as the following claims, belong to the scope of the present invention .

100: user terminal 110: message receiving unit
111: Detection Application 112: Message
113: link 120: pattern matching unit
130: link extraction unit 140: determination unit
150: malicious app detection unit 151: download unit
152: signature matching unit 153: decompilation unit
154: sequence combination analysis unit 160: notification unit
170: database 200: communication network
300: distribution server 400: collection server

Claims (17)

A malicious message detection system comprising a distribution server for providing a detection application to a user terminal, the detection application comprising:
Installed and executed in the user terminal,
A message receiver to determine whether a link is included in a message transmitted to the user terminal;
A link extracting unit which extracts a link corresponding to a final destination from the link; And
And a determination unit that determines whether the received message is a malicious message based on a link corresponding to the final destination.
The method of claim 1, wherein the link extraction unit,
And at least one of a first transformation scheme for extracting an entire link from a shortened link and a second transformation scheme for extracting a link corresponding to a final destination through redirection from the entire link.
The method according to claim 2, wherein the first conversion method,
Requesting an HTTP REQUEST from the shortened first link as a destination and analyzing the reception of the second link included in the HTTP RESPONSE returned in response thereto until the second link is not the shortened link. And extracting the entire link by repeatedly performing the second link as the first link.
The method according to claim 2, wherein the second conversion method,
Extracting a fourth link redirected based on the source code of the web page corresponding to the third link, and repeatedly performing the fourth link as the third link until no redirect occurs, thereby corresponding to the final destination. Malicious message detection system that extracts links.
The method according to claim 1, wherein the determination unit,
A third condition in which a link corresponding to the final destination is a first condition corresponding to a link for downloading a predetermined application, a second condition currently operating, or a corresponding IP address is assigned to a specific country in which a lot of smishing occurs. And determine whether the received message is a malicious message based on one or more of the following.
The method according to claim 1, wherein the detection application,
The malicious message detection system further comprises a malicious app detecting unit for detecting whether the application downloaded through the link is a malicious app.
The method of claim 6, wherein the malicious app detection unit,
And a sequence combination analysis unit for detecting whether the downloaded application is a malicious app based on whether or not the downloaded application matches a specific function and sequence combination included in the code combination data of the malicious app.
The method according to any one of claims 1 to 7, wherein the detection application,
The malicious message detection system further comprises a notification unit for displaying to the user one or more of the determination result of the determination unit or the detection result of the malicious app detection unit.
As a malicious message detection method,
A link determination step of determining, by the message receiving unit, whether a link is included in the received message;
A link extracting step of extracting, by a link extracting unit, a link corresponding to a final destination from the link; And
And determining, by the determining unit, whether the received message is a malicious message based on a link corresponding to the final destination.
The method of claim 9, wherein the link extraction step,
A first transforming step of extracting the entire link from the shortened link; And
And performing at least one or more of the second transformation steps of extracting the link corresponding to the final destination via redirection from the entire link.
The method of claim 10, wherein the first conversion step,
Requesting an HTTP REQUEST from the shortened form of the first link to a destination; And
The second step of analyzing whether the reception of the second link included in the HTTP RESPONSE returned in response to the request is a shortened link until the second link is not a shortened link. And repeatedly performing the first and second steps using the link as the first link.
The method of claim 10, wherein the second conversion step,
Malicious message, repeatedly performing the fourth link as the third link until the redirection does not occur to extract the fourth link redirected based on the source code of the web page corresponding to the third link Detection method.
The method of claim 8, wherein the determining step,
A third condition in which a link corresponding to the final destination is a first condition corresponding to a link for downloading a predetermined application, a second condition currently operating, or a corresponding IP address is assigned to a specific country in which a lot of smishing occurs. And determining whether the received message is a malicious message based on whether or not it corresponds to one or more of the following.
The method of claim 8,
The malicious app detecting unit further includes a malicious app detecting step of detecting whether an application downloaded through the link is a malicious app.
The method according to claim 14, The malicious app detecting step,
And a sequence combination analysis step of detecting whether the downloaded application is a malicious app based on whether or not the downloaded application matches a specific function and sequence combination included in the code combination data of the malicious app.
17. The method of claim 16,
The notification unit further comprises a notification step of displaying to the user one or more of the determination result of the determination unit or the detection result of the malicious app detection unit, malicious message detection method.
A computer-readable recording medium in which a program for executing the method of any one of claims 9 to 16 is recorded.

Images