KR20160112744A - document security system and security method - Google Patents
- Publication number: KR20160112744A
- Authority: KR (South Korea)
- Prior art keywords
- vulnerability
- document
- file
- format
- document file
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- G06F21/577—Assessing vulnerabilities and evaluating computer system security
Description
The present invention relates to a document security system and a document security method, and more particularly, to a document security system and a document security method capable of detecting and analyzing an error vulnerability of a document file regardless of whether the document file is executed.
Data, including various document files, is exchanged between devices such as computers and mobile terminals (hereinafter referred to as "terminals") that manage it, not only over communication networks such as the Internet that mediate communication between them, but also through portable storage media such as USB memory and CD/DVD.
Meanwhile, malicious code such as viruses, spyware, adware, and hacking tools that harm computer systems may be included in these document files.
Document files carrying such malicious code are handled by conventional antivirus programs (referred to here as "vaccines").
On the other hand, an example of a security system is disclosed in Korean Patent Publication No. 10-2010-0067383 (registered on June 21, 2010, hereinafter referred to as "
However, because the vaccine is signature-based, it applies security processing to a document file based on the malicious code itself or on information about the document file that contains it (for example, hash information). As a result, security processing may not be performed on document files that have vulnerabilities.
For example, if a vulnerability in a document file is not exposed until the file is opened and executed directly, building a pattern for that vulnerability becomes more difficult. The system may therefore be contaminated or easily exposed to an attack from the outside.
An object of the present invention is to provide a document security system and a document security method capable of analyzing a target document file in real time and systematically organizing, by type, the error vulnerabilities of unknown document files such as zero-day files.
Another object is to provide a document security system and a document security method that can prevent risk to the system in advance by determining beforehand whether a document file that arrives from outside, or that already exists on a user PC, USB device, or file server, contains a vulnerability.
The present invention also provides a document security system and a document security method that can detect a document file having an error vulnerability that cannot be caught by a computer vaccine, without requiring a separate pattern DB for malicious code.
To achieve the above object, a document security method according to the present invention includes: a document vulnerability determination step of determining whether a document file is abnormal; a vulnerability knowledge base building step of separately classifying and storing the vulnerability analysis data generated in the document vulnerability determination step when the document file is determined to be abnormal in that step; and a vulnerability analysis and result derivation step of comparing the vulnerability analysis data obtained in the document vulnerability determination step with the vulnerability analysis data previously accumulated in the vulnerability knowledge base building step to generate result report data on the vulnerability of the document file.
Here, it is preferable that the document security method according to the present invention further includes a format validation step of verifying the format of the document file before the document vulnerability determination step.
The document security method according to the present invention may further include, between the format verification step and the document vulnerability determination step, a file conversion step of converting the file format of the document file into at least one other file format.
According to another aspect of the present invention, there is provided a document security system comprising: document vulnerability determination means for determining whether a document file is abnormal; a vulnerability knowledge base for separately classifying and storing the vulnerability analysis data obtained by the document vulnerability determination means when the document file is determined to be abnormal; and a vulnerability analysis module that compares the vulnerability analysis data obtained through the document vulnerability determination means with the vulnerability analysis data previously accumulated in the vulnerability knowledge base to generate result report data on the vulnerability of the document file.
It is preferable that the document security system according to the present invention further includes file analysis means provided in the terminal and including a format verification module for verifying the format of the document file.
The file analysis means may include at least one file conversion module that converts the file format of a document file whose format has been verified by the format verification module into a different file format.
According to the present invention, it is possible to provide a document security system and a document security method capable of analyzing a target document file in real time and organizing, by type, the error vulnerabilities of unknown document files such as zero-day files.
In addition, by constructing a knowledge base through file analysis based on known vulnerability files and constantly updating it, the range of protection, which conventional computer virus vaccines focus on known malicious code and document files, can be extended to document files having error vulnerabilities that such vaccines cannot catch, and documents with vulnerabilities can be predicted among document files that are newly arriving or unstable.
Moreover, because no separate pattern DB for malicious code is required, it is possible to find vulnerabilities in a document file having an error vulnerability that cannot be caught by a computer vaccine.
In addition, through vulnerability analysis and conversion, vulnerable files can be handled safely by security processing such as quarantine or deletion.
Furthermore, risk to the system can be prevented in advance by determining beforehand whether a vulnerability is included in a document file that arrives from the outside via USB, e-mail, or the Internet.
FIG. 1 is a block diagram of a document security system according to the present invention.
FIG. 2 is a block diagram illustrating another embodiment of FIG. 1.
FIG. 3 is a flowchart of a document security method according to the present invention.
FIG. 4 is a flowchart showing detailed steps of the format verification step of FIG. 3.
FIG. 5 is a flowchart showing still another embodiment of FIG. 3.
FIG. 6 is a diagram showing an example of the basic format structure of a general document file.
FIG. 7 is a diagram showing an example of the format structure of a document file having an extension of .hwp or .doc.
FIG. 8 is a diagram illustrating an example of comparing the original data size recorded in a data header with the decompressed size of the target data in the document body structure of FIG. 6 or FIG. 7.
FIG. 9 is a diagram showing an example of the format structure of an image document file having an extension of .JPEG.
Hereinafter, the present invention will be described in detail with reference to the accompanying drawings.
1, a document security system according to the present invention is provided in a
The
The
That is, the
Accordingly, because no separate pattern DB for malicious code is required, it is possible to determine whether a document file is vulnerable even when it has an error vulnerability, such as a zero-day, that cannot be caught by a computer vaccine.
As shown in FIG. 1, the
4, the
The reference format structure and the reference detailed data structure for the format of each extension, which are stored and updated in the reference format information DB 113 as file information on known vulnerabilities, are already publicly known, and the data can be obtained from the bulletin websites shown in Table 1.
<Source of format structure data by extension - example>
An example in which the
Not a positive number
As shown in Table 2, the
That is, the
For example, if the document file has a valid range for each field FIELD in the extension-specific format, and the
More specifically, when the document file has a file format such as HWP or MS-OFFICE, the
1 and 2, the
The
As shown in FIG. 2, a plurality of file conversion modules according to the present invention may be provided in the file analysis means 110, in parallel or in series.
For example, the
2, the file conversion module includes a file
When a conversion failure of the document file (1,5) occurs in the file conversion process performed by the file conversion module (115), the file conversion module (115) converts the error type into a code value and transmits it to the document
<Example of error result data in case of conversion failure>
On the other hand, the document vulnerability judging means 120 is provided with an
The
The security processing means 140 includes a storage path control module for setting a dedicated storage path according to the data inflow means 10 when the
Accordingly, as shown in FIGS. 3 and 5, the
1 and 2, if it is determined that there is an abnormality in the document file (1, 5) according to the determination result of the document
Meanwhile, the vulnerability analysis data stored and updated in the
For example, the
Accordingly, the file format verification and the file conversion result based on the known vulnerability file are converted into a database in the
In addition, by constructing the
If the document file is the
The document security method according to the present invention will now be described with reference to FIGS. 3 to 5.
First, when the document file is downloaded to the terminal 100, or when the document file (1,5) stored in advance in the terminal (100) is executed or a check is run by the user and the administrator, the format verification module (111) verifies the format of the document file (1,5) (S100).
As an embodiment of the present invention,
For reference, when the document file is in a file format such as HWP or MS-OFFICE, as shown in FIG. 6, almost all data, apart from special-purpose data files, is recorded in the file together with its data size; the application program reads the data into memory based on that size and uses it according to the purpose of the program. Such a data structure makes efficient use of the data, but if the file header is damaged, data loss or malfunction may result, so the integrity of the header and the size of the data need to be verified. When this verification is not performed properly, the result is a security vulnerability, which is also a target of malicious code attacks. The format verification step S100 according to the present invention therefore verifies the integrity of the header and the data size of the document file.
FIG. 7 is a diagram showing an example of the format structure of a document file having an extension of .hwp or .doc. FIG. 8 shows, for the document body structure of FIG. 6 or FIG. 7, an example of the original data size recorded in the data header alongside the compressed data (see FIG. 8 (a)) and an example of comparing the decompressed data size with the target data (see FIG. 8 (b)).
Referring to FIG. 8, to increase the capacity available for document data, most document files store compressed data internally (right part of FIG. 8A), and the size of the original data is recorded in the data header (left part of FIG. 8A). When the document is executed, the compressed data is decompressed and edited in memory.
Generally, when meaningful data is compressed, the maximum compression ratio of a lossless compression algorithm cannot exceed 512 times. Therefore, if the data compression ratio of the document file exceeds 512, the
The maximum compression ratio of 512 is only an example; the maximum compression ratio can of course be changed and adjusted according to the basic data structure of each extension's format.
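The header-size and compression-ratio checks described above can be sketched as follows. This is an added example, not code from the patent; the record layout (a 4-byte little-endian original size followed by a zlib stream) and the names `check_compressed_record` and `make_record` are assumptions chosen for illustration, and the sample records are constructed.

```python
import struct
import zlib

MAX_RATIO = 512  # example ceiling from the description; adjustable per format


def check_compressed_record(record: bytes, max_ratio: int = MAX_RATIO) -> list:
    """Validate one record in a hypothetical layout (an assumption, not the
    real HWP/DOC layout): 4-byte little-endian original size + zlib stream."""
    if len(record) < 5:
        return ["truncated record: size field or compressed data missing"]
    (declared,) = struct.unpack_from("<I", record, 0)
    compressed = record[4:]
    cap = max_ratio * len(compressed)  # largest output the ratio rule allows
    findings = []

    # Check 1: ratio implied by the header alone, before decompressing.
    if declared > cap:
        findings.append(f"declared size {declared} implies a ratio above "
                        f"{max_ratio}:1 for {len(compressed)} compressed bytes")

    # Check 2: decompress with a hard output cap so a crafted stream cannot
    # make the validator itself allocate unbounded memory.
    inflater = zlib.decompressobj()
    try:
        out = inflater.decompress(compressed, cap + 1)
    except zlib.error as exc:
        findings.append(f"compressed data is not a valid zlib stream: {exc}")
        return findings
    if len(out) > cap:
        findings.append(f"output exceeds the {max_ratio}:1 cap of {cap} bytes")
        return findings
    if not inflater.eof:
        findings.append("compressed stream is cut off before its end marker")

    # Check 3: the size recorded in the header must match the real data.
    if len(out) != declared:
        findings.append(f"header declares {declared} bytes, "
                        f"data decompresses to {len(out)}")
    return findings


def make_record(declared: int, payload: bytes) -> bytes:
    """Build a constructed sample record (test data, not a real document)."""
    return struct.pack("<I", declared) + zlib.compress(payload, 9)


BODY = b"document body text " * 20  # 380 bytes, constructed
SAMPLES = {
    "consistent": make_record(len(BODY), BODY),
    "understated size": make_record(100, BODY),
    "over-ratio data": make_record(1_000_000, bytes(1_000_000)),
}

if __name__ == "__main__":
    for name, record in SAMPLES.items():
        print(name, "->", check_compressed_record(record) or "ok")
```

The ratio is tested twice on purpose: once against the size the header claims and once against what the stream actually produces, since either one can be forged independently of the other.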
FIG. 9 is a diagram showing an example of the format structure of an image document file having an extension of .JPEG.
Referring to FIG. 9, in the case of a normal image document file (1), the data length of the DHT should be 256 or less. If a value exceeding 256 is entered, a buffer overflow occurs. However, the data length field is 2 bytes wide, so data lengths of up to 2^16-1 can be recorded. The
In the case of the normal image document file (1) in FIG. 9, COM should always be a positive number. However, if the image file has a size of 0 or minus other values, . Accordingly, the
Example of vulnerability link: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0200
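The DHT and COM length rules described for FIG. 9 can be checked by walking the JPEG marker segments, as in the following added example (not code from the patent). The function names and the sample byte strings are constructed for illustration; the DHT limit of 256 is the value given in the description and is kept as a parameter.

```python
import struct

# Markers with no length field: TEM, RST0-RST7, SOI, EOI.
STANDALONE = {0x01, 0xD8, 0xD9} | set(range(0xD0, 0xD8))
DHT, COM, SOS, EOI = 0xC4, 0xFE, 0xDA, 0xD9


def check_jpeg_segments(data: bytes, dht_max: int = 256) -> list:
    """Walk JPEG marker segments up to SOS/EOI and report length anomalies.
    dht_max is the DHT limit given in the description, kept as a parameter."""
    if data[:2] != b"\xff\xd8":
        return ["missing SOI marker: not a JPEG stream"]
    findings, pos = [], 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            findings.append(f"offset {pos}: expected 0xFF marker prefix")
            break
        marker = data[pos + 1]
        if marker == 0xFF:            # fill byte in front of a marker
            pos += 1
            continue
        start, pos = pos, pos + 2
        if marker in STANDALONE:
            if marker == EOI:
                break
            continue
        if pos + 2 > len(data):
            findings.append(f"offset {start}: length field is truncated")
            break
        (length,) = struct.unpack_from(">H", data, pos)
        # The length field counts its own two bytes, so payload = length - 2.
        # A parser that subtracts without checking gets a negative size.
        payload = length - 2
        if payload < 0 or (marker == COM and payload == 0):
            findings.append(f"offset {start}: marker 0x{marker:02X} length "
                            f"{length} leaves no positive payload")
        elif marker == DHT and length > dht_max:
            findings.append(f"offset {start}: DHT length {length} exceeds "
                            f"{dht_max}")
        if payload < 0:
            break                     # next segment cannot be located
        if pos + length > len(data):
            findings.append(f"offset {start}: segment runs past end of file")
            break
        if marker == SOS:
            break                     # entropy-coded data follows
        pos += length
    return findings


def seg(marker: int, payload: bytes, length: int = None) -> bytes:
    """Constructed segment; `length` overrides the honest length field."""
    n = len(payload) + 2 if length is None else length
    return bytes([0xFF, marker]) + struct.pack(">H", n) + payload


# Constructed byte strings for the demonstration, not real image files.
SOI_BYTES, EOI_BYTES = b"\xff\xd8", b"\xff\xd9"
HUFF = bytes([0x00]) + bytes([0, 1, 5, 1, 1, 1, 1, 1, 1] + [0] * 7) + bytes(12)
GOOD = (SOI_BYTES + seg(0xE0, b"JFIF\x00" + bytes(9)) + seg(COM, b"note")
        + seg(DHT, HUFF) + EOI_BYTES)
BAD_COM = SOI_BYTES + seg(COM, b"", length=0) + EOI_BYTES
BAD_DHT = SOI_BYTES + seg(DHT, bytes(300)) + EOI_BYTES

if __name__ == "__main__":
    for name, blob in (("good", GOOD), ("bad COM", BAD_COM), ("bad DHT", BAD_DHT)):
        print(name, "->", check_jpeg_segments(blob) or "ok")
```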
Next, after
5, between
If it is determined in step 300 that there is no abnormality in the document file, the document
Between steps 300 and 600, the
In the meantime, the document security method according to the present invention compares the vulnerability analysis data passed through the document
Accordingly, the
Thus, according to the present invention, because no separate pattern DB for malicious code is required, it is possible to determine whether a document file is vulnerable even when it has an error vulnerability that cannot be caught by a computer virus vaccine.
While the invention has been described in connection with what are presently considered to be practical exemplary embodiments, it is to be understood that the invention is not limited to the disclosed embodiments. Those skilled in the art will understand that various changes in form and detail may be made without departing from the spirit and scope of the invention as defined in the appended claims.
100: terminal 110: file analysis means
111: format validation module 115: file conversion module
120: document vulnerability determination means 150: vulnerability knowledge base
160: Vulnerability Analysis Module
Claims (6)
Constructing a vulnerability knowledge base for separately classifying and storing the vulnerability analysis data generated through the document vulnerability determination step when it is determined that the document file is abnormal in the document vulnerability determination step; And
A vulnerability analysis and result derivation step of generating result report data on the vulnerability of the document file by comparing the vulnerability analysis data that has undergone the document vulnerability determination step with the vulnerability analysis data accumulated in advance through the vulnerability knowledge base establishing step;
The method comprising the steps of:
Further comprising a format validation step of validating a format of the document file before the document vulnerability determination step.
Further comprising a file conversion step of converting a file format of the document file into at least one other file format between the format verification step and the document vulnerability determination step.
A vulnerability knowledge base for separately classifying and storing the vulnerability analysis data obtained by the document vulnerability determination means if it is determined that there is an abnormality in the document file according to the determination result of the document vulnerability determination means; And
A vulnerability analysis module that compares vulnerability analysis data that has been subjected to the document vulnerability determination means with vulnerability analysis data accumulated in the vulnerability knowledge base to generate result report data on the vulnerability of the document file;
The document security system.
Further comprising file analysis means, provided in the terminal, for analyzing the format of the document file and including a format verification module.
Wherein the file analysis unit includes at least one file conversion module for converting the file format of the document file that has undergone the format verification in the format verification module to a different file format.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR1020150038994A KR101670456B1 (en) | 2015-03-20 | 2015-03-20 | document security system and security method |
Publications (2)
Publication Number | Publication Date |
---|---|
KR20160112744A true KR20160112744A (en) | 2016-09-28 |
KR101670456B1 KR101670456B1 (en) | 2016-10-28 |
Family
ID=57101728
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
KR1020150038994A KR101670456B1 (en) | 2015-03-20 | 2015-03-20 | document security system and security method |
Country Status (1)
Country | Link |
---|---|
KR (1) | KR101670456B1 (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR20190042154A (en) * | 2017-10-16 | 2019-04-24 | 주식회사 센티언스 | Data security maintenance method for data analysis application |
Families Citing this family (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR101850098B1 (en) * | 2017-11-21 | 2018-04-19 | 한국인터넷진흥원 | Method for generating document to share vulnerability information, system and apparatus thereof |
KR102188396B1 (en) * | 2019-03-08 | 2020-12-08 | 신한금융투자 주식회사 | Apparatus for neutralizing malicious code and hidden information included in image file and driving method thereof |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR100653122B1 (en) * | 2005-08-31 | 2006-12-01 | 학교법인 대전기독학원 한남대학교 | Real-time detection system and method based rule for safety software development |
KR20100067383A (en) | 2008-12-11 | 2010-06-21 | 주식회사 티맥스 소프트 | Server security system and server security method |
KR101212553B1 (en) * | 2012-05-11 | 2012-12-14 | 주식회사 안랩 | Apparatus and method for detecting malicious files |
KR101265173B1 (en) * | 2012-05-11 | 2013-05-15 | 주식회사 안랩 | Apparatus and method for inspecting non-portable executable files |
-
2015
- 2015-03-20 KR KR1020150038994A patent/KR101670456B1/en active IP Right Grant
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR20190042154A (en) * | 2017-10-16 | 2019-04-24 | 주식회사 센티언스 | Data security maintenance method for data analysis application |
WO2019078374A1 (en) * | 2017-10-16 | 2019-04-25 | 주식회사 센티언스 | Data security maintenance method for data analysis use |
US11263338B2 (en) | 2017-10-16 | 2022-03-01 | Sentience Inc. | Data security maintenance method for data analysis application |
Also Published As
Publication number | Publication date |
---|---|
KR101670456B1 (en) | 2016-10-28 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11609994B2 (en) | File sanitization technologies | |
RU2638710C1 (en) | Methods of detecting malicious elements of web pages | |
CA2491114C (en) | Detection of code-free files | |
US8819835B2 (en) | Silent-mode signature testing in anti-malware processing | |
US8732825B2 (en) | Intelligent hashes for centralized malware detection | |
RU2680736C1 (en) | Malware files in network traffic detection server and method | |
CN106557697B (en) | System and method for generating a set of disinfection records | |
CN104680064A (en) | Method and system for optimizing virus scanning of files using file fingerprints | |
RU2726878C1 (en) | Method for faster full antivirus scanning of files on mobile device | |
US11520889B2 (en) | Method and system for granting access to a file | |
KR101670456B1 (en) | document security system and security method | |
WO2018143097A1 (en) | Determination device, determination method, and determination program | |
KR101865785B1 (en) | document security system and security method through verifying and converting document file | |
CN114003907A (en) | Malicious file detection method and device, computing equipment and storage medium | |
RU2726877C1 (en) | Method for selective repeated antivirus scanning of files on mobile device | |
CN115186255B (en) | Industrial host white list extraction method and device, terminal device and storage medium | |
US11574049B2 (en) | Security system and method for software to be input to a closed internal network | |
US20230244786A1 (en) | File integrity monitoring | |
CN115495758A (en) | Application program certificate storage vulnerability detection method and device | |
KR20190118950A (en) | System and method for detecting error of electronic document | |
KR20240039505A (en) | Security analysis method for detecting abnormal behavior in financial environment and apparatus | |
KR20150042024A (en) | Method for distribution preventing malicious code using memory file system and file eigen value |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
A201 | Request for examination | ||
E902 | Notification of reason for refusal | ||
E701 | Decision to grant or registration of patent right | ||
GRNT | Written decision to grant | ||
FPAY | Annual fee payment |
Payment date: 20191008 Year of fee payment: 4 |