KR20200073822A - Method for classifying malware and apparatus thereof - Google Patents

Abstract

Provided are a method for classifying a malicious code and an apparatus thereof. According to some embodiments of the present disclosure, the method for classifying a malicious code comprises the steps of: obtaining API call sequence information for a plurality of malicious codes; extracting call sequence information for a main API from the API call sequence information using a term frequency-inverse document frequency (TF-IDF) technique; generating an action vector for each of the plurality of malicious codes based on the extracted call sequence information; and building a malicious code cluster by clustering the generated action vector.

Description

METHOD FOR CLASSIFYING MALWARE AND APPARATUS THEREOF}

The present disclosure relates to a method and apparatus for classifying a malicious code. More specifically, a method of constructing a classification model for classifying malicious codes according to behavior types by analyzing behavior information of malicious codes, a method of classifying new malicious codes using a classification model, and a computing device supporting the methods will be.

Malware (malware) is a set of malicious or exploitable software, and is a general term for all software potentially dangerous to users and computers, such as viruses, worms, spyware, and malicious adware. Currently, more than 200,000 new variants of malicious code are discovered every day worldwide, and the number of malicious codes is increasing every year.

In order to bypass the detection of malicious code in security equipment, attackers mainly conduct cyber attacks using variant malicious codes that modify existing malicious codes. This is because it is relatively easy to modify the existing malicious code and less expensive to develop than developing new malicious code. In recent years, with the advent of tools that automatically create malicious codes, an environment in which a malicious code with various functions can be generated and distributed in large quantities even without being a professional attacker has been formed.

In order to effectively respond to cyber attacks caused by various malicious codes, it is important to classify malicious codes by type. This is because, if various malicious codes can be classified by type, it is possible to respond appropriately and quickly according to the types of malicious codes used in cyber attacks. Therefore, in the field related to cyber security, the classification of malicious codes is one of the most important research topics, and various studies are under way.

Korean Patent Publication No. 10-2015-0124020 (published on Nov. 2015)

The technical problem to be solved through some embodiments of the present disclosure is to provide a method for classifying by mass type of malicious codes and an apparatus supporting the method.

Another technical problem to be solved through some embodiments of the present disclosure is to provide a method for constructing a classification model capable of accurately classifying a large amount of malicious codes and an apparatus for performing the method.

Another technical problem to be solved through some embodiments of the present disclosure is to provide a method for automatically assigning a class label to a large amount of malicious code and an apparatus to perform the method.

The technical problems of the present disclosure are not limited to the technical problems mentioned above, and other technical problems not mentioned will be clearly understood by those skilled in the art from the description below.

In order to solve the above technical problem, a malicious code classification method according to some embodiments of the present disclosure includes API call sequence information for a plurality of malicious codes in a malicious code classification method performed by a computing device. Acquiring, extracting call sequence information for the main API from the API call sequence information using a TF-IDF (Term Frequency-Inverse Document Frequency) technique, and based on the extracted call sequence information It may include generating an action vector for each malicious code, and clustering the generated action vector to construct a malicious code cluster.

In some embodiments, extracting call sequence information for the main API includes selecting an API whose TF-IDF value is less than a reference value among APIs called by the first malware, and calling the API of the first malware And removing the selected API from the sequence to construct a main API call sequence for the first malicious code.

In some embodiments, generating the action vector includes extracting an n-gram unit action feature from the extracted call sequence information and generating the action vector based on the extracted action feature. can do.

In some embodiments, the step of constructing the malicious code cluster includes: identifying a file type of each malicious code, grouping the plurality of malicious codes based on the identified file type, and malicious formed through the grouping It may include performing clustering for each code group.

In some embodiments, the step of constructing the cluster of malicious codes includes generating a classification code indicating an action type for each malicious code using a predefined API function code, and based on the generated classification code The method may include grouping codes and clustering each malicious code group formed through the grouping.

In some embodiments, the step of assigning the same class label for each of the constructed malware clusters and constructing a classification model for classifying the malicious codes by learning the assigned class label and an action vector belonging to the malware clusters It may further include.

In some embodiments, the clustering may be performed by a k-medoids clustering algorithm.

A malware classification apparatus according to some embodiments of the present disclosure for solving the above-described technical problem includes a processor and a memory including one or more instructions executed by the processor, wherein the processor comprises: By executing the one or more instructions, acquiring API call sequence information for a plurality of malicious codes, and using the TF-IDF (Term Frequency-Inverse Document Frequency) technique from the API call sequence information to the main API It extracts call sequence information, generates an action vector for each of the plurality of malicious codes based on the extracted call sequence information, and clusters the generated action vector to construct a malware cluster.

A computer program according to some embodiments of the present disclosure for solving the above technical problem is coupled to a computing device to obtain API call sequence information for a plurality of malicious codes, TF-IDF ( Extracting call sequence information for the main API from the API call sequence information using a Term Frequency-Inverse Document Frequency) technique, and generating an action vector for each of the plurality of malicious codes based on the extracted call sequence information In order to execute the step of constructing the malicious code cluster by clustering the generated action vector and the generated action vector, it may be stored in a computer-readable recording medium.

In order to solve the above technical problem, a malicious code classification method according to some other embodiments of the present disclosure includes a plurality of malicious codes using a predefined API function code in a malicious code classification method performed by a computing device. Generating a classification code indicating each type of action, grouping the plurality of malicious codes based on the generated classification code, and clustering for each malicious code group formed through the grouping, for each malicious code group And building a malware cluster.

1 is an exemplary configuration diagram illustrating a malicious code classification system according to some embodiments of the present disclosure.
2 is a diagram for describing a behavior analysis system according to some embodiments of the present disclosure.
FIG. 3 is a view for explaining an example of using the malicious code classification system illustrated in FIG. 1.
4 to 6 are exemplary block diagrams illustrating a malicious code classification device according to some embodiments of the present disclosure.
7 is an exemplary flowchart illustrating a method for constructing a malicious code classification model according to some embodiments of the present disclosure.
8 is an exemplary flow diagram illustrating a pre-processing method in accordance with some embodiments of the present disclosure.
9 and 10 are exemplary diagrams for describing a method for generating a classification code according to some embodiments of the present disclosure.
11 and 12 are diagrams for explaining a method of determining a major API according to some embodiments of the present disclosure.
13 and 14 are exemplary views for explaining a call sequence extraction method of a main API according to some embodiments of the present disclosure.
15 is an exemplary flowchart illustrating a method of generating a behavior vector according to some embodiments of the present disclosure.
16 to 18 are exemplary views for explaining a method of generating a motion vector according to some embodiments of the present disclosure.
19 to 21 are diagrams for describing a classification code based clustering method according to some embodiments of the present disclosure.
22 schematically illustrates a learning process of a classification model according to some embodiments of the present disclosure.
23 is an exemplary view for explaining a method for selecting learning data according to some embodiments of the present disclosure.
24 is an exemplary diagram for describing a weight-based learning method according to some embodiments of the present disclosure.
25 is an exemplary flowchart illustrating a method for classifying a new malicious code according to some embodiments of the present disclosure.
26 is an example hardware configuration diagram illustrating an example computing device capable of implementing a device/system in accordance with various embodiments of the present disclosure.

Hereinafter, preferred embodiments of the present disclosure will be described in detail with reference to the accompanying drawings. Advantages and features of the present disclosure, and a method of achieving them will be apparent by referring to embodiments described below in detail together with the accompanying drawings. However, the technical spirit of the present disclosure is not limited to the following embodiments, but may be implemented in various different forms, and only the present embodiments allow the present disclosure to be complete, and common knowledge in the technical field to which the present disclosure pertains. It is provided to fully inform the holder of the scope of the present disclosure, and the technical spirit of the present disclosure is only defined by the scope of the claims.

It should be noted that in adding reference numerals to the components of each drawing, the same components have the same reference numerals as possible even though they are displayed on different drawings. In addition, in describing the present disclosure, when it is determined that detailed descriptions of related known configurations or functions may obscure the subject matter of the present disclosure, detailed descriptions thereof will be omitted.

Unless otherwise defined, all terms (including technical and scientific terms) used in this specification may be used as meanings commonly understood by those skilled in the art to which the present disclosure pertains. In addition, terms defined in the commonly used dictionary are not ideally or excessively interpreted unless specifically defined. The terminology used herein is for describing the embodiments and is not intended to limit the present disclosure. In the present specification, the singular form also includes the plural form unless otherwise specified in the phrase.

In addition, in describing components of the present disclosure, terms such as first, second, A, B, (a), and (b) may be used. These terms are only for distinguishing the component from other components, and the nature, order, or order of the component is not limited by the term. When a component is described as being "connected", "coupled" or "connected" to another component, the component may be directly connected to or connected to the other component, but another component between each component It will be understood that elements may be "connected", "coupled" or "connected".

As used herein, "comprises" and/or "comprising" refers to the components, steps, operations and/or elements mentioned above, the presence of one or more other components, steps, operations and/or elements. Or do not exclude additions.

Prior to the description of the present specification, some terms used in the specification will be clarified.

In this specification, the API function code is code defined to indicate a functional classification of an API (Application Programming Interface). The API function code can be used to generate a classification code indicating the behavior type of the malicious code. For an example of the API function code, refer to FIG. 9.

In this specification, an instruction is a series of computer-readable instructions grouped by function and refers to a component of a computer program and executed by a processor.

Hereinafter, some embodiments of the present disclosure will be described in detail according to the accompanying drawings.

1 is an exemplary configuration diagram illustrating a malicious code classification system according to some embodiments of the present disclosure.

As illustrated in FIG. 1, the malicious code classification system may include a behavior analysis system 10 and a malicious code classification device 20. However, this is only a preferred embodiment for achieving the object of the present disclosure, and of course, some components may be added or deleted as necessary. In addition, it is noted that each component of the malicious code classification system illustrated in FIG. 1 is functionally divided functional elements, and a plurality of components may be implemented in an integrated form in an actual physical environment.

Further, in the actual physical environment, each of the components may be implemented in a form of being divided into a plurality of detailed functional elements. For example, the first function of the malicious code classification device 20 may be implemented in the first computing device, and the second function may be implemented in the second computing device. Hereinafter, each of the components will be described.

In the malicious code classification system, the behavior analysis system 10 is a system that performs behavior analysis on the malicious code. The behavior analysis system 10 may be implemented with one or more computing devices. An example of the computing device will be described with reference to FIG. 26.

For reference, the term "behavior analysis" may be used interchangeably with the term "dynamic analysis" in the art, but for the sake of clarity, in this specification, the term behaviour analysis is used uniformly.

The behavior analysis system 10 may perform behavior analysis on malicious code in an isolated environment such as a sandbox, and provide behavior analysis results. At this time, the behavior analysis result may include application program interface (API) call sequence information of the malicious code.

In some embodiments, the behavioral analysis system 10 may include an analysis manager 30 and one or more workers 40-1 to 40-n, as shown in FIG. 2. In this case, the analysis manager 30 and each worker 40-1 or 40-2 or? Or 40-n may be implemented as an independent computing device or a computing module in the device. In order to provide convenience of understanding, an operation of the behavior analysis system 10 according to the present embodiment will be described in detail with reference to FIG. 2. Hereinafter, when one or more workers 40-1 to 40-n are generically referred to or arbitrary workers 40-1 or 40-2 or? Or 40-n, reference numeral "40" is used. .

The analysis manager 30 is a module that performs overall control and management for the worker 40 and behavior analysis tasks. The analysis manager 30 may include a task manager 31, a collection unit 33, and behavior information DB 35.

The task manager 31 performs task management, such as assigning a behavior analysis task to the worker 40. For example, the task manager 31 may assign a behavior analysis task to the workers 40 in which the number of idle workers 40 or the activated virtual machines is less than the reference value.

The collection unit 33 collects the behavior analysis results from the worker 40 and stores them in the behavior information DB 35.

Next, the worker 40 is a module that performs a task analysis task assigned in a sandbox environment. The worker 40 may include one or more virtual machines 41 to 43 and a local DB 45 in which behavior analysis results are stored. In FIG. 2, the virtual machines 41 to 43 are used as examples of the sandbox environment, but the technical scope of the present disclosure is not limited thereto.

The worker 40 performs behavior analysis on the malicious code in each virtual machine 41 or 42 or 43, and reports the analysis result to the analysis manager 30. More specifically, the worker 40 creates a virtual machine to configure a virtual environment in which the malicious code is to be executed, directly executes the malicious code in the generated virtual machine, and monitors the behavior of the executed malicious code to perform behavior analysis. It can be done.

In some embodiments, in order to detect malicious behavior of the analysis-avoidance malicious code, the worker 40 may utilize fake information. Here, the analysis-avoidance malicious code is intelligent codes equipped with a detection function for an execution environment, and means a code implemented to not perform a malicious action when detected as a virtual environment. For example, the analysis evasion-type malicious code calls an API (hereinafter referred to as "virtual environment detection API") that reads a feature value (eg, a virtual machine-specific setting value) indicating that it is a virtual environment, and checks the return value to determine the current execution environment It is possible to determine whether it is a virtual environment. In the fake information, a value similar to the real environment is set in advance, and the worker 40 hooks the call of the virtual environment detection API and provides the prepared fake information as the return value of the hooked API, thereby avoiding analysis malicious The code evasion feature can be disabled. According to the present embodiment, the detection accuracy of the analysis-avoidance malicious code is improved, and a highly reliable behavior analysis result can also be provided for the analysis-avoidance malware.

Again, the description will be continued with reference to FIG. 1.

In the malicious code classification system, the malicious code classification device 20 is a computing device equipped with a classification function for malicious codes. Here, the computing device may be a laptop, a desktop, a laptop, or the like, but is not limited thereto, and may include all types of devices equipped with computing functions. An example of the computing device is referred to FIG. 26. In the following description, for convenience of description, the malicious code classification device 20 will be abbreviated as the classification device 20.

The classification device 20 may receive a behavior analysis result for a large amount of malicious code from the behavior analysis system 10 and build a classification model for classifying the malicious code based on the behavior analysis result. In addition, the classification device 20 may classify new malicious codes using a classification model. In order to exclude duplicate description, a detailed description of the operation of the classification device 20 will be described later with reference to the drawings of FIG. 4 and below.

In some embodiments, behavior analysis system 10 and classification device 20 may communicate over a network. Here, the network is a wired/wireless network of any kind, such as a local area network (LAN), a wide area network (WAN), a mobile radio communication network, a Wibro (Wireless Broadband Internet), and the like. Can be implemented.

The above-described malicious code classification system may be constructed and utilized in various environments where cyber security is required, and an example of this is illustrated in FIG. 3. As illustrated in FIG. 3, the above-described malicious code classification system may be utilized in the security system 51 in charge of cyber security of the intranet 50 in the enterprise. For example, the malicious code classification system may classify new malicious codes introduced into the intranet 50 as components of the security system 51 and provide a classification result to the security manager.

When a classification result is provided, the security manager can identify similar malicious codes (e.g. variant malicious codes) performing similar malicious actions based on the classification result. In addition, the security manager can quickly grasp the risk of new malware based on the scale and risk of cyber infringement incidents performed by the similar malware. For this reason, the security manager can prevent the spread of cyber infringement incidents by establishing prompt response measures, and can more systematically respond to cyber infringement incidents by assigning an appropriate response priority according to the risk level.

So far, referring to FIGS. 1 to 3, a malicious code classification system according to some embodiments of the present disclosure and an application example thereof have been described. Hereinafter, the configuration and operation of the classification device 20 will be described with reference to FIGS. 4 to 6.

4 is an exemplary block diagram illustrating a classification device 20 in accordance with some embodiments of the present disclosure. In particular, FIG. 4 also shows a functional flow for constructing a classification model.

4, the classification device 20 may include a collection unit 61, a pre-processing unit 63, a clustering unit 65, a classification model building unit 67, and a classification unit 69. . However, only components related to the exemplary embodiment of the present disclosure are illustrated in FIG. 4. Accordingly, a person skilled in the art to which the present disclosure belongs may recognize that other general-purpose components may be further included in addition to the components illustrated in FIG. 4. In addition, it is noted that each component of the classification device 20 shown in FIG. 4 is functionally divided functional elements, and a plurality of components may be implemented in an integrated form in an actual physical environment. Hereinafter, the operation of each component for constructing the classification model will be described.

The collection unit 61 collects malicious code behavior information (ie, behavior analysis results). At this time, the behavior information of the malicious code includes API call sequence information of the malicious code.

The collection unit 61 may collect the behavior information of the malicious code from the behavior analysis system 10 or a separate malicious code DB, but the technical scope of the present disclosure is not limited thereto.

Next, the pre-processing unit 63 pre-processes the collected action information to generate an action vector. In addition, the pre-processing unit 63 may further perform operations such as identifying the file type of the malicious code or generating a classification code for each malicious code using the API function code.

As shown in FIG. 5, the pre-processing unit 63 according to some embodiments includes a file type identification unit 63-1, a classification code generation unit 63-2, a main API extraction unit 63-3, and actions A vector generator 63-4 may be included.

The file type identification unit 63-1 identifies the file type of the malicious code. For example, in the case of document-type malicious code, it may have a file type of pdf, hwp, doc, and the like, and the file type of the malicious code may be identified based on the file extension.

Next, the classification code generation unit 63-2 generates classification codes for each malicious code. Specifically, the classification code generation unit 63-2 generates classification codes of malicious codes using predefined API function codes. For example, when the first malicious code calls the first API and the second API, the function code of the first API and the function code of the second API are combined (eg or calculated) to classify the first malicious code. Can be generated. A more detailed description of the operation of the classification code generation unit 63-2 will be described later with reference to FIGS. 8 to 10.

In some embodiments, the classification code generation unit 63-2 may generate a classification code by synthesizing function codes of major APIs among all APIs called by the malicious code. The method for determining the main API will be described later.

Next, the main API extracting unit 63-3 determines the main API among all APIs called by the malicious code and extracts the call sequence of the main API from among all the API call sequences. The main API means a representative API that well represents the behavior characteristics of the malicious code. The reason for extracting the main API is that if the non-critical APIs (e.g. APIs commonly called by many normal codes or malicious codes) are included in the action vector, the accuracy of the classification of the malicious code is deteriorated.

In some embodiments, the main API extraction unit 63-3 may determine a main API by applying a Term Frequency-Inverse Document Frequency (TF-IDF) technique, for details of which is described with reference to FIGS. 11 to 14 It will be described later.

In some embodiments, the main API extraction unit 63-3 may perform a main API extraction process based on TF-IDF only when the file type of the malicious code is a document type. This is because, in the case of document-type malicious code, malicious behavior is mainly performed by a built-in script, and most of the APIs actually called are APIs that commonly call normal codes. Therefore, when focusing on the purpose of purifying the common call API, the TF-IDF technique may be utilized only for document-type malware.

Next, the action vector generation unit 63-4 generates action vectors of malicious codes from call sequence information of the main API. A detailed description thereof will be described later with reference to FIGS. 15 to 18.

For reference, it should be noted that the functional flow illustrated in FIG. 5 is only some examples for achieving the purpose of the present disclosure. According to some other embodiments of the present disclosure, the functional flow of the pre-processing unit 63 may be modified in any way. This is because there is no dependency in order between the file type identification unit 63-1, the classification code generation unit 63-2, and the main API extraction unit 63-3.

The description will be continued again with reference to FIG. 4.

Next, the clustering unit 65 builds a malicious code cluster by clustering the action vectors of the malicious codes. The malicious code cluster constructed in this way represents a set of similar/variant malicious codes that perform similar malicious actions.

In some embodiments, the clustering unit 65 may construct a malware cluster using the K-Medoids clustering algorithm. The K-Medoids clustering algorithm is a variant of the K-means clustering algorithm, and is an algorithm that performs clustering around representative objects (medoids) located closest to the center of the cluster. Unlike the K-means clustering algorithm, which is sensitive to outliers, the K-Medoids clustering algorithm is robust to the effects of outliers. According to this embodiment, by applying a robust clustering algorithm to outliers, highly reliable clustering results can be provided even when noise is present in the action vector (or action information).

In some embodiments, the clustering unit 65 may group malicious codes according to file types of the malicious codes, and perform clustering for each malicious code group. By doing so, more accurate (or fine-grained) clustering results can be provided for each type of action. Detailed description of this embodiment will be described later.

In some embodiments. The clustering unit 65 may group malicious codes according to the classification codes of the malicious codes, and perform clustering for each malicious code group. By doing so, more accurate (or fine-grained) clustering results can be provided for each type of action. A detailed description of this embodiment will also be described later.

Next, the classification model construction unit 67 builds a classification model based on the clustering result. More specifically, the classification model building unit 67 assigns the same class label to each malware cluster, and constructs a classification model by machine learning the class label and the behavior vector of the malicious codes.

In some embodiments, the classification model may be a machine learning model based on a deep neural network (DNN). However, the technical scope of the present disclosure is not limited thereto.

Next, the classification unit 69 performs a classification task for new malicious codes using the classification model constructed by the classification model construction unit 67. The associated functional flow is shown in FIG. 6.

As illustrated in FIG. 6, the classification process of the new malicious code starts from the collection unit 61 collecting the behavior information of the new malicious code. Next, the pre-processing unit 63 converts the behavior information into the behavior vector in the same manner as described above. Then, the classification unit 69 inputs the behavior vector of the new malicious code into the classification model, and as a result, obtains and outputs the classification result of the new malicious code.

On the other hand, according to some other embodiments of the present disclosure, classification of new malicious codes may be performed using a malicious code cluster constructed by the clustering unit 65. That is, the malware cluster may be used as a classification model. In this case, the classification unit 69 may classify the new malicious code by determining the malicious code cluster matching the action vector of the new malicious code.

Meanwhile, it should be noted that not all components shown in FIG. 4 may be essential components for implementing the classification device 20. That is, the classification device 20 according to some other embodiments of the present disclosure may be implemented by some of the components illustrated in FIG. 4.

Each component illustrated in FIGS. 4 to 6 may mean software or hardware such as a field programmable gate array (FPGA) or an application-specific integrated circuit (ASIC). However, the above components are not limited to software or hardware, and may be configured to be in an addressable storage medium, or may be configured to execute one or more processors. The functions provided in the above components may be implemented by more detailed components, or may be implemented as a single component that performs a specific function by combining a plurality of components.

So far, the configuration and operation of the classification device 20 according to some embodiments of the present disclosure have been described with reference to FIGS. 4 to 6. Hereinafter, a method for classifying a malicious code according to some embodiments of the present disclosure will be described in detail with reference to FIGS. 7 to 25.

Each step of the malicious code classification method to be described below may be performed by a computing device having a processor. In other words, each step of the malicious code classification method may be implemented with one or more instructions executed by a processor. All the steps included in the malicious code classification method may be executed by one physical computing device, but the first steps of the method are performed by the first computing device, and the second steps of the method are second computing It can also be performed by the device. Hereinafter, for convenience of understanding, it is assumed that each step of the malicious code classification method is performed by the classification device 20 to continue the description. However, the description of the operation subject of each step included in the malicious code classification method may be omitted.

The method of classifying the malicious codes can be classified into a process of constructing a classification model through action-based clustering of the malicious codes and a process of classifying new malicious codes using the constructed classification model. First, a process of constructing a classification model will be described with reference to FIGS. 7 to 24.

7 is an exemplary flowchart illustrating a method for constructing a malicious code classification model according to some embodiments of the present disclosure. However, this is only a preferred embodiment for achieving the object of the present disclosure, and of course, some steps may be added or deleted as necessary.

As illustrated in FIG. 7, the method starts at step S100 of collecting the behavior analysis results for the malicious code. Here, the collected behavior analysis results include API call sequence information. The method of collecting the behavior analysis results in this step S100 may be any method.

In step S200, a behavior vector is pre-processed to generate a behavior vector for each malicious code. That is, through the pre-processing process, the behavior analysis results are converted into vector format data. Detailed description of the step S200 will be described later with reference to FIGS. 8 to 18.

In step S300, a malicious code cluster is constructed by clustering the action vectors. At this time, each malicious code cluster represents a group of malicious codes that perform similar malicious actions.

In some embodiments, clustering may be performed based on the K-Medoids clustering algorithm. However, the technical scope of the present disclosure is not limited thereto, and of course, a K-average clustering algorithm, a density-based clustering algorithm, and the like may be utilized.

Detailed description of the step S300 will be described later with reference to FIGS. 19 to 21.

In step S400, a classification model for classifying the malicious code based on the clustering result is constructed. More specifically, the same class label is assigned to each malware cluster, and a classification model is constructed by learning class labels and behavior vectors. Of course, as described above, the malware cluster itself may be used as a classification model. Detailed description of this step S400 will be described later with reference to FIGS. 22 to 24.

For reference, among the aforementioned steps S100 to S400, step S100 is performed by the collecting unit 61, step S200 is performed by the pre-processing unit 63, and step S300 can be performed by the clustering unit 65. have. In addition, step S400 may be performed by the classification model building unit 67.

So far, with reference to FIG. 7, a method for constructing a malicious code classification model has been schematically described. Hereinafter, details of each step and related embodiments will be described in detail.

First, a preprocessing method that can be applied to step S200 will be described with reference to FIGS. 8 to 18.

8 is an exemplary flow diagram illustrating a pre-processing method in accordance with some embodiments of the present disclosure.

As shown in FIG. 8, the pre-processing method starts at step S210 for identifying the file type of the malicious code. The file type may be used to group malicious codes in the clustering step S300.

In step S230, classification codes are generated for each malicious code. The classification code may also be used to group malicious codes in the clustering step S300. The classification code may be generated based on a predefined API function code, and will be described in detail with reference to FIGS. 9 and 10 for convenience of understanding.

9 shows some examples of API function codes. Table 70 shown in FIG. 9 illustrates that API functions are defined as 17 categories, and function codes are assigned to each function category. Since the table 70 shown in FIG. 9 is only an example, a method for defining an API function category, a method for allocating a function code, and the like may vary.

In the table 70 shown in FIG. 9, "Crypto" is a category of APIs that perform encryption-related functions, "Crypto" is a category of APIs that perform encryption-related functions, and "Misc" is an API that performs other functions. It is a category. Those skilled in the art will be able to intuitively know the function of the category in the name of the category, and further description will be omitted.

FIG. 10 shows an example of generating a classification code of the first malicious code using the predefined API function code (e.g. 70 of FIG. 9). 10 shows an example in which the first malicious code calls three APIs (a, b, and c).

As shown in FIG. 10, when the API information (eg, API call sequence information) of the first malicious code is obtained, the function categories (72, 74, 76) and function codes (73, 75, 77) for each API are obtained. ) Can be determined. For example, when the function categories 72, 74, and 76 of each API (a, b, c) are determined, the function codes corresponding to each function category (72, 74, 76) are searched for each API (a, b, The function codes 73, 75, 77 of c) can be determined. In addition, the classification code 78 of the first malicious code may be generated to have a total value of function codes 73, 75, and 77 of each API (a, b, c). 10 illustrates an example in which the classification code 78 is generated through the or operation, but this may vary depending on the embodiment.

It will be described again with reference to FIG. 8.

In step S250, the main API is determined for each malicious code, and call sequence information of the main API is extracted. The main API means a representative API that well represents the behavior characteristics of the malicious code. The reason for extracting the main API among all APIs called by the malicious code is that if the non-critical APIs (eg, APIs commonly called by many normal codes or malicious codes) are included in the action vector, the accuracy of the classification of the malicious code decreases Because. That is, if the API commonly called by a plurality of malicious codes is included in the action vector of the malicious code, malicious codes that do not perform similar malicious actions may be classified into the same group (ie, a malicious code cluster). It is to prevent.

In some embodiments, TF-IDF techniques can be applied to determine the primary API. Referring to FIG. 11, the upper boxes 81 and 83 represent a formula for calculating the keyword's TF-IDF value in the document, and the lower boxes 85 and 87 calculate the API's TF-IDF value. Indicates the formula. In this way, if the document corresponds to the malicious code (or malicious code and normal code), and the word corresponds to the API, and then the value is calculated according to the TF-IDF formula, the TF-IDF value of the API may be calculated. The TF-IDF value of the first API of the first malicious code calculated in this way, the lower the frequency of the first API being called from a plurality of malicious codes, the higher the frequency of the first API being called from the first malicious code. The higher the value, the higher the value.

When the TF-IDF value is calculated for each API, an API in which the TF-IDF value is greater than or equal to a reference value may be determined as the main API. For example, in the graph 90 illustrated in FIG. 12, APIs 93 to 99 having a TF-IDF value equal to or greater than a preset reference value 91 may be determined as a main API of the corresponding malicious code. In some other embodiments, k APIs with a higher TF-IDF value (where k is a natural number greater than or equal to 1) may be determined as the main API of the corresponding malicious code. As described above, when the main API is determined through the TF-IDF technique, not only the common calling API having a low TF-IDF value is purified, but also an API reflecting the behavior characteristics of the corresponding malicious code can be extracted.

In some embodiments, the main API extraction process may be performed only when the file type of the malicious code is a document type. That is, if it is not a document type, an action vector may be generated from all API call sequence information, and in the case of a document type malicious code, an action vector may be generated from call sequence information of a major API. The reason for this is to refer to the above description.

13 and 14 illustrate a method of extracting the main API call sequence from the entire API call sequence of the malicious code. The shaded API in FIGS. 13 and 14 indicates the main API.

In some embodiments, as shown in FIG. 13, only the main APIs e, c, and n are extracted in order from the entire API call sequence 101, so that the call sequence 103 of the main API may be configured.

In some other embodiments, as illustrated in FIG. 14, APIs adjacent to the main APIs (e, c, n) may be further extracted along with the main APIs (e, c, n) in the entire API call sequence 111. have. For example, the API APIs (b, d) adjacent to the first main API (n) may be further extracted from the entire API call sequence 111 to form the main API call sequence 113. The reason why the neighboring API is further extracted is that it is highly likely that the neighboring API has been used for supporting the malicious behavior of the main API.

In particular, FIG. 14 illustrates extracting two adjacent APIs, including an API called immediately before the main API and an API called immediately after, but the number of adjacent APIs extracted together may vary according to embodiments. In some other embodiments, the number of neighboring APIs extracted in proportion to the TF-IDF value of the main API may be determined. For example, the higher the TF-IDF value, the greater the number of neighboring APIs may be extracted.

The description will be continued again with reference to FIG. 8.

In step S270, an action vector of the malicious code is generated by processing call sequence information of the main API. The specific manner of generating the action vector may vary depending on the embodiment.

In some embodiments, N-gram unit behavior features are extracted from the call sequence of the main API, and behavior vectors having the behavior features as vector elements are generated. For example, an action vector may be generated such that the action feature corresponds to a column of vectors, and the frequency value of the action feature corresponds to column values.

In some other embodiments, as illustrated in FIG. 15, N-gram unit behavior features are extracted, and behavior vectors may be generated through feature hashing (S271, S273 ). The reason to perform feature hashing is to reduce the order of the vectors (or dimension), and to match the vector orders of different malicious codes (ie, the number of vector elements). In order to provide more convenience, the present embodiment will be described in detail with reference to FIGS. 16 to 18.

16 illustrates the main API call sequence 123 for the malware A 121 and the main API call sequence 127 for the malware B 125. In addition, FIG. 17 exemplifies extracting 2-gram unit behavior characteristics from the call sequences 123 and 127 illustrated in FIG. 16. The symbols A, B, C, and D shown in FIG. 17 are used for convenience of replacing the names of major APIs.

Referring to FIG. 17, when the main API call sequences 123 and 127 of the malicious codes A 121 and B 125 are replaced with symbols, they may be represented by symbol sequences 131 and 135 as shown on the left. When 2-gram is applied to the symbol strings 131 and 135, as shown on the right, the behavior characteristics 133 of the malware A 121 become AA, AA, AB, BC, and CC, and the malware B The behavior characteristics 137 of 125 are AA, AB, BC, CD, and DD.

The main API call sequences 123 and 127 illustrated in FIG. 16 are illustrated in rather short lengths for convenience of explanation, but the main API call sequences of actual malicious codes may be much longer, and this results in n-gram unit behavior. Behavior vectors having features as vector elements can be very high-dimensional vectors. In addition, the behavior vector has a high probability of becoming a sparse vector in which most vector elements are "0". In addition, if the length of the main API call sequence is different for each malicious code, since the length of the action vector is also different for each malicious code, a process of matching the length of the vector must be performed. For these various reasons, feature hashing is performed on the extracted behavior characteristics. In addition, behavior vectors are generated for each malicious code using the result of feature hashing. An example of this is shown in FIG. 18.

Referring to FIG. 18, when the hash values for the behavior characteristics (AA, AB, BC, and CC) of the malware A 121 are 0, 1, 1, and 2 (see box 143), the malware A ( 121), the action vector 141 may be (2, 2, 1). Similarly, when the hash values for the behavior characteristics (AA, AB, BC, CD, DD) of the malicious code A 125 are 0, 1, 1, 2, and 2 (refer to box 147), the malicious code B The action vector 145 of 125 may be (1, 2, 2). That is, when feature hashing is performed, the hash value indicates the column index of the action vector, and the number of action features is set as the column value of the action vector. The hash function used for feature hashing can be any function, and a modular function (%) can be used together to limit the dimension of the action vector. Alternatively, the modulo function itself may be used as a hash function. The feature hashing may be used interchangeably with a term such as a hashing trick in the art, but refers to the same meaning, and a description that is already well known in the art will be omitted.

So far, a pretreatment method according to some embodiments of the present disclosure has been described with reference to FIGS. 8 to 18. According to the above-described method, an action vector for a malicious code is generated based on call sequence information of a main API extracted based on TF-IDF. Therefore, although the length of the action vector is reduced, an action vector reflecting the behavior characteristics of the malicious code can be generated.

In addition, since sparse vectors are prevented from being generated through feature hashing, data space can be efficiently utilized. Furthermore, since the low-dimensional action vector generated through feature hashing is suitable for machine learning, it can be easily used as a training dataset of a classification model later.

For reference, steps S210, S230, and S250/S270 shown in FIG. 8 are not necessarily performed in the order shown in FIG. 8, and the order of execution may be changed as much as possible.

Hereinafter, a clustering method according to some embodiments of the present disclosure that may be applied to step S300 will be described.

In some embodiments, malware is grouped based on the file type of the malware, and clustering may be performed for each malware group. Of course, the clustering is performed on the action vector of the malicious code. The reason for grouping malicious codes based on file types is that malicious behavior of malicious codes varies depending on file types. That is, when the malicious codes are primarily grouped according to the file type, malicious codes that perform similar malicious behaviors form a group, and if clustering is performed within the formed groups, the malicious codes can be classified by action type more accurately. . In addition, malicious codes can be classified according to more detailed action types.

In addition, in some embodiments, a classification model may be constructed for each file type. Specifically, a first classification model may be built based on the clustering result for the first file type, and a second classification model may be built based on the clustering result for the second file type. A detailed description of how to build a classification model based on clustering results will be described later.

In some embodiments, malicious codes are grouped based on the classification codes of the malicious codes, and clustering is performed for each malicious code group. The reason for grouping malicious codes based on the classification code is that the classification code indicates the behavior type of the malicious code. That is, since the classification code is generated based on the API function code, malicious codes performing similar actions have similar classification codes. Therefore, if clustering is performed within a group formed based on the classification code, the malicious code can be classified more accurately for each type of action. In addition, malicious codes can be classified according to more detailed action types.

19 to 21, the malicious codes M29, M31, and M32 are grouped into the same malicious code group 157 because the classification codes 151 to 155 are the same. In addition, as illustrated in FIG. 20, clustering 163 is performed on the action vector of the first malware group 161, and clustering 167 is performed on the second malware group 165. When the clustering is performed in this way, as shown in the clustering result table 170 shown in FIG. 21, a malicious code cluster can be constructed for each classification code.

In addition, in some embodiments, a classification model may be constructed for each classification code. Specifically, a first classification model may be built based on the clustering result for the first classification code, and a second classification model may be built based on the clustering result for the second classification code. A detailed description of how to build a classification model based on clustering results will be described later.

In some embodiments, malicious codes are grouped based on file types and classification codes, and clustering may be performed for each malicious code group.

So far, a clustering method according to some embodiments of the present disclosure has been described with reference to FIGS. 19 to 21. Hereinafter, methods that can be applied in step S400 will be described with reference to FIGS. 22 to 24.

When clustering is completed, class labels are assigned to each malware cluster. Specifically, the first class label is assigned to the first malwares belonging to the first malware cluster, and the second class label is assigned to the second malwares belonging to the second malware cluster. That is, malicious codes belonging to the same malicious code cluster have the same class label.

When the labeling operation is completed, a classification model may be constructed through the learning process 175 illustrated in FIG. 22. In the learning process 175, the action vector is used as an input and the pre-assigned class label is used as a correct answer label. 22 shows the classification model as an example of a deep neural network, but the technical scope of the present disclosure is not limited thereto, and other types of machine learning algorithms or models may be utilized, such as a support vector machine (SVM).

Meanwhile, according to various embodiments of the present disclosure, a process of selecting/purifying learning data before learning may be performed in order to construct a highly accurate classification model, and various embodiments related to the learning data selecting process will be described below. Do it.

In some embodiments, only action vectors of malware located within a certain distance from the centroid of the malware cluster may be selected as training data.

In some embodiments, only action vectors having a similarity level or higher than the central vector of the malware cluster may be selected as training data. At this time, the similarity may be calculated based on the cosine similarity, but the technical scope of the present disclosure is not limited thereto.

In some embodiments, only action vectors located in a region where the density is greater than or equal to a reference value in the malware cluster may be selected as learning data. For example, as illustrated in FIG. 23, in the first cluster 181, the first class label 183 is assigned only to the action vector of the region 182 in which the density is greater than or equal to the reference value, and the density in the second cluster 184 is the reference value. The second class label 186 is assigned only to the action vector of the above-described region 185 and can be used as learning data.

In some embodiments, learning data selection may be based on a combination of the above-described embodiments. For example, only the first action vectors located within a certain distance based on the center of the malware cluster and the second action vectors in a region having a density greater than or equal to a reference value among areas located outside the predetermined distance may be selected as learning data.

In some embodiments, weight-based learning can be performed to build a highly accurate classification model. For example, as illustrated in FIG. 24, a sample weight is assigned to each action vector 194 to 196, and machine learning for the classification model 197 may be performed based on the sample weight. At this time, the method of performing learning based on the sample weight adjusts the learning error (that is, the difference between the correct answer value and the predicted value) according to the sample weight (ie increases or decreases) and classifies the adjusted learning error in the direction of minimizing. It may be a method of updating the weight of the model 197, but the technical scope of the present disclosure is not limited thereto.

As illustrated in FIG. 24, the sample weight of the first action vector 194 is determined based on the distance between the point 191 corresponding to the first action vector 194 and the cluster center 193 (eg, the distance is close). The collected sample weight is determined to be a high value), and the sample weight of the second action vector 195 may be determined based on the distance between the point 192 corresponding to the second action vector 195 and the cluster center 193. . However, the technical scope of the present disclosure is not limited thereto. For example, the sample weight may be determined based on the similarity between the behavior vector and the central vector of the cluster (e.g., the higher the similarity, the higher the sample weight is determined).

So far, the learning data selection method and the learning method according to various embodiments of the present disclosure have been described with reference to FIGS. 22 to 24. According to the above-described method, the performance of the classification model may be improved by learning using refined learning data. In addition, the performance of the classification model may be further improved by more strongly learning representative behavior vectors (e.g. behavior vectors located close to the center) in the cluster through weight-based learning.

Hereinafter, a method for classifying a new malicious code according to some embodiments of the present disclosure will be described with reference to FIG. 25.

25 is an exemplary flowchart illustrating a method for classifying a new malicious code according to some embodiments of the present disclosure. However, this is only a preferred embodiment for achieving the object of the present disclosure, and of course, some steps may be added or deleted as necessary.

As illustrated in FIG. 25, the method for classifying new malware starts at step S500 for obtaining a result of behavior analysis for the new malware. At this time, the behavior analysis result includes API call sequence information.

In step S600, an action vector of a new malicious code is generated by preprocessing the action analysis result. The description of the step S600 will be referred to the description of FIGS. 8 to 18.

In step S700, the generated action vector is input to the classification model corresponding to the new malicious code, and the new malicious code is classified according to the output result. Here, the corresponding classification model may be determined by the file type or classification code of the new malicious code.

For example, if a classification model is constructed for each file type, the behavior vector may be input as a classification model matching the file type of the new malicious code. For another example, if a classification model is constructed for each classification code, the action vector may be input as a classification model matching the classification code of the new malicious code.

Among the above-described steps S500 to S700, step S500 is performed by the collecting unit 61, step S600 is performed by the pre-processing unit 63, and step S700 can be performed by the sorting unit 69.

So far, a method for classifying a new malicious code according to some embodiments of the present disclosure has been described with reference to FIG. 25. According to the above-described method, similar malicious codes (e.g. variant malicious codes) performing malicious actions similar to the classification information for new malicious codes may be identified through the action-based classification model. Therefore, the security manager can grasp the risk of new malicious code based on the scale and risk of cyber infringement incidents performed by the similar malicious codes, and systematically respond to cyber infringement incidents by assigning an appropriate response priority according to the risk. It becomes possible.

Hereinafter, an exemplary computing device capable of implementing a device (e.g. classification device 20)/system (e.g. behavior analysis system 10) according to various embodiments of the present disclosure will be described.

26 is an example hardware configuration diagram illustrating an example computing device capable of implementing a device/system in accordance with various embodiments of the present disclosure.

As illustrated in FIG. 26, the computing device 200 may include a memory (for loading) a computer program performed by one or more processors 210, a bus 250, a communication interface 270, and a processor 210. 230, and a storage 290 for storing the computer program 291. However, only components related to the exemplary embodiment of the present disclosure are illustrated in FIG. 26. Accordingly, a person skilled in the art to which the present disclosure belongs may recognize that other general-purpose components may be further included in addition to the components illustrated in FIG. 26.

The processor 210 controls the overall operation of each component of the computing device 200. The processor 210 comprises a CPU (Central Processing Unit), MPU (Micro Processor Unit), MCU (Micro Controller Unit), GPU (Graphic Processing Unit) or any type of processor well known in the art of the present disclosure. Can be. Also, the processor 210 may perform operations on at least one application or program for executing the method according to embodiments of the present disclosure. Computing device 200 may include one or more processors.

The memory 230 stores various data, commands and/or information. The memory 230 may load one or more programs 291 from the storage 290 to execute the method/operation according to various embodiments of the present disclosure described above. For example, when the computer program 291 is loaded in the memory 230, a module may be implemented on the memory 230 as illustrated in FIGS. 4 to 6. The memory 230 may be implemented as a volatile memory such as RAM, but the technical scope of the present disclosure is not limited thereto.

The bus 250 provides communication functions between components of the computing device 200. The bus 250 may be implemented as various types of buses, such as an address bus, a data bus, and a control bus.

The communication interface 270 supports wired and wireless Internet communication of the computing device 200. In addition, the communication interface 270 may support various communication methods other than Internet communication. To this end, the communication interface 270 may include a communication module well known in the art of the present disclosure.

The storage 290 may store the one or more programs 291 non-temporarily. The storage 290 is well-known in the art of non-volatile memory such as read only memory (ROM), erasable programmable ROM (EPROM), electrically erasable programmable ROM (EPMROM), flash memory, hard disks, removable disks, or the present disclosure. And any known form of computer-readable recording media.

Computer program 291 can include one or more instructions that, when loaded into memory 230, cause processor 210 to perform a method/operation in accordance with various embodiments of the present disclosure. That is, the processor 210 may perform operations/methods according to various embodiments of the present disclosure by executing the one or more instructions.

For example, the computer program 291 obtains API call sequence information for a plurality of malicious codes, from the API call sequence information using TF-IDF (Term Frequency-Inverse Document Frequency) technique Extracting call sequence information for major APIs, generating action vectors for each of the plurality of malicious codes based on the extracted call sequence information, and clustering the generated action vectors to build a malware cluster It may include one or more instructions to perform the operation. In such a case, the classification device 20 according to some embodiments of the present disclosure may be implemented through the computing device 200.

For example, the computer program 291 generates a classification code indicating each behavior type of a plurality of malicious codes using a predefined API function code, and the plurality of malicious codes based on the generated classification code. It may include one or more instructions to perform grouping operation and clustering for each malicious code group formed through the grouping to perform an operation for building a malicious code cluster for each malicious code group. In such a case, the classification device 20 according to some other embodiments of the present disclosure may be implemented through the computing device 200.

So far, an exemplary computing device capable of implementing a device/system according to various embodiments of the present disclosure has been described with reference to FIG. 26.

So far, various embodiments of the present disclosure and effects according to the embodiments have been described with reference to FIGS. 1 to 26. Effects according to the technical spirit of the present disclosure are not limited to the above-mentioned effects, and other effects not mentioned will be clearly understood by those skilled in the art from the following description.

The technical idea of the present disclosure described so far with reference to FIGS. 1 to 26 may be embodied as computer readable codes on a computer readable medium. The computer-readable recording medium may be, for example, a removable recording medium (CD, DVD, Blu-ray Disc, USB storage device, removable hard disk), or a fixed recording medium (ROM, RAM, hard disk equipped with a computer). You can. The computer program recorded on the computer-readable recording medium may be transmitted to another computing device through a network such as the Internet and installed on the other computing device, and thus used on the other computing device.

In the above, even if all components constituting the embodiments of the present disclosure are described as being combined or operated as one, the technical spirit of the present disclosure is not necessarily limited to these embodiments. That is, within the scope of the present disclosure, all of the components may be selectively combined and operated.

Although the operations are shown in a specific order in the drawings, it should not be understood that the operations must be performed in a specific order or in a sequential order, or all illustrated operations must be executed to obtain a desired result. In certain situations, multitasking and parallel processing may be advantageous. Moreover, the separation of the various configurations in the above-described embodiments should not be understood as such separation is necessary, and the described program components and systems may generally be integrated together into a single software product or packaged into multiple software products. It should be understood that there is.

Although the embodiments of the present disclosure have been described with reference to the accompanying drawings, a person of ordinary skill in the art to which the present disclosure pertains may implement the present disclosure in other specific forms without changing the technical spirit or essential features. You can understand that there is. Therefore, it should be understood that the above-described embodiments are illustrative in all respects and not restrictive. The scope of protection of the present disclosure should be interpreted by the claims below, and all technical spirits within the scope equivalent thereto should be interpreted as being included in the scope of the technical spirits defined by the present disclosure.

Claims (22)

In the malicious code classification method performed by the computing device,
Obtaining API call sequence information for a plurality of malicious codes;
Extracting call sequence information for a major API from the API call sequence information using a TF-IDF (Term Frequency-Inverse Document Frequency) technique;
Generating an action vector for each of the plurality of malicious codes based on the extracted call sequence information; And
Clustering the generated action vector, characterized in that it comprises the step of building a malware cluster,
How to classify malware. According to claim 1,
Extracting call sequence information for the main API,
Characterized in that it comprises the step of extracting the call sequence information for the main API only for document-type malware among the plurality of malware,
How to classify malware. According to claim 1,
Extracting call sequence information for the main API,
Selecting an API having a TF-IDF value equal to or greater than a reference value among APIs called by the first malicious code as the first main API;
And extracting the first main API from the API call sequence of the first malicious code to construct a main API call sequence of the first malicious code.
How to classify malware. According to claim 1,
Extracting call sequence information for the main API,
Selecting an API having a TF-IDF value equal to or greater than a reference value among APIs called by the first malicious code as the first main API;
And extracting together the first main API and an API adjacent to the first main API from the API call sequence of the first malicious code to construct a main API call sequence of the first malicious code.
How to classify malware. According to claim 4,
The number of adjacent APIs to be extracted is determined based on the TF-IDF value of the first main API,
How to classify malware. According to claim 1,
Generating the behavior vector,
Extracting n-gram unit behavior characteristics from the extracted call sequence information; And
And generating the action vector based on the extracted action feature.
How to classify malware. According to claim 1,
The step of building the malware cluster,
Identifying a file type of each malicious code;
Grouping the plurality of malicious codes based on the identified file type; And
Characterized in that it comprises the step of performing clustering for each malware group formed through the grouping,
How to classify malware. According to claim 1,
The step of building the malware cluster,
Generating a classification code indicating an action type for each malicious code using the predefined API function code;
Grouping the plurality of malicious codes based on the generated classification code; And
Characterized in that it comprises the step of performing clustering for each malware group formed through the grouping,
How to classify malware. According to claim 1,
Assigning the same class label for each of the constructed malware clusters; And
Characterized in that it further comprises the step of constructing a classification model for classifying the malicious code by learning the assigned class label and the action vector belonging to the malicious code cluster,
How to classify malware. The method of claim 9,
Obtaining API call sequence information for new malware;
Generating an action vector for the new malware from the API call sequence information of the new malware; And
Characterized in that it further comprises the step of inputting the behavior vector of the new malware into the constructed classification model, and classifying the new malicious code according to the output value of the constructed classification model,
How to classify malware. The method of claim 9,
Characterized in that the behavior vector located in a region where the density is less than the reference value in the malware cluster is not used for learning the classification model,
How to classify malware. The method of claim 9,
The step of building the classification model,
Assigning weights to each action vector belonging to the malicious code cluster; And
Characterized in that it comprises the step of training the classification model based on the assigned weight,
How to classify malware. The method of claim 12,
The weight is determined based on the distance from the center of the malware cluster to the point where the action vector is located,
How to classify malware. The method of claim 12,
The weight is determined based on the similarity between the central vector of the malicious code cluster and the action vector,
How to classify malware. According to claim 1,
The clustering,
Characterized by a k-medoids clustering algorithm,
How to classify malware. In the malicious code classification method performed by the computing device,
Generating a classification code indicating an action type of each of the plurality of malicious codes using the predefined API function codes;
Grouping the plurality of malicious codes based on the generated classification code; And
And performing clustering for each malicious code group formed through the grouping, and constructing a malicious code cluster for each malicious code group.
How to classify malware. The method of claim 16,
Generating the classification code,
Obtaining a first function code for the first API called by the first malware;
Obtaining a second function code for the second API called by the first malicious code; And
Comprising the step of synthesizing the first function code and the second function code to generate a classification code for the first malicious code,
How to classify malware. The method of claim 16,
The step of building a malware cluster for each of the malicious code groups,
Generating an action vector for each of the first plurality of malicious codes based on API call sequence information of the first plurality of malicious codes belonging to the first malicious code group; And
Clustering the generated action vector, characterized in that it comprises the step of building a malware cluster for the first group of malware,
How to classify malware. The method of claim 18,
Generating the behavior vector,
Extracting call sequence information for a major API from the API call sequence information using a TF-IDF (Term Frequency-Inverse Document Frequency) technique; And
And generating an action vector for each of the first plurality of malicious codes based on the extracted call sequence information.
How to classify malware. The method of claim 16,
It characterized in that it further comprises the step of building a classification model for each of the malicious code groups, using the malicious code clusters built for each of the malicious code groups,
How to classify malware. The method of claim 20,
Generating classification codes for new malicious codes using the predefined API function codes;
Selecting a classification model matching the classification code of the new malicious code from the constructed classification model; And
Characterized in that it further comprises the step of classifying the new malicious code using the selected classification model,
How to classify malware. Processor; And
A memory comprising one or more instructions executed by the processor,
The processor,
By executing the one or more instructions,
Obtain API call sequence information for a plurality of malicious codes,
The call sequence information for the main API is extracted from the API call sequence information by using TF-IDF (Term Frequency-Inverse Document Frequency) technique,
Create an action vector for each of the plurality of malicious codes based on the extracted call sequence information,
Characterized in that by constructing a cluster of malicious codes by clustering the generated action vector,
Malware classification device.

Images