KR20230090247A - Method and device for generating optimized signature of specific malware - Google Patents

Abstract

A method and apparatus for generating an optimized signature for an entered malicious code are provided. The signature generation method generates a signature for a malicious code input from the outside based on a plurality of existing malicious codes, updates the signature based on a family malicious code corresponding to the malicious code, and based on a reference characteristic value of the signature. Determine whether to re-update the updated signature.

Description

Method and device for generating optimized signature of specific malware {Method and device for generating optimized signature of specific malware}

The present invention relates to a method and apparatus for generating an optimized signature for a specific malicious code input from the outside.

When a malicious code invades a network of a company or research institute, a security officer of the company or research institute creates a signature for the intruding malicious code to prevent damage caused by the malicious code.

However, in order to generate the signature of the malicious code, it is difficult to determine which information is meaningful among a plurality of information included in the malicious code, for example, characteristic values of the malicious code, and an inaccurate signature is generated for the malicious code. The effectiveness of preventing damage caused by malicious codes is reduced.

Conventionally, a method of collecting a large number of malicious codes in addition to intruding malicious codes, configuring groups through similarity-based clustering, and extracting common information from each group to create signatures for each group has been used. there is.

However, in the existing signature generation method, a large number of malicious codes are clustered to generate an optimal signature for the malicious codes, which causes a problem in that clustering takes a lot of time.

In addition, when an arbitrary function is added to or deleted from the intruding malicious code, the existing similarity-based clustering has a problem of not accurately identifying a variant malicious code similar to the malicious code.

Moreover, in the past, clustering is a method of generating common characteristics from malicious codes grouped into a group as signatures. As a result, in the case of individual malicious codes grouped together, significant characteristics of malicious codes are removed when creating signatures. there is a problem.

Due to this problem, it is difficult to quickly cope with the intruding malicious code in the existing signature generation method, and inaccurate signatures for the malicious code are generated, which is a reality in which damage caused by the malicious code is increasing.

Korean Patent Registration No. 10-1337216 (2013.12.05.)

An object of the present invention is to provide a method and apparatus for generating an optimized signature for a specific malicious code input from the outside.

A signature generation method according to an embodiment of the present invention includes generating a signature for a malicious code input from the outside based on a plurality of pre-stored existing malicious codes; updating a signature based on at least one family malicious code corresponding to the malicious code among the plurality of existing malicious codes; and determining whether to re-update the updated signature based on one or more reference feature values of the signature before the update.

The generating of the signature may include extracting a plurality of initial feature values from the malicious code; extracting one or more existing malicious codes including each of the plurality of initial characteristic values from among the plurality of existing malicious codes and matching each of the plurality of initial characteristic values; selecting some of the plurality of initial feature values based on a preset first threshold value; and generating the signature including the selected initial feature values.

Selecting some of the plurality of initial feature values may include arranging each of the plurality of initial feature values in an order of a large number of the one or more existing malicious codes matched with each of the plurality of initial feature values; and selecting one or more initial feature values in which the number of the one or more existing malicious codes is less than the first threshold value from among the plurality of initial feature values.

The updating of the signature may include extracting the one or more family malicious codes based on the family label extracted from the malicious codes; Determining a matching rate between each of the extracted one or more family malicious codes and signatures; extracting one family malicious code having the highest matching rate with a signature from among the one or more family malicious codes according to the determination result; extracting a common characteristic value between the extracted one family malicious code and the signature; and generating each of the signature and the common characteristic value as a pre-update signature and an updated signature.

The step of extracting one family of malicious codes is a step of extracting the one family of malicious codes having the best matching rate from among the remaining malicious codes of the family except for the family of malicious codes having feature values that match all of the characteristic values of the signatures. .

The step of determining whether to re-update the updated signature may include extracting some of a plurality of feature values of the signature before update as the one or more reference feature values based on a preset second threshold value; calculating a ratio including the one or more reference feature values among a plurality of feature values of the updated signature; and comparing the ratio with a preset third threshold value, and determining whether to re-update the updated signature according to the comparison result.

The step of extracting as the reference feature value is a step of extracting as many as the second threshold value as the reference feature value in order of decreasing number of corresponding existing malicious codes among the plurality of feature values of the signature before update. .

In the step of determining whether to re-update the updated signature, if the ratio including the one or more reference feature values among the plurality of feature values of the updated signature is greater than or equal to the third threshold value, the updated signature Determining re-update, and outputting the pre-update signature as the signature of the malicious code if the ratio including the one or more reference feature values among the plurality of feature values of the updated signature is less than the third threshold It is a step.

The signature generation method of this embodiment further includes extracting a family label and a plurality of initial feature values from the malicious code.

A signature generating device according to an embodiment of the present invention includes a malicious code storage module in which a plurality of existing malicious codes are stored; a signature generation module that generates and outputs a signature for the malicious code based on the plurality of existing malicious codes when a malicious code is input from the outside; a signature update module that extracts one or more family malicious codes corresponding to the malicious codes from among the plurality of existing malicious codes, updates the signature based on the extracted family malicious codes, and outputs a signature before updating and an updated signature; and a signature verification module for determining whether to re-update the updated signature based on one or more reference feature values of the signature before the update.

The signature generation module may include: a malicious code analysis unit that analyzes the malicious code and extracts a family label and a plurality of initial feature values; a feature value selection unit that selects and outputs some of the plurality of initial feature values based on a preset first threshold value; and a signature generating unit generating a signature including the selected feature values.

The characteristic value selector extracts one or more existing malicious codes including each of the plurality of initial characteristic values from among the plurality of existing malicious codes, matches each of the plurality of initial characteristic values, and determines each of the plurality of initial characteristic values. Each of the plurality of initial characteristic values is sorted in the order of the matching number of the one or more existing malicious codes, and the number of the one or more existing malicious codes among the plurality of aligned initial characteristic values is less than the first threshold value. Select the above feature values.

The signature update module may include: a family malicious code extractor extracting the one or more family malicious codes from among the plurality of existing malicious codes based on the family label extracted from the malicious codes; A common feature of determining the matching rate between each of the extracted one or more family malicious codes and signatures, and extracting a common characteristic value between the signature and one family malicious code having the best matching rate with the signature among the one or more family malicious codes according to the determination result. value extraction unit; and a signature updating unit that updates a signature based on the common feature value.

The common feature value extraction unit extracts the one family malicious code having the highest matching rate from among the remaining malicious code families except for family malicious codes having feature values that all match the feature values of the signature.

The signature updating unit generates a signature before updating and a signature after updating as a signature before updating and a signature after updating, respectively.

The signature verification module extracts the one or more reference feature values from among the plurality of feature values of the signature before updating, and calculates a ratio including the one or more reference feature values among the plurality of feature values of the updated signature. value ratio calculation unit; and a signature update control unit that determines whether or not to re-update the updated signature based on the calculated ratio, and controls an operation of the signature update module according to the determination result.

The feature value ratio calculation unit extracts some of the plurality of feature values of the pre-update signature as the one or more reference feature values based on a predetermined second threshold value, and extracts the one or more feature values of the updated signature. The ratio including the above reference feature values is calculated.

The feature value ratio calculation unit extracts, as the reference feature value, the number less than or equal to the second threshold in order of decreasing number of corresponding existing malicious codes among the plurality of feature values of the signature before update.

The signature update control unit determines whether to re-update the updated signature when the ratio including the one or more reference feature values among a plurality of feature values of the updated signature is equal to or greater than a preset third threshold, and the signature update module and if the ratio is less than the third threshold, the pre-update signature is output as the signature of the malicious code.

The present invention can quickly generate a signature for a malicious code input from the outside based on a plurality of existing malicious codes stored in an inverted index storage structure.

In addition, the present invention can create an optimal signature for an input malicious code by controlling re-update of the signature after update according to the same ratio of feature values between the signature before update and the signature after update.

1 is a block diagram showing a signature generating device according to an embodiment of the present invention.
FIG. 2 is a block diagram of the signature generation module of FIG. 1 .
3 is a block diagram of the signature update module of FIG. 1;
Figure 4 is a block diagram of the signature verification module of Figure 1;
5 is a flowchart illustrating a signature generation method according to an embodiment of the present invention.
6 to 8 are flowcharts specifically illustrating a signature generation method according to an embodiment of the present invention.

Advantages and features of the present invention, and methods of achieving them, will become clear with reference to the detailed description of the following embodiments taken in conjunction with the accompanying drawings. However, the present invention is not limited to the embodiments disclosed below, but may be implemented in various different forms, and only these embodiments make the disclosure of the present invention complete, and common knowledge in the art to which the present invention belongs. It is provided to completely inform the person who has the scope of the invention, and the present invention is only defined by the scope of the claims.

In describing the embodiments of the present invention, if it is determined that a detailed description of a known function or configuration may unnecessarily obscure the subject matter of the present invention, the detailed description will be omitted. In addition, terms to be described later are terms defined in consideration of functions in the embodiment of the present invention, which may vary according to the intention or custom of a user or operator. Therefore, the definition should be made based on the contents throughout this specification.

Hereinafter, preferred embodiments of the present invention will be described in detail with reference to the accompanying drawings.

1 is a block diagram showing a signature generating device according to an embodiment of the present invention.

Referring to the drawings, the signature generating device 100 of this embodiment can generate a signature for the malicious code when any malicious code is input from the outside. The signature generating device 100 may transmit the generated signature to an external device, for example, the malicious code detection device 200 .

Accordingly, the malicious code detecting apparatus 200 stores the signature of the received malicious code in an internal malicious code database (not shown), and uses the signatures stored in the database to detect a plurality of codes flowing through the network. Whether or not malicious code is included can be detected.

Here, the arbitrary malicious code input to the signature generator 100 may be a new malicious code other than the previously detected malicious code, or a variant malicious code in which a specific function is added or deleted from the existing malicious code.

In addition, the signature generated by the signature generator 100 may be data extracted from input malicious code, for example, a malicious code pattern expressed as a set of one or more feature values.

In addition, in this embodiment, the signature generating device 100 is described as a separate configuration from the malicious code detection device 200, but the present invention is not limited thereto. For example, the signature generating device 100 may be included as one module in the malicious code detection device 200 .

The signature generating device 100 of this embodiment may include a malicious code storage module 110, a signature generating module 120, a signature updating module 130, and a signature verification module 140.

The malicious code storage module 110 may store a plurality of existing malicious codes. Each of a plurality of existing malicious codes may include one or more sets of feature values. In addition, each of a plurality of existing malicious codes may further include a family label for the corresponding malicious code.

Here, the family label is the name of a family to which the malicious code corresponds, and the malicious code family may be a set of one or more malicious codes sharing overlapping characteristics. The family label of these malicious codes can be collected through the vaccine's diagnostic name. As an example, using the Virustotal service, it is possible to collect diagnosis names from more than 70 vaccines for entered malicious codes.

In addition, the malicious code storage module 110 may store a plurality of existing malicious codes in an inverted indexing structure, as shown in [Table 1] below.

ID feature value malware hash One CreateDirectoryW+"dirpath_r":"C:\\Users\\Administrator"|"dirpath":"C:\\Users\\Administrator" b643d5ae9a8aeecc5b092e7bd8ea6f43,d5159b90b87669c6fadd15ed3fc13ba1,
f1264a968aa937344a9591be33409e69,
... 2 DrawTextExW+"string":"Get MD5 signature from:" 1c5549ed4f02f206f961c4e8e4bb63b6,9a00a22edc7aed4bffccca10b3f16c31
... .
.
. .
.
. .
.
.

As shown in [Table 1], the malicious code storage module 110 of this embodiment has a reverse index structure so that one or more malicious codes, for example, malicious code hash values are matched for each of a plurality of feature values. Existing malware can be saved.

Here, in the feature values of [Table 1], the left side of the plus (+) sign is the API name, and the right side of the plus sign indicates the name of the parameter defined in the API and the transfer factor in turn.

Due to the reverse index storage structure for a plurality of existing malicious codes, the speed at which the signature generating module 120 to be described later extracts characteristic values and corresponding malicious codes from the malicious code storage module 110 can be improved.

The signature generation module 120 may generate a signature for a malicious code input from the outside based on a plurality of existing malicious codes stored in the malicious code storage module 110 .

FIG. 2 is a block diagram of the signature generation module of FIG. 1 .

Referring to FIGS. 1 and 2 , the signature generation module 120 of this embodiment may include a malicious code analysis unit 121 , a characteristic value selection unit 122 and a signature generation unit 123 .

The malicious code analyzer 121 may analyze the input malicious code and extract a family label and a plurality of feature values for the malicious code. Hereinafter, for convenience of description, the feature value extracted from the input malicious code will be referred to as an initial feature value.

Each of a plurality of initial feature values extracted from the malicious code may include static information and dynamic information. Here, the static information may be a characteristic value extracted from the malicious code itself, and the dynamic information may be a characteristic value extracted when the malicious code is actually executed.

Accordingly, the malicious code analysis unit 121 of the present embodiment extracts a plurality of initial characteristic values from the malicious code through a predetermined program capable of actually executing the entered malicious code in a virtual machine, for example, the cuckoo sandbox. can be extracted.

The feature value selector 122 may select and output some of the initial feature values among a plurality of initial feature values extracted from the malicious code.

The characteristic value selection unit 122 may extract one or more existing malicious codes including each of a plurality of initial characteristic values from among a plurality of existing malicious codes stored in the malicious code storage module 110 . The feature value selection unit 122 may match the number of extracted existing malicious codes to each of a plurality of initial feature values, and select and output some of the plurality of initial feature values based on a preset first threshold value.

Here, the first threshold value may be a predetermined percentage (%) of the total number of existing malicious codes stored in the malicious code storage module 110, and may be approximately 50%. For example, if the total number of existing malicious codes is 3,054, the first threshold value may be approximately 1,527.

Accordingly, the feature value selector 122 may select and output the remaining feature values excluding feature values matched with a malicious code equal to or higher than the first threshold value among a plurality of feature values matched with one or more existing malicious codes, respectively.

The signature generation unit 123 may generate a signature for malicious code including one or more initial characteristic values output from the characteristic value selection unit 122 .

Referring back to FIG. 1 , the signature update module 130 may update the signature of the malicious code generated by the signature generating module 120 based on a plurality of existing malicious codes stored in the malicious code storage module 110. .

3 is a block diagram of the signature update module of FIG. 1;

Referring to FIGS. 1 and 3 , the signature update module 130 may include a family malicious code extractor 131 , a common characteristic value extractor 132 and a signature updater 133 .

The family malicious code extraction unit 131 is based on the family label of the malicious code previously extracted by the malicious code analysis unit 121 of the signature generation module 120, among a plurality of existing malicious codes stored in the malicious code storage module 110. One or more existing malicious codes having the same family label can be extracted as family malicious codes.

The common feature value extraction unit 132 may determine a matching rate between the feature value of the signature and the feature value of each of one or more families of malicious codes, and extract one family of malicious codes according to the determination result.

Here, the common feature value extraction unit 132 may determine a matching rate according to whether the feature values of the family malicious code and the feature values of the signature match. At this time, the common feature value extractor 132 may exclude family malwares having feature values completely identical to the feature values of the signature, eg, 100% matched, from among one or more family malwares. Also, the common feature value extraction unit 132 may extract one family of malicious codes including feature values having the best matching rate with signature feature values from among the remaining malicious codes of the family.

Accordingly, the common feature value extraction unit 132 extracts one or more feature values that appear in common among a plurality of feature values included in the extracted one family of malicious codes and a plurality of feature values of the signature, and outputs them as common feature values. can do.

The signature updater 133 may generate the signature and the one or more common characteristic values as a pre-update signature and an updated signature, respectively.

The signature updating unit 133 may output the signature before updating and the updated signature together.

Referring back to FIG. 1 , the signature verification module 140 determines whether the updated signature is re-updated based on the reference feature value extracted from the signature before update, and controls the operation of the signature update module 130 accordingly. can

Figure 4 is a block diagram of the signature verification module of Figure 1;

Referring to FIGS. 1 and 4 , the signature verification module 140 may include a feature value ratio calculation unit 141 and a signature update control unit 142 .

The feature value ratio calculation unit 141 may extract one or more reference feature values from among a plurality of feature values of the signature before update.

Here, the feature value ratio calculation unit 141 may extract some of the feature values as many as the second threshold value as reference feature values in order of decreasing number of corresponding existing malicious codes among a plurality of feature values of the signature before update. .

In this case, the second threshold value may be a predetermined percentage (%) of the total number of feature values of the signature before update, and may be approximately 20%.

For example, if the total number of feature values of the signature before update is 707, the second threshold value may be approximately 141, and the feature value ratio calculation unit 141 calculates the number of corresponding existing malicious codes among the plurality of feature values. 141 feature values can be extracted as reference feature values for the signature before update in the order of small number.

In addition, the feature value ratio calculation unit 141 may calculate a ratio including a pre-extracted reference feature value among a plurality of feature values of the updated signature.

The signature update control unit 142 may determine whether to re-update the updated signature based on the included ratio of the reference feature value calculated by the feature value ratio calculation unit 141 .

In this case, the signature update control unit 142 may determine whether to re-update the updated signature according to the included ratio of the reference characteristic value based on the preset third threshold. Here, the third threshold value may be a predetermined percentage of the total number of reference feature values, and may be approximately 80%.

Here, if the included ratio of the pre-calculated reference feature value is equal to or greater than the third threshold value, that is, if the reference feature value is included in 80% or more of the plurality of feature values of the updated signature, the signature update control unit 142 updates the updated signature. Re-update of the signature can be judged. Accordingly, the signature updating unit 133 may control the operation to re-update the signature updated in the signature updating module 130 .

In addition, if the pre-calculated standard feature value is less than the third threshold, the signature update control unit 142 converts the signature before the update into the final signature for the malicious code input to the signature generator 100, for example, the optimal signature. can be output as

In this way, the signature generating apparatus 100 of the present embodiment can quickly generate a signature for a malicious code input from the outside based on a plurality of existing malicious codes stored in an inverted index storage structure.

In addition, the signature generating device 100 according to the present embodiment controls the repetition of signature renewal according to the same ratio of feature values between the two signatures, that is, the signature before updating and the updated signature, thereby generating an optimal signature for the entered malicious code. can create

5 is a flowchart illustrating a signature generation method according to an embodiment of the present invention, and FIGS. 6 to 8 are flowcharts showing a signature generation method according to an embodiment of the present invention in detail.

5 and 6, the signature generation module 120 may generate a signature for a malicious code input from the outside based on a plurality of existing malicious codes stored in the malicious code storage module 110 (S10). .

First, the malicious code analysis unit 121 of the signature generation module 120 analyzes the input malicious code and extracts a family label of the malicious code and a plurality of feature values, for example, a plurality of initial feature values (S110). .

Next, the characteristic value selection unit 122 may extract one or more existing malicious codes including each of a plurality of initial characteristic values from among a plurality of previously stored existing malicious codes (S120).

Subsequently, the feature value selection unit 122 may match the number of extracted existing malicious codes to each of a plurality of initial feature values, and select and output some of the plurality of initial feature values based on a preset first threshold value. Yes (S130).

Here, the feature value selector 122 may arrange each of the plurality of initial feature values in the order of the largest number of existing malicious codes matched thereto. Then, among the plurality of aligned initial feature values, one or more initial feature values having a number of matched existing malicious codes less than a first threshold value may be selected and extracted.

In this case, the first threshold value may be a value corresponding to a predetermined percentage ratio, for example, approximately 50% of the total number of existing malicious codes stored in the malicious code storage module 110 .

For example, as shown in [Table 2] below, the feature value selector 122 may match the number of existing malicious codes including the initial feature values with each of the plurality of initial feature values. In addition, a plurality of initial feature values may be arranged in the order of a large number of matched existing malicious codes.

ID initial feature value Number of existing malicious codes One NtClose+"handle": masked 2925 2 RegCloseKey+"key_handle": masked 2562 ..
. .
.
. .
.
. 25 GetFileType+"file_handle": masked 1559 26 NtProtectVirtualMemory+"process_identifier":masked|"stack_dep_bypass": masked|"stack_pivoted":
masked|"heap_dep_bypass": masked|"length":
masked|"protection": masked|"process_handle":
masked|"base_address": masked| 1430 27 LdrGetDllHandle_"module_name": masked:"kernel32.dll"|"stack_pivoted":
masked|"module_address": 1384 .
.
. .
.
. .
.
. 731 UuidCreate+"uuid":
"{fc7ae18d-a45d-46ca-a289-864d213cd522}" 0 732 NtWriteFile+"file_handle": masked|"filepath":"C:\\Users\\Administrator\\AppData\\Local\\Temp\\serverr.exe" 0

In this case, if the total number of existing malicious codes stored in the malicious code storage module 110 is 3,054, the number of existing malicious codes according to the first threshold value may be approximately 1,527. Accordingly, the feature value selector 122 selects initial feature values having existing malicious codes below the first threshold among a plurality of aligned initial feature values, for example, 707 initial feature values from 26 to 732 in [Table 2]. can be selected and printed.

Subsequently, the signature generation unit 123 may generate a signature of the malicious code including the selected one or more initial feature values based on the selected one or more initial feature values (S140).

5 and 7, the signature update module 130 updates a previously generated signature based on one or more family malicious codes corresponding to the input malicious code among a plurality of existing malicious codes, and outputs the updated signature. It can (S20).

The family malicious code extraction unit 131 of the signature update module 130 extracts the malicious code storage module 110 based on the family label of the malicious code previously extracted by the malicious code analysis unit 121 of the signature generation module 120. One or more existing malicious codes corresponding to the family label among a plurality of stored existing malicious codes may be extracted as family malicious codes (S210).

Next, the common feature value extraction unit 132 of the signature update module 130 may determine a matching rate between the signature and one or more family malicious codes, and extract one family malicious code based on the determined matching rate (S220). ).

Specifically, the common feature value extractor 132 may determine a match rate according to whether the feature values of the family malicious codes and the feature values of the signature, for example, the selected initial feature values match.

In this case, the common feature value extractor 132 may exclude family malwares including signatures having feature values that are completely identical to, for example, 100% matched to, feature values of the signatures from among one or more family malwares.

Accordingly, the common feature value extractor 132 may extract a signature including a feature value having the best match rate with the feature value of the signature among the remaining malicious codes of the family, and extract one family malware corresponding to the extracted signature. there is.

Subsequently, the common feature value extraction unit 132 may extract a common feature value between the extracted feature value of one family of malware and the signature (S230).

Here, the common feature value extractor 132 may extract one or more common feature values among a plurality of feature values included in one family of malicious codes and a plurality of initial feature values of the signature. The common feature value extractor 132 may output one or more extracted feature values as common feature values.

Next, the signature updating unit 133 may update the signature based on the extracted common feature values and output the updated signature (S240).

At this time, the signature updating unit 133 may output both the signature before updating and the updated signature.

Referring to FIGS. 5 and 8 , the signature verification module 140 verifies the updated signature and determines whether to re-update or not. The signature verification module 140 may control the operation of the signature update module 130 according to the determination result (S30).

First, the feature value ratio calculation unit 141 of the signature verification module 140 may extract some feature values as reference feature values among a plurality of aligned feature values of the pre-update signature based on a preset second threshold value. Yes (S310).

In this case, the second threshold value may be a value corresponding to a predetermined percentage ratio, for example, approximately 20% of the total number of feature values of the signature before update.

Referring to [Table 3] below, a plurality of characteristic values of the signature before update, for example, 707 characteristic values, are arranged in descending order of the number of malicious codes matched to each.

Also, the second threshold value may be 141, which is approximately 20% of the total number of feature values of the signature before update.

Accordingly, the feature value ratio calculation unit 141 may extract feature values less than or equal to a preset second threshold value, for example, 1 to 141 feature values among the 707 sorted feature values as reference feature values of the signature before update.

ID initial feature value Number of existing malicious codes One NtWriteFile_"file_handle": masked|"filepath":"C:\\Users\\Administrator\\AppData\\Local\\Temp\\serverr.exe" 0 2 UuidCreate_"uuid":"{fc7ae18d-a45d-46ca-a289-864d213cd522}" 0 ..
. .
.
. .
.
. 141 RegQueryValueExW_"key_handle": masked|"value":
""|"regkey_r": "Modules"|"reg_type":
masked|"regkey":
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\f6e8397\\46ad0879\\6f\\Modules"| 139 142 RegQueryValueExW_"key_handle": masked|"value":"System.Runtime.Remoting,2.0.0.0,,b77a5c561934e089"|"regkey_r": "DisplayName"|"reg_type":
masked|"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\f6e8397\\46ad0879\\6f\\DisplayName"| 139 .
.
. .
.
. .
.
. 706 LdrGetDllHandle_"module_name":
"kernel32.dll"|"stack_pivoted":
masked|"module_address": masked 1384 707 NtProtectVirtualMemory+"process_identifier":masked|"stack_dep_bypass": masked|"stack_pivoted":
masked|"heap_dep_bypass": masked|"length":
masked|"protection": masked|"process_handle":
masked|"base_address": masked| 1430

Next, the feature value ratio calculation unit 141 may extract a plurality of feature values of the updated signature, and calculate a ratio of including one or more pre-extracted reference feature values to the extracted feature values (S320). .

Next, the signature renewal control unit 142 of the signature verification module 140 determines whether to re-update the updated signature based on the included ratio of the standard feature value among the plurality of feature values of the updated signature based on a preset third threshold. It can (S330).

For example, the signature update controller 142 may determine that the updated signature needs to be re-updated if the previously calculated reference feature value is equal to or greater than the third threshold. Accordingly, the signature update control unit 142 may control the operation of the signature update module 130 to re-update the signature updated in the signature update module 130 so that a new signature is output.

On the other hand, the signature update control unit 142 may determine that significant feature values are not sufficient when the pre-calculated reference feature value is less than the third threshold. Accordingly, the signature verification module 140 may output the pre-update signature as an optimal signature for the previously input malicious code.

Here, the third threshold value may be a value corresponding to a predetermined percentage ratio, for example, approximately 80% of the total number of reference feature values.

Therefore, when the number of feature values of the updated signature include the reference feature value, i.e., the feature value extracted from the signature before update, at least the third threshold value, it is known that the significant signature of the signature before update is valid in the updated signature. can Accordingly, the signature update controller 142 may control the operation of the signature update module 130 by determining re-update of the updated signature.

In addition, when the reference feature value is less than the third threshold value in the plurality of feature values of the updated signature, it can be seen that the significant signature of the signature before update is not valid. Accordingly, the signature update control unit 142 may remove the updated signature and output the signature before the update as an optimal signature of the previously input malicious code.

In this way, the signature generating apparatus 100 of the present embodiment can quickly generate a signature for a malicious code input from the outside based on a plurality of existing malicious codes stored in an inverted index storage structure.

In addition, the signature generator 100 according to the present embodiment controls the repetition of signature updates according to the same ratio of feature values between the two signatures, that is, the signature before update and the signature after update, thereby generating the optimal signature for the entered malicious code. can create

Combinations of each block of the block diagram and each step of the flowchart of the present invention described above may be performed by computer program instructions. Since these computer program instructions may be loaded into an encoding processor of a general-purpose computer, special-purpose computer, or other programmable data processing equipment, the instructions executed by the encoding processor of the computer or other programmable data processing equipment are each block or block diagram of the block diagram. Each step in the flow chart creates means for performing the functions described. These computer program instructions may also be stored in a computer usable or computer readable memory that can be directed to a computer or other programmable data processing equipment to implement functionality in a particular way, such that the computer usable or computer readable memory The instructions stored in are also capable of producing an article of manufacture containing instruction means that perform the function described in each block of the block diagram or each step of the flowchart. The computer program instructions can also be loaded on a computer or other programmable data processing equipment, so that a series of operational steps are performed on the computer or other programmable data processing equipment to create a computer-executed process to generate computer or other programmable data processing equipment. It is also possible that the instructions performing the processing equipment provide steps for executing the functions described in each block of the block diagram and each step of the flow chart.

Additionally, each block or each step may represent a module, segment or portion of code that includes one or more executable instructions for executing specified logical function(s). It should also be noted that in some alternative embodiments it is possible for the functions recited in blocks or steps to occur out of order. For example, two blocks or steps shown in succession may in fact be performed substantially concurrently, or the blocks or steps may sometimes be performed in reverse order depending on their function.

The above description is merely an example of the technical idea of the present invention, and various modifications and variations can be made to those skilled in the art without departing from the essential qualities of the present invention. Therefore, the embodiments disclosed in the present invention are not intended to limit the technical idea of the present invention, but to explain, and the scope of the technical idea of the present invention is not limited by these embodiments. The protection scope of the present invention should be construed according to the claims below, and all technical ideas within the scope equivalent thereto should be construed as being included in the scope of the present invention.

100: signature generating device 110: malicious code storage module
120: signature generation module 121: malicious code analysis unit
122: feature value selection unit 123: signature generation unit
130: signature update module 131: family malware extraction unit
132: common feature value extraction unit 133: signature update unit
140: signature verification module 141: feature value ratio calculator
142: signature update control unit

Claims (20)

generating a signature for a malicious code input from the outside based on a plurality of pre-stored existing malicious codes;
updating a signature based on at least one family malicious code corresponding to the malicious code among the plurality of existing malicious codes; and
A signature generation method comprising determining whether to re-update an updated signature based on one or more reference characteristic values of the signature before renewal.
According to claim 1,
The step of generating the signature is,
extracting a plurality of initial feature values from the malicious code;
extracting one or more existing malicious codes including each of the plurality of initial characteristic values from among the plurality of existing malicious codes and matching each of the plurality of initial characteristic values;
selecting some of the plurality of initial feature values based on a preset first threshold value; and
A signature generating method comprising generating the signature including the selected initial feature values.
According to claim 2,
Selecting some of the plurality of initial feature values,
arranging each of the plurality of initial characteristic values in the order of a large number of the one or more existing malicious codes matched with each of the plurality of initial characteristic values; and
and selecting one or more initial feature values in which the number of the one or more existing malicious codes is less than the first threshold value from among the plurality of initial feature values.
According to claim 1,
Updating the signature,
extracting the one or more family malicious codes based on the family label extracted from the malicious codes;
determining a matching rate between each of the extracted one or more family malicious codes and the signature;
extracting one family malicious code having the highest matching rate with the signature from among the one or more family malicious codes according to the determination result;
extracting a common characteristic value between the extracted one family malicious code and the signature; and
and outputting the signature and the common feature value as a pre-update signature and an updated signature, respectively.
According to claim 4,
The step of extracting the one family malicious code,
The signature generation method of extracting the one family malicious code having the best matching rate from the rest of the family malicious codes excluding the family malicious codes having feature values that completely match the feature values of the signature.
According to claim 1,
The step of determining whether to re-update the renewed signature,
extracting some of the plurality of feature values of the pre-update signature as the one or more reference feature values based on a preset second threshold value;
calculating a ratio including the one or more reference feature values among a plurality of feature values of the updated signature; and
Comparing the ratio with a preset third threshold value, and determining whether to re-update the updated signature according to the comparison result.
According to claim 6,
The step of extracting as the reference feature value,
The step of extracting, as the reference feature value, a number less than or equal to the second threshold value among the plurality of feature values of the signature before update.
According to claim 6,
The step of determining whether to re-update the renewed signature,
If the ratio including the one or more reference feature values among the plurality of feature values of the updated signature is greater than or equal to the third threshold value, determining whether to re-update the updated signature;
The step of outputting the pre-update signature as the signature of the malicious code when the ratio including the one or more reference feature values among the plurality of feature values of the updated signature is less than the third threshold value. Signature generation method.
According to claim 1,
The signature generation method further comprising extracting a family label and a plurality of initial feature values from the malicious code.
A malicious code storage module in which a plurality of existing malicious codes are stored;
a signature generation module that generates and outputs a signature for the malicious code based on the plurality of existing malicious codes when a malicious code is input from the outside;
A signature update module for extracting one or more family malicious codes corresponding to the malicious code from among the plurality of existing malicious codes, updating the signature based on the extracted family malicious code, and outputting a signature before update and an updated signature; and
and a signature verification module for determining whether to re-update the updated signature based on one or more reference characteristic values of the signature before the update.
According to claim 10,
The signature generation module,
a malicious code analysis unit that analyzes the malicious code and extracts a family label and a plurality of initial feature values;
a feature value selection unit that selects and outputs some of the plurality of initial feature values based on a preset first threshold value; and
A signature generating device comprising a signature generating unit generating the signature including the selected first feature value.
According to claim 11,
The feature value selection unit,
Among the plurality of existing malicious codes, one or more existing malicious codes including each of the plurality of initial characteristic values are extracted, matched with each of the plurality of initial characteristic values, and the one or more existing malicious codes matched with each of the plurality of initial characteristic values. Arranging each of the plurality of initial feature values in the order of the largest number of malicious codes, and selecting one or more feature values in which the number of the one or more existing malicious codes is less than the first threshold value among the arranged plurality of initial feature values. signature generator.
According to claim 10,
The signature update module,
a family malicious code extraction unit extracting the one or more family malicious codes from among the plurality of existing malicious codes based on the family label extracted from the malicious codes;
Determining the matching rate between each of the extracted one or more family malicious codes and the signature, and extracting a common feature value between the signature and one family malicious code having the best matching rate with the signature among the one or more family malicious codes according to the determination result a common feature value extraction unit; and
and a signature updater configured to update the signature based on the common characteristic value.
According to claim 13,
The common feature value extraction unit,
A signature generating device for extracting the one family malicious code having the best match rate from among the remaining family malicious codes excluding the family malicious codes having feature values that completely match the feature values of the signature.
According to claim 10,
The signature verification module,
a feature value ratio calculation unit extracting the one or more reference feature values from among the plurality of feature values of the signature before updating, and calculating a ratio including the one or more reference feature values among the plurality of feature values of the updated signature; and
and a signature update controller configured to determine whether to re-update the updated signature based on the calculated ratio, and to control an operation of the signature update module according to the determination result.
According to claim 15,
The feature value ratio calculation unit,
Extracting some of the plurality of feature values of the pre-update signature as the one or more reference feature values based on a preset second threshold value, and including the one or more reference feature values among the plurality of feature values of the updated signature A signature generating device that calculates the ratio.
According to claim 16,
The feature value ratio calculation unit,
The signature generating device for extracting, as the reference feature value, the number of values less than or equal to the second threshold value in order of decreasing number of corresponding existing malicious codes among the plurality of feature values of the signature before update.
According to claim 15,
The signature update control unit,
If the ratio of the one or more reference feature values among the plurality of feature values of the updated signature is greater than or equal to a preset third threshold value, determining re-update of the updated signature to control the operation of the signature update module;
and outputting the pre-update signature as the signature of the malicious code when the ratio is less than the third threshold.
A computer-readable recording medium in which a computer program is stored,
The computer program,
generating a signature for a malicious code input from the outside based on a plurality of pre-stored existing malicious codes;
updating the signature based on at least one family malicious code corresponding to the malicious code among the plurality of existing malicious codes; and
A computer-readable recording medium comprising instructions for performing a signature generation method comprising determining whether to re-update an already-updated signature based on one or more reference characteristic values of the pre-update signature.
A computer program stored on a computer readable recording medium,
The computer program,
generating a signature for a malicious code input from the outside based on a plurality of pre-stored existing malicious codes;
updating the signature based on at least one family malicious code corresponding to the malicious code among the plurality of existing malicious codes; and
A computer program stored in a recording medium including instructions for performing a signature generation method comprising the step of determining whether or not to re-update the previously updated signature based on one or more reference characteristic values of the pre-update signature.

Images